diff --git a/java-iam/grpc-google-iam-v1/src/main/java/com/google/iam/v1/IAMPolicyGrpc.java b/java-iam/grpc-google-iam-v1/src/main/java/com/google/iam/v1/IAMPolicyGrpc.java index 53e66232af..dc9f5653e5 100644 --- a/java-iam/grpc-google-iam-v1/src/main/java/com/google/iam/v1/IAMPolicyGrpc.java +++ b/java-iam/grpc-google-iam-v1/src/main/java/com/google/iam/v1/IAMPolicyGrpc.java @@ -21,7 +21,7 @@ * * * 
- * ## API Overview
+ * API Overview
  * Manages Identity and Access Management (IAM) policies.
  * Any implementation of an API that offers access control features
  * implements the google.iam.v1.IAMPolicy interface.
@@ -215,7 +215,7 @@ public IAMPolicyFutureStub newStub(
    *
    *
    * 
-   * ## API Overview
+   * API Overview
    * Manages Identity and Access Management (IAM) policies.
    * Any implementation of an API that offers access control features
    * implements the google.iam.v1.IAMPolicy interface.
@@ -243,6 +243,7 @@ public abstract static class IAMPolicyImplBase implements io.grpc.BindableServic
      * 
      * Sets the access control policy on the specified resource. Replaces any
      * existing policy.
+     * Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED` errors.
      * 

      */
     public void setIamPolicy(
@@ -274,7 +275,7 @@ public void getIamPolicy(
      * 
      * Returns permissions that a caller has on the specified resource.
      * If the resource does not exist, this will return an empty set of
-     * permissions, not a NOT_FOUND error.
+     * permissions, not a `NOT_FOUND` error.
      * Note: This operation is designed to be used for building permission-aware
      * UIs and command-line tools, not for authorization checking. This operation
      * may "fail open" without warning.
@@ -318,7 +319,7 @@ public final io.grpc.ServerServiceDefinition bindService() {
    *
    *
    * 
-   * ## API Overview
+   * API Overview
    * Manages Identity and Access Management (IAM) policies.
    * Any implementation of an API that offers access control features
    * implements the google.iam.v1.IAMPolicy interface.
@@ -354,6 +355,7 @@ protected IAMPolicyStub build(io.grpc.Channel channel, io.grpc.CallOptions callO
      * 
      * Sets the access control policy on the specified resource. Replaces any
      * existing policy.
+     * Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED` errors.
      * 

      */
     public void setIamPolicy(
@@ -389,7 +391,7 @@ public void getIamPolicy(
      * 
      * Returns permissions that a caller has on the specified resource.
      * If the resource does not exist, this will return an empty set of
-     * permissions, not a NOT_FOUND error.
+     * permissions, not a `NOT_FOUND` error.
      * Note: This operation is designed to be used for building permission-aware
      * UIs and command-line tools, not for authorization checking. This operation
      * may "fail open" without warning.
@@ -410,7 +412,7 @@ public void testIamPermissions(
    *
    *
    * 
-   * ## API Overview
+   * API Overview
    * Manages Identity and Access Management (IAM) policies.
    * Any implementation of an API that offers access control features
    * implements the google.iam.v1.IAMPolicy interface.
@@ -448,6 +450,7 @@ protected IAMPolicyBlockingStub build(
      * 
      * Sets the access control policy on the specified resource. Replaces any
      * existing policy.
+     * Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED` errors.
      * 

      */
     public com.google.iam.v1.Policy setIamPolicy(com.google.iam.v1.SetIamPolicyRequest request) {
@@ -475,7 +478,7 @@ public com.google.iam.v1.Policy getIamPolicy(com.google.iam.v1.GetIamPolicyReque
      * 
      * Returns permissions that a caller has on the specified resource.
      * If the resource does not exist, this will return an empty set of
-     * permissions, not a NOT_FOUND error.
+     * permissions, not a `NOT_FOUND` error.
      * Note: This operation is designed to be used for building permission-aware
      * UIs and command-line tools, not for authorization checking. This operation
      * may "fail open" without warning.
@@ -492,7 +495,7 @@ public com.google.iam.v1.TestIamPermissionsResponse testIamPermissions(
    *
    *
    * 
-   * ## API Overview
+   * API Overview
    * Manages Identity and Access Management (IAM) policies.
    * Any implementation of an API that offers access control features
    * implements the google.iam.v1.IAMPolicy interface.
@@ -529,6 +532,7 @@ protected IAMPolicyFutureStub build(io.grpc.Channel channel, io.grpc.CallOptions
      * 
      * Sets the access control policy on the specified resource. Replaces any
      * existing policy.
+     * Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED` errors.
      * 

      */
     public com.google.common.util.concurrent.ListenableFuture
@@ -558,7 +562,7 @@ protected IAMPolicyFutureStub build(io.grpc.Channel channel, io.grpc.CallOptions
      * 
      * Returns permissions that a caller has on the specified resource.
      * If the resource does not exist, this will return an empty set of
-     * permissions, not a NOT_FOUND error.
+     * permissions, not a `NOT_FOUND` error.
      * Note: This operation is designed to be used for building permission-aware
      * UIs and command-line tools, not for authorization checking. This operation
      * may "fail open" without warning.
diff --git a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/AuditConfig.java b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/AuditConfig.java
new file mode 100644
index 0000000000..eb28aad02c
--- /dev/null
+++ b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/AuditConfig.java
@@ -0,0 +1,1227 @@
+/*
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+// Generated by the protocol buffer compiler.  DO NOT EDIT!
+// source: google/iam/v1/policy.proto
+
+package com.google.iam.v1;
+
+/**
+ *
+ *
+ * 
+ * Specifies the audit configuration for a service.
+ * The configuration determines which permission types are logged, and what
+ * identities, if any, are exempted from logging.
+ * An AuditConfig must have one or more AuditLogConfigs.
+ * If there are AuditConfigs for both `allServices` and a specific service,
+ * the union of the two AuditConfigs is used for that service: the log_types
+ * specified in each AuditConfig are enabled, and the exempted_members in each
+ * AuditLogConfig are exempted.
+ * Example Policy with multiple AuditConfigs:
+ *     {
+ *       "audit_configs": [
+ *         {
+ *           "service": "allServices",
+ *           "audit_log_configs": [
+ *             {
+ *               "log_type": "DATA_READ",
+ *               "exempted_members": [
+ *                 "user:jose@example.com"
+ *               ]
+ *             },
+ *             {
+ *               "log_type": "DATA_WRITE"
+ *             },
+ *             {
+ *               "log_type": "ADMIN_READ"
+ *             }
+ *           ]
+ *         },
+ *         {
+ *           "service": "sampleservice.googleapis.com",
+ *           "audit_log_configs": [
+ *             {
+ *               "log_type": "DATA_READ"
+ *             },
+ *             {
+ *               "log_type": "DATA_WRITE",
+ *               "exempted_members": [
+ *                 "user:aliya@example.com"
+ *               ]
+ *             }
+ *           ]
+ *         }
+ *       ]
+ *     }
+ * For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
+ * logging. It also exempts jose@example.com from DATA_READ logging, and
+ * aliya@example.com from DATA_WRITE logging.
+ * 

+ *
+ * Protobuf type {@code google.iam.v1.AuditConfig}
+ */
+public final class AuditConfig extends com.google.protobuf.GeneratedMessageV3
+    implements
+    // @@protoc_insertion_point(message_implements:google.iam.v1.AuditConfig)
+    AuditConfigOrBuilder {
+  private static final long serialVersionUID = 0L;
+  // Use AuditConfig.newBuilder() to construct.
+  private AuditConfig(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+    super(builder);
+  }
+
+  private AuditConfig() {
+    service_ = "";
+    auditLogConfigs_ = java.util.Collections.emptyList();
+  }
+
+  @java.lang.Override
+  @SuppressWarnings({"unused"})
+  protected java.lang.Object newInstance(UnusedPrivateParameter unused) {
+    return new AuditConfig();
+  }
+
+  @java.lang.Override
+  public final com.google.protobuf.UnknownFieldSet getUnknownFields() {
+    return this.unknownFields;
+  }
+
+  private AuditConfig(
+      com.google.protobuf.CodedInputStream input,
+      com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+      throws com.google.protobuf.InvalidProtocolBufferException {
+    this();
+    if (extensionRegistry == null) {
+      throw new java.lang.NullPointerException();
+    }
+    int mutable_bitField0_ = 0;
+    com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+        com.google.protobuf.UnknownFieldSet.newBuilder();
+    try {
+      boolean done = false;
+      while (!done) {
+        int tag = input.readTag();
+        switch (tag) {
+          case 0:
+            done = true;
+            break;
+          case 10:
+            {
+              java.lang.String s = input.readStringRequireUtf8();
+
+              service_ = s;
+              break;
+            }
+          case 26:
+            {
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
+                auditLogConfigs_ = new java.util.ArrayList();
+                mutable_bitField0_ |= 0x00000001;
+              }
+              auditLogConfigs_.add(
+                  input.readMessage(com.google.iam.v1.AuditLogConfig.parser(), extensionRegistry));
+              break;
+            }
+          default:
+            {
+              if (!parseUnknownField(input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+        }
+      }
+    } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+      throw e.setUnfinishedMessage(this);
+    } catch (java.io.IOException e) {
+      throw new com.google.protobuf.InvalidProtocolBufferException(e).setUnfinishedMessage(this);
+    } finally {
+      if (((mutable_bitField0_ & 0x00000001) != 0)) {
+        auditLogConfigs_ = java.util.Collections.unmodifiableList(auditLogConfigs_);
+      }
+      this.unknownFields = unknownFields.build();
+      makeExtensionsImmutable();
+    }
+  }
+
+  public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() {
+    return com.google.iam.v1.PolicyProto.internal_static_google_iam_v1_AuditConfig_descriptor;
+  }
+
+  @java.lang.Override
+  protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internalGetFieldAccessorTable() {
+    return com.google.iam.v1.PolicyProto
+        .internal_static_google_iam_v1_AuditConfig_fieldAccessorTable
+        .ensureFieldAccessorsInitialized(
+            com.google.iam.v1.AuditConfig.class, com.google.iam.v1.AuditConfig.Builder.class);
+  }
+
+  public static final int SERVICE_FIELD_NUMBER = 1;
+  private volatile java.lang.Object service_;
+  /**
+   *
+   *
+   * 
+   * Specifies a service that will be enabled for audit logging.
+   * For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+   * `allServices` is a special value that covers all services.
+   * 

+   *
+   * string service = 1;
+   *
+   * @return The service.
+   */
+  @java.lang.Override
+  public java.lang.String getService() {
+    java.lang.Object ref = service_;
+    if (ref instanceof java.lang.String) {
+      return (java.lang.String) ref;
+    } else {
+      com.google.protobuf.ByteString bs = (com.google.protobuf.ByteString) ref;
+      java.lang.String s = bs.toStringUtf8();
+      service_ = s;
+      return s;
+    }
+  }
+  /**
+   *
+   *
+   * 
+   * Specifies a service that will be enabled for audit logging.
+   * For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+   * `allServices` is a special value that covers all services.
+   * 

+   *
+   * string service = 1;
+   *
+   * @return The bytes for service.
+   */
+  @java.lang.Override
+  public com.google.protobuf.ByteString getServiceBytes() {
+    java.lang.Object ref = service_;
+    if (ref instanceof java.lang.String) {
+      com.google.protobuf.ByteString b =
+          com.google.protobuf.ByteString.copyFromUtf8((java.lang.String) ref);
+      service_ = b;
+      return b;
+    } else {
+      return (com.google.protobuf.ByteString) ref;
+    }
+  }
+
+  public static final int AUDIT_LOG_CONFIGS_FIELD_NUMBER = 3;
+  private java.util.List auditLogConfigs_;
+  /**
+   *
+   *
+   * 
+   * The configuration for logging of each type of permission.
+   * 

+   *
+   * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+   */
+  @java.lang.Override
+  public java.util.List getAuditLogConfigsList() {
+    return auditLogConfigs_;
+  }
+  /**
+   *
+   *
+   * 
+   * The configuration for logging of each type of permission.
+   * 

+   *
+   * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+   */
+  @java.lang.Override
+  public java.util.List
+      getAuditLogConfigsOrBuilderList() {
+    return auditLogConfigs_;
+  }
+  /**
+   *
+   *
+   * 
+   * The configuration for logging of each type of permission.
+   * 

+   *
+   * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+   */
+  @java.lang.Override
+  public int getAuditLogConfigsCount() {
+    return auditLogConfigs_.size();
+  }
+  /**
+   *
+   *
+   * 
+   * The configuration for logging of each type of permission.
+   * 

+   *
+   * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+   */
+  @java.lang.Override
+  public com.google.iam.v1.AuditLogConfig getAuditLogConfigs(int index) {
+    return auditLogConfigs_.get(index);
+  }
+  /**
+   *
+   *
+   * 
+   * The configuration for logging of each type of permission.
+   * 

+   *
+   * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+   */
+  @java.lang.Override
+  public com.google.iam.v1.AuditLogConfigOrBuilder getAuditLogConfigsOrBuilder(int index) {
+    return auditLogConfigs_.get(index);
+  }
+
+  private byte memoizedIsInitialized = -1;
+
+  @java.lang.Override
+  public final boolean isInitialized() {
+    byte isInitialized = memoizedIsInitialized;
+    if (isInitialized == 1) return true;
+    if (isInitialized == 0) return false;
+
+    memoizedIsInitialized = 1;
+    return true;
+  }
+
+  @java.lang.Override
+  public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io.IOException {
+    if (!com.google.protobuf.GeneratedMessageV3.isStringEmpty(service_)) {
+      com.google.protobuf.GeneratedMessageV3.writeString(output, 1, service_);
+    }
+    for (int i = 0; i < auditLogConfigs_.size(); i++) {
+      output.writeMessage(3, auditLogConfigs_.get(i));
+    }
+    unknownFields.writeTo(output);
+  }
+
+  @java.lang.Override
+  public int getSerializedSize() {
+    int size = memoizedSize;
+    if (size != -1) return size;
+
+    size = 0;
+    if (!com.google.protobuf.GeneratedMessageV3.isStringEmpty(service_)) {
+      size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, service_);
+    }
+    for (int i = 0; i < auditLogConfigs_.size(); i++) {
+      size += com.google.protobuf.CodedOutputStream.computeMessageSize(3, auditLogConfigs_.get(i));
+    }
+    size += unknownFields.getSerializedSize();
+    memoizedSize = size;
+    return size;
+  }
+
+  @java.lang.Override
+  public boolean equals(final java.lang.Object obj) {
+    if (obj == this) {
+      return true;
+    }
+    if (!(obj instanceof com.google.iam.v1.AuditConfig)) {
+      return super.equals(obj);
+    }
+    com.google.iam.v1.AuditConfig other = (com.google.iam.v1.AuditConfig) obj;
+
+    if (!getService().equals(other.getService())) return false;
+    if (!getAuditLogConfigsList().equals(other.getAuditLogConfigsList())) return false;
+    if (!unknownFields.equals(other.unknownFields)) return false;
+    return true;
+  }
+
+  @java.lang.Override
+  public int hashCode() {
+    if (memoizedHashCode != 0) {
+      return memoizedHashCode;
+    }
+    int hash = 41;
+    hash = (19 * hash) + getDescriptor().hashCode();
+    hash = (37 * hash) + SERVICE_FIELD_NUMBER;
+    hash = (53 * hash) + getService().hashCode();
+    if (getAuditLogConfigsCount() > 0) {
+      hash = (37 * hash) + AUDIT_LOG_CONFIGS_FIELD_NUMBER;
+      hash = (53 * hash) + getAuditLogConfigsList().hashCode();
+    }
+    hash = (29 * hash) + unknownFields.hashCode();
+    memoizedHashCode = hash;
+    return hash;
+  }
+
+  public static com.google.iam.v1.AuditConfig parseFrom(java.nio.ByteBuffer data)
+      throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data);
+  }
+
+  public static com.google.iam.v1.AuditConfig parseFrom(
+      java.nio.ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+      throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data, extensionRegistry);
+  }
+
+  public static com.google.iam.v1.AuditConfig parseFrom(com.google.protobuf.ByteString data)
+      throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data);
+  }
+
+  public static com.google.iam.v1.AuditConfig parseFrom(
+      com.google.protobuf.ByteString data,
+      com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+      throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data, extensionRegistry);
+  }
+
+  public static com.google.iam.v1.AuditConfig parseFrom(byte[] data)
+      throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data);
+  }
+
+  public static com.google.iam.v1.AuditConfig parseFrom(
+      byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+      throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data, extensionRegistry);
+  }
+
+  public static com.google.iam.v1.AuditConfig parseFrom(java.io.InputStream input)
+      throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input);
+  }
+
+  public static com.google.iam.v1.AuditConfig parseFrom(
+      java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+      throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseWithIOException(
+        PARSER, input, extensionRegistry);
+  }
+
+  public static com.google.iam.v1.AuditConfig parseDelimitedFrom(java.io.InputStream input)
+      throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(PARSER, input);
+  }
+
+  public static com.google.iam.v1.AuditConfig parseDelimitedFrom(
+      java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+      throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(
+        PARSER, input, extensionRegistry);
+  }
+
+  public static com.google.iam.v1.AuditConfig parseFrom(com.google.protobuf.CodedInputStream input)
+      throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input);
+  }
+
+  public static com.google.iam.v1.AuditConfig parseFrom(
+      com.google.protobuf.CodedInputStream input,
+      com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+      throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseWithIOException(
+        PARSER, input, extensionRegistry);
+  }
+
+  @java.lang.Override
+  public Builder newBuilderForType() {
+    return newBuilder();
+  }
+
+  public static Builder newBuilder() {
+    return DEFAULT_INSTANCE.toBuilder();
+  }
+
+  public static Builder newBuilder(com.google.iam.v1.AuditConfig prototype) {
+    return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+  }
+
+  @java.lang.Override
+  public Builder toBuilder() {
+    return this == DEFAULT_INSTANCE ? new Builder() : new Builder().mergeFrom(this);
+  }
+
+  @java.lang.Override
+  protected Builder newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+    Builder builder = new Builder(parent);
+    return builder;
+  }
+  /**
+   *
+   *
+   * 
+   * Specifies the audit configuration for a service.
+   * The configuration determines which permission types are logged, and what
+   * identities, if any, are exempted from logging.
+   * An AuditConfig must have one or more AuditLogConfigs.
+   * If there are AuditConfigs for both `allServices` and a specific service,
+   * the union of the two AuditConfigs is used for that service: the log_types
+   * specified in each AuditConfig are enabled, and the exempted_members in each
+   * AuditLogConfig are exempted.
+   * Example Policy with multiple AuditConfigs:
+   *     {
+   *       "audit_configs": [
+   *         {
+   *           "service": "allServices",
+   *           "audit_log_configs": [
+   *             {
+   *               "log_type": "DATA_READ",
+   *               "exempted_members": [
+   *                 "user:jose@example.com"
+   *               ]
+   *             },
+   *             {
+   *               "log_type": "DATA_WRITE"
+   *             },
+   *             {
+   *               "log_type": "ADMIN_READ"
+   *             }
+   *           ]
+   *         },
+   *         {
+   *           "service": "sampleservice.googleapis.com",
+   *           "audit_log_configs": [
+   *             {
+   *               "log_type": "DATA_READ"
+   *             },
+   *             {
+   *               "log_type": "DATA_WRITE",
+   *               "exempted_members": [
+   *                 "user:aliya@example.com"
+   *               ]
+   *             }
+   *           ]
+   *         }
+   *       ]
+   *     }
+   * For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
+   * logging. It also exempts jose@example.com from DATA_READ logging, and
+   * aliya@example.com from DATA_WRITE logging.
+   * 

+   *
+   * Protobuf type {@code google.iam.v1.AuditConfig}
+   */
+  public static final class Builder extends com.google.protobuf.GeneratedMessageV3.Builder
+      implements
+      // @@protoc_insertion_point(builder_implements:google.iam.v1.AuditConfig)
+      com.google.iam.v1.AuditConfigOrBuilder {
+    public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() {
+      return com.google.iam.v1.PolicyProto.internal_static_google_iam_v1_AuditConfig_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return com.google.iam.v1.PolicyProto
+          .internal_static_google_iam_v1_AuditConfig_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              com.google.iam.v1.AuditConfig.class, com.google.iam.v1.AuditConfig.Builder.class);
+    }
+
+    // Construct using com.google.iam.v1.AuditConfig.newBuilder()
+    private Builder() {
+      maybeForceBuilderInitialization();
+    }
+
+    private Builder(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      super(parent);
+      maybeForceBuilderInitialization();
+    }
+
+    private void maybeForceBuilderInitialization() {
+      if (com.google.protobuf.GeneratedMessageV3.alwaysUseFieldBuilders) {
+        getAuditLogConfigsFieldBuilder();
+      }
+    }
+
+    @java.lang.Override
+    public Builder clear() {
+      super.clear();
+      service_ = "";
+
+      if (auditLogConfigsBuilder_ == null) {
+        auditLogConfigs_ = java.util.Collections.emptyList();
+        bitField0_ = (bitField0_ & ~0x00000001);
+      } else {
+        auditLogConfigsBuilder_.clear();
+      }
+      return this;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Descriptors.Descriptor getDescriptorForType() {
+      return com.google.iam.v1.PolicyProto.internal_static_google_iam_v1_AuditConfig_descriptor;
+    }
+
+    @java.lang.Override
+    public com.google.iam.v1.AuditConfig getDefaultInstanceForType() {
+      return com.google.iam.v1.AuditConfig.getDefaultInstance();
+    }
+
+    @java.lang.Override
+    public com.google.iam.v1.AuditConfig build() {
+      com.google.iam.v1.AuditConfig result = buildPartial();
+      if (!result.isInitialized()) {
+        throw newUninitializedMessageException(result);
+      }
+      return result;
+    }
+
+    @java.lang.Override
+    public com.google.iam.v1.AuditConfig buildPartial() {
+      com.google.iam.v1.AuditConfig result = new com.google.iam.v1.AuditConfig(this);
+      int from_bitField0_ = bitField0_;
+      result.service_ = service_;
+      if (auditLogConfigsBuilder_ == null) {
+        if (((bitField0_ & 0x00000001) != 0)) {
+          auditLogConfigs_ = java.util.Collections.unmodifiableList(auditLogConfigs_);
+          bitField0_ = (bitField0_ & ~0x00000001);
+        }
+        result.auditLogConfigs_ = auditLogConfigs_;
+      } else {
+        result.auditLogConfigs_ = auditLogConfigsBuilder_.build();
+      }
+      onBuilt();
+      return result;
+    }
+
+    @java.lang.Override
+    public Builder clone() {
+      return super.clone();
+    }
+
+    @java.lang.Override
+    public Builder setField(
+        com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) {
+      return super.setField(field, value);
+    }
+
+    @java.lang.Override
+    public Builder clearField(com.google.protobuf.Descriptors.FieldDescriptor field) {
+      return super.clearField(field);
+    }
+
+    @java.lang.Override
+    public Builder clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+      return super.clearOneof(oneof);
+    }
+
+    @java.lang.Override
+    public Builder setRepeatedField(
+        com.google.protobuf.Descriptors.FieldDescriptor field, int index, java.lang.Object value) {
+      return super.setRepeatedField(field, index, value);
+    }
+
+    @java.lang.Override
+    public Builder addRepeatedField(
+        com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) {
+      return super.addRepeatedField(field, value);
+    }
+
+    @java.lang.Override
+    public Builder mergeFrom(com.google.protobuf.Message other) {
+      if (other instanceof com.google.iam.v1.AuditConfig) {
+        return mergeFrom((com.google.iam.v1.AuditConfig) other);
+      } else {
+        super.mergeFrom(other);
+        return this;
+      }
+    }
+
+    public Builder mergeFrom(com.google.iam.v1.AuditConfig other) {
+      if (other == com.google.iam.v1.AuditConfig.getDefaultInstance()) return this;
+      if (!other.getService().isEmpty()) {
+        service_ = other.service_;
+        onChanged();
+      }
+      if (auditLogConfigsBuilder_ == null) {
+        if (!other.auditLogConfigs_.isEmpty()) {
+          if (auditLogConfigs_.isEmpty()) {
+            auditLogConfigs_ = other.auditLogConfigs_;
+            bitField0_ = (bitField0_ & ~0x00000001);
+          } else {
+            ensureAuditLogConfigsIsMutable();
+            auditLogConfigs_.addAll(other.auditLogConfigs_);
+          }
+          onChanged();
+        }
+      } else {
+        if (!other.auditLogConfigs_.isEmpty()) {
+          if (auditLogConfigsBuilder_.isEmpty()) {
+            auditLogConfigsBuilder_.dispose();
+            auditLogConfigsBuilder_ = null;
+            auditLogConfigs_ = other.auditLogConfigs_;
+            bitField0_ = (bitField0_ & ~0x00000001);
+            auditLogConfigsBuilder_ =
+                com.google.protobuf.GeneratedMessageV3.alwaysUseFieldBuilders
+                    ? getAuditLogConfigsFieldBuilder()
+                    : null;
+          } else {
+            auditLogConfigsBuilder_.addAllMessages(other.auditLogConfigs_);
+          }
+        }
+      }
+      this.mergeUnknownFields(other.unknownFields);
+      onChanged();
+      return this;
+    }
+
+    @java.lang.Override
+    public final boolean isInitialized() {
+      return true;
+    }
+
+    @java.lang.Override
+    public Builder mergeFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      com.google.iam.v1.AuditConfig parsedMessage = null;
+      try {
+        parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        parsedMessage = (com.google.iam.v1.AuditConfig) e.getUnfinishedMessage();
+        throw e.unwrapIOException();
+      } finally {
+        if (parsedMessage != null) {
+          mergeFrom(parsedMessage);
+        }
+      }
+      return this;
+    }
+
+    private int bitField0_;
+
+    private java.lang.Object service_ = "";
+    /**
+     *
+     *
+     * 
+     * Specifies a service that will be enabled for audit logging.
+     * For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+     * `allServices` is a special value that covers all services.
+     * 

+     *
+     * string service = 1;
+     *
+     * @return The service.
+     */
+    public java.lang.String getService() {
+      java.lang.Object ref = service_;
+      if (!(ref instanceof java.lang.String)) {
+        com.google.protobuf.ByteString bs = (com.google.protobuf.ByteString) ref;
+        java.lang.String s = bs.toStringUtf8();
+        service_ = s;
+        return s;
+      } else {
+        return (java.lang.String) ref;
+      }
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies a service that will be enabled for audit logging.
+     * For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+     * `allServices` is a special value that covers all services.
+     * 

+     *
+     * string service = 1;
+     *
+     * @return The bytes for service.
+     */
+    public com.google.protobuf.ByteString getServiceBytes() {
+      java.lang.Object ref = service_;
+      if (ref instanceof String) {
+        com.google.protobuf.ByteString b =
+            com.google.protobuf.ByteString.copyFromUtf8((java.lang.String) ref);
+        service_ = b;
+        return b;
+      } else {
+        return (com.google.protobuf.ByteString) ref;
+      }
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies a service that will be enabled for audit logging.
+     * For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+     * `allServices` is a special value that covers all services.
+     * 

+     *
+     * string service = 1;
+     *
+     * @param value The service to set.
+     * @return This builder for chaining.
+     */
+    public Builder setService(java.lang.String value) {
+      if (value == null) {
+        throw new NullPointerException();
+      }
+
+      service_ = value;
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies a service that will be enabled for audit logging.
+     * For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+     * `allServices` is a special value that covers all services.
+     * 

+     *
+     * string service = 1;
+     *
+     * @return This builder for chaining.
+     */
+    public Builder clearService() {
+
+      service_ = getDefaultInstance().getService();
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies a service that will be enabled for audit logging.
+     * For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+     * `allServices` is a special value that covers all services.
+     * 

+     *
+     * string service = 1;
+     *
+     * @param value The bytes for service to set.
+     * @return This builder for chaining.
+     */
+    public Builder setServiceBytes(com.google.protobuf.ByteString value) {
+      if (value == null) {
+        throw new NullPointerException();
+      }
+      checkByteStringIsUtf8(value);
+
+      service_ = value;
+      onChanged();
+      return this;
+    }
+
+    private java.util.List auditLogConfigs_ =
+        java.util.Collections.emptyList();
+
+    private void ensureAuditLogConfigsIsMutable() {
+      if (!((bitField0_ & 0x00000001) != 0)) {
+        auditLogConfigs_ =
+            new java.util.ArrayList(auditLogConfigs_);
+        bitField0_ |= 0x00000001;
+      }
+    }
+
+    private com.google.protobuf.RepeatedFieldBuilderV3<
+            com.google.iam.v1.AuditLogConfig,
+            com.google.iam.v1.AuditLogConfig.Builder,
+            com.google.iam.v1.AuditLogConfigOrBuilder>
+        auditLogConfigsBuilder_;
+
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public java.util.List getAuditLogConfigsList() {
+      if (auditLogConfigsBuilder_ == null) {
+        return java.util.Collections.unmodifiableList(auditLogConfigs_);
+      } else {
+        return auditLogConfigsBuilder_.getMessageList();
+      }
+    }
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public int getAuditLogConfigsCount() {
+      if (auditLogConfigsBuilder_ == null) {
+        return auditLogConfigs_.size();
+      } else {
+        return auditLogConfigsBuilder_.getCount();
+      }
+    }
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public com.google.iam.v1.AuditLogConfig getAuditLogConfigs(int index) {
+      if (auditLogConfigsBuilder_ == null) {
+        return auditLogConfigs_.get(index);
+      } else {
+        return auditLogConfigsBuilder_.getMessage(index);
+      }
+    }
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public Builder setAuditLogConfigs(int index, com.google.iam.v1.AuditLogConfig value) {
+      if (auditLogConfigsBuilder_ == null) {
+        if (value == null) {
+          throw new NullPointerException();
+        }
+        ensureAuditLogConfigsIsMutable();
+        auditLogConfigs_.set(index, value);
+        onChanged();
+      } else {
+        auditLogConfigsBuilder_.setMessage(index, value);
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public Builder setAuditLogConfigs(
+        int index, com.google.iam.v1.AuditLogConfig.Builder builderForValue) {
+      if (auditLogConfigsBuilder_ == null) {
+        ensureAuditLogConfigsIsMutable();
+        auditLogConfigs_.set(index, builderForValue.build());
+        onChanged();
+      } else {
+        auditLogConfigsBuilder_.setMessage(index, builderForValue.build());
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public Builder addAuditLogConfigs(com.google.iam.v1.AuditLogConfig value) {
+      if (auditLogConfigsBuilder_ == null) {
+        if (value == null) {
+          throw new NullPointerException();
+        }
+        ensureAuditLogConfigsIsMutable();
+        auditLogConfigs_.add(value);
+        onChanged();
+      } else {
+        auditLogConfigsBuilder_.addMessage(value);
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public Builder addAuditLogConfigs(int index, com.google.iam.v1.AuditLogConfig value) {
+      if (auditLogConfigsBuilder_ == null) {
+        if (value == null) {
+          throw new NullPointerException();
+        }
+        ensureAuditLogConfigsIsMutable();
+        auditLogConfigs_.add(index, value);
+        onChanged();
+      } else {
+        auditLogConfigsBuilder_.addMessage(index, value);
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public Builder addAuditLogConfigs(com.google.iam.v1.AuditLogConfig.Builder builderForValue) {
+      if (auditLogConfigsBuilder_ == null) {
+        ensureAuditLogConfigsIsMutable();
+        auditLogConfigs_.add(builderForValue.build());
+        onChanged();
+      } else {
+        auditLogConfigsBuilder_.addMessage(builderForValue.build());
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public Builder addAuditLogConfigs(
+        int index, com.google.iam.v1.AuditLogConfig.Builder builderForValue) {
+      if (auditLogConfigsBuilder_ == null) {
+        ensureAuditLogConfigsIsMutable();
+        auditLogConfigs_.add(index, builderForValue.build());
+        onChanged();
+      } else {
+        auditLogConfigsBuilder_.addMessage(index, builderForValue.build());
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public Builder addAllAuditLogConfigs(
+        java.lang.Iterable values) {
+      if (auditLogConfigsBuilder_ == null) {
+        ensureAuditLogConfigsIsMutable();
+        com.google.protobuf.AbstractMessageLite.Builder.addAll(values, auditLogConfigs_);
+        onChanged();
+      } else {
+        auditLogConfigsBuilder_.addAllMessages(values);
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public Builder clearAuditLogConfigs() {
+      if (auditLogConfigsBuilder_ == null) {
+        auditLogConfigs_ = java.util.Collections.emptyList();
+        bitField0_ = (bitField0_ & ~0x00000001);
+        onChanged();
+      } else {
+        auditLogConfigsBuilder_.clear();
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public Builder removeAuditLogConfigs(int index) {
+      if (auditLogConfigsBuilder_ == null) {
+        ensureAuditLogConfigsIsMutable();
+        auditLogConfigs_.remove(index);
+        onChanged();
+      } else {
+        auditLogConfigsBuilder_.remove(index);
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public com.google.iam.v1.AuditLogConfig.Builder getAuditLogConfigsBuilder(int index) {
+      return getAuditLogConfigsFieldBuilder().getBuilder(index);
+    }
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public com.google.iam.v1.AuditLogConfigOrBuilder getAuditLogConfigsOrBuilder(int index) {
+      if (auditLogConfigsBuilder_ == null) {
+        return auditLogConfigs_.get(index);
+      } else {
+        return auditLogConfigsBuilder_.getMessageOrBuilder(index);
+      }
+    }
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public java.util.List
+        getAuditLogConfigsOrBuilderList() {
+      if (auditLogConfigsBuilder_ != null) {
+        return auditLogConfigsBuilder_.getMessageOrBuilderList();
+      } else {
+        return java.util.Collections.unmodifiableList(auditLogConfigs_);
+      }
+    }
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public com.google.iam.v1.AuditLogConfig.Builder addAuditLogConfigsBuilder() {
+      return getAuditLogConfigsFieldBuilder()
+          .addBuilder(com.google.iam.v1.AuditLogConfig.getDefaultInstance());
+    }
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public com.google.iam.v1.AuditLogConfig.Builder addAuditLogConfigsBuilder(int index) {
+      return getAuditLogConfigsFieldBuilder()
+          .addBuilder(index, com.google.iam.v1.AuditLogConfig.getDefaultInstance());
+    }
+    /**
+     *
+     *
+     * 
+     * The configuration for logging of each type of permission.
+     * 

+     *
+     * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+     */
+    public java.util.List
+        getAuditLogConfigsBuilderList() {
+      return getAuditLogConfigsFieldBuilder().getBuilderList();
+    }
+
+    private com.google.protobuf.RepeatedFieldBuilderV3<
+            com.google.iam.v1.AuditLogConfig,
+            com.google.iam.v1.AuditLogConfig.Builder,
+            com.google.iam.v1.AuditLogConfigOrBuilder>
+        getAuditLogConfigsFieldBuilder() {
+      if (auditLogConfigsBuilder_ == null) {
+        auditLogConfigsBuilder_ =
+            new com.google.protobuf.RepeatedFieldBuilderV3<
+                com.google.iam.v1.AuditLogConfig,
+                com.google.iam.v1.AuditLogConfig.Builder,
+                com.google.iam.v1.AuditLogConfigOrBuilder>(
+                auditLogConfigs_,
+                ((bitField0_ & 0x00000001) != 0),
+                getParentForChildren(),
+                isClean());
+        auditLogConfigs_ = null;
+      }
+      return auditLogConfigsBuilder_;
+    }
+
+    @java.lang.Override
+    public final Builder setUnknownFields(final com.google.protobuf.UnknownFieldSet unknownFields) {
+      return super.setUnknownFields(unknownFields);
+    }
+
+    @java.lang.Override
+    public final Builder mergeUnknownFields(
+        final com.google.protobuf.UnknownFieldSet unknownFields) {
+      return super.mergeUnknownFields(unknownFields);
+    }
+
+    // @@protoc_insertion_point(builder_scope:google.iam.v1.AuditConfig)
+  }
+
+  // @@protoc_insertion_point(class_scope:google.iam.v1.AuditConfig)
+  private static final com.google.iam.v1.AuditConfig DEFAULT_INSTANCE;
+
+  static {
+    DEFAULT_INSTANCE = new com.google.iam.v1.AuditConfig();
+  }
+
+  public static com.google.iam.v1.AuditConfig getDefaultInstance() {
+    return DEFAULT_INSTANCE;
+  }
+
+  private static final com.google.protobuf.Parser PARSER =
+      new com.google.protobuf.AbstractParser() {
+        @java.lang.Override
+        public AuditConfig parsePartialFrom(
+            com.google.protobuf.CodedInputStream input,
+            com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+            throws com.google.protobuf.InvalidProtocolBufferException {
+          return new AuditConfig(input, extensionRegistry);
+        }
+      };
+
+  public static com.google.protobuf.Parser parser() {
+    return PARSER;
+  }
+
+  @java.lang.Override
+  public com.google.protobuf.Parser getParserForType() {
+    return PARSER;
+  }
+
+  @java.lang.Override
+  public com.google.iam.v1.AuditConfig getDefaultInstanceForType() {
+    return DEFAULT_INSTANCE;
+  }
+}
diff --git a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/AuditConfigOrBuilder.java b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/AuditConfigOrBuilder.java
new file mode 100644
index 0000000000..06911aaf2b
--- /dev/null
+++ b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/AuditConfigOrBuilder.java
@@ -0,0 +1,106 @@
+/*
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+// Generated by the protocol buffer compiler.  DO NOT EDIT!
+// source: google/iam/v1/policy.proto
+
+package com.google.iam.v1;
+
+public interface AuditConfigOrBuilder
+    extends
+    // @@protoc_insertion_point(interface_extends:google.iam.v1.AuditConfig)
+    com.google.protobuf.MessageOrBuilder {
+
+  /**
+   *
+   *
+   * 
+   * Specifies a service that will be enabled for audit logging.
+   * For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+   * `allServices` is a special value that covers all services.
+   * 

+   *
+   * string service = 1;
+   *
+   * @return The service.
+   */
+  java.lang.String getService();
+  /**
+   *
+   *
+   * 
+   * Specifies a service that will be enabled for audit logging.
+   * For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+   * `allServices` is a special value that covers all services.
+   * 

+   *
+   * string service = 1;
+   *
+   * @return The bytes for service.
+   */
+  com.google.protobuf.ByteString getServiceBytes();
+
+  /**
+   *
+   *
+   * 
+   * The configuration for logging of each type of permission.
+   * 

+   *
+   * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+   */
+  java.util.List getAuditLogConfigsList();
+  /**
+   *
+   *
+   * 
+   * The configuration for logging of each type of permission.
+   * 

+   *
+   * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+   */
+  com.google.iam.v1.AuditLogConfig getAuditLogConfigs(int index);
+  /**
+   *
+   *
+   * 
+   * The configuration for logging of each type of permission.
+   * 

+   *
+   * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+   */
+  int getAuditLogConfigsCount();
+  /**
+   *
+   *
+   * 
+   * The configuration for logging of each type of permission.
+   * 

+   *
+   * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+   */
+  java.util.List
+      getAuditLogConfigsOrBuilderList();
+  /**
+   *
+   *
+   * 
+   * The configuration for logging of each type of permission.
+   * 

+   *
+   * repeated .google.iam.v1.AuditLogConfig audit_log_configs = 3;
+   */
+  com.google.iam.v1.AuditLogConfigOrBuilder getAuditLogConfigsOrBuilder(int index);
+}
diff --git a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/AuditLogConfig.java b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/AuditLogConfig.java
new file mode 100644
index 0000000000..a6f3a720c2
--- /dev/null
+++ b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/AuditLogConfig.java
@@ -0,0 +1,1116 @@
+/*
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+// Generated by the protocol buffer compiler.  DO NOT EDIT!
+// source: google/iam/v1/policy.proto
+
+package com.google.iam.v1;
+
+/**
+ *
+ *
+ * 
+ * Provides the configuration for logging a type of permissions.
+ * Example:
+ *     {
+ *       "audit_log_configs": [
+ *         {
+ *           "log_type": "DATA_READ",
+ *           "exempted_members": [
+ *             "user:jose@example.com"
+ *           ]
+ *         },
+ *         {
+ *           "log_type": "DATA_WRITE"
+ *         }
+ *       ]
+ *     }
+ * This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
+ * jose@example.com from DATA_READ logging.
+ * 

+ *
+ * Protobuf type {@code google.iam.v1.AuditLogConfig}
+ */
+public final class AuditLogConfig extends com.google.protobuf.GeneratedMessageV3
+    implements
+    // @@protoc_insertion_point(message_implements:google.iam.v1.AuditLogConfig)
+    AuditLogConfigOrBuilder {
+  private static final long serialVersionUID = 0L;
+  // Use AuditLogConfig.newBuilder() to construct.
+  private AuditLogConfig(com.google.protobuf.GeneratedMessageV3.Builder builder) {
+    super(builder);
+  }
+
+  private AuditLogConfig() {
+    logType_ = 0;
+    exemptedMembers_ = com.google.protobuf.LazyStringArrayList.EMPTY;
+  }
+
+  @java.lang.Override
+  @SuppressWarnings({"unused"})
+  protected java.lang.Object newInstance(UnusedPrivateParameter unused) {
+    return new AuditLogConfig();
+  }
+
+  @java.lang.Override
+  public final com.google.protobuf.UnknownFieldSet getUnknownFields() {
+    return this.unknownFields;
+  }
+
+  private AuditLogConfig(
+      com.google.protobuf.CodedInputStream input,
+      com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+      throws com.google.protobuf.InvalidProtocolBufferException {
+    this();
+    if (extensionRegistry == null) {
+      throw new java.lang.NullPointerException();
+    }
+    int mutable_bitField0_ = 0;
+    com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+        com.google.protobuf.UnknownFieldSet.newBuilder();
+    try {
+      boolean done = false;
+      while (!done) {
+        int tag = input.readTag();
+        switch (tag) {
+          case 0:
+            done = true;
+            break;
+          case 8:
+            {
+              int rawValue = input.readEnum();
+
+              logType_ = rawValue;
+              break;
+            }
+          case 18:
+            {
+              java.lang.String s = input.readStringRequireUtf8();
+              if (!((mutable_bitField0_ & 0x00000001) != 0)) {
+                exemptedMembers_ = new com.google.protobuf.LazyStringArrayList();
+                mutable_bitField0_ |= 0x00000001;
+              }
+              exemptedMembers_.add(s);
+              break;
+            }
+          default:
+            {
+              if (!parseUnknownField(input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+        }
+      }
+    } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+      throw e.setUnfinishedMessage(this);
+    } catch (java.io.IOException e) {
+      throw new com.google.protobuf.InvalidProtocolBufferException(e).setUnfinishedMessage(this);
+    } finally {
+      if (((mutable_bitField0_ & 0x00000001) != 0)) {
+        exemptedMembers_ = exemptedMembers_.getUnmodifiableView();
+      }
+      this.unknownFields = unknownFields.build();
+      makeExtensionsImmutable();
+    }
+  }
+
+  public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() {
+    return com.google.iam.v1.PolicyProto.internal_static_google_iam_v1_AuditLogConfig_descriptor;
+  }
+
+  @java.lang.Override
+  protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internalGetFieldAccessorTable() {
+    return com.google.iam.v1.PolicyProto
+        .internal_static_google_iam_v1_AuditLogConfig_fieldAccessorTable
+        .ensureFieldAccessorsInitialized(
+            com.google.iam.v1.AuditLogConfig.class, com.google.iam.v1.AuditLogConfig.Builder.class);
+  }
+
+  /**
+   *
+   *
+   * 
+   * The list of valid permission types for which logging can be configured.
+   * Admin writes are always logged, and are not configurable.
+   * 

+   *
+   * Protobuf enum {@code google.iam.v1.AuditLogConfig.LogType}
+   */
+  public enum LogType implements com.google.protobuf.ProtocolMessageEnum {
+    /**
+     *
+     *
+     * 
+     * Default case. Should never be this.
+     * 

+     *
+     * LOG_TYPE_UNSPECIFIED = 0;
+     */
+    LOG_TYPE_UNSPECIFIED(0),
+    /**
+     *
+     *
+     * 
+     * Admin reads. Example: CloudIAM getIamPolicy
+     * 

+     *
+     * ADMIN_READ = 1;
+     */
+    ADMIN_READ(1),
+    /**
+     *
+     *
+     * 
+     * Data writes. Example: CloudSQL Users create
+     * 

+     *
+     * DATA_WRITE = 2;
+     */
+    DATA_WRITE(2),
+    /**
+     *
+     *
+     * 
+     * Data reads. Example: CloudSQL Users list
+     * 

+     *
+     * DATA_READ = 3;
+     */
+    DATA_READ(3),
+    UNRECOGNIZED(-1),
+    ;
+
+    /**
+     *
+     *
+     * 
+     * Default case. Should never be this.
+     * 

+     *
+     * LOG_TYPE_UNSPECIFIED = 0;
+     */
+    public static final int LOG_TYPE_UNSPECIFIED_VALUE = 0;
+    /**
+     *
+     *
+     * 
+     * Admin reads. Example: CloudIAM getIamPolicy
+     * 

+     *
+     * ADMIN_READ = 1;
+     */
+    public static final int ADMIN_READ_VALUE = 1;
+    /**
+     *
+     *
+     * 
+     * Data writes. Example: CloudSQL Users create
+     * 

+     *
+     * DATA_WRITE = 2;
+     */
+    public static final int DATA_WRITE_VALUE = 2;
+    /**
+     *
+     *
+     * 
+     * Data reads. Example: CloudSQL Users list
+     * 

+     *
+     * DATA_READ = 3;
+     */
+    public static final int DATA_READ_VALUE = 3;
+
+    public final int getNumber() {
+      if (this == UNRECOGNIZED) {
+        throw new java.lang.IllegalArgumentException(
+            "Can't get the number of an unknown enum value.");
+      }
+      return value;
+    }
+
+    /**
+     * @param value The numeric wire value of the corresponding enum entry.
+     * @return The enum associated with the given numeric wire value.
+     * @deprecated Use {@link #forNumber(int)} instead.
+     */
+    @java.lang.Deprecated
+    public static LogType valueOf(int value) {
+      return forNumber(value);
+    }
+
+    /**
+     * @param value The numeric wire value of the corresponding enum entry.
+     * @return The enum associated with the given numeric wire value.
+     */
+    public static LogType forNumber(int value) {
+      switch (value) {
+        case 0:
+          return LOG_TYPE_UNSPECIFIED;
+        case 1:
+          return ADMIN_READ;
+        case 2:
+          return DATA_WRITE;
+        case 3:
+          return DATA_READ;
+        default:
+          return null;
+      }
+    }
+
+    public static com.google.protobuf.Internal.EnumLiteMap internalGetValueMap() {
+      return internalValueMap;
+    }
+
+    private static final com.google.protobuf.Internal.EnumLiteMap internalValueMap =
+        new com.google.protobuf.Internal.EnumLiteMap() {
+          public LogType findValueByNumber(int number) {
+            return LogType.forNumber(number);
+          }
+        };
+
+    public final com.google.protobuf.Descriptors.EnumValueDescriptor getValueDescriptor() {
+      if (this == UNRECOGNIZED) {
+        throw new java.lang.IllegalStateException(
+            "Can't get the descriptor of an unrecognized enum value.");
+      }
+      return getDescriptor().getValues().get(ordinal());
+    }
+
+    public final com.google.protobuf.Descriptors.EnumDescriptor getDescriptorForType() {
+      return getDescriptor();
+    }
+
+    public static final com.google.protobuf.Descriptors.EnumDescriptor getDescriptor() {
+      return com.google.iam.v1.AuditLogConfig.getDescriptor().getEnumTypes().get(0);
+    }
+
+    private static final LogType[] VALUES = values();
+
+    public static LogType valueOf(com.google.protobuf.Descriptors.EnumValueDescriptor desc) {
+      if (desc.getType() != getDescriptor()) {
+        throw new java.lang.IllegalArgumentException("EnumValueDescriptor is not for this type.");
+      }
+      if (desc.getIndex() == -1) {
+        return UNRECOGNIZED;
+      }
+      return VALUES[desc.getIndex()];
+    }
+
+    private final int value;
+
+    private LogType(int value) {
+      this.value = value;
+    }
+
+    // @@protoc_insertion_point(enum_scope:google.iam.v1.AuditLogConfig.LogType)
+  }
+
+  public static final int LOG_TYPE_FIELD_NUMBER = 1;
+  private int logType_;
+  /**
+   *
+   *
+   * 
+   * The log type that this config enables.
+   * 

+   *
+   * .google.iam.v1.AuditLogConfig.LogType log_type = 1;
+   *
+   * @return The enum numeric value on the wire for logType.
+   */
+  @java.lang.Override
+  public int getLogTypeValue() {
+    return logType_;
+  }
+  /**
+   *
+   *
+   * 
+   * The log type that this config enables.
+   * 

+   *
+   * .google.iam.v1.AuditLogConfig.LogType log_type = 1;
+   *
+   * @return The logType.
+   */
+  @java.lang.Override
+  public com.google.iam.v1.AuditLogConfig.LogType getLogType() {
+    @SuppressWarnings("deprecation")
+    com.google.iam.v1.AuditLogConfig.LogType result =
+        com.google.iam.v1.AuditLogConfig.LogType.valueOf(logType_);
+    return result == null ? com.google.iam.v1.AuditLogConfig.LogType.UNRECOGNIZED : result;
+  }
+
+  public static final int EXEMPTED_MEMBERS_FIELD_NUMBER = 2;
+  private com.google.protobuf.LazyStringList exemptedMembers_;
+  /**
+   *
+   *
+   * 
+   * Specifies the identities that do not cause logging for this type of
+   * permission.
+   * Follows the same format of [Binding.members][google.iam.v1.Binding.members].
+   * 

+   *
+   * repeated string exempted_members = 2;
+   *
+   * @return A list containing the exemptedMembers.
+   */
+  public com.google.protobuf.ProtocolStringList getExemptedMembersList() {
+    return exemptedMembers_;
+  }
+  /**
+   *
+   *
+   * 
+   * Specifies the identities that do not cause logging for this type of
+   * permission.
+   * Follows the same format of [Binding.members][google.iam.v1.Binding.members].
+   * 

+   *
+   * repeated string exempted_members = 2;
+   *
+   * @return The count of exemptedMembers.
+   */
+  public int getExemptedMembersCount() {
+    return exemptedMembers_.size();
+  }
+  /**
+   *
+   *
+   * 
+   * Specifies the identities that do not cause logging for this type of
+   * permission.
+   * Follows the same format of [Binding.members][google.iam.v1.Binding.members].
+   * 

+   *
+   * repeated string exempted_members = 2;
+   *
+   * @param index The index of the element to return.
+   * @return The exemptedMembers at the given index.
+   */
+  public java.lang.String getExemptedMembers(int index) {
+    return exemptedMembers_.get(index);
+  }
+  /**
+   *
+   *
+   * 
+   * Specifies the identities that do not cause logging for this type of
+   * permission.
+   * Follows the same format of [Binding.members][google.iam.v1.Binding.members].
+   * 

+   *
+   * repeated string exempted_members = 2;
+   *
+   * @param index The index of the value to return.
+   * @return The bytes of the exemptedMembers at the given index.
+   */
+  public com.google.protobuf.ByteString getExemptedMembersBytes(int index) {
+    return exemptedMembers_.getByteString(index);
+  }
+
+  private byte memoizedIsInitialized = -1;
+
+  @java.lang.Override
+  public final boolean isInitialized() {
+    byte isInitialized = memoizedIsInitialized;
+    if (isInitialized == 1) return true;
+    if (isInitialized == 0) return false;
+
+    memoizedIsInitialized = 1;
+    return true;
+  }
+
+  @java.lang.Override
+  public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io.IOException {
+    if (logType_ != com.google.iam.v1.AuditLogConfig.LogType.LOG_TYPE_UNSPECIFIED.getNumber()) {
+      output.writeEnum(1, logType_);
+    }
+    for (int i = 0; i < exemptedMembers_.size(); i++) {
+      com.google.protobuf.GeneratedMessageV3.writeString(output, 2, exemptedMembers_.getRaw(i));
+    }
+    unknownFields.writeTo(output);
+  }
+
+  @java.lang.Override
+  public int getSerializedSize() {
+    int size = memoizedSize;
+    if (size != -1) return size;
+
+    size = 0;
+    if (logType_ != com.google.iam.v1.AuditLogConfig.LogType.LOG_TYPE_UNSPECIFIED.getNumber()) {
+      size += com.google.protobuf.CodedOutputStream.computeEnumSize(1, logType_);
+    }
+    {
+      int dataSize = 0;
+      for (int i = 0; i < exemptedMembers_.size(); i++) {
+        dataSize += computeStringSizeNoTag(exemptedMembers_.getRaw(i));
+      }
+      size += dataSize;
+      size += 1 * getExemptedMembersList().size();
+    }
+    size += unknownFields.getSerializedSize();
+    memoizedSize = size;
+    return size;
+  }
+
+  @java.lang.Override
+  public boolean equals(final java.lang.Object obj) {
+    if (obj == this) {
+      return true;
+    }
+    if (!(obj instanceof com.google.iam.v1.AuditLogConfig)) {
+      return super.equals(obj);
+    }
+    com.google.iam.v1.AuditLogConfig other = (com.google.iam.v1.AuditLogConfig) obj;
+
+    if (logType_ != other.logType_) return false;
+    if (!getExemptedMembersList().equals(other.getExemptedMembersList())) return false;
+    if (!unknownFields.equals(other.unknownFields)) return false;
+    return true;
+  }
+
+  @java.lang.Override
+  public int hashCode() {
+    if (memoizedHashCode != 0) {
+      return memoizedHashCode;
+    }
+    int hash = 41;
+    hash = (19 * hash) + getDescriptor().hashCode();
+    hash = (37 * hash) + LOG_TYPE_FIELD_NUMBER;
+    hash = (53 * hash) + logType_;
+    if (getExemptedMembersCount() > 0) {
+      hash = (37 * hash) + EXEMPTED_MEMBERS_FIELD_NUMBER;
+      hash = (53 * hash) + getExemptedMembersList().hashCode();
+    }
+    hash = (29 * hash) + unknownFields.hashCode();
+    memoizedHashCode = hash;
+    return hash;
+  }
+
+  public static com.google.iam.v1.AuditLogConfig parseFrom(java.nio.ByteBuffer data)
+      throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data);
+  }
+
+  public static com.google.iam.v1.AuditLogConfig parseFrom(
+      java.nio.ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+      throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data, extensionRegistry);
+  }
+
+  public static com.google.iam.v1.AuditLogConfig parseFrom(com.google.protobuf.ByteString data)
+      throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data);
+  }
+
+  public static com.google.iam.v1.AuditLogConfig parseFrom(
+      com.google.protobuf.ByteString data,
+      com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+      throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data, extensionRegistry);
+  }
+
+  public static com.google.iam.v1.AuditLogConfig parseFrom(byte[] data)
+      throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data);
+  }
+
+  public static com.google.iam.v1.AuditLogConfig parseFrom(
+      byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+      throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data, extensionRegistry);
+  }
+
+  public static com.google.iam.v1.AuditLogConfig parseFrom(java.io.InputStream input)
+      throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input);
+  }
+
+  public static com.google.iam.v1.AuditLogConfig parseFrom(
+      java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+      throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseWithIOException(
+        PARSER, input, extensionRegistry);
+  }
+
+  public static com.google.iam.v1.AuditLogConfig parseDelimitedFrom(java.io.InputStream input)
+      throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(PARSER, input);
+  }
+
+  public static com.google.iam.v1.AuditLogConfig parseDelimitedFrom(
+      java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+      throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(
+        PARSER, input, extensionRegistry);
+  }
+
+  public static com.google.iam.v1.AuditLogConfig parseFrom(
+      com.google.protobuf.CodedInputStream input) throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input);
+  }
+
+  public static com.google.iam.v1.AuditLogConfig parseFrom(
+      com.google.protobuf.CodedInputStream input,
+      com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+      throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseWithIOException(
+        PARSER, input, extensionRegistry);
+  }
+
+  @java.lang.Override
+  public Builder newBuilderForType() {
+    return newBuilder();
+  }
+
+  public static Builder newBuilder() {
+    return DEFAULT_INSTANCE.toBuilder();
+  }
+
+  public static Builder newBuilder(com.google.iam.v1.AuditLogConfig prototype) {
+    return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+  }
+
+  @java.lang.Override
+  public Builder toBuilder() {
+    return this == DEFAULT_INSTANCE ? new Builder() : new Builder().mergeFrom(this);
+  }
+
+  @java.lang.Override
+  protected Builder newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+    Builder builder = new Builder(parent);
+    return builder;
+  }
+  /**
+   *
+   *
+   * 
+   * Provides the configuration for logging a type of permissions.
+   * Example:
+   *     {
+   *       "audit_log_configs": [
+   *         {
+   *           "log_type": "DATA_READ",
+   *           "exempted_members": [
+   *             "user:jose@example.com"
+   *           ]
+   *         },
+   *         {
+   *           "log_type": "DATA_WRITE"
+   *         }
+   *       ]
+   *     }
+   * This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
+   * jose@example.com from DATA_READ logging.
+   * 

+   *
+   * Protobuf type {@code google.iam.v1.AuditLogConfig}
+   */
+  public static final class Builder extends com.google.protobuf.GeneratedMessageV3.Builder
+      implements
+      // @@protoc_insertion_point(builder_implements:google.iam.v1.AuditLogConfig)
+      com.google.iam.v1.AuditLogConfigOrBuilder {
+    public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() {
+      return com.google.iam.v1.PolicyProto.internal_static_google_iam_v1_AuditLogConfig_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return com.google.iam.v1.PolicyProto
+          .internal_static_google_iam_v1_AuditLogConfig_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              com.google.iam.v1.AuditLogConfig.class,
+              com.google.iam.v1.AuditLogConfig.Builder.class);
+    }
+
+    // Construct using com.google.iam.v1.AuditLogConfig.newBuilder()
+    private Builder() {
+      maybeForceBuilderInitialization();
+    }
+
+    private Builder(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      super(parent);
+      maybeForceBuilderInitialization();
+    }
+
+    private void maybeForceBuilderInitialization() {
+      if (com.google.protobuf.GeneratedMessageV3.alwaysUseFieldBuilders) {}
+    }
+
+    @java.lang.Override
+    public Builder clear() {
+      super.clear();
+      logType_ = 0;
+
+      exemptedMembers_ = com.google.protobuf.LazyStringArrayList.EMPTY;
+      bitField0_ = (bitField0_ & ~0x00000001);
+      return this;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Descriptors.Descriptor getDescriptorForType() {
+      return com.google.iam.v1.PolicyProto.internal_static_google_iam_v1_AuditLogConfig_descriptor;
+    }
+
+    @java.lang.Override
+    public com.google.iam.v1.AuditLogConfig getDefaultInstanceForType() {
+      return com.google.iam.v1.AuditLogConfig.getDefaultInstance();
+    }
+
+    @java.lang.Override
+    public com.google.iam.v1.AuditLogConfig build() {
+      com.google.iam.v1.AuditLogConfig result = buildPartial();
+      if (!result.isInitialized()) {
+        throw newUninitializedMessageException(result);
+      }
+      return result;
+    }
+
+    @java.lang.Override
+    public com.google.iam.v1.AuditLogConfig buildPartial() {
+      com.google.iam.v1.AuditLogConfig result = new com.google.iam.v1.AuditLogConfig(this);
+      int from_bitField0_ = bitField0_;
+      result.logType_ = logType_;
+      if (((bitField0_ & 0x00000001) != 0)) {
+        exemptedMembers_ = exemptedMembers_.getUnmodifiableView();
+        bitField0_ = (bitField0_ & ~0x00000001);
+      }
+      result.exemptedMembers_ = exemptedMembers_;
+      onBuilt();
+      return result;
+    }
+
+    @java.lang.Override
+    public Builder clone() {
+      return super.clone();
+    }
+
+    @java.lang.Override
+    public Builder setField(
+        com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) {
+      return super.setField(field, value);
+    }
+
+    @java.lang.Override
+    public Builder clearField(com.google.protobuf.Descriptors.FieldDescriptor field) {
+      return super.clearField(field);
+    }
+
+    @java.lang.Override
+    public Builder clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+      return super.clearOneof(oneof);
+    }
+
+    @java.lang.Override
+    public Builder setRepeatedField(
+        com.google.protobuf.Descriptors.FieldDescriptor field, int index, java.lang.Object value) {
+      return super.setRepeatedField(field, index, value);
+    }
+
+    @java.lang.Override
+    public Builder addRepeatedField(
+        com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) {
+      return super.addRepeatedField(field, value);
+    }
+
+    @java.lang.Override
+    public Builder mergeFrom(com.google.protobuf.Message other) {
+      if (other instanceof com.google.iam.v1.AuditLogConfig) {
+        return mergeFrom((com.google.iam.v1.AuditLogConfig) other);
+      } else {
+        super.mergeFrom(other);
+        return this;
+      }
+    }
+
+    public Builder mergeFrom(com.google.iam.v1.AuditLogConfig other) {
+      if (other == com.google.iam.v1.AuditLogConfig.getDefaultInstance()) return this;
+      if (other.logType_ != 0) {
+        setLogTypeValue(other.getLogTypeValue());
+      }
+      if (!other.exemptedMembers_.isEmpty()) {
+        if (exemptedMembers_.isEmpty()) {
+          exemptedMembers_ = other.exemptedMembers_;
+          bitField0_ = (bitField0_ & ~0x00000001);
+        } else {
+          ensureExemptedMembersIsMutable();
+          exemptedMembers_.addAll(other.exemptedMembers_);
+        }
+        onChanged();
+      }
+      this.mergeUnknownFields(other.unknownFields);
+      onChanged();
+      return this;
+    }
+
+    @java.lang.Override
+    public final boolean isInitialized() {
+      return true;
+    }
+
+    @java.lang.Override
+    public Builder mergeFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      com.google.iam.v1.AuditLogConfig parsedMessage = null;
+      try {
+        parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        parsedMessage = (com.google.iam.v1.AuditLogConfig) e.getUnfinishedMessage();
+        throw e.unwrapIOException();
+      } finally {
+        if (parsedMessage != null) {
+          mergeFrom(parsedMessage);
+        }
+      }
+      return this;
+    }
+
+    private int bitField0_;
+
+    private int logType_ = 0;
+    /**
+     *
+     *
+     * 
+     * The log type that this config enables.
+     * 

+     *
+     * .google.iam.v1.AuditLogConfig.LogType log_type = 1;
+     *
+     * @return The enum numeric value on the wire for logType.
+     */
+    @java.lang.Override
+    public int getLogTypeValue() {
+      return logType_;
+    }
+    /**
+     *
+     *
+     * 
+     * The log type that this config enables.
+     * 

+     *
+     * .google.iam.v1.AuditLogConfig.LogType log_type = 1;
+     *
+     * @param value The enum numeric value on the wire for logType to set.
+     * @return This builder for chaining.
+     */
+    public Builder setLogTypeValue(int value) {
+
+      logType_ = value;
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * The log type that this config enables.
+     * 

+     *
+     * .google.iam.v1.AuditLogConfig.LogType log_type = 1;
+     *
+     * @return The logType.
+     */
+    @java.lang.Override
+    public com.google.iam.v1.AuditLogConfig.LogType getLogType() {
+      @SuppressWarnings("deprecation")
+      com.google.iam.v1.AuditLogConfig.LogType result =
+          com.google.iam.v1.AuditLogConfig.LogType.valueOf(logType_);
+      return result == null ? com.google.iam.v1.AuditLogConfig.LogType.UNRECOGNIZED : result;
+    }
+    /**
+     *
+     *
+     * 
+     * The log type that this config enables.
+     * 

+     *
+     * .google.iam.v1.AuditLogConfig.LogType log_type = 1;
+     *
+     * @param value The logType to set.
+     * @return This builder for chaining.
+     */
+    public Builder setLogType(com.google.iam.v1.AuditLogConfig.LogType value) {
+      if (value == null) {
+        throw new NullPointerException();
+      }
+
+      logType_ = value.getNumber();
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * The log type that this config enables.
+     * 

+     *
+     * .google.iam.v1.AuditLogConfig.LogType log_type = 1;
+     *
+     * @return This builder for chaining.
+     */
+    public Builder clearLogType() {
+
+      logType_ = 0;
+      onChanged();
+      return this;
+    }
+
+    private com.google.protobuf.LazyStringList exemptedMembers_ =
+        com.google.protobuf.LazyStringArrayList.EMPTY;
+
+    private void ensureExemptedMembersIsMutable() {
+      if (!((bitField0_ & 0x00000001) != 0)) {
+        exemptedMembers_ = new com.google.protobuf.LazyStringArrayList(exemptedMembers_);
+        bitField0_ |= 0x00000001;
+      }
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies the identities that do not cause logging for this type of
+     * permission.
+     * Follows the same format of [Binding.members][google.iam.v1.Binding.members].
+     * 

+     *
+     * repeated string exempted_members = 2;
+     *
+     * @return A list containing the exemptedMembers.
+     */
+    public com.google.protobuf.ProtocolStringList getExemptedMembersList() {
+      return exemptedMembers_.getUnmodifiableView();
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies the identities that do not cause logging for this type of
+     * permission.
+     * Follows the same format of [Binding.members][google.iam.v1.Binding.members].
+     * 

+     *
+     * repeated string exempted_members = 2;
+     *
+     * @return The count of exemptedMembers.
+     */
+    public int getExemptedMembersCount() {
+      return exemptedMembers_.size();
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies the identities that do not cause logging for this type of
+     * permission.
+     * Follows the same format of [Binding.members][google.iam.v1.Binding.members].
+     * 

+     *
+     * repeated string exempted_members = 2;
+     *
+     * @param index The index of the element to return.
+     * @return The exemptedMembers at the given index.
+     */
+    public java.lang.String getExemptedMembers(int index) {
+      return exemptedMembers_.get(index);
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies the identities that do not cause logging for this type of
+     * permission.
+     * Follows the same format of [Binding.members][google.iam.v1.Binding.members].
+     * 

+     *
+     * repeated string exempted_members = 2;
+     *
+     * @param index The index of the value to return.
+     * @return The bytes of the exemptedMembers at the given index.
+     */
+    public com.google.protobuf.ByteString getExemptedMembersBytes(int index) {
+      return exemptedMembers_.getByteString(index);
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies the identities that do not cause logging for this type of
+     * permission.
+     * Follows the same format of [Binding.members][google.iam.v1.Binding.members].
+     * 

+     *
+     * repeated string exempted_members = 2;
+     *
+     * @param index The index to set the value at.
+     * @param value The exemptedMembers to set.
+     * @return This builder for chaining.
+     */
+    public Builder setExemptedMembers(int index, java.lang.String value) {
+      if (value == null) {
+        throw new NullPointerException();
+      }
+      ensureExemptedMembersIsMutable();
+      exemptedMembers_.set(index, value);
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies the identities that do not cause logging for this type of
+     * permission.
+     * Follows the same format of [Binding.members][google.iam.v1.Binding.members].
+     * 

+     *
+     * repeated string exempted_members = 2;
+     *
+     * @param value The exemptedMembers to add.
+     * @return This builder for chaining.
+     */
+    public Builder addExemptedMembers(java.lang.String value) {
+      if (value == null) {
+        throw new NullPointerException();
+      }
+      ensureExemptedMembersIsMutable();
+      exemptedMembers_.add(value);
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies the identities that do not cause logging for this type of
+     * permission.
+     * Follows the same format of [Binding.members][google.iam.v1.Binding.members].
+     * 

+     *
+     * repeated string exempted_members = 2;
+     *
+     * @param values The exemptedMembers to add.
+     * @return This builder for chaining.
+     */
+    public Builder addAllExemptedMembers(java.lang.Iterable values) {
+      ensureExemptedMembersIsMutable();
+      com.google.protobuf.AbstractMessageLite.Builder.addAll(values, exemptedMembers_);
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies the identities that do not cause logging for this type of
+     * permission.
+     * Follows the same format of [Binding.members][google.iam.v1.Binding.members].
+     * 

+     *
+     * repeated string exempted_members = 2;
+     *
+     * @return This builder for chaining.
+     */
+    public Builder clearExemptedMembers() {
+      exemptedMembers_ = com.google.protobuf.LazyStringArrayList.EMPTY;
+      bitField0_ = (bitField0_ & ~0x00000001);
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies the identities that do not cause logging for this type of
+     * permission.
+     * Follows the same format of [Binding.members][google.iam.v1.Binding.members].
+     * 

+     *
+     * repeated string exempted_members = 2;
+     *
+     * @param value The bytes of the exemptedMembers to add.
+     * @return This builder for chaining.
+     */
+    public Builder addExemptedMembersBytes(com.google.protobuf.ByteString value) {
+      if (value == null) {
+        throw new NullPointerException();
+      }
+      checkByteStringIsUtf8(value);
+      ensureExemptedMembersIsMutable();
+      exemptedMembers_.add(value);
+      onChanged();
+      return this;
+    }
+
+    @java.lang.Override
+    public final Builder setUnknownFields(final com.google.protobuf.UnknownFieldSet unknownFields) {
+      return super.setUnknownFields(unknownFields);
+    }
+
+    @java.lang.Override
+    public final Builder mergeUnknownFields(
+        final com.google.protobuf.UnknownFieldSet unknownFields) {
+      return super.mergeUnknownFields(unknownFields);
+    }
+
+    // @@protoc_insertion_point(builder_scope:google.iam.v1.AuditLogConfig)
+  }
+
+  // @@protoc_insertion_point(class_scope:google.iam.v1.AuditLogConfig)
+  private static final com.google.iam.v1.AuditLogConfig DEFAULT_INSTANCE;
+
+  static {
+    DEFAULT_INSTANCE = new com.google.iam.v1.AuditLogConfig();
+  }
+
+  public static com.google.iam.v1.AuditLogConfig getDefaultInstance() {
+    return DEFAULT_INSTANCE;
+  }
+
+  private static final com.google.protobuf.Parser PARSER =
+      new com.google.protobuf.AbstractParser() {
+        @java.lang.Override
+        public AuditLogConfig parsePartialFrom(
+            com.google.protobuf.CodedInputStream input,
+            com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+            throws com.google.protobuf.InvalidProtocolBufferException {
+          return new AuditLogConfig(input, extensionRegistry);
+        }
+      };
+
+  public static com.google.protobuf.Parser parser() {
+    return PARSER;
+  }
+
+  @java.lang.Override
+  public com.google.protobuf.Parser getParserForType() {
+    return PARSER;
+  }
+
+  @java.lang.Override
+  public com.google.iam.v1.AuditLogConfig getDefaultInstanceForType() {
+    return DEFAULT_INSTANCE;
+  }
+}
diff --git a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/AuditLogConfigOrBuilder.java b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/AuditLogConfigOrBuilder.java
new file mode 100644
index 0000000000..c6371c5c0a
--- /dev/null
+++ b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/AuditLogConfigOrBuilder.java
@@ -0,0 +1,109 @@
+/*
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+// Generated by the protocol buffer compiler.  DO NOT EDIT!
+// source: google/iam/v1/policy.proto
+
+package com.google.iam.v1;
+
+public interface AuditLogConfigOrBuilder
+    extends
+    // @@protoc_insertion_point(interface_extends:google.iam.v1.AuditLogConfig)
+    com.google.protobuf.MessageOrBuilder {
+
+  /**
+   *
+   *
+   * 
+   * The log type that this config enables.
+   * 

+   *
+   * .google.iam.v1.AuditLogConfig.LogType log_type = 1;
+   *
+   * @return The enum numeric value on the wire for logType.
+   */
+  int getLogTypeValue();
+  /**
+   *
+   *
+   * 
+   * The log type that this config enables.
+   * 

+   *
+   * .google.iam.v1.AuditLogConfig.LogType log_type = 1;
+   *
+   * @return The logType.
+   */
+  com.google.iam.v1.AuditLogConfig.LogType getLogType();
+
+  /**
+   *
+   *
+   * 
+   * Specifies the identities that do not cause logging for this type of
+   * permission.
+   * Follows the same format of [Binding.members][google.iam.v1.Binding.members].
+   * 

+   *
+   * repeated string exempted_members = 2;
+   *
+   * @return A list containing the exemptedMembers.
+   */
+  java.util.List getExemptedMembersList();
+  /**
+   *
+   *
+   * 
+   * Specifies the identities that do not cause logging for this type of
+   * permission.
+   * Follows the same format of [Binding.members][google.iam.v1.Binding.members].
+   * 

+   *
+   * repeated string exempted_members = 2;
+   *
+   * @return The count of exemptedMembers.
+   */
+  int getExemptedMembersCount();
+  /**
+   *
+   *
+   * 
+   * Specifies the identities that do not cause logging for this type of
+   * permission.
+   * Follows the same format of [Binding.members][google.iam.v1.Binding.members].
+   * 

+   *
+   * repeated string exempted_members = 2;
+   *
+   * @param index The index of the element to return.
+   * @return The exemptedMembers at the given index.
+   */
+  java.lang.String getExemptedMembers(int index);
+  /**
+   *
+   *
+   * 
+   * Specifies the identities that do not cause logging for this type of
+   * permission.
+   * Follows the same format of [Binding.members][google.iam.v1.Binding.members].
+   * 

+   *
+   * repeated string exempted_members = 2;
+   *
+   * @param index The index of the value to return.
+   * @return The bytes of the exemptedMembers at the given index.
+   */
+  com.google.protobuf.ByteString getExemptedMembersBytes(int index);
+}
diff --git a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/Binding.java b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/Binding.java
index b85e84070e..219872a2bc 100644
--- a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/Binding.java
+++ b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/Binding.java
@@ -22,7 +22,7 @@
  *
  *
  * 
- * Associates `members` with a `role`.
+ * Associates `members`, or principals, with a `role`.
  * 

  *
  * Protobuf type {@code google.iam.v1.Binding}
@@ -143,7 +143,7 @@ public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() {
    *
    *
    * 
-   * Role that is assigned to `members`.
+   * Role that is assigned to the list of `members`, or principals.
    * For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
    * 

    *
@@ -167,7 +167,7 @@ public java.lang.String getRole() {
    *
    *
    * 
-   * Role that is assigned to `members`.
+   * Role that is assigned to the list of `members`, or principals.
    * For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
    * 

    *
@@ -194,7 +194,7 @@ public com.google.protobuf.ByteString getRoleBytes() {
    *
    *
    * 
-   * Specifies the identities requesting access for a Cloud Platform resource.
+   * Specifies the principals requesting access for a Cloud Platform resource.
    * `members` can have the following values:
    * * `allUsers`: A special identifier that represents anyone who is
    *    on the internet; with or without a Google account.
@@ -206,6 +206,23 @@ public com.google.protobuf.ByteString getRoleBytes() {
    *    account. For example, `my-other-app@appspot.gserviceaccount.com`.
    * * `group:{emailid}`: An email address that represents a Google group.
    *    For example, `admins@example.com`.
+   * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+   *    identifier) representing a user that has been recently deleted. For
+   *    example, `alice@example.com?uid=123456789012345678901`. If the user is
+   *    recovered, this value reverts to `user:{emailid}` and the recovered user
+   *    retains the role in the binding.
+   * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+   *    unique identifier) representing a service account that has been recently
+   *    deleted. For example,
+   *    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+   *    If the service account is undeleted, this value reverts to
+   *    `serviceAccount:{emailid}` and the undeleted service account retains the
+   *    role in the binding.
+   * * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+   *    identifier) representing a Google group that has been recently
+   *    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+   *    the group is recovered, this value reverts to `group:{emailid}` and the
+   *    recovered group retains the role in the binding.
    * * `domain:{domain}`: The G Suite domain (primary) that represents all the
    *    users of that domain. For example, `google.com` or `example.com`.
    * 

@@ -221,7 +238,7 @@ public com.google.protobuf.ProtocolStringList getMembersList() {
    *
    *
    * 
-   * Specifies the identities requesting access for a Cloud Platform resource.
+   * Specifies the principals requesting access for a Cloud Platform resource.
    * `members` can have the following values:
    * * `allUsers`: A special identifier that represents anyone who is
    *    on the internet; with or without a Google account.
@@ -233,6 +250,23 @@ public com.google.protobuf.ProtocolStringList getMembersList() {
    *    account. For example, `my-other-app@appspot.gserviceaccount.com`.
    * * `group:{emailid}`: An email address that represents a Google group.
    *    For example, `admins@example.com`.
+   * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+   *    identifier) representing a user that has been recently deleted. For
+   *    example, `alice@example.com?uid=123456789012345678901`. If the user is
+   *    recovered, this value reverts to `user:{emailid}` and the recovered user
+   *    retains the role in the binding.
+   * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+   *    unique identifier) representing a service account that has been recently
+   *    deleted. For example,
+   *    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+   *    If the service account is undeleted, this value reverts to
+   *    `serviceAccount:{emailid}` and the undeleted service account retains the
+   *    role in the binding.
+   * * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+   *    identifier) representing a Google group that has been recently
+   *    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+   *    the group is recovered, this value reverts to `group:{emailid}` and the
+   *    recovered group retains the role in the binding.
    * * `domain:{domain}`: The G Suite domain (primary) that represents all the
    *    users of that domain. For example, `google.com` or `example.com`.
    * 

@@ -248,7 +282,7 @@ public int getMembersCount() {
    *
    *
    * 
-   * Specifies the identities requesting access for a Cloud Platform resource.
+   * Specifies the principals requesting access for a Cloud Platform resource.
    * `members` can have the following values:
    * * `allUsers`: A special identifier that represents anyone who is
    *    on the internet; with or without a Google account.
@@ -260,6 +294,23 @@ public int getMembersCount() {
    *    account. For example, `my-other-app@appspot.gserviceaccount.com`.
    * * `group:{emailid}`: An email address that represents a Google group.
    *    For example, `admins@example.com`.
+   * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+   *    identifier) representing a user that has been recently deleted. For
+   *    example, `alice@example.com?uid=123456789012345678901`. If the user is
+   *    recovered, this value reverts to `user:{emailid}` and the recovered user
+   *    retains the role in the binding.
+   * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+   *    unique identifier) representing a service account that has been recently
+   *    deleted. For example,
+   *    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+   *    If the service account is undeleted, this value reverts to
+   *    `serviceAccount:{emailid}` and the undeleted service account retains the
+   *    role in the binding.
+   * * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+   *    identifier) representing a Google group that has been recently
+   *    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+   *    the group is recovered, this value reverts to `group:{emailid}` and the
+   *    recovered group retains the role in the binding.
    * * `domain:{domain}`: The G Suite domain (primary) that represents all the
    *    users of that domain. For example, `google.com` or `example.com`.
    * 

@@ -276,7 +327,7 @@ public java.lang.String getMembers(int index) {
    *
    *
    * 
-   * Specifies the identities requesting access for a Cloud Platform resource.
+   * Specifies the principals requesting access for a Cloud Platform resource.
    * `members` can have the following values:
    * * `allUsers`: A special identifier that represents anyone who is
    *    on the internet; with or without a Google account.
@@ -288,6 +339,23 @@ public java.lang.String getMembers(int index) {
    *    account. For example, `my-other-app@appspot.gserviceaccount.com`.
    * * `group:{emailid}`: An email address that represents a Google group.
    *    For example, `admins@example.com`.
+   * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+   *    identifier) representing a user that has been recently deleted. For
+   *    example, `alice@example.com?uid=123456789012345678901`. If the user is
+   *    recovered, this value reverts to `user:{emailid}` and the recovered user
+   *    retains the role in the binding.
+   * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+   *    unique identifier) representing a service account that has been recently
+   *    deleted. For example,
+   *    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+   *    If the service account is undeleted, this value reverts to
+   *    `serviceAccount:{emailid}` and the undeleted service account retains the
+   *    role in the binding.
+   * * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+   *    identifier) representing a Google group that has been recently
+   *    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+   *    the group is recovered, this value reverts to `group:{emailid}` and the
+   *    recovered group retains the role in the binding.
    * * `domain:{domain}`: The G Suite domain (primary) that represents all the
    *    users of that domain. For example, `google.com` or `example.com`.
    * 

@@ -308,9 +376,14 @@ public com.google.protobuf.ByteString getMembersBytes(int index) {
    *
    * 
    * The condition that is associated with this binding.
-   * NOTE: An unsatisfied condition will not allow user access via current
-   * binding. Different bindings, including their conditions, are examined
-   * independently.
+   * If the condition evaluates to `true`, then this binding applies to the
+   * current request.
+   * If the condition evaluates to `false`, then this binding does not apply to
+   * the current request. However, a different role binding might grant the same
+   * role to one or more of the principals in this binding.
+   * To learn which resources support conditions in their IAM policies, see the
+   * [IAM
+   * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
    * 

    *
    * .google.type.Expr condition = 3;
@@ -326,9 +399,14 @@ public boolean hasCondition() {
    *
    * 
    * The condition that is associated with this binding.
-   * NOTE: An unsatisfied condition will not allow user access via current
-   * binding. Different bindings, including their conditions, are examined
-   * independently.
+   * If the condition evaluates to `true`, then this binding applies to the
+   * current request.
+   * If the condition evaluates to `false`, then this binding does not apply to
+   * the current request. However, a different role binding might grant the same
+   * role to one or more of the principals in this binding.
+   * To learn which resources support conditions in their IAM policies, see the
+   * [IAM
+   * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
    * 

    *
    * .google.type.Expr condition = 3;
@@ -344,9 +422,14 @@ public com.google.type.Expr getCondition() {
    *
    * 
    * The condition that is associated with this binding.
-   * NOTE: An unsatisfied condition will not allow user access via current
-   * binding. Different bindings, including their conditions, are examined
-   * independently.
+   * If the condition evaluates to `true`, then this binding applies to the
+   * current request.
+   * If the condition evaluates to `false`, then this binding does not apply to
+   * the current request. However, a different role binding might grant the same
+   * role to one or more of the principals in this binding.
+   * To learn which resources support conditions in their IAM policies, see the
+   * [IAM
+   * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
    * 

    *
    * .google.type.Expr condition = 3;
@@ -547,7 +630,7 @@ protected Builder newBuilderForType(com.google.protobuf.GeneratedMessageV3.Build
    *
    *
    * 
-   * Associates `members` with a `role`.
+   * Associates `members`, or principals, with a `role`.
    * 

    *
    * Protobuf type {@code google.iam.v1.Binding}
@@ -734,7 +817,7 @@ public Builder mergeFrom(
      *
      *
      * 
-     * Role that is assigned to `members`.
+     * Role that is assigned to the list of `members`, or principals.
      * For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
      * 

      *
@@ -757,7 +840,7 @@ public java.lang.String getRole() {
      *
      *
      * 
-     * Role that is assigned to `members`.
+     * Role that is assigned to the list of `members`, or principals.
      * For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
      * 

      *
@@ -780,7 +863,7 @@ public com.google.protobuf.ByteString getRoleBytes() {
      *
      *
      * 
-     * Role that is assigned to `members`.
+     * Role that is assigned to the list of `members`, or principals.
      * For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
      * 

      *
@@ -802,7 +885,7 @@ public Builder setRole(java.lang.String value) {
      *
      *
      * 
-     * Role that is assigned to `members`.
+     * Role that is assigned to the list of `members`, or principals.
      * For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
      * 

      *
@@ -820,7 +903,7 @@ public Builder clearRole() {
      *
      *
      * 
-     * Role that is assigned to `members`.
+     * Role that is assigned to the list of `members`, or principals.
      * For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
      * 

      *
@@ -853,7 +936,7 @@ private void ensureMembersIsMutable() {
      *
      *
      * 
-     * Specifies the identities requesting access for a Cloud Platform resource.
+     * Specifies the principals requesting access for a Cloud Platform resource.
      * `members` can have the following values:
      * * `allUsers`: A special identifier that represents anyone who is
      *    on the internet; with or without a Google account.
@@ -865,6 +948,23 @@ private void ensureMembersIsMutable() {
      *    account. For example, `my-other-app@appspot.gserviceaccount.com`.
      * * `group:{emailid}`: An email address that represents a Google group.
      *    For example, `admins@example.com`.
+     * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a user that has been recently deleted. For
+     *    example, `alice@example.com?uid=123456789012345678901`. If the user is
+     *    recovered, this value reverts to `user:{emailid}` and the recovered user
+     *    retains the role in the binding.
+     * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+     *    unique identifier) representing a service account that has been recently
+     *    deleted. For example,
+     *    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+     *    If the service account is undeleted, this value reverts to
+     *    `serviceAccount:{emailid}` and the undeleted service account retains the
+     *    role in the binding.
+     * * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a Google group that has been recently
+     *    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+     *    the group is recovered, this value reverts to `group:{emailid}` and the
+     *    recovered group retains the role in the binding.
      * * `domain:{domain}`: The G Suite domain (primary) that represents all the
      *    users of that domain. For example, `google.com` or `example.com`.
      * 

@@ -880,7 +980,7 @@ public com.google.protobuf.ProtocolStringList getMembersList() {
      *
      *
      * 
-     * Specifies the identities requesting access for a Cloud Platform resource.
+     * Specifies the principals requesting access for a Cloud Platform resource.
      * `members` can have the following values:
      * * `allUsers`: A special identifier that represents anyone who is
      *    on the internet; with or without a Google account.
@@ -892,6 +992,23 @@ public com.google.protobuf.ProtocolStringList getMembersList() {
      *    account. For example, `my-other-app@appspot.gserviceaccount.com`.
      * * `group:{emailid}`: An email address that represents a Google group.
      *    For example, `admins@example.com`.
+     * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a user that has been recently deleted. For
+     *    example, `alice@example.com?uid=123456789012345678901`. If the user is
+     *    recovered, this value reverts to `user:{emailid}` and the recovered user
+     *    retains the role in the binding.
+     * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+     *    unique identifier) representing a service account that has been recently
+     *    deleted. For example,
+     *    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+     *    If the service account is undeleted, this value reverts to
+     *    `serviceAccount:{emailid}` and the undeleted service account retains the
+     *    role in the binding.
+     * * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a Google group that has been recently
+     *    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+     *    the group is recovered, this value reverts to `group:{emailid}` and the
+     *    recovered group retains the role in the binding.
      * * `domain:{domain}`: The G Suite domain (primary) that represents all the
      *    users of that domain. For example, `google.com` or `example.com`.
      * 

@@ -907,7 +1024,7 @@ public int getMembersCount() {
      *
      *
      * 
-     * Specifies the identities requesting access for a Cloud Platform resource.
+     * Specifies the principals requesting access for a Cloud Platform resource.
      * `members` can have the following values:
      * * `allUsers`: A special identifier that represents anyone who is
      *    on the internet; with or without a Google account.
@@ -919,6 +1036,23 @@ public int getMembersCount() {
      *    account. For example, `my-other-app@appspot.gserviceaccount.com`.
      * * `group:{emailid}`: An email address that represents a Google group.
      *    For example, `admins@example.com`.
+     * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a user that has been recently deleted. For
+     *    example, `alice@example.com?uid=123456789012345678901`. If the user is
+     *    recovered, this value reverts to `user:{emailid}` and the recovered user
+     *    retains the role in the binding.
+     * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+     *    unique identifier) representing a service account that has been recently
+     *    deleted. For example,
+     *    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+     *    If the service account is undeleted, this value reverts to
+     *    `serviceAccount:{emailid}` and the undeleted service account retains the
+     *    role in the binding.
+     * * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a Google group that has been recently
+     *    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+     *    the group is recovered, this value reverts to `group:{emailid}` and the
+     *    recovered group retains the role in the binding.
      * * `domain:{domain}`: The G Suite domain (primary) that represents all the
      *    users of that domain. For example, `google.com` or `example.com`.
      * 

@@ -935,7 +1069,7 @@ public java.lang.String getMembers(int index) {
      *
      *
      * 
-     * Specifies the identities requesting access for a Cloud Platform resource.
+     * Specifies the principals requesting access for a Cloud Platform resource.
      * `members` can have the following values:
      * * `allUsers`: A special identifier that represents anyone who is
      *    on the internet; with or without a Google account.
@@ -947,6 +1081,23 @@ public java.lang.String getMembers(int index) {
      *    account. For example, `my-other-app@appspot.gserviceaccount.com`.
      * * `group:{emailid}`: An email address that represents a Google group.
      *    For example, `admins@example.com`.
+     * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a user that has been recently deleted. For
+     *    example, `alice@example.com?uid=123456789012345678901`. If the user is
+     *    recovered, this value reverts to `user:{emailid}` and the recovered user
+     *    retains the role in the binding.
+     * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+     *    unique identifier) representing a service account that has been recently
+     *    deleted. For example,
+     *    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+     *    If the service account is undeleted, this value reverts to
+     *    `serviceAccount:{emailid}` and the undeleted service account retains the
+     *    role in the binding.
+     * * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a Google group that has been recently
+     *    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+     *    the group is recovered, this value reverts to `group:{emailid}` and the
+     *    recovered group retains the role in the binding.
      * * `domain:{domain}`: The G Suite domain (primary) that represents all the
      *    users of that domain. For example, `google.com` or `example.com`.
      * 

@@ -963,7 +1114,7 @@ public com.google.protobuf.ByteString getMembersBytes(int index) {
      *
      *
      * 
-     * Specifies the identities requesting access for a Cloud Platform resource.
+     * Specifies the principals requesting access for a Cloud Platform resource.
      * `members` can have the following values:
      * * `allUsers`: A special identifier that represents anyone who is
      *    on the internet; with or without a Google account.
@@ -975,6 +1126,23 @@ public com.google.protobuf.ByteString getMembersBytes(int index) {
      *    account. For example, `my-other-app@appspot.gserviceaccount.com`.
      * * `group:{emailid}`: An email address that represents a Google group.
      *    For example, `admins@example.com`.
+     * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a user that has been recently deleted. For
+     *    example, `alice@example.com?uid=123456789012345678901`. If the user is
+     *    recovered, this value reverts to `user:{emailid}` and the recovered user
+     *    retains the role in the binding.
+     * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+     *    unique identifier) representing a service account that has been recently
+     *    deleted. For example,
+     *    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+     *    If the service account is undeleted, this value reverts to
+     *    `serviceAccount:{emailid}` and the undeleted service account retains the
+     *    role in the binding.
+     * * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a Google group that has been recently
+     *    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+     *    the group is recovered, this value reverts to `group:{emailid}` and the
+     *    recovered group retains the role in the binding.
      * * `domain:{domain}`: The G Suite domain (primary) that represents all the
      *    users of that domain. For example, `google.com` or `example.com`.
      * 

@@ -998,7 +1166,7 @@ public Builder setMembers(int index, java.lang.String value) {
      *
      *
      * 
-     * Specifies the identities requesting access for a Cloud Platform resource.
+     * Specifies the principals requesting access for a Cloud Platform resource.
      * `members` can have the following values:
      * * `allUsers`: A special identifier that represents anyone who is
      *    on the internet; with or without a Google account.
@@ -1010,6 +1178,23 @@ public Builder setMembers(int index, java.lang.String value) {
      *    account. For example, `my-other-app@appspot.gserviceaccount.com`.
      * * `group:{emailid}`: An email address that represents a Google group.
      *    For example, `admins@example.com`.
+     * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a user that has been recently deleted. For
+     *    example, `alice@example.com?uid=123456789012345678901`. If the user is
+     *    recovered, this value reverts to `user:{emailid}` and the recovered user
+     *    retains the role in the binding.
+     * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+     *    unique identifier) representing a service account that has been recently
+     *    deleted. For example,
+     *    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+     *    If the service account is undeleted, this value reverts to
+     *    `serviceAccount:{emailid}` and the undeleted service account retains the
+     *    role in the binding.
+     * * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a Google group that has been recently
+     *    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+     *    the group is recovered, this value reverts to `group:{emailid}` and the
+     *    recovered group retains the role in the binding.
      * * `domain:{domain}`: The G Suite domain (primary) that represents all the
      *    users of that domain. For example, `google.com` or `example.com`.
      * 

@@ -1032,7 +1217,7 @@ public Builder addMembers(java.lang.String value) {
      *
      *
      * 
-     * Specifies the identities requesting access for a Cloud Platform resource.
+     * Specifies the principals requesting access for a Cloud Platform resource.
      * `members` can have the following values:
      * * `allUsers`: A special identifier that represents anyone who is
      *    on the internet; with or without a Google account.
@@ -1044,6 +1229,23 @@ public Builder addMembers(java.lang.String value) {
      *    account. For example, `my-other-app@appspot.gserviceaccount.com`.
      * * `group:{emailid}`: An email address that represents a Google group.
      *    For example, `admins@example.com`.
+     * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a user that has been recently deleted. For
+     *    example, `alice@example.com?uid=123456789012345678901`. If the user is
+     *    recovered, this value reverts to `user:{emailid}` and the recovered user
+     *    retains the role in the binding.
+     * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+     *    unique identifier) representing a service account that has been recently
+     *    deleted. For example,
+     *    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+     *    If the service account is undeleted, this value reverts to
+     *    `serviceAccount:{emailid}` and the undeleted service account retains the
+     *    role in the binding.
+     * * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a Google group that has been recently
+     *    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+     *    the group is recovered, this value reverts to `group:{emailid}` and the
+     *    recovered group retains the role in the binding.
      * * `domain:{domain}`: The G Suite domain (primary) that represents all the
      *    users of that domain. For example, `google.com` or `example.com`.
      * 

@@ -1063,7 +1265,7 @@ public Builder addAllMembers(java.lang.Iterable values) {
      *
      *
      * 
-     * Specifies the identities requesting access for a Cloud Platform resource.
+     * Specifies the principals requesting access for a Cloud Platform resource.
      * `members` can have the following values:
      * * `allUsers`: A special identifier that represents anyone who is
      *    on the internet; with or without a Google account.
@@ -1075,6 +1277,23 @@ public Builder addAllMembers(java.lang.Iterable values) {
      *    account. For example, `my-other-app@appspot.gserviceaccount.com`.
      * * `group:{emailid}`: An email address that represents a Google group.
      *    For example, `admins@example.com`.
+     * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a user that has been recently deleted. For
+     *    example, `alice@example.com?uid=123456789012345678901`. If the user is
+     *    recovered, this value reverts to `user:{emailid}` and the recovered user
+     *    retains the role in the binding.
+     * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+     *    unique identifier) representing a service account that has been recently
+     *    deleted. For example,
+     *    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+     *    If the service account is undeleted, this value reverts to
+     *    `serviceAccount:{emailid}` and the undeleted service account retains the
+     *    role in the binding.
+     * * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a Google group that has been recently
+     *    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+     *    the group is recovered, this value reverts to `group:{emailid}` and the
+     *    recovered group retains the role in the binding.
      * * `domain:{domain}`: The G Suite domain (primary) that represents all the
      *    users of that domain. For example, `google.com` or `example.com`.
      * 

@@ -1093,7 +1312,7 @@ public Builder clearMembers() {
      *
      *
      * 
-     * Specifies the identities requesting access for a Cloud Platform resource.
+     * Specifies the principals requesting access for a Cloud Platform resource.
      * `members` can have the following values:
      * * `allUsers`: A special identifier that represents anyone who is
      *    on the internet; with or without a Google account.
@@ -1105,6 +1324,23 @@ public Builder clearMembers() {
      *    account. For example, `my-other-app@appspot.gserviceaccount.com`.
      * * `group:{emailid}`: An email address that represents a Google group.
      *    For example, `admins@example.com`.
+     * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a user that has been recently deleted. For
+     *    example, `alice@example.com?uid=123456789012345678901`. If the user is
+     *    recovered, this value reverts to `user:{emailid}` and the recovered user
+     *    retains the role in the binding.
+     * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+     *    unique identifier) representing a service account that has been recently
+     *    deleted. For example,
+     *    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+     *    If the service account is undeleted, this value reverts to
+     *    `serviceAccount:{emailid}` and the undeleted service account retains the
+     *    role in the binding.
+     * * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+     *    identifier) representing a Google group that has been recently
+     *    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+     *    the group is recovered, this value reverts to `group:{emailid}` and the
+     *    recovered group retains the role in the binding.
      * * `domain:{domain}`: The G Suite domain (primary) that represents all the
      *    users of that domain. For example, `google.com` or `example.com`.
      * 

@@ -1134,9 +1370,14 @@ public Builder addMembersBytes(com.google.protobuf.ByteString value) {
      *
      * 
      * The condition that is associated with this binding.
-     * NOTE: An unsatisfied condition will not allow user access via current
-     * binding. Different bindings, including their conditions, are examined
-     * independently.
+     * If the condition evaluates to `true`, then this binding applies to the
+     * current request.
+     * If the condition evaluates to `false`, then this binding does not apply to
+     * the current request. However, a different role binding might grant the same
+     * role to one or more of the principals in this binding.
+     * To learn which resources support conditions in their IAM policies, see the
+     * [IAM
+     * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      * 

      *
      * .google.type.Expr condition = 3;
@@ -1151,9 +1392,14 @@ public boolean hasCondition() {
      *
      * 
      * The condition that is associated with this binding.
-     * NOTE: An unsatisfied condition will not allow user access via current
-     * binding. Different bindings, including their conditions, are examined
-     * independently.
+     * If the condition evaluates to `true`, then this binding applies to the
+     * current request.
+     * If the condition evaluates to `false`, then this binding does not apply to
+     * the current request. However, a different role binding might grant the same
+     * role to one or more of the principals in this binding.
+     * To learn which resources support conditions in their IAM policies, see the
+     * [IAM
+     * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      * 

      *
      * .google.type.Expr condition = 3;
@@ -1172,9 +1418,14 @@ public com.google.type.Expr getCondition() {
      *
      * 
      * The condition that is associated with this binding.
-     * NOTE: An unsatisfied condition will not allow user access via current
-     * binding. Different bindings, including their conditions, are examined
-     * independently.
+     * If the condition evaluates to `true`, then this binding applies to the
+     * current request.
+     * If the condition evaluates to `false`, then this binding does not apply to
+     * the current request. However, a different role binding might grant the same
+     * role to one or more of the principals in this binding.
+     * To learn which resources support conditions in their IAM policies, see the
+     * [IAM
+     * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      * 

      *
      * .google.type.Expr condition = 3;
@@ -1197,9 +1448,14 @@ public Builder setCondition(com.google.type.Expr value) {
      *
      * 
      * The condition that is associated with this binding.
-     * NOTE: An unsatisfied condition will not allow user access via current
-     * binding. Different bindings, including their conditions, are examined
-     * independently.
+     * If the condition evaluates to `true`, then this binding applies to the
+     * current request.
+     * If the condition evaluates to `false`, then this binding does not apply to
+     * the current request. However, a different role binding might grant the same
+     * role to one or more of the principals in this binding.
+     * To learn which resources support conditions in their IAM policies, see the
+     * [IAM
+     * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      * 

      *
      * .google.type.Expr condition = 3;
@@ -1219,9 +1475,14 @@ public Builder setCondition(com.google.type.Expr.Builder builderForValue) {
      *
      * 
      * The condition that is associated with this binding.
-     * NOTE: An unsatisfied condition will not allow user access via current
-     * binding. Different bindings, including their conditions, are examined
-     * independently.
+     * If the condition evaluates to `true`, then this binding applies to the
+     * current request.
+     * If the condition evaluates to `false`, then this binding does not apply to
+     * the current request. However, a different role binding might grant the same
+     * role to one or more of the principals in this binding.
+     * To learn which resources support conditions in their IAM policies, see the
+     * [IAM
+     * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      * 

      *
      * .google.type.Expr condition = 3;
@@ -1245,9 +1506,14 @@ public Builder mergeCondition(com.google.type.Expr value) {
      *
      * 
      * The condition that is associated with this binding.
-     * NOTE: An unsatisfied condition will not allow user access via current
-     * binding. Different bindings, including their conditions, are examined
-     * independently.
+     * If the condition evaluates to `true`, then this binding applies to the
+     * current request.
+     * If the condition evaluates to `false`, then this binding does not apply to
+     * the current request. However, a different role binding might grant the same
+     * role to one or more of the principals in this binding.
+     * To learn which resources support conditions in their IAM policies, see the
+     * [IAM
+     * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      * 

      *
      * .google.type.Expr condition = 3;
@@ -1268,9 +1534,14 @@ public Builder clearCondition() {
      *
      * 
      * The condition that is associated with this binding.
-     * NOTE: An unsatisfied condition will not allow user access via current
-     * binding. Different bindings, including their conditions, are examined
-     * independently.
+     * If the condition evaluates to `true`, then this binding applies to the
+     * current request.
+     * If the condition evaluates to `false`, then this binding does not apply to
+     * the current request. However, a different role binding might grant the same
+     * role to one or more of the principals in this binding.
+     * To learn which resources support conditions in their IAM policies, see the
+     * [IAM
+     * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      * 

      *
      * .google.type.Expr condition = 3;
@@ -1285,9 +1556,14 @@ public com.google.type.Expr.Builder getConditionBuilder() {
      *
      * 
      * The condition that is associated with this binding.
-     * NOTE: An unsatisfied condition will not allow user access via current
-     * binding. Different bindings, including their conditions, are examined
-     * independently.
+     * If the condition evaluates to `true`, then this binding applies to the
+     * current request.
+     * If the condition evaluates to `false`, then this binding does not apply to
+     * the current request. However, a different role binding might grant the same
+     * role to one or more of the principals in this binding.
+     * To learn which resources support conditions in their IAM policies, see the
+     * [IAM
+     * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      * 

      *
      * .google.type.Expr condition = 3;
@@ -1304,9 +1580,14 @@ public com.google.type.ExprOrBuilder getConditionOrBuilder() {
      *
      * 
      * The condition that is associated with this binding.
-     * NOTE: An unsatisfied condition will not allow user access via current
-     * binding. Different bindings, including their conditions, are examined
-     * independently.
+     * If the condition evaluates to `true`, then this binding applies to the
+     * current request.
+     * If the condition evaluates to `false`, then this binding does not apply to
+     * the current request. However, a different role binding might grant the same
+     * role to one or more of the principals in this binding.
+     * To learn which resources support conditions in their IAM policies, see the
+     * [IAM
+     * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      * 

      *
      * .google.type.Expr condition = 3;
diff --git a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/BindingOrBuilder.java b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/BindingOrBuilder.java
index f51272f79b..b5e660fa3a 100644
--- a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/BindingOrBuilder.java
+++ b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/BindingOrBuilder.java
@@ -27,7 +27,7 @@ public interface BindingOrBuilder
    *
    *
    * 
-   * Role that is assigned to `members`.
+   * Role that is assigned to the list of `members`, or principals.
    * For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
    * 

    *
@@ -40,7 +40,7 @@ public interface BindingOrBuilder
    *
    *
    * 
-   * Role that is assigned to `members`.
+   * Role that is assigned to the list of `members`, or principals.
    * For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
    * 

    *
@@ -54,7 +54,7 @@ public interface BindingOrBuilder
    *
    *
    * 
-   * Specifies the identities requesting access for a Cloud Platform resource.
+   * Specifies the principals requesting access for a Cloud Platform resource.
    * `members` can have the following values:
    * * `allUsers`: A special identifier that represents anyone who is
    *    on the internet; with or without a Google account.
@@ -66,6 +66,23 @@ public interface BindingOrBuilder
    *    account. For example, `my-other-app@appspot.gserviceaccount.com`.
    * * `group:{emailid}`: An email address that represents a Google group.
    *    For example, `admins@example.com`.
+   * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+   *    identifier) representing a user that has been recently deleted. For
+   *    example, `alice@example.com?uid=123456789012345678901`. If the user is
+   *    recovered, this value reverts to `user:{emailid}` and the recovered user
+   *    retains the role in the binding.
+   * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+   *    unique identifier) representing a service account that has been recently
+   *    deleted. For example,
+   *    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+   *    If the service account is undeleted, this value reverts to
+   *    `serviceAccount:{emailid}` and the undeleted service account retains the
+   *    role in the binding.
+   * * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+   *    identifier) representing a Google group that has been recently
+   *    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+   *    the group is recovered, this value reverts to `group:{emailid}` and the
+   *    recovered group retains the role in the binding.
    * * `domain:{domain}`: The G Suite domain (primary) that represents all the
    *    users of that domain. For example, `google.com` or `example.com`.
    * 

@@ -79,7 +96,7 @@ public interface BindingOrBuilder
    *
    *
    * 
-   * Specifies the identities requesting access for a Cloud Platform resource.
+   * Specifies the principals requesting access for a Cloud Platform resource.
    * `members` can have the following values:
    * * `allUsers`: A special identifier that represents anyone who is
    *    on the internet; with or without a Google account.
@@ -91,6 +108,23 @@ public interface BindingOrBuilder
    *    account. For example, `my-other-app@appspot.gserviceaccount.com`.
    * * `group:{emailid}`: An email address that represents a Google group.
    *    For example, `admins@example.com`.
+   * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+   *    identifier) representing a user that has been recently deleted. For
+   *    example, `alice@example.com?uid=123456789012345678901`. If the user is
+   *    recovered, this value reverts to `user:{emailid}` and the recovered user
+   *    retains the role in the binding.
+   * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+   *    unique identifier) representing a service account that has been recently
+   *    deleted. For example,
+   *    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+   *    If the service account is undeleted, this value reverts to
+   *    `serviceAccount:{emailid}` and the undeleted service account retains the
+   *    role in the binding.
+   * * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+   *    identifier) representing a Google group that has been recently
+   *    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+   *    the group is recovered, this value reverts to `group:{emailid}` and the
+   *    recovered group retains the role in the binding.
    * * `domain:{domain}`: The G Suite domain (primary) that represents all the
    *    users of that domain. For example, `google.com` or `example.com`.
    * 

@@ -104,7 +138,7 @@ public interface BindingOrBuilder
    *
    *
    * 
-   * Specifies the identities requesting access for a Cloud Platform resource.
+   * Specifies the principals requesting access for a Cloud Platform resource.
    * `members` can have the following values:
    * * `allUsers`: A special identifier that represents anyone who is
    *    on the internet; with or without a Google account.
@@ -116,6 +150,23 @@ public interface BindingOrBuilder
    *    account. For example, `my-other-app@appspot.gserviceaccount.com`.
    * * `group:{emailid}`: An email address that represents a Google group.
    *    For example, `admins@example.com`.
+   * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+   *    identifier) representing a user that has been recently deleted. For
+   *    example, `alice@example.com?uid=123456789012345678901`. If the user is
+   *    recovered, this value reverts to `user:{emailid}` and the recovered user
+   *    retains the role in the binding.
+   * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+   *    unique identifier) representing a service account that has been recently
+   *    deleted. For example,
+   *    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+   *    If the service account is undeleted, this value reverts to
+   *    `serviceAccount:{emailid}` and the undeleted service account retains the
+   *    role in the binding.
+   * * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+   *    identifier) representing a Google group that has been recently
+   *    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+   *    the group is recovered, this value reverts to `group:{emailid}` and the
+   *    recovered group retains the role in the binding.
    * * `domain:{domain}`: The G Suite domain (primary) that represents all the
    *    users of that domain. For example, `google.com` or `example.com`.
    * 

@@ -130,7 +181,7 @@ public interface BindingOrBuilder
    *
    *
    * 
-   * Specifies the identities requesting access for a Cloud Platform resource.
+   * Specifies the principals requesting access for a Cloud Platform resource.
    * `members` can have the following values:
    * * `allUsers`: A special identifier that represents anyone who is
    *    on the internet; with or without a Google account.
@@ -142,6 +193,23 @@ public interface BindingOrBuilder
    *    account. For example, `my-other-app@appspot.gserviceaccount.com`.
    * * `group:{emailid}`: An email address that represents a Google group.
    *    For example, `admins@example.com`.
+   * * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
+   *    identifier) representing a user that has been recently deleted. For
+   *    example, `alice@example.com?uid=123456789012345678901`. If the user is
+   *    recovered, this value reverts to `user:{emailid}` and the recovered user
+   *    retains the role in the binding.
+   * * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
+   *    unique identifier) representing a service account that has been recently
+   *    deleted. For example,
+   *    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
+   *    If the service account is undeleted, this value reverts to
+   *    `serviceAccount:{emailid}` and the undeleted service account retains the
+   *    role in the binding.
+   * * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
+   *    identifier) representing a Google group that has been recently
+   *    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
+   *    the group is recovered, this value reverts to `group:{emailid}` and the
+   *    recovered group retains the role in the binding.
    * * `domain:{domain}`: The G Suite domain (primary) that represents all the
    *    users of that domain. For example, `google.com` or `example.com`.
    * 

@@ -158,9 +226,14 @@ public interface BindingOrBuilder
    *
    * 
    * The condition that is associated with this binding.
-   * NOTE: An unsatisfied condition will not allow user access via current
-   * binding. Different bindings, including their conditions, are examined
-   * independently.
+   * If the condition evaluates to `true`, then this binding applies to the
+   * current request.
+   * If the condition evaluates to `false`, then this binding does not apply to
+   * the current request. However, a different role binding might grant the same
+   * role to one or more of the principals in this binding.
+   * To learn which resources support conditions in their IAM policies, see the
+   * [IAM
+   * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
    * 

    *
    * .google.type.Expr condition = 3;
@@ -173,9 +246,14 @@ public interface BindingOrBuilder
    *
    * 
    * The condition that is associated with this binding.
-   * NOTE: An unsatisfied condition will not allow user access via current
-   * binding. Different bindings, including their conditions, are examined
-   * independently.
+   * If the condition evaluates to `true`, then this binding applies to the
+   * current request.
+   * If the condition evaluates to `false`, then this binding does not apply to
+   * the current request. However, a different role binding might grant the same
+   * role to one or more of the principals in this binding.
+   * To learn which resources support conditions in their IAM policies, see the
+   * [IAM
+   * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
    * 

    *
    * .google.type.Expr condition = 3;
@@ -188,9 +266,14 @@ public interface BindingOrBuilder
    *
    * 
    * The condition that is associated with this binding.
-   * NOTE: An unsatisfied condition will not allow user access via current
-   * binding. Different bindings, including their conditions, are examined
-   * independently.
+   * If the condition evaluates to `true`, then this binding applies to the
+   * current request.
+   * If the condition evaluates to `false`, then this binding does not apply to
+   * the current request. However, a different role binding might grant the same
+   * role to one or more of the principals in this binding.
+   * To learn which resources support conditions in their IAM policies, see the
+   * [IAM
+   * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
    * 

    *
    * .google.type.Expr condition = 3;
diff --git a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/GetIamPolicyRequest.java b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/GetIamPolicyRequest.java
index 6f21bb3ef4..7944fffc7e 100644
--- a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/GetIamPolicyRequest.java
+++ b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/GetIamPolicyRequest.java
@@ -188,7 +188,7 @@ public com.google.protobuf.ByteString getResourceBytes() {
    *
    * 
    * OPTIONAL: A `GetPolicyOptions` object for specifying options to
-   * `GetIamPolicy`. This field is only used by Cloud IAM.
+   * `GetIamPolicy`.
    * 

    *
    * .google.iam.v1.GetPolicyOptions options = 2;
@@ -204,7 +204,7 @@ public boolean hasOptions() {
    *
    * 
    * OPTIONAL: A `GetPolicyOptions` object for specifying options to
-   * `GetIamPolicy`. This field is only used by Cloud IAM.
+   * `GetIamPolicy`.
    * 

    *
    * .google.iam.v1.GetPolicyOptions options = 2;
@@ -220,7 +220,7 @@ public com.google.iam.v1.GetPolicyOptions getOptions() {
    *
    * 
    * OPTIONAL: A `GetPolicyOptions` object for specifying options to
-   * `GetIamPolicy`. This field is only used by Cloud IAM.
+   * `GetIamPolicy`.
    * 

    *
    * .google.iam.v1.GetPolicyOptions options = 2;
@@ -704,7 +704,7 @@ public Builder setResourceBytes(com.google.protobuf.ByteString value) {
      *
      * 
      * OPTIONAL: A `GetPolicyOptions` object for specifying options to
-     * `GetIamPolicy`. This field is only used by Cloud IAM.
+     * `GetIamPolicy`.
      * 

      *
      * .google.iam.v1.GetPolicyOptions options = 2;
@@ -719,7 +719,7 @@ public boolean hasOptions() {
      *
      * 
      * OPTIONAL: A `GetPolicyOptions` object for specifying options to
-     * `GetIamPolicy`. This field is only used by Cloud IAM.
+     * `GetIamPolicy`.
      * 

      *
      * .google.iam.v1.GetPolicyOptions options = 2;
@@ -740,7 +740,7 @@ public com.google.iam.v1.GetPolicyOptions getOptions() {
      *
      * 
      * OPTIONAL: A `GetPolicyOptions` object for specifying options to
-     * `GetIamPolicy`. This field is only used by Cloud IAM.
+     * `GetIamPolicy`.
      * 

      *
      * .google.iam.v1.GetPolicyOptions options = 2;
@@ -763,7 +763,7 @@ public Builder setOptions(com.google.iam.v1.GetPolicyOptions value) {
      *
      * 
      * OPTIONAL: A `GetPolicyOptions` object for specifying options to
-     * `GetIamPolicy`. This field is only used by Cloud IAM.
+     * `GetIamPolicy`.
      * 

      *
      * .google.iam.v1.GetPolicyOptions options = 2;
@@ -783,7 +783,7 @@ public Builder setOptions(com.google.iam.v1.GetPolicyOptions.Builder builderForV
      *
      * 
      * OPTIONAL: A `GetPolicyOptions` object for specifying options to
-     * `GetIamPolicy`. This field is only used by Cloud IAM.
+     * `GetIamPolicy`.
      * 

      *
      * .google.iam.v1.GetPolicyOptions options = 2;
@@ -810,7 +810,7 @@ public Builder mergeOptions(com.google.iam.v1.GetPolicyOptions value) {
      *
      * 
      * OPTIONAL: A `GetPolicyOptions` object for specifying options to
-     * `GetIamPolicy`. This field is only used by Cloud IAM.
+     * `GetIamPolicy`.
      * 

      *
      * .google.iam.v1.GetPolicyOptions options = 2;
@@ -831,7 +831,7 @@ public Builder clearOptions() {
      *
      * 
      * OPTIONAL: A `GetPolicyOptions` object for specifying options to
-     * `GetIamPolicy`. This field is only used by Cloud IAM.
+     * `GetIamPolicy`.
      * 

      *
      * .google.iam.v1.GetPolicyOptions options = 2;
@@ -846,7 +846,7 @@ public com.google.iam.v1.GetPolicyOptions.Builder getOptionsBuilder() {
      *
      * 
      * OPTIONAL: A `GetPolicyOptions` object for specifying options to
-     * `GetIamPolicy`. This field is only used by Cloud IAM.
+     * `GetIamPolicy`.
      * 

      *
      * .google.iam.v1.GetPolicyOptions options = 2;
@@ -865,7 +865,7 @@ public com.google.iam.v1.GetPolicyOptionsOrBuilder getOptionsOrBuilder() {
      *
      * 
      * OPTIONAL: A `GetPolicyOptions` object for specifying options to
-     * `GetIamPolicy`. This field is only used by Cloud IAM.
+     * `GetIamPolicy`.
      * 

      *
      * .google.iam.v1.GetPolicyOptions options = 2;
diff --git a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/GetIamPolicyRequestOrBuilder.java b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/GetIamPolicyRequestOrBuilder.java
index 443bbb5c2e..5f90592d42 100644
--- a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/GetIamPolicyRequestOrBuilder.java
+++ b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/GetIamPolicyRequestOrBuilder.java
@@ -59,7 +59,7 @@ public interface GetIamPolicyRequestOrBuilder
    *
    * 
    * OPTIONAL: A `GetPolicyOptions` object for specifying options to
-   * `GetIamPolicy`. This field is only used by Cloud IAM.
+   * `GetIamPolicy`.
    * 

    *
    * .google.iam.v1.GetPolicyOptions options = 2;
@@ -72,7 +72,7 @@ public interface GetIamPolicyRequestOrBuilder
    *
    * 
    * OPTIONAL: A `GetPolicyOptions` object for specifying options to
-   * `GetIamPolicy`. This field is only used by Cloud IAM.
+   * `GetIamPolicy`.
    * 

    *
    * .google.iam.v1.GetPolicyOptions options = 2;
@@ -85,7 +85,7 @@ public interface GetIamPolicyRequestOrBuilder
    *
    * 
    * OPTIONAL: A `GetPolicyOptions` object for specifying options to
-   * `GetIamPolicy`. This field is only used by Cloud IAM.
+   * `GetIamPolicy`.
    * 

    *
    * .google.iam.v1.GetPolicyOptions options = 2;
diff --git a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/GetPolicyOptions.java b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/GetPolicyOptions.java
index 7054040f7b..253fa54744 100644
--- a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/GetPolicyOptions.java
+++ b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/GetPolicyOptions.java
@@ -112,12 +112,20 @@ public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() {
    *
    *
    * 
-   * Optional. The policy format version to be returned.
+   * Optional. The maximum policy version that will be used to format the
+   * policy.
    * Valid values are 0, 1, and 3. Requests specifying an invalid value will be
    * rejected.
-   * Requests for policies with any conditional bindings must specify version 3.
-   * Policies without any conditional bindings may specify any valid value or
-   * leave the field unset.
+   * Requests for policies with any conditional role bindings must specify
+   * version 3. Policies with no conditional role bindings may specify any valid
+   * value or leave the field unset.
+   * The policy in the response might use the policy version that you specified,
+   * or it might use a lower policy version. For example, if you specify version
+   * 3, but the policy has no conditional role bindings, the response uses
+   * version 1.
+   * To learn which resources support conditions in their IAM policies, see the
+   * [IAM
+   * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
    * 

    *
    * int32 requested_policy_version = 1;
@@ -446,12 +454,20 @@ public Builder mergeFrom(
      *
      *
      * 
-     * Optional. The policy format version to be returned.
+     * Optional. The maximum policy version that will be used to format the
+     * policy.
      * Valid values are 0, 1, and 3. Requests specifying an invalid value will be
      * rejected.
-     * Requests for policies with any conditional bindings must specify version 3.
-     * Policies without any conditional bindings may specify any valid value or
-     * leave the field unset.
+     * Requests for policies with any conditional role bindings must specify
+     * version 3. Policies with no conditional role bindings may specify any valid
+     * value or leave the field unset.
+     * The policy in the response might use the policy version that you specified,
+     * or it might use a lower policy version. For example, if you specify version
+     * 3, but the policy has no conditional role bindings, the response uses
+     * version 1.
+     * To learn which resources support conditions in their IAM policies, see the
+     * [IAM
+     * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      * 

      *
      * int32 requested_policy_version = 1;
@@ -466,12 +482,20 @@ public int getRequestedPolicyVersion() {
      *
      *
      * 
-     * Optional. The policy format version to be returned.
+     * Optional. The maximum policy version that will be used to format the
+     * policy.
      * Valid values are 0, 1, and 3. Requests specifying an invalid value will be
      * rejected.
-     * Requests for policies with any conditional bindings must specify version 3.
-     * Policies without any conditional bindings may specify any valid value or
-     * leave the field unset.
+     * Requests for policies with any conditional role bindings must specify
+     * version 3. Policies with no conditional role bindings may specify any valid
+     * value or leave the field unset.
+     * The policy in the response might use the policy version that you specified,
+     * or it might use a lower policy version. For example, if you specify version
+     * 3, but the policy has no conditional role bindings, the response uses
+     * version 1.
+     * To learn which resources support conditions in their IAM policies, see the
+     * [IAM
+     * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      * 

      *
      * int32 requested_policy_version = 1;
@@ -489,12 +513,20 @@ public Builder setRequestedPolicyVersion(int value) {
      *
      *
      * 
-     * Optional. The policy format version to be returned.
+     * Optional. The maximum policy version that will be used to format the
+     * policy.
      * Valid values are 0, 1, and 3. Requests specifying an invalid value will be
      * rejected.
-     * Requests for policies with any conditional bindings must specify version 3.
-     * Policies without any conditional bindings may specify any valid value or
-     * leave the field unset.
+     * Requests for policies with any conditional role bindings must specify
+     * version 3. Policies with no conditional role bindings may specify any valid
+     * value or leave the field unset.
+     * The policy in the response might use the policy version that you specified,
+     * or it might use a lower policy version. For example, if you specify version
+     * 3, but the policy has no conditional role bindings, the response uses
+     * version 1.
+     * To learn which resources support conditions in their IAM policies, see the
+     * [IAM
+     * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      * 

      *
      * int32 requested_policy_version = 1;
diff --git a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/GetPolicyOptionsOrBuilder.java b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/GetPolicyOptionsOrBuilder.java
index ea37a837e4..1cd51a9971 100644
--- a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/GetPolicyOptionsOrBuilder.java
+++ b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/GetPolicyOptionsOrBuilder.java
@@ -27,12 +27,20 @@ public interface GetPolicyOptionsOrBuilder
    *
    *
    * 
-   * Optional. The policy format version to be returned.
+   * Optional. The maximum policy version that will be used to format the
+   * policy.
    * Valid values are 0, 1, and 3. Requests specifying an invalid value will be
    * rejected.
-   * Requests for policies with any conditional bindings must specify version 3.
-   * Policies without any conditional bindings may specify any valid value or
-   * leave the field unset.
+   * Requests for policies with any conditional role bindings must specify
+   * version 3. Policies with no conditional role bindings may specify any valid
+   * value or leave the field unset.
+   * The policy in the response might use the policy version that you specified,
+   * or it might use a lower policy version. For example, if you specify version
+   * 3, but the policy has no conditional role bindings, the response uses
+   * version 1.
+   * To learn which resources support conditions in their IAM policies, see the
+   * [IAM
+   * documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
    * 

    *
    * int32 requested_policy_version = 1;
diff --git a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/IamPolicyProto.java b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/IamPolicyProto.java
index 088dcca099..57652c10d9 100644
--- a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/IamPolicyProto.java
+++ b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/IamPolicyProto.java
@@ -53,45 +53,48 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() {
   static {
     java.lang.String[] descriptorData = {
       "\n\036google/iam/v1/iam_policy.proto\022\rgoogle"
-          + ".iam.v1\032\033google/iam/v1/options.proto\032\032go"
-          + "ogle/iam/v1/policy.proto\032\034google/api/ann"
-          + "otations.proto\032\027google/api/client.proto\032"
-          + "\037google/api/field_behavior.proto\032\031google"
-          + "/api/resource.proto\"^\n\023SetIamPolicyReque"
-          + "st\022\033\n\010resource\030\001 \001(\tB\t\340A\002\372A\003\n\001*\022*\n\006polic"
-          + "y\030\002 \001(\0132\025.google.iam.v1.PolicyB\003\340A\002\"d\n\023G"
-          + "etIamPolicyRequest\022\033\n\010resource\030\001 \001(\tB\t\340A"
-          + "\002\372A\003\n\001*\0220\n\007options\030\002 \001(\0132\037.google.iam.v1"
-          + ".GetPolicyOptions\"R\n\031TestIamPermissionsR"
-          + "equest\022\033\n\010resource\030\001 \001(\tB\t\340A\002\372A\003\n\001*\022\030\n\013p"
-          + "ermissions\030\002 \003(\tB\003\340A\002\"1\n\032TestIamPermissi"
-          + "onsResponse\022\023\n\013permissions\030\001 \003(\t2\264\003\n\tIAM"
-          + "Policy\022t\n\014SetIamPolicy\022\".google.iam.v1.S"
-          + "etIamPolicyRequest\032\025.google.iam.v1.Polic"
-          + "y\")\202\323\344\223\002#\"\036/v1/{resource=**}:setIamPolic"
-          + "y:\001*\022t\n\014GetIamPolicy\022\".google.iam.v1.Get"
-          + "IamPolicyRequest\032\025.google.iam.v1.Policy\""
-          + ")\202\323\344\223\002#\"\036/v1/{resource=**}:getIamPolicy:"
-          + "\001*\022\232\001\n\022TestIamPermissions\022(.google.iam.v"
-          + "1.TestIamPermissionsRequest\032).google.iam"
-          + ".v1.TestIamPermissionsResponse\"/\202\323\344\223\002)\"$"
-          + "/v1/{resource=**}:testIamPermissions:\001*\032"
-          + "\036\312A\033iam-meta-api.googleapis.comB\206\001\n\021com."
-          + "google.iam.v1B\016IamPolicyProtoP\001Z0google."
-          + "golang.org/genproto/googleapis/iam/v1;ia"
-          + "m\370\001\001\252\002\023Google.Cloud.Iam.V1\312\002\023Google\\Clou"
-          + "d\\Iam\\V1b\006proto3"
+          + ".iam.v1\032\034google/api/annotations.proto\032\027g"
+          + "oogle/api/client.proto\032\037google/api/field"
+          + "_behavior.proto\032\031google/api/resource.pro"
+          + "to\032\033google/iam/v1/options.proto\032\032google/"
+          + "iam/v1/policy.proto\032 google/protobuf/fie"
+          + "ld_mask.proto\"\217\001\n\023SetIamPolicyRequest\022\033\n"
+          + "\010resource\030\001 \001(\tB\t\340A\002\372A\003\n\001*\022*\n\006policy\030\002 \001"
+          + "(\0132\025.google.iam.v1.PolicyB\003\340A\002\022/\n\013update"
+          + "_mask\030\003 \001(\0132\032.google.protobuf.FieldMask\""
+          + "d\n\023GetIamPolicyRequest\022\033\n\010resource\030\001 \001(\t"
+          + "B\t\340A\002\372A\003\n\001*\0220\n\007options\030\002 \001(\0132\037.google.ia"
+          + "m.v1.GetPolicyOptions\"R\n\031TestIamPermissi"
+          + "onsRequest\022\033\n\010resource\030\001 \001(\tB\t\340A\002\372A\003\n\001*\022"
+          + "\030\n\013permissions\030\002 \003(\tB\003\340A\002\"1\n\032TestIamPerm"
+          + "issionsResponse\022\023\n\013permissions\030\001 \003(\t2\264\003\n"
+          + "\tIAMPolicy\022t\n\014SetIamPolicy\022\".google.iam."
+          + "v1.SetIamPolicyRequest\032\025.google.iam.v1.P"
+          + "olicy\")\202\323\344\223\002#\"\036/v1/{resource=**}:setIamP"
+          + "olicy:\001*\022t\n\014GetIamPolicy\022\".google.iam.v1"
+          + ".GetIamPolicyRequest\032\025.google.iam.v1.Pol"
+          + "icy\")\202\323\344\223\002#\"\036/v1/{resource=**}:getIamPol"
+          + "icy:\001*\022\232\001\n\022TestIamPermissions\022(.google.i"
+          + "am.v1.TestIamPermissionsRequest\032).google"
+          + ".iam.v1.TestIamPermissionsResponse\"/\202\323\344\223"
+          + "\002)\"$/v1/{resource=**}:testIamPermissions"
+          + ":\001*\032\036\312A\033iam-meta-api.googleapis.comB\206\001\n\021"
+          + "com.google.iam.v1B\016IamPolicyProtoP\001Z0goo"
+          + "gle.golang.org/genproto/googleapis/iam/v"
+          + "1;iam\370\001\001\252\002\023Google.Cloud.Iam.V1\312\002\023Google\\"
+          + "Cloud\\Iam\\V1b\006proto3"
     };
     descriptor =
         com.google.protobuf.Descriptors.FileDescriptor.internalBuildGeneratedFileFrom(
             descriptorData,
             new com.google.protobuf.Descriptors.FileDescriptor[] {
-              com.google.iam.v1.OptionsProto.getDescriptor(),
-              com.google.iam.v1.PolicyProto.getDescriptor(),
               com.google.api.AnnotationsProto.getDescriptor(),
               com.google.api.ClientProto.getDescriptor(),
               com.google.api.FieldBehaviorProto.getDescriptor(),
               com.google.api.ResourceProto.getDescriptor(),
+              com.google.iam.v1.OptionsProto.getDescriptor(),
+              com.google.iam.v1.PolicyProto.getDescriptor(),
+              com.google.protobuf.FieldMaskProto.getDescriptor(),
             });
     internal_static_google_iam_v1_SetIamPolicyRequest_descriptor =
         getDescriptor().getMessageTypes().get(0);
@@ -99,7 +102,7 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() {
         new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
             internal_static_google_iam_v1_SetIamPolicyRequest_descriptor,
             new java.lang.String[] {
-              "Resource", "Policy",
+              "Resource", "Policy", "UpdateMask",
             });
     internal_static_google_iam_v1_GetIamPolicyRequest_descriptor =
         getDescriptor().getMessageTypes().get(1);
@@ -133,12 +136,13 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() {
     registry.add(com.google.api.ResourceProto.resourceReference);
     com.google.protobuf.Descriptors.FileDescriptor.internalUpdateFileDescriptor(
         descriptor, registry);
-    com.google.iam.v1.OptionsProto.getDescriptor();
-    com.google.iam.v1.PolicyProto.getDescriptor();
     com.google.api.AnnotationsProto.getDescriptor();
     com.google.api.ClientProto.getDescriptor();
     com.google.api.FieldBehaviorProto.getDescriptor();
     com.google.api.ResourceProto.getDescriptor();
+    com.google.iam.v1.OptionsProto.getDescriptor();
+    com.google.iam.v1.PolicyProto.getDescriptor();
+    com.google.protobuf.FieldMaskProto.getDescriptor();
   }
 
   // @@protoc_insertion_point(outer_class_scope)
diff --git a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/OptionsProto.java b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/OptionsProto.java
index 02274d0dac..9c13280b2b 100644
--- a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/OptionsProto.java
+++ b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/OptionsProto.java
@@ -41,19 +41,16 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() {
   static {
     java.lang.String[] descriptorData = {
       "\n\033google/iam/v1/options.proto\022\rgoogle.ia"
-          + "m.v1\032\034google/api/annotations.proto\"4\n\020Ge"
-          + "tPolicyOptions\022 \n\030requested_policy_versi"
-          + "on\030\001 \001(\005B\204\001\n\021com.google.iam.v1B\014OptionsP"
-          + "rotoP\001Z0google.golang.org/genproto/googl"
-          + "eapis/iam/v1;iam\370\001\001\252\002\023Google.Cloud.Iam.V"
-          + "1\312\002\023Google\\Cloud\\Iam\\V1b\006proto3"
+          + "m.v1\"4\n\020GetPolicyOptions\022 \n\030requested_po"
+          + "licy_version\030\001 \001(\005B\204\001\n\021com.google.iam.v1"
+          + "B\014OptionsProtoP\001Z0google.golang.org/genp"
+          + "roto/googleapis/iam/v1;iam\370\001\001\252\002\023Google.C"
+          + "loud.Iam.V1\312\002\023Google\\Cloud\\Iam\\V1b\006proto"
+          + "3"
     };
     descriptor =
         com.google.protobuf.Descriptors.FileDescriptor.internalBuildGeneratedFileFrom(
-            descriptorData,
-            new com.google.protobuf.Descriptors.FileDescriptor[] {
-              com.google.api.AnnotationsProto.getDescriptor(),
-            });
+            descriptorData, new com.google.protobuf.Descriptors.FileDescriptor[] {});
     internal_static_google_iam_v1_GetPolicyOptions_descriptor =
         getDescriptor().getMessageTypes().get(0);
     internal_static_google_iam_v1_GetPolicyOptions_fieldAccessorTable =
@@ -62,7 +59,6 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() {
             new java.lang.String[] {
               "RequestedPolicyVersion",
             });
-    com.google.api.AnnotationsProto.getDescriptor();
   }
 
   // @@protoc_insertion_point(outer_class_scope)
diff --git a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/Policy.java b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/Policy.java
index 3cda12f13c..ac67ceeb08 100644
--- a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/Policy.java
+++ b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/Policy.java
@@ -22,16 +22,20 @@
  *
  *
  * 
- * Defines an Identity and Access Management (IAM) policy. It is used to
- * specify access control policies for Cloud Platform resources.
+ * An Identity and Access Management (IAM) policy, which specifies access
+ * controls for Google Cloud resources.
  * A `Policy` is a collection of `bindings`. A `binding` binds one or more
- * `members` to a single `role`. Members can be user accounts, service accounts,
- * Google groups, and domains (such as G Suite). A `role` is a named list of
- * permissions (defined by IAM or configured by users). A `binding` can
- * optionally specify a `condition`, which is a logic expression that further
- * constrains the role binding based on attributes about the request and/or
- * target resource.
- * **JSON Example**
+ * `members`, or principals, to a single `role`. Principals can be user
+ * accounts, service accounts, Google groups, and domains (such as G Suite). A
+ * `role` is a named list of permissions; each `role` can be an IAM predefined
+ * role or a user-created custom role.
+ * For some types of Google Cloud resources, a `binding` can also specify a
+ * `condition`, which is a logical expression that allows access to a resource
+ * only if the expression evaluates to `true`. A condition can add constraints
+ * based on attributes of the request, the resource, or both. To learn which
+ * resources support conditions in their IAM policies, see the
+ * [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+ * **JSON example:**
  *     {
  *       "bindings": [
  *         {
@@ -45,17 +49,20 @@
  *         },
  *         {
  *           "role": "roles/resourcemanager.organizationViewer",
- *           "members": ["user:eve@example.com"],
+ *           "members": [
+ *             "user:eve@example.com"
+ *           ],
  *           "condition": {
  *             "title": "expirable access",
  *             "description": "Does not grant access after Sep 2020",
- *             "expression": "request.time <
- *             timestamp('2020-10-01T00:00:00.000Z')",
+ *             "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
  *           }
  *         }
- *       ]
+ *       ],
+ *       "etag": "BwWWja0YfJA=",
+ *       "version": 3
  *     }
- * **YAML Example**
+ * **YAML example:**
  *     bindings:
  *     - members:
  *       - user:mike@example.com
@@ -70,8 +77,10 @@
  *         title: expirable access
  *         description: Does not grant access after Sep 2020
  *         expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
+ *     etag: BwWWja0YfJA=
+ *     version: 3
  * For a description of IAM and its features, see the
- * [IAM developer's guide](https://cloud.google.com/iam/docs).
+ * [IAM documentation](https://cloud.google.com/iam/docs/).
  * 

  *
  * Protobuf type {@code google.iam.v1.Policy}
@@ -88,6 +97,7 @@ private Policy(com.google.protobuf.GeneratedMessageV3.Builder builder) {
 
   private Policy() {
     bindings_ = java.util.Collections.emptyList();
+    auditConfigs_ = java.util.Collections.emptyList();
     etag_ = com.google.protobuf.ByteString.EMPTY;
   }
 
@@ -141,6 +151,16 @@ private Policy(
                   input.readMessage(com.google.iam.v1.Binding.parser(), extensionRegistry));
               break;
             }
+          case 50:
+            {
+              if (!((mutable_bitField0_ & 0x00000002) != 0)) {
+                auditConfigs_ = new java.util.ArrayList();
+                mutable_bitField0_ |= 0x00000002;
+              }
+              auditConfigs_.add(
+                  input.readMessage(com.google.iam.v1.AuditConfig.parser(), extensionRegistry));
+              break;
+            }
           default:
             {
               if (!parseUnknownField(input, unknownFields, extensionRegistry, tag)) {
@@ -158,6 +178,9 @@ private Policy(
       if (((mutable_bitField0_ & 0x00000001) != 0)) {
         bindings_ = java.util.Collections.unmodifiableList(bindings_);
       }
+      if (((mutable_bitField0_ & 0x00000002) != 0)) {
+        auditConfigs_ = java.util.Collections.unmodifiableList(auditConfigs_);
+      }
       this.unknownFields = unknownFields.build();
       makeExtensionsImmutable();
     }
@@ -182,16 +205,23 @@ public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() {
    *
    * 
    * Specifies the format of the policy.
-   * Valid values are 0, 1, and 3. Requests specifying an invalid value will be
-   * rejected.
-   * Operations affecting conditional bindings must specify version 3. This can
-   * be either setting a conditional policy, modifying a conditional binding,
-   * or removing a binding (conditional or unconditional) from the stored
-   * conditional policy.
-   * Operations on non-conditional policies may specify any valid value or
-   * leave the field unset.
-   * If no etag is provided in the call to `setIamPolicy`, version compliance
-   * checks against the stored policy is skipped.
+   * Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
+   * are rejected.
+   * Any operation that affects conditional role bindings must specify version
+   * `3`. This requirement applies to the following operations:
+   * * Getting a policy that includes a conditional role binding
+   * * Adding a conditional role binding to a policy
+   * * Changing a conditional role binding in a policy
+   * * Removing any role binding, with or without a condition, from a policy
+   *   that includes conditions
+   * **Important:** If you use IAM Conditions, you must include the `etag` field
+   * whenever you call `setIamPolicy`. If you omit this field, then IAM allows
+   * you to overwrite a version `3` policy with a version `1` policy, and all of
+   * the conditions in the version `3` policy are lost.
+   * If a policy does not include any conditions, operations on that policy may
+   * specify any valid version or leave the field unset.
+   * To learn which resources support conditions in their IAM policies, see the
+   * [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
    * 

    *
    * int32 version = 1;
@@ -209,9 +239,15 @@ public int getVersion() {
    *
    *
    * 
-   * Associates a list of `members` to a `role`. Optionally may specify a
-   * `condition` that determines when binding is in effect.
-   * `bindings` with no members will result in an error.
+   * Associates a list of `members`, or principals, with a `role`. Optionally,
+   * may specify a `condition` that determines how and when the `bindings` are
+   * applied. Each of the `bindings` must contain at least one principal.
+   * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+   * of these principals can be Google groups. Each occurrence of a principal
+   * counts towards these limits. For example, if the `bindings` grant 50
+   * different roles to `user:alice@example.com`, and not to any other
+   * principal, then you can add another 1,450 principals to the `bindings` in
+   * the `Policy`.
    * 

    *
    * repeated .google.iam.v1.Binding bindings = 4;
@@ -224,9 +260,15 @@ public java.util.List getBindingsList() {
    *
    *
    * 
-   * Associates a list of `members` to a `role`. Optionally may specify a
-   * `condition` that determines when binding is in effect.
-   * `bindings` with no members will result in an error.
+   * Associates a list of `members`, or principals, with a `role`. Optionally,
+   * may specify a `condition` that determines how and when the `bindings` are
+   * applied. Each of the `bindings` must contain at least one principal.
+   * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+   * of these principals can be Google groups. Each occurrence of a principal
+   * counts towards these limits. For example, if the `bindings` grant 50
+   * different roles to `user:alice@example.com`, and not to any other
+   * principal, then you can add another 1,450 principals to the `bindings` in
+   * the `Policy`.
    * 

    *
    * repeated .google.iam.v1.Binding bindings = 4;
@@ -239,9 +281,15 @@ public java.util.List getBindingsO
    *
    *
    * 
-   * Associates a list of `members` to a `role`. Optionally may specify a
-   * `condition` that determines when binding is in effect.
-   * `bindings` with no members will result in an error.
+   * Associates a list of `members`, or principals, with a `role`. Optionally,
+   * may specify a `condition` that determines how and when the `bindings` are
+   * applied. Each of the `bindings` must contain at least one principal.
+   * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+   * of these principals can be Google groups. Each occurrence of a principal
+   * counts towards these limits. For example, if the `bindings` grant 50
+   * different roles to `user:alice@example.com`, and not to any other
+   * principal, then you can add another 1,450 principals to the `bindings` in
+   * the `Policy`.
    * 

    *
    * repeated .google.iam.v1.Binding bindings = 4;
@@ -254,9 +302,15 @@ public int getBindingsCount() {
    *
    *
    * 
-   * Associates a list of `members` to a `role`. Optionally may specify a
-   * `condition` that determines when binding is in effect.
-   * `bindings` with no members will result in an error.
+   * Associates a list of `members`, or principals, with a `role`. Optionally,
+   * may specify a `condition` that determines how and when the `bindings` are
+   * applied. Each of the `bindings` must contain at least one principal.
+   * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+   * of these principals can be Google groups. Each occurrence of a principal
+   * counts towards these limits. For example, if the `bindings` grant 50
+   * different roles to `user:alice@example.com`, and not to any other
+   * principal, then you can add another 1,450 principals to the `bindings` in
+   * the `Policy`.
    * 

    *
    * repeated .google.iam.v1.Binding bindings = 4;
@@ -269,9 +323,15 @@ public com.google.iam.v1.Binding getBindings(int index) {
    *
    *
    * 
-   * Associates a list of `members` to a `role`. Optionally may specify a
-   * `condition` that determines when binding is in effect.
-   * `bindings` with no members will result in an error.
+   * Associates a list of `members`, or principals, with a `role`. Optionally,
+   * may specify a `condition` that determines how and when the `bindings` are
+   * applied. Each of the `bindings` must contain at least one principal.
+   * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+   * of these principals can be Google groups. Each occurrence of a principal
+   * counts towards these limits. For example, if the `bindings` grant 50
+   * different roles to `user:alice@example.com`, and not to any other
+   * principal, then you can add another 1,450 principals to the `bindings` in
+   * the `Policy`.
    * 

    *
    * repeated .google.iam.v1.Binding bindings = 4;
@@ -281,6 +341,75 @@ public com.google.iam.v1.BindingOrBuilder getBindingsOrBuilder(int index) {
     return bindings_.get(index);
   }
 
+  public static final int AUDIT_CONFIGS_FIELD_NUMBER = 6;
+  private java.util.List auditConfigs_;
+  /**
+   *
+   *
+   * 
+   * Specifies cloud audit logging configuration for this policy.
+   * 

+   *
+   * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+   */
+  @java.lang.Override
+  public java.util.List getAuditConfigsList() {
+    return auditConfigs_;
+  }
+  /**
+   *
+   *
+   * 
+   * Specifies cloud audit logging configuration for this policy.
+   * 

+   *
+   * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+   */
+  @java.lang.Override
+  public java.util.List
+      getAuditConfigsOrBuilderList() {
+    return auditConfigs_;
+  }
+  /**
+   *
+   *
+   * 
+   * Specifies cloud audit logging configuration for this policy.
+   * 

+   *
+   * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+   */
+  @java.lang.Override
+  public int getAuditConfigsCount() {
+    return auditConfigs_.size();
+  }
+  /**
+   *
+   *
+   * 
+   * Specifies cloud audit logging configuration for this policy.
+   * 

+   *
+   * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+   */
+  @java.lang.Override
+  public com.google.iam.v1.AuditConfig getAuditConfigs(int index) {
+    return auditConfigs_.get(index);
+  }
+  /**
+   *
+   *
+   * 
+   * Specifies cloud audit logging configuration for this policy.
+   * 

+   *
+   * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+   */
+  @java.lang.Override
+  public com.google.iam.v1.AuditConfigOrBuilder getAuditConfigsOrBuilder(int index) {
+    return auditConfigs_.get(index);
+  }
+
   public static final int ETAG_FIELD_NUMBER = 3;
   private com.google.protobuf.ByteString etag_;
   /**
@@ -294,10 +423,10 @@ public com.google.iam.v1.BindingOrBuilder getBindingsOrBuilder(int index) {
    * conditions: An `etag` is returned in the response to `getIamPolicy`, and
    * systems are expected to put that etag in the request to `setIamPolicy` to
    * ensure that their change will be applied to the same version of the policy.
-   * If no `etag` is provided in the call to `setIamPolicy`, then the existing
-   * policy is overwritten. Due to blind-set semantics of an etag-less policy,
-   * 'setIamPolicy' will not fail even if the incoming policy version does not
-   * meet the requirements for modifying the stored policy.
+   * **Important:** If you use IAM Conditions, you must include the `etag` field
+   * whenever you call `setIamPolicy`. If you omit this field, then IAM allows
+   * you to overwrite a version `3` policy with a version `1` policy, and all of
+   * the conditions in the version `3` policy are lost.
    * 

    *
    * bytes etag = 3;
@@ -332,6 +461,9 @@ public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io
     for (int i = 0; i < bindings_.size(); i++) {
       output.writeMessage(4, bindings_.get(i));
     }
+    for (int i = 0; i < auditConfigs_.size(); i++) {
+      output.writeMessage(6, auditConfigs_.get(i));
+    }
     unknownFields.writeTo(output);
   }
 
@@ -350,6 +482,9 @@ public int getSerializedSize() {
     for (int i = 0; i < bindings_.size(); i++) {
       size += com.google.protobuf.CodedOutputStream.computeMessageSize(4, bindings_.get(i));
     }
+    for (int i = 0; i < auditConfigs_.size(); i++) {
+      size += com.google.protobuf.CodedOutputStream.computeMessageSize(6, auditConfigs_.get(i));
+    }
     size += unknownFields.getSerializedSize();
     memoizedSize = size;
     return size;
@@ -367,6 +502,7 @@ public boolean equals(final java.lang.Object obj) {
 
     if (getVersion() != other.getVersion()) return false;
     if (!getBindingsList().equals(other.getBindingsList())) return false;
+    if (!getAuditConfigsList().equals(other.getAuditConfigsList())) return false;
     if (!getEtag().equals(other.getEtag())) return false;
     if (!unknownFields.equals(other.unknownFields)) return false;
     return true;
@@ -385,6 +521,10 @@ public int hashCode() {
       hash = (37 * hash) + BINDINGS_FIELD_NUMBER;
       hash = (53 * hash) + getBindingsList().hashCode();
     }
+    if (getAuditConfigsCount() > 0) {
+      hash = (37 * hash) + AUDIT_CONFIGS_FIELD_NUMBER;
+      hash = (53 * hash) + getAuditConfigsList().hashCode();
+    }
     hash = (37 * hash) + ETAG_FIELD_NUMBER;
     hash = (53 * hash) + getEtag().hashCode();
     hash = (29 * hash) + unknownFields.hashCode();
@@ -490,16 +630,20 @@ protected Builder newBuilderForType(com.google.protobuf.GeneratedMessageV3.Build
    *
    *
    * 
-   * Defines an Identity and Access Management (IAM) policy. It is used to
-   * specify access control policies for Cloud Platform resources.
+   * An Identity and Access Management (IAM) policy, which specifies access
+   * controls for Google Cloud resources.
    * A `Policy` is a collection of `bindings`. A `binding` binds one or more
-   * `members` to a single `role`. Members can be user accounts, service accounts,
-   * Google groups, and domains (such as G Suite). A `role` is a named list of
-   * permissions (defined by IAM or configured by users). A `binding` can
-   * optionally specify a `condition`, which is a logic expression that further
-   * constrains the role binding based on attributes about the request and/or
-   * target resource.
-   * **JSON Example**
+   * `members`, or principals, to a single `role`. Principals can be user
+   * accounts, service accounts, Google groups, and domains (such as G Suite). A
+   * `role` is a named list of permissions; each `role` can be an IAM predefined
+   * role or a user-created custom role.
+   * For some types of Google Cloud resources, a `binding` can also specify a
+   * `condition`, which is a logical expression that allows access to a resource
+   * only if the expression evaluates to `true`. A condition can add constraints
+   * based on attributes of the request, the resource, or both. To learn which
+   * resources support conditions in their IAM policies, see the
+   * [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+   * **JSON example:**
    *     {
    *       "bindings": [
    *         {
@@ -513,17 +657,20 @@ protected Builder newBuilderForType(com.google.protobuf.GeneratedMessageV3.Build
    *         },
    *         {
    *           "role": "roles/resourcemanager.organizationViewer",
-   *           "members": ["user:eve@example.com"],
+   *           "members": [
+   *             "user:eve@example.com"
+   *           ],
    *           "condition": {
    *             "title": "expirable access",
    *             "description": "Does not grant access after Sep 2020",
-   *             "expression": "request.time <
-   *             timestamp('2020-10-01T00:00:00.000Z')",
+   *             "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
    *           }
    *         }
-   *       ]
+   *       ],
+   *       "etag": "BwWWja0YfJA=",
+   *       "version": 3
    *     }
-   * **YAML Example**
+   * **YAML example:**
    *     bindings:
    *     - members:
    *       - user:mike@example.com
@@ -538,8 +685,10 @@ protected Builder newBuilderForType(com.google.protobuf.GeneratedMessageV3.Build
    *         title: expirable access
    *         description: Does not grant access after Sep 2020
    *         expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
+   *     etag: BwWWja0YfJA=
+   *     version: 3
    * For a description of IAM and its features, see the
-   * [IAM developer's guide](https://cloud.google.com/iam/docs).
+   * [IAM documentation](https://cloud.google.com/iam/docs/).
    * 

    *
    * Protobuf type {@code google.iam.v1.Policy}
@@ -573,6 +722,7 @@ private Builder(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
     private void maybeForceBuilderInitialization() {
       if (com.google.protobuf.GeneratedMessageV3.alwaysUseFieldBuilders) {
         getBindingsFieldBuilder();
+        getAuditConfigsFieldBuilder();
       }
     }
 
@@ -587,6 +737,12 @@ public Builder clear() {
       } else {
         bindingsBuilder_.clear();
       }
+      if (auditConfigsBuilder_ == null) {
+        auditConfigs_ = java.util.Collections.emptyList();
+        bitField0_ = (bitField0_ & ~0x00000002);
+      } else {
+        auditConfigsBuilder_.clear();
+      }
       etag_ = com.google.protobuf.ByteString.EMPTY;
 
       return this;
@@ -625,6 +781,15 @@ public com.google.iam.v1.Policy buildPartial() {
       } else {
         result.bindings_ = bindingsBuilder_.build();
       }
+      if (auditConfigsBuilder_ == null) {
+        if (((bitField0_ & 0x00000002) != 0)) {
+          auditConfigs_ = java.util.Collections.unmodifiableList(auditConfigs_);
+          bitField0_ = (bitField0_ & ~0x00000002);
+        }
+        result.auditConfigs_ = auditConfigs_;
+      } else {
+        result.auditConfigs_ = auditConfigsBuilder_.build();
+      }
       result.etag_ = etag_;
       onBuilt();
       return result;
@@ -705,6 +870,33 @@ public Builder mergeFrom(com.google.iam.v1.Policy other) {
           }
         }
       }
+      if (auditConfigsBuilder_ == null) {
+        if (!other.auditConfigs_.isEmpty()) {
+          if (auditConfigs_.isEmpty()) {
+            auditConfigs_ = other.auditConfigs_;
+            bitField0_ = (bitField0_ & ~0x00000002);
+          } else {
+            ensureAuditConfigsIsMutable();
+            auditConfigs_.addAll(other.auditConfigs_);
+          }
+          onChanged();
+        }
+      } else {
+        if (!other.auditConfigs_.isEmpty()) {
+          if (auditConfigsBuilder_.isEmpty()) {
+            auditConfigsBuilder_.dispose();
+            auditConfigsBuilder_ = null;
+            auditConfigs_ = other.auditConfigs_;
+            bitField0_ = (bitField0_ & ~0x00000002);
+            auditConfigsBuilder_ =
+                com.google.protobuf.GeneratedMessageV3.alwaysUseFieldBuilders
+                    ? getAuditConfigsFieldBuilder()
+                    : null;
+          } else {
+            auditConfigsBuilder_.addAllMessages(other.auditConfigs_);
+          }
+        }
+      }
       if (other.getEtag() != com.google.protobuf.ByteString.EMPTY) {
         setEtag(other.getEtag());
       }
@@ -745,16 +937,23 @@ public Builder mergeFrom(
      *
      * 
      * Specifies the format of the policy.
-     * Valid values are 0, 1, and 3. Requests specifying an invalid value will be
-     * rejected.
-     * Operations affecting conditional bindings must specify version 3. This can
-     * be either setting a conditional policy, modifying a conditional binding,
-     * or removing a binding (conditional or unconditional) from the stored
-     * conditional policy.
-     * Operations on non-conditional policies may specify any valid value or
-     * leave the field unset.
-     * If no etag is provided in the call to `setIamPolicy`, version compliance
-     * checks against the stored policy is skipped.
+     * Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
+     * are rejected.
+     * Any operation that affects conditional role bindings must specify version
+     * `3`. This requirement applies to the following operations:
+     * * Getting a policy that includes a conditional role binding
+     * * Adding a conditional role binding to a policy
+     * * Changing a conditional role binding in a policy
+     * * Removing any role binding, with or without a condition, from a policy
+     *   that includes conditions
+     * **Important:** If you use IAM Conditions, you must include the `etag` field
+     * whenever you call `setIamPolicy`. If you omit this field, then IAM allows
+     * you to overwrite a version `3` policy with a version `1` policy, and all of
+     * the conditions in the version `3` policy are lost.
+     * If a policy does not include any conditions, operations on that policy may
+     * specify any valid version or leave the field unset.
+     * To learn which resources support conditions in their IAM policies, see the
+     * [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      * 

      *
      * int32 version = 1;
@@ -770,16 +969,23 @@ public int getVersion() {
      *
      * 
      * Specifies the format of the policy.
-     * Valid values are 0, 1, and 3. Requests specifying an invalid value will be
-     * rejected.
-     * Operations affecting conditional bindings must specify version 3. This can
-     * be either setting a conditional policy, modifying a conditional binding,
-     * or removing a binding (conditional or unconditional) from the stored
-     * conditional policy.
-     * Operations on non-conditional policies may specify any valid value or
-     * leave the field unset.
-     * If no etag is provided in the call to `setIamPolicy`, version compliance
-     * checks against the stored policy is skipped.
+     * Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
+     * are rejected.
+     * Any operation that affects conditional role bindings must specify version
+     * `3`. This requirement applies to the following operations:
+     * * Getting a policy that includes a conditional role binding
+     * * Adding a conditional role binding to a policy
+     * * Changing a conditional role binding in a policy
+     * * Removing any role binding, with or without a condition, from a policy
+     *   that includes conditions
+     * **Important:** If you use IAM Conditions, you must include the `etag` field
+     * whenever you call `setIamPolicy`. If you omit this field, then IAM allows
+     * you to overwrite a version `3` policy with a version `1` policy, and all of
+     * the conditions in the version `3` policy are lost.
+     * If a policy does not include any conditions, operations on that policy may
+     * specify any valid version or leave the field unset.
+     * To learn which resources support conditions in their IAM policies, see the
+     * [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      * 

      *
      * int32 version = 1;
@@ -798,16 +1004,23 @@ public Builder setVersion(int value) {
      *
      * 
      * Specifies the format of the policy.
-     * Valid values are 0, 1, and 3. Requests specifying an invalid value will be
-     * rejected.
-     * Operations affecting conditional bindings must specify version 3. This can
-     * be either setting a conditional policy, modifying a conditional binding,
-     * or removing a binding (conditional or unconditional) from the stored
-     * conditional policy.
-     * Operations on non-conditional policies may specify any valid value or
-     * leave the field unset.
-     * If no etag is provided in the call to `setIamPolicy`, version compliance
-     * checks against the stored policy is skipped.
+     * Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
+     * are rejected.
+     * Any operation that affects conditional role bindings must specify version
+     * `3`. This requirement applies to the following operations:
+     * * Getting a policy that includes a conditional role binding
+     * * Adding a conditional role binding to a policy
+     * * Changing a conditional role binding in a policy
+     * * Removing any role binding, with or without a condition, from a policy
+     *   that includes conditions
+     * **Important:** If you use IAM Conditions, you must include the `etag` field
+     * whenever you call `setIamPolicy`. If you omit this field, then IAM allows
+     * you to overwrite a version `3` policy with a version `1` policy, and all of
+     * the conditions in the version `3` policy are lost.
+     * If a policy does not include any conditions, operations on that policy may
+     * specify any valid version or leave the field unset.
+     * To learn which resources support conditions in their IAM policies, see the
+     * [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
      * 

      *
      * int32 version = 1;
@@ -840,9 +1053,15 @@ private void ensureBindingsIsMutable() {
      *
      *
      * 
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -858,9 +1077,15 @@ public java.util.List getBindingsList() {
      *
      *
      * 
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -876,9 +1101,15 @@ public int getBindingsCount() {
      *
      *
      * 
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -894,9 +1125,15 @@ public com.google.iam.v1.Binding getBindings(int index) {
      *
      *
      * 
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -918,9 +1155,15 @@ public Builder setBindings(int index, com.google.iam.v1.Binding value) {
      *
      *
      * 
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -939,9 +1182,15 @@ public Builder setBindings(int index, com.google.iam.v1.Binding.Builder builderF
      *
      *
      * 
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -963,9 +1212,15 @@ public Builder addBindings(com.google.iam.v1.Binding value) {
      *
      *
      * 
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -987,9 +1242,15 @@ public Builder addBindings(int index, com.google.iam.v1.Binding value) {
      *
      *
      * 
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -1008,9 +1269,15 @@ public Builder addBindings(com.google.iam.v1.Binding.Builder builderForValue) {
      *
      *
      * 
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -1029,9 +1296,15 @@ public Builder addBindings(int index, com.google.iam.v1.Binding.Builder builderF
      *
      *
      * 
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -1050,9 +1323,15 @@ public Builder addAllBindings(java.lang.Iterable
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -1071,9 +1350,15 @@ public Builder clearBindings() {
      *
      *
      * 
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -1092,9 +1377,15 @@ public Builder removeBindings(int index) {
      *
      *
      * 
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -1106,9 +1397,15 @@ public com.google.iam.v1.Binding.Builder getBindingsBuilder(int index) {
      *
      *
      * 
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -1124,9 +1421,15 @@ public com.google.iam.v1.BindingOrBuilder getBindingsOrBuilder(int index) {
      *
      *
      * 
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -1142,9 +1445,15 @@ public java.util.List getBindingsO
      *
      *
      * 
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -1156,9 +1465,15 @@ public com.google.iam.v1.Binding.Builder addBindingsBuilder() {
      *
      *
      * 
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -1171,9 +1486,15 @@ public com.google.iam.v1.Binding.Builder addBindingsBuilder(int index) {
      *
      *
      * 
-     * Associates a list of `members` to a `role`. Optionally may specify a
-     * `condition` that determines when binding is in effect.
-     * `bindings` with no members will result in an error.
+     * Associates a list of `members`, or principals, with a `role`. Optionally,
+     * may specify a `condition` that determines how and when the `bindings` are
+     * applied. Each of the `bindings` must contain at least one principal.
+     * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+     * of these principals can be Google groups. Each occurrence of a principal
+     * counts towards these limits. For example, if the `bindings` grant 50
+     * different roles to `user:alice@example.com`, and not to any other
+     * principal, then you can add another 1,450 principals to the `bindings` in
+     * the `Policy`.
      * 

      *
      * repeated .google.iam.v1.Binding bindings = 4;
@@ -1199,6 +1520,354 @@ public java.util.List getBindingsBuilderList(
       return bindingsBuilder_;
     }
 
+    private java.util.List auditConfigs_ =
+        java.util.Collections.emptyList();
+
+    private void ensureAuditConfigsIsMutable() {
+      if (!((bitField0_ & 0x00000002) != 0)) {
+        auditConfigs_ = new java.util.ArrayList(auditConfigs_);
+        bitField0_ |= 0x00000002;
+      }
+    }
+
+    private com.google.protobuf.RepeatedFieldBuilderV3<
+            com.google.iam.v1.AuditConfig,
+            com.google.iam.v1.AuditConfig.Builder,
+            com.google.iam.v1.AuditConfigOrBuilder>
+        auditConfigsBuilder_;
+
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public java.util.List getAuditConfigsList() {
+      if (auditConfigsBuilder_ == null) {
+        return java.util.Collections.unmodifiableList(auditConfigs_);
+      } else {
+        return auditConfigsBuilder_.getMessageList();
+      }
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public int getAuditConfigsCount() {
+      if (auditConfigsBuilder_ == null) {
+        return auditConfigs_.size();
+      } else {
+        return auditConfigsBuilder_.getCount();
+      }
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public com.google.iam.v1.AuditConfig getAuditConfigs(int index) {
+      if (auditConfigsBuilder_ == null) {
+        return auditConfigs_.get(index);
+      } else {
+        return auditConfigsBuilder_.getMessage(index);
+      }
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public Builder setAuditConfigs(int index, com.google.iam.v1.AuditConfig value) {
+      if (auditConfigsBuilder_ == null) {
+        if (value == null) {
+          throw new NullPointerException();
+        }
+        ensureAuditConfigsIsMutable();
+        auditConfigs_.set(index, value);
+        onChanged();
+      } else {
+        auditConfigsBuilder_.setMessage(index, value);
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public Builder setAuditConfigs(
+        int index, com.google.iam.v1.AuditConfig.Builder builderForValue) {
+      if (auditConfigsBuilder_ == null) {
+        ensureAuditConfigsIsMutable();
+        auditConfigs_.set(index, builderForValue.build());
+        onChanged();
+      } else {
+        auditConfigsBuilder_.setMessage(index, builderForValue.build());
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public Builder addAuditConfigs(com.google.iam.v1.AuditConfig value) {
+      if (auditConfigsBuilder_ == null) {
+        if (value == null) {
+          throw new NullPointerException();
+        }
+        ensureAuditConfigsIsMutable();
+        auditConfigs_.add(value);
+        onChanged();
+      } else {
+        auditConfigsBuilder_.addMessage(value);
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public Builder addAuditConfigs(int index, com.google.iam.v1.AuditConfig value) {
+      if (auditConfigsBuilder_ == null) {
+        if (value == null) {
+          throw new NullPointerException();
+        }
+        ensureAuditConfigsIsMutable();
+        auditConfigs_.add(index, value);
+        onChanged();
+      } else {
+        auditConfigsBuilder_.addMessage(index, value);
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public Builder addAuditConfigs(com.google.iam.v1.AuditConfig.Builder builderForValue) {
+      if (auditConfigsBuilder_ == null) {
+        ensureAuditConfigsIsMutable();
+        auditConfigs_.add(builderForValue.build());
+        onChanged();
+      } else {
+        auditConfigsBuilder_.addMessage(builderForValue.build());
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public Builder addAuditConfigs(
+        int index, com.google.iam.v1.AuditConfig.Builder builderForValue) {
+      if (auditConfigsBuilder_ == null) {
+        ensureAuditConfigsIsMutable();
+        auditConfigs_.add(index, builderForValue.build());
+        onChanged();
+      } else {
+        auditConfigsBuilder_.addMessage(index, builderForValue.build());
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public Builder addAllAuditConfigs(
+        java.lang.Iterable values) {
+      if (auditConfigsBuilder_ == null) {
+        ensureAuditConfigsIsMutable();
+        com.google.protobuf.AbstractMessageLite.Builder.addAll(values, auditConfigs_);
+        onChanged();
+      } else {
+        auditConfigsBuilder_.addAllMessages(values);
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public Builder clearAuditConfigs() {
+      if (auditConfigsBuilder_ == null) {
+        auditConfigs_ = java.util.Collections.emptyList();
+        bitField0_ = (bitField0_ & ~0x00000002);
+        onChanged();
+      } else {
+        auditConfigsBuilder_.clear();
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public Builder removeAuditConfigs(int index) {
+      if (auditConfigsBuilder_ == null) {
+        ensureAuditConfigsIsMutable();
+        auditConfigs_.remove(index);
+        onChanged();
+      } else {
+        auditConfigsBuilder_.remove(index);
+      }
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public com.google.iam.v1.AuditConfig.Builder getAuditConfigsBuilder(int index) {
+      return getAuditConfigsFieldBuilder().getBuilder(index);
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public com.google.iam.v1.AuditConfigOrBuilder getAuditConfigsOrBuilder(int index) {
+      if (auditConfigsBuilder_ == null) {
+        return auditConfigs_.get(index);
+      } else {
+        return auditConfigsBuilder_.getMessageOrBuilder(index);
+      }
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public java.util.List
+        getAuditConfigsOrBuilderList() {
+      if (auditConfigsBuilder_ != null) {
+        return auditConfigsBuilder_.getMessageOrBuilderList();
+      } else {
+        return java.util.Collections.unmodifiableList(auditConfigs_);
+      }
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public com.google.iam.v1.AuditConfig.Builder addAuditConfigsBuilder() {
+      return getAuditConfigsFieldBuilder()
+          .addBuilder(com.google.iam.v1.AuditConfig.getDefaultInstance());
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public com.google.iam.v1.AuditConfig.Builder addAuditConfigsBuilder(int index) {
+      return getAuditConfigsFieldBuilder()
+          .addBuilder(index, com.google.iam.v1.AuditConfig.getDefaultInstance());
+    }
+    /**
+     *
+     *
+     * 
+     * Specifies cloud audit logging configuration for this policy.
+     * 

+     *
+     * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+     */
+    public java.util.List getAuditConfigsBuilderList() {
+      return getAuditConfigsFieldBuilder().getBuilderList();
+    }
+
+    private com.google.protobuf.RepeatedFieldBuilderV3<
+            com.google.iam.v1.AuditConfig,
+            com.google.iam.v1.AuditConfig.Builder,
+            com.google.iam.v1.AuditConfigOrBuilder>
+        getAuditConfigsFieldBuilder() {
+      if (auditConfigsBuilder_ == null) {
+        auditConfigsBuilder_ =
+            new com.google.protobuf.RepeatedFieldBuilderV3<
+                com.google.iam.v1.AuditConfig,
+                com.google.iam.v1.AuditConfig.Builder,
+                com.google.iam.v1.AuditConfigOrBuilder>(
+                auditConfigs_, ((bitField0_ & 0x00000002) != 0), getParentForChildren(), isClean());
+        auditConfigs_ = null;
+      }
+      return auditConfigsBuilder_;
+    }
+
     private com.google.protobuf.ByteString etag_ = com.google.protobuf.ByteString.EMPTY;
     /**
      *
@@ -1211,10 +1880,10 @@ public java.util.List getBindingsBuilderList(
      * conditions: An `etag` is returned in the response to `getIamPolicy`, and
      * systems are expected to put that etag in the request to `setIamPolicy` to
      * ensure that their change will be applied to the same version of the policy.
-     * If no `etag` is provided in the call to `setIamPolicy`, then the existing
-     * policy is overwritten. Due to blind-set semantics of an etag-less policy,
-     * 'setIamPolicy' will not fail even if the incoming policy version does not
-     * meet the requirements for modifying the stored policy.
+     * **Important:** If you use IAM Conditions, you must include the `etag` field
+     * whenever you call `setIamPolicy`. If you omit this field, then IAM allows
+     * you to overwrite a version `3` policy with a version `1` policy, and all of
+     * the conditions in the version `3` policy are lost.
      * 

      *
      * bytes etag = 3;
@@ -1236,10 +1905,10 @@ public com.google.protobuf.ByteString getEtag() {
      * conditions: An `etag` is returned in the response to `getIamPolicy`, and
      * systems are expected to put that etag in the request to `setIamPolicy` to
      * ensure that their change will be applied to the same version of the policy.
-     * If no `etag` is provided in the call to `setIamPolicy`, then the existing
-     * policy is overwritten. Due to blind-set semantics of an etag-less policy,
-     * 'setIamPolicy' will not fail even if the incoming policy version does not
-     * meet the requirements for modifying the stored policy.
+     * **Important:** If you use IAM Conditions, you must include the `etag` field
+     * whenever you call `setIamPolicy`. If you omit this field, then IAM allows
+     * you to overwrite a version `3` policy with a version `1` policy, and all of
+     * the conditions in the version `3` policy are lost.
      * 

      *
      * bytes etag = 3;
@@ -1267,10 +1936,10 @@ public Builder setEtag(com.google.protobuf.ByteString value) {
      * conditions: An `etag` is returned in the response to `getIamPolicy`, and
      * systems are expected to put that etag in the request to `setIamPolicy` to
      * ensure that their change will be applied to the same version of the policy.
-     * If no `etag` is provided in the call to `setIamPolicy`, then the existing
-     * policy is overwritten. Due to blind-set semantics of an etag-less policy,
-     * 'setIamPolicy' will not fail even if the incoming policy version does not
-     * meet the requirements for modifying the stored policy.
+     * **Important:** If you use IAM Conditions, you must include the `etag` field
+     * whenever you call `setIamPolicy`. If you omit this field, then IAM allows
+     * you to overwrite a version `3` policy with a version `1` policy, and all of
+     * the conditions in the version `3` policy are lost.
      * 

      *
      * bytes etag = 3;
diff --git a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/PolicyOrBuilder.java b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/PolicyOrBuilder.java
index 6be361f345..571dcb8057 100644
--- a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/PolicyOrBuilder.java
+++ b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/PolicyOrBuilder.java
@@ -28,16 +28,23 @@ public interface PolicyOrBuilder
    *
    * 
    * Specifies the format of the policy.
-   * Valid values are 0, 1, and 3. Requests specifying an invalid value will be
-   * rejected.
-   * Operations affecting conditional bindings must specify version 3. This can
-   * be either setting a conditional policy, modifying a conditional binding,
-   * or removing a binding (conditional or unconditional) from the stored
-   * conditional policy.
-   * Operations on non-conditional policies may specify any valid value or
-   * leave the field unset.
-   * If no etag is provided in the call to `setIamPolicy`, version compliance
-   * checks against the stored policy is skipped.
+   * Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
+   * are rejected.
+   * Any operation that affects conditional role bindings must specify version
+   * `3`. This requirement applies to the following operations:
+   * * Getting a policy that includes a conditional role binding
+   * * Adding a conditional role binding to a policy
+   * * Changing a conditional role binding in a policy
+   * * Removing any role binding, with or without a condition, from a policy
+   *   that includes conditions
+   * **Important:** If you use IAM Conditions, you must include the `etag` field
+   * whenever you call `setIamPolicy`. If you omit this field, then IAM allows
+   * you to overwrite a version `3` policy with a version `1` policy, and all of
+   * the conditions in the version `3` policy are lost.
+   * If a policy does not include any conditions, operations on that policy may
+   * specify any valid version or leave the field unset.
+   * To learn which resources support conditions in their IAM policies, see the
+   * [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
    * 

    *
    * int32 version = 1;
@@ -50,9 +57,15 @@ public interface PolicyOrBuilder
    *
    *
    * 
-   * Associates a list of `members` to a `role`. Optionally may specify a
-   * `condition` that determines when binding is in effect.
-   * `bindings` with no members will result in an error.
+   * Associates a list of `members`, or principals, with a `role`. Optionally,
+   * may specify a `condition` that determines how and when the `bindings` are
+   * applied. Each of the `bindings` must contain at least one principal.
+   * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+   * of these principals can be Google groups. Each occurrence of a principal
+   * counts towards these limits. For example, if the `bindings` grant 50
+   * different roles to `user:alice@example.com`, and not to any other
+   * principal, then you can add another 1,450 principals to the `bindings` in
+   * the `Policy`.
    * 

    *
    * repeated .google.iam.v1.Binding bindings = 4;
@@ -62,9 +75,15 @@ public interface PolicyOrBuilder
    *
    *
    * 
-   * Associates a list of `members` to a `role`. Optionally may specify a
-   * `condition` that determines when binding is in effect.
-   * `bindings` with no members will result in an error.
+   * Associates a list of `members`, or principals, with a `role`. Optionally,
+   * may specify a `condition` that determines how and when the `bindings` are
+   * applied. Each of the `bindings` must contain at least one principal.
+   * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+   * of these principals can be Google groups. Each occurrence of a principal
+   * counts towards these limits. For example, if the `bindings` grant 50
+   * different roles to `user:alice@example.com`, and not to any other
+   * principal, then you can add another 1,450 principals to the `bindings` in
+   * the `Policy`.
    * 

    *
    * repeated .google.iam.v1.Binding bindings = 4;
@@ -74,9 +93,15 @@ public interface PolicyOrBuilder
    *
    *
    * 
-   * Associates a list of `members` to a `role`. Optionally may specify a
-   * `condition` that determines when binding is in effect.
-   * `bindings` with no members will result in an error.
+   * Associates a list of `members`, or principals, with a `role`. Optionally,
+   * may specify a `condition` that determines how and when the `bindings` are
+   * applied. Each of the `bindings` must contain at least one principal.
+   * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+   * of these principals can be Google groups. Each occurrence of a principal
+   * counts towards these limits. For example, if the `bindings` grant 50
+   * different roles to `user:alice@example.com`, and not to any other
+   * principal, then you can add another 1,450 principals to the `bindings` in
+   * the `Policy`.
    * 

    *
    * repeated .google.iam.v1.Binding bindings = 4;
@@ -86,9 +111,15 @@ public interface PolicyOrBuilder
    *
    *
    * 
-   * Associates a list of `members` to a `role`. Optionally may specify a
-   * `condition` that determines when binding is in effect.
-   * `bindings` with no members will result in an error.
+   * Associates a list of `members`, or principals, with a `role`. Optionally,
+   * may specify a `condition` that determines how and when the `bindings` are
+   * applied. Each of the `bindings` must contain at least one principal.
+   * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+   * of these principals can be Google groups. Each occurrence of a principal
+   * counts towards these limits. For example, if the `bindings` grant 50
+   * different roles to `user:alice@example.com`, and not to any other
+   * principal, then you can add another 1,450 principals to the `bindings` in
+   * the `Policy`.
    * 

    *
    * repeated .google.iam.v1.Binding bindings = 4;
@@ -98,15 +129,72 @@ public interface PolicyOrBuilder
    *
    *
    * 
-   * Associates a list of `members` to a `role`. Optionally may specify a
-   * `condition` that determines when binding is in effect.
-   * `bindings` with no members will result in an error.
+   * Associates a list of `members`, or principals, with a `role`. Optionally,
+   * may specify a `condition` that determines how and when the `bindings` are
+   * applied. Each of the `bindings` must contain at least one principal.
+   * The `bindings` in a `Policy` can refer to up to 1,500 principals; up to 250
+   * of these principals can be Google groups. Each occurrence of a principal
+   * counts towards these limits. For example, if the `bindings` grant 50
+   * different roles to `user:alice@example.com`, and not to any other
+   * principal, then you can add another 1,450 principals to the `bindings` in
+   * the `Policy`.
    * 

    *
    * repeated .google.iam.v1.Binding bindings = 4;
    */
   com.google.iam.v1.BindingOrBuilder getBindingsOrBuilder(int index);
 
+  /**
+   *
+   *
+   * 
+   * Specifies cloud audit logging configuration for this policy.
+   * 

+   *
+   * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+   */
+  java.util.List getAuditConfigsList();
+  /**
+   *
+   *
+   * 
+   * Specifies cloud audit logging configuration for this policy.
+   * 

+   *
+   * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+   */
+  com.google.iam.v1.AuditConfig getAuditConfigs(int index);
+  /**
+   *
+   *
+   * 
+   * Specifies cloud audit logging configuration for this policy.
+   * 

+   *
+   * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+   */
+  int getAuditConfigsCount();
+  /**
+   *
+   *
+   * 
+   * Specifies cloud audit logging configuration for this policy.
+   * 

+   *
+   * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+   */
+  java.util.List getAuditConfigsOrBuilderList();
+  /**
+   *
+   *
+   * 
+   * Specifies cloud audit logging configuration for this policy.
+   * 

+   *
+   * repeated .google.iam.v1.AuditConfig audit_configs = 6;
+   */
+  com.google.iam.v1.AuditConfigOrBuilder getAuditConfigsOrBuilder(int index);
+
   /**
    *
    *
@@ -118,10 +206,10 @@ public interface PolicyOrBuilder
    * conditions: An `etag` is returned in the response to `getIamPolicy`, and
    * systems are expected to put that etag in the request to `setIamPolicy` to
    * ensure that their change will be applied to the same version of the policy.
-   * If no `etag` is provided in the call to `setIamPolicy`, then the existing
-   * policy is overwritten. Due to blind-set semantics of an etag-less policy,
-   * 'setIamPolicy' will not fail even if the incoming policy version does not
-   * meet the requirements for modifying the stored policy.
+   * **Important:** If you use IAM Conditions, you must include the `etag` field
+   * whenever you call `setIamPolicy`. If you omit this field, then IAM allows
+   * you to overwrite a version `3` policy with a version `1` policy, and all of
+   * the conditions in the version `3` policy are lost.
    * 

    *
    * bytes etag = 3;
diff --git a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/PolicyProto.java b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/PolicyProto.java
index 2eee39d05a..8ba3e50af0 100644
--- a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/PolicyProto.java
+++ b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/PolicyProto.java
@@ -35,6 +35,14 @@ public static void registerAllExtensions(com.google.protobuf.ExtensionRegistry r
       internal_static_google_iam_v1_Binding_descriptor;
   static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
       internal_static_google_iam_v1_Binding_fieldAccessorTable;
+  static final com.google.protobuf.Descriptors.Descriptor
+      internal_static_google_iam_v1_AuditConfig_descriptor;
+  static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_google_iam_v1_AuditConfig_fieldAccessorTable;
+  static final com.google.protobuf.Descriptors.Descriptor
+      internal_static_google_iam_v1_AuditLogConfig_descriptor;
+  static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_google_iam_v1_AuditLogConfig_fieldAccessorTable;
   static final com.google.protobuf.Descriptors.Descriptor
       internal_static_google_iam_v1_PolicyDelta_descriptor;
   static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
@@ -57,42 +65,49 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() {
   static {
     java.lang.String[] descriptorData = {
       "\n\032google/iam/v1/policy.proto\022\rgoogle.iam"
-          + ".v1\032\026google/type/expr.proto\032\034google/api/"
-          + "annotations.proto\"Q\n\006Policy\022\017\n\007version\030\001"
-          + " \001(\005\022(\n\010bindings\030\004 \003(\0132\026.google.iam.v1.B"
-          + "inding\022\014\n\004etag\030\003 \001(\014\"N\n\007Binding\022\014\n\004role\030"
-          + "\001 \001(\t\022\017\n\007members\030\002 \003(\t\022$\n\tcondition\030\003 \001("
-          + "\0132\021.google.type.Expr\"\200\001\n\013PolicyDelta\0223\n\016"
-          + "binding_deltas\030\001 \003(\0132\033.google.iam.v1.Bin"
-          + "dingDelta\022<\n\023audit_config_deltas\030\002 \003(\0132\037"
-          + ".google.iam.v1.AuditConfigDelta\"\275\001\n\014Bind"
-          + "ingDelta\0222\n\006action\030\001 \001(\0162\".google.iam.v1"
-          + ".BindingDelta.Action\022\014\n\004role\030\002 \001(\t\022\016\n\006me"
-          + "mber\030\003 \001(\t\022$\n\tcondition\030\004 \001(\0132\021.google.t"
-          + "ype.Expr\"5\n\006Action\022\026\n\022ACTION_UNSPECIFIED"
-          + "\020\000\022\007\n\003ADD\020\001\022\n\n\006REMOVE\020\002\"\275\001\n\020AuditConfigD"
-          + "elta\0226\n\006action\030\001 \001(\0162&.google.iam.v1.Aud"
-          + "itConfigDelta.Action\022\017\n\007service\030\002 \001(\t\022\027\n"
-          + "\017exempted_member\030\003 \001(\t\022\020\n\010log_type\030\004 \001(\t"
-          + "\"5\n\006Action\022\026\n\022ACTION_UNSPECIFIED\020\000\022\007\n\003AD"
-          + "D\020\001\022\n\n\006REMOVE\020\002B\203\001\n\021com.google.iam.v1B\013P"
-          + "olicyProtoP\001Z0google.golang.org/genproto"
-          + "/googleapis/iam/v1;iam\370\001\001\252\002\023Google.Cloud"
-          + ".Iam.V1\312\002\023Google\\Cloud\\Iam\\V1b\006proto3"
+          + ".v1\032\026google/type/expr.proto\"\204\001\n\006Policy\022\017"
+          + "\n\007version\030\001 \001(\005\022(\n\010bindings\030\004 \003(\0132\026.goog"
+          + "le.iam.v1.Binding\0221\n\raudit_configs\030\006 \003(\013"
+          + "2\032.google.iam.v1.AuditConfig\022\014\n\004etag\030\003 \001"
+          + "(\014\"N\n\007Binding\022\014\n\004role\030\001 \001(\t\022\017\n\007members\030\002"
+          + " \003(\t\022$\n\tcondition\030\003 \001(\0132\021.google.type.Ex"
+          + "pr\"X\n\013AuditConfig\022\017\n\007service\030\001 \001(\t\0228\n\021au"
+          + "dit_log_configs\030\003 \003(\0132\035.google.iam.v1.Au"
+          + "ditLogConfig\"\267\001\n\016AuditLogConfig\0227\n\010log_t"
+          + "ype\030\001 \001(\0162%.google.iam.v1.AuditLogConfig"
+          + ".LogType\022\030\n\020exempted_members\030\002 \003(\t\"R\n\007Lo"
+          + "gType\022\030\n\024LOG_TYPE_UNSPECIFIED\020\000\022\016\n\nADMIN"
+          + "_READ\020\001\022\016\n\nDATA_WRITE\020\002\022\r\n\tDATA_READ\020\003\"\200"
+          + "\001\n\013PolicyDelta\0223\n\016binding_deltas\030\001 \003(\0132\033"
+          + ".google.iam.v1.BindingDelta\022<\n\023audit_con"
+          + "fig_deltas\030\002 \003(\0132\037.google.iam.v1.AuditCo"
+          + "nfigDelta\"\275\001\n\014BindingDelta\0222\n\006action\030\001 \001"
+          + "(\0162\".google.iam.v1.BindingDelta.Action\022\014"
+          + "\n\004role\030\002 \001(\t\022\016\n\006member\030\003 \001(\t\022$\n\tconditio"
+          + "n\030\004 \001(\0132\021.google.type.Expr\"5\n\006Action\022\026\n\022"
+          + "ACTION_UNSPECIFIED\020\000\022\007\n\003ADD\020\001\022\n\n\006REMOVE\020"
+          + "\002\"\275\001\n\020AuditConfigDelta\0226\n\006action\030\001 \001(\0162&"
+          + ".google.iam.v1.AuditConfigDelta.Action\022\017"
+          + "\n\007service\030\002 \001(\t\022\027\n\017exempted_member\030\003 \001(\t"
+          + "\022\020\n\010log_type\030\004 \001(\t\"5\n\006Action\022\026\n\022ACTION_U"
+          + "NSPECIFIED\020\000\022\007\n\003ADD\020\001\022\n\n\006REMOVE\020\002B\203\001\n\021co"
+          + "m.google.iam.v1B\013PolicyProtoP\001Z0google.g"
+          + "olang.org/genproto/googleapis/iam/v1;iam"
+          + "\370\001\001\252\002\023Google.Cloud.Iam.V1\312\002\023Google\\Cloud"
+          + "\\Iam\\V1b\006proto3"
     };
     descriptor =
         com.google.protobuf.Descriptors.FileDescriptor.internalBuildGeneratedFileFrom(
             descriptorData,
             new com.google.protobuf.Descriptors.FileDescriptor[] {
               com.google.type.ExprProto.getDescriptor(),
-              com.google.api.AnnotationsProto.getDescriptor(),
             });
     internal_static_google_iam_v1_Policy_descriptor = getDescriptor().getMessageTypes().get(0);
     internal_static_google_iam_v1_Policy_fieldAccessorTable =
         new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
             internal_static_google_iam_v1_Policy_descriptor,
             new java.lang.String[] {
-              "Version", "Bindings", "Etag",
+              "Version", "Bindings", "AuditConfigs", "Etag",
             });
     internal_static_google_iam_v1_Binding_descriptor = getDescriptor().getMessageTypes().get(1);
     internal_static_google_iam_v1_Binding_fieldAccessorTable =
@@ -101,7 +116,22 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() {
             new java.lang.String[] {
               "Role", "Members", "Condition",
             });
-    internal_static_google_iam_v1_PolicyDelta_descriptor = getDescriptor().getMessageTypes().get(2);
+    internal_static_google_iam_v1_AuditConfig_descriptor = getDescriptor().getMessageTypes().get(2);
+    internal_static_google_iam_v1_AuditConfig_fieldAccessorTable =
+        new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+            internal_static_google_iam_v1_AuditConfig_descriptor,
+            new java.lang.String[] {
+              "Service", "AuditLogConfigs",
+            });
+    internal_static_google_iam_v1_AuditLogConfig_descriptor =
+        getDescriptor().getMessageTypes().get(3);
+    internal_static_google_iam_v1_AuditLogConfig_fieldAccessorTable =
+        new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+            internal_static_google_iam_v1_AuditLogConfig_descriptor,
+            new java.lang.String[] {
+              "LogType", "ExemptedMembers",
+            });
+    internal_static_google_iam_v1_PolicyDelta_descriptor = getDescriptor().getMessageTypes().get(4);
     internal_static_google_iam_v1_PolicyDelta_fieldAccessorTable =
         new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
             internal_static_google_iam_v1_PolicyDelta_descriptor,
@@ -109,7 +139,7 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() {
               "BindingDeltas", "AuditConfigDeltas",
             });
     internal_static_google_iam_v1_BindingDelta_descriptor =
-        getDescriptor().getMessageTypes().get(3);
+        getDescriptor().getMessageTypes().get(5);
     internal_static_google_iam_v1_BindingDelta_fieldAccessorTable =
         new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
             internal_static_google_iam_v1_BindingDelta_descriptor,
@@ -117,7 +147,7 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() {
               "Action", "Role", "Member", "Condition",
             });
     internal_static_google_iam_v1_AuditConfigDelta_descriptor =
-        getDescriptor().getMessageTypes().get(4);
+        getDescriptor().getMessageTypes().get(6);
     internal_static_google_iam_v1_AuditConfigDelta_fieldAccessorTable =
         new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
             internal_static_google_iam_v1_AuditConfigDelta_descriptor,
@@ -125,7 +155,6 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() {
               "Action", "Service", "ExemptedMember", "LogType",
             });
     com.google.type.ExprProto.getDescriptor();
-    com.google.api.AnnotationsProto.getDescriptor();
   }
 
   // @@protoc_insertion_point(outer_class_scope)
diff --git a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/SetIamPolicyRequest.java b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/SetIamPolicyRequest.java
index 91de98ad27..69e7e674b0 100644
--- a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/SetIamPolicyRequest.java
+++ b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/SetIamPolicyRequest.java
@@ -89,6 +89,21 @@ private SetIamPolicyRequest(
                 policy_ = subBuilder.buildPartial();
               }
 
+              break;
+            }
+          case 26:
+            {
+              com.google.protobuf.FieldMask.Builder subBuilder = null;
+              if (updateMask_ != null) {
+                subBuilder = updateMask_.toBuilder();
+              }
+              updateMask_ =
+                  input.readMessage(com.google.protobuf.FieldMask.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(updateMask_);
+                updateMask_ = subBuilder.buildPartial();
+              }
+
               break;
             }
           default:
@@ -235,6 +250,61 @@ public com.google.iam.v1.PolicyOrBuilder getPolicyOrBuilder() {
     return getPolicy();
   }
 
+  public static final int UPDATE_MASK_FIELD_NUMBER = 3;
+  private com.google.protobuf.FieldMask updateMask_;
+  /**
+   *
+   *
+   * 
+   * OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+   * the fields in the mask will be modified. If no mask is provided, the
+   * following default mask is used:
+   * `paths: "bindings, etag"`
+   * 

+   *
+   * .google.protobuf.FieldMask update_mask = 3;
+   *
+   * @return Whether the updateMask field is set.
+   */
+  @java.lang.Override
+  public boolean hasUpdateMask() {
+    return updateMask_ != null;
+  }
+  /**
+   *
+   *
+   * 
+   * OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+   * the fields in the mask will be modified. If no mask is provided, the
+   * following default mask is used:
+   * `paths: "bindings, etag"`
+   * 

+   *
+   * .google.protobuf.FieldMask update_mask = 3;
+   *
+   * @return The updateMask.
+   */
+  @java.lang.Override
+  public com.google.protobuf.FieldMask getUpdateMask() {
+    return updateMask_ == null ? com.google.protobuf.FieldMask.getDefaultInstance() : updateMask_;
+  }
+  /**
+   *
+   *
+   * 
+   * OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+   * the fields in the mask will be modified. If no mask is provided, the
+   * following default mask is used:
+   * `paths: "bindings, etag"`
+   * 

+   *
+   * .google.protobuf.FieldMask update_mask = 3;
+   */
+  @java.lang.Override
+  public com.google.protobuf.FieldMaskOrBuilder getUpdateMaskOrBuilder() {
+    return getUpdateMask();
+  }
+
   private byte memoizedIsInitialized = -1;
 
   @java.lang.Override
@@ -255,6 +325,9 @@ public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io
     if (policy_ != null) {
       output.writeMessage(2, getPolicy());
     }
+    if (updateMask_ != null) {
+      output.writeMessage(3, getUpdateMask());
+    }
     unknownFields.writeTo(output);
   }
 
@@ -270,6 +343,9 @@ public int getSerializedSize() {
     if (policy_ != null) {
       size += com.google.protobuf.CodedOutputStream.computeMessageSize(2, getPolicy());
     }
+    if (updateMask_ != null) {
+      size += com.google.protobuf.CodedOutputStream.computeMessageSize(3, getUpdateMask());
+    }
     size += unknownFields.getSerializedSize();
     memoizedSize = size;
     return size;
@@ -290,6 +366,10 @@ public boolean equals(final java.lang.Object obj) {
     if (hasPolicy()) {
       if (!getPolicy().equals(other.getPolicy())) return false;
     }
+    if (hasUpdateMask() != other.hasUpdateMask()) return false;
+    if (hasUpdateMask()) {
+      if (!getUpdateMask().equals(other.getUpdateMask())) return false;
+    }
     if (!unknownFields.equals(other.unknownFields)) return false;
     return true;
   }
@@ -307,6 +387,10 @@ public int hashCode() {
       hash = (37 * hash) + POLICY_FIELD_NUMBER;
       hash = (53 * hash) + getPolicy().hashCode();
     }
+    if (hasUpdateMask()) {
+      hash = (37 * hash) + UPDATE_MASK_FIELD_NUMBER;
+      hash = (53 * hash) + getUpdateMask().hashCode();
+    }
     hash = (29 * hash) + unknownFields.hashCode();
     memoizedHashCode = hash;
     return hash;
@@ -459,6 +543,12 @@ public Builder clear() {
         policy_ = null;
         policyBuilder_ = null;
       }
+      if (updateMaskBuilder_ == null) {
+        updateMask_ = null;
+      } else {
+        updateMask_ = null;
+        updateMaskBuilder_ = null;
+      }
       return this;
     }
 
@@ -492,6 +582,11 @@ public com.google.iam.v1.SetIamPolicyRequest buildPartial() {
       } else {
         result.policy_ = policyBuilder_.build();
       }
+      if (updateMaskBuilder_ == null) {
+        result.updateMask_ = updateMask_;
+      } else {
+        result.updateMask_ = updateMaskBuilder_.build();
+      }
       onBuilt();
       return result;
     }
@@ -548,6 +643,9 @@ public Builder mergeFrom(com.google.iam.v1.SetIamPolicyRequest other) {
       if (other.hasPolicy()) {
         mergePolicy(other.getPolicy());
       }
+      if (other.hasUpdateMask()) {
+        mergeUpdateMask(other.getUpdateMask());
+      }
       this.mergeUnknownFields(other.unknownFields);
       onChanged();
       return this;
@@ -902,6 +1000,216 @@ public com.google.iam.v1.PolicyOrBuilder getPolicyOrBuilder() {
       return policyBuilder_;
     }
 
+    private com.google.protobuf.FieldMask updateMask_;
+    private com.google.protobuf.SingleFieldBuilderV3<
+            com.google.protobuf.FieldMask,
+            com.google.protobuf.FieldMask.Builder,
+            com.google.protobuf.FieldMaskOrBuilder>
+        updateMaskBuilder_;
+    /**
+     *
+     *
+     * 
+     * OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+     * the fields in the mask will be modified. If no mask is provided, the
+     * following default mask is used:
+     * `paths: "bindings, etag"`
+     * 

+     *
+     * .google.protobuf.FieldMask update_mask = 3;
+     *
+     * @return Whether the updateMask field is set.
+     */
+    public boolean hasUpdateMask() {
+      return updateMaskBuilder_ != null || updateMask_ != null;
+    }
+    /**
+     *
+     *
+     * 
+     * OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+     * the fields in the mask will be modified. If no mask is provided, the
+     * following default mask is used:
+     * `paths: "bindings, etag"`
+     * 

+     *
+     * .google.protobuf.FieldMask update_mask = 3;
+     *
+     * @return The updateMask.
+     */
+    public com.google.protobuf.FieldMask getUpdateMask() {
+      if (updateMaskBuilder_ == null) {
+        return updateMask_ == null
+            ? com.google.protobuf.FieldMask.getDefaultInstance()
+            : updateMask_;
+      } else {
+        return updateMaskBuilder_.getMessage();
+      }
+    }
+    /**
+     *
+     *
+     * 
+     * OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+     * the fields in the mask will be modified. If no mask is provided, the
+     * following default mask is used:
+     * `paths: "bindings, etag"`
+     * 

+     *
+     * .google.protobuf.FieldMask update_mask = 3;
+     */
+    public Builder setUpdateMask(com.google.protobuf.FieldMask value) {
+      if (updateMaskBuilder_ == null) {
+        if (value == null) {
+          throw new NullPointerException();
+        }
+        updateMask_ = value;
+        onChanged();
+      } else {
+        updateMaskBuilder_.setMessage(value);
+      }
+
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+     * the fields in the mask will be modified. If no mask is provided, the
+     * following default mask is used:
+     * `paths: "bindings, etag"`
+     * 

+     *
+     * .google.protobuf.FieldMask update_mask = 3;
+     */
+    public Builder setUpdateMask(com.google.protobuf.FieldMask.Builder builderForValue) {
+      if (updateMaskBuilder_ == null) {
+        updateMask_ = builderForValue.build();
+        onChanged();
+      } else {
+        updateMaskBuilder_.setMessage(builderForValue.build());
+      }
+
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+     * the fields in the mask will be modified. If no mask is provided, the
+     * following default mask is used:
+     * `paths: "bindings, etag"`
+     * 

+     *
+     * .google.protobuf.FieldMask update_mask = 3;
+     */
+    public Builder mergeUpdateMask(com.google.protobuf.FieldMask value) {
+      if (updateMaskBuilder_ == null) {
+        if (updateMask_ != null) {
+          updateMask_ =
+              com.google.protobuf.FieldMask.newBuilder(updateMask_).mergeFrom(value).buildPartial();
+        } else {
+          updateMask_ = value;
+        }
+        onChanged();
+      } else {
+        updateMaskBuilder_.mergeFrom(value);
+      }
+
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+     * the fields in the mask will be modified. If no mask is provided, the
+     * following default mask is used:
+     * `paths: "bindings, etag"`
+     * 

+     *
+     * .google.protobuf.FieldMask update_mask = 3;
+     */
+    public Builder clearUpdateMask() {
+      if (updateMaskBuilder_ == null) {
+        updateMask_ = null;
+        onChanged();
+      } else {
+        updateMask_ = null;
+        updateMaskBuilder_ = null;
+      }
+
+      return this;
+    }
+    /**
+     *
+     *
+     * 
+     * OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+     * the fields in the mask will be modified. If no mask is provided, the
+     * following default mask is used:
+     * `paths: "bindings, etag"`
+     * 

+     *
+     * .google.protobuf.FieldMask update_mask = 3;
+     */
+    public com.google.protobuf.FieldMask.Builder getUpdateMaskBuilder() {
+
+      onChanged();
+      return getUpdateMaskFieldBuilder().getBuilder();
+    }
+    /**
+     *
+     *
+     * 
+     * OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+     * the fields in the mask will be modified. If no mask is provided, the
+     * following default mask is used:
+     * `paths: "bindings, etag"`
+     * 

+     *
+     * .google.protobuf.FieldMask update_mask = 3;
+     */
+    public com.google.protobuf.FieldMaskOrBuilder getUpdateMaskOrBuilder() {
+      if (updateMaskBuilder_ != null) {
+        return updateMaskBuilder_.getMessageOrBuilder();
+      } else {
+        return updateMask_ == null
+            ? com.google.protobuf.FieldMask.getDefaultInstance()
+            : updateMask_;
+      }
+    }
+    /**
+     *
+     *
+     * 
+     * OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+     * the fields in the mask will be modified. If no mask is provided, the
+     * following default mask is used:
+     * `paths: "bindings, etag"`
+     * 

+     *
+     * .google.protobuf.FieldMask update_mask = 3;
+     */
+    private com.google.protobuf.SingleFieldBuilderV3<
+            com.google.protobuf.FieldMask,
+            com.google.protobuf.FieldMask.Builder,
+            com.google.protobuf.FieldMaskOrBuilder>
+        getUpdateMaskFieldBuilder() {
+      if (updateMaskBuilder_ == null) {
+        updateMaskBuilder_ =
+            new com.google.protobuf.SingleFieldBuilderV3<
+                com.google.protobuf.FieldMask,
+                com.google.protobuf.FieldMask.Builder,
+                com.google.protobuf.FieldMaskOrBuilder>(
+                getUpdateMask(), getParentForChildren(), isClean());
+        updateMask_ = null;
+      }
+      return updateMaskBuilder_;
+    }
+
     @java.lang.Override
     public final Builder setUnknownFields(final com.google.protobuf.UnknownFieldSet unknownFields) {
       return super.setUnknownFields(unknownFields);
diff --git a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/SetIamPolicyRequestOrBuilder.java b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/SetIamPolicyRequestOrBuilder.java
index 135cf6dcd8..48ab0dff5d 100644
--- a/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/SetIamPolicyRequestOrBuilder.java
+++ b/java-iam/proto-google-iam-v1/src/main/java/com/google/iam/v1/SetIamPolicyRequestOrBuilder.java
@@ -97,4 +97,48 @@ public interface SetIamPolicyRequestOrBuilder
    * .google.iam.v1.Policy policy = 2 [(.google.api.field_behavior) = REQUIRED];
    */
   com.google.iam.v1.PolicyOrBuilder getPolicyOrBuilder();
+
+  /**
+   *
+   *
+   * 
+   * OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+   * the fields in the mask will be modified. If no mask is provided, the
+   * following default mask is used:
+   * `paths: "bindings, etag"`
+   * 

+   *
+   * .google.protobuf.FieldMask update_mask = 3;
+   *
+   * @return Whether the updateMask field is set.
+   */
+  boolean hasUpdateMask();
+  /**
+   *
+   *
+   * 
+   * OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+   * the fields in the mask will be modified. If no mask is provided, the
+   * following default mask is used:
+   * `paths: "bindings, etag"`
+   * 

+   *
+   * .google.protobuf.FieldMask update_mask = 3;
+   *
+   * @return The updateMask.
+   */
+  com.google.protobuf.FieldMask getUpdateMask();
+  /**
+   *
+   *
+   * 
+   * OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
+   * the fields in the mask will be modified. If no mask is provided, the
+   * following default mask is used:
+   * `paths: "bindings, etag"`
+   * 

+   *
+   * .google.protobuf.FieldMask update_mask = 3;
+   */
+  com.google.protobuf.FieldMaskOrBuilder getUpdateMaskOrBuilder();
 }