diff --git a/google-api-grpc/grpc-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/IAMCredentialsGrpc.java b/google-api-grpc/grpc-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/IAMCredentialsGrpc.java
index 64f247bfb9a2..86bdbda03ac8 100644
--- a/google-api-grpc/grpc-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/IAMCredentialsGrpc.java
+++ b/google-api-grpc/grpc-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/IAMCredentialsGrpc.java
@@ -266,6 +266,74 @@ private IAMCredentialsGrpc() {}
     return getSignJwtMethod;
   }
 
+  @io.grpc.ExperimentalApi("https://github.com/grpc/grpc-java/issues/1901")
+  @java.lang.Deprecated // Use {@link #getGenerateIdentityBindingAccessTokenMethod()} instead.
+  public static final io.grpc.MethodDescriptor<
+          com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest,
+          com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse>
+      METHOD_GENERATE_IDENTITY_BINDING_ACCESS_TOKEN =
+          getGenerateIdentityBindingAccessTokenMethodHelper();
+
+  private static volatile io.grpc.MethodDescriptor<
+          com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest,
+          com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse>
+      getGenerateIdentityBindingAccessTokenMethod;
+
+  @io.grpc.ExperimentalApi("https://github.com/grpc/grpc-java/issues/1901")
+  public static io.grpc.MethodDescriptor<
+          com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest,
+          com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse>
+      getGenerateIdentityBindingAccessTokenMethod() {
+    return getGenerateIdentityBindingAccessTokenMethodHelper();
+  }
+
+  private static io.grpc.MethodDescriptor<
+          com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest,
+          com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse>
+      getGenerateIdentityBindingAccessTokenMethodHelper() {
+    io.grpc.MethodDescriptor<
+            com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest,
+            com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse>
+        getGenerateIdentityBindingAccessTokenMethod;
+    if ((getGenerateIdentityBindingAccessTokenMethod =
+            IAMCredentialsGrpc.getGenerateIdentityBindingAccessTokenMethod)
+        == null) {
+      synchronized (IAMCredentialsGrpc.class) {
+        if ((getGenerateIdentityBindingAccessTokenMethod =
+                IAMCredentialsGrpc.getGenerateIdentityBindingAccessTokenMethod)
+            == null) {
+          IAMCredentialsGrpc.getGenerateIdentityBindingAccessTokenMethod =
+              getGenerateIdentityBindingAccessTokenMethod =
+                  io.grpc.MethodDescriptor
+                      .<com.google.cloud.iam.credentials.v1
+                              .GenerateIdentityBindingAccessTokenRequest,
+                          com.google.cloud.iam.credentials.v1
+                              .GenerateIdentityBindingAccessTokenResponse>
+                          newBuilder()
+                      .setType(io.grpc.MethodDescriptor.MethodType.UNARY)
+                      .setFullMethodName(
+                          generateFullMethodName(
+                              "google.iam.credentials.v1.IAMCredentials",
+                              "GenerateIdentityBindingAccessToken"))
+                      .setSampledToLocalTracing(true)
+                      .setRequestMarshaller(
+                          io.grpc.protobuf.ProtoUtils.marshaller(
+                              com.google.cloud.iam.credentials.v1
+                                  .GenerateIdentityBindingAccessTokenRequest.getDefaultInstance()))
+                      .setResponseMarshaller(
+                          io.grpc.protobuf.ProtoUtils.marshaller(
+                              com.google.cloud.iam.credentials.v1
+                                  .GenerateIdentityBindingAccessTokenResponse.getDefaultInstance()))
+                      .setSchemaDescriptor(
+                          new IAMCredentialsMethodDescriptorSupplier(
+                              "GenerateIdentityBindingAccessToken"))
+                      .build();
+        }
+      }
+    }
+    return getGenerateIdentityBindingAccessTokenMethod;
+  }
+
   /** Creates a new async stub that supports all call types for the service */
   public static IAMCredentialsStub newStub(io.grpc.Channel channel) {
     return new IAMCredentialsStub(channel);
@@ -355,6 +423,23 @@ public void signJwt(
       asyncUnimplementedUnaryCall(getSignJwtMethodHelper(), responseObserver);
     }
 
+    /**
+     *
+     *
+     * <pre>
+     * Exchange a JWT signed by third party identity provider to an OAuth 2.0
+     * access token
+     * </pre>
+     */
+    public void generateIdentityBindingAccessToken(
+        com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest request,
+        io.grpc.stub.StreamObserver<
+                com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse>
+            responseObserver) {
+      asyncUnimplementedUnaryCall(
+          getGenerateIdentityBindingAccessTokenMethodHelper(), responseObserver);
+    }
+
     @java.lang.Override
     public final io.grpc.ServerServiceDefinition bindService() {
       return io.grpc.ServerServiceDefinition.builder(getServiceDescriptor())
@@ -386,6 +471,14 @@ public final io.grpc.ServerServiceDefinition bindService() {
                       com.google.cloud.iam.credentials.v1.SignJwtRequest,
                       com.google.cloud.iam.credentials.v1.SignJwtResponse>(
                       this, METHODID_SIGN_JWT)))
+          .addMethod(
+              getGenerateIdentityBindingAccessTokenMethodHelper(),
+              asyncUnaryCall(
+                  new MethodHandlers<
+                      com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest,
+                      com.google.cloud.iam.credentials.v1
+                          .GenerateIdentityBindingAccessTokenResponse>(
+                      this, METHODID_GENERATE_IDENTITY_BINDING_ACCESS_TOKEN)))
           .build();
     }
   }
@@ -486,6 +579,26 @@ public void signJwt(
           request,
           responseObserver);
     }
+
+    /**
+     *
+     *
+     * <pre>
+     * Exchange a JWT signed by third party identity provider to an OAuth 2.0
+     * access token
+     * </pre>
+     */
+    public void generateIdentityBindingAccessToken(
+        com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest request,
+        io.grpc.stub.StreamObserver<
+                com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse>
+            responseObserver) {
+      asyncUnaryCall(
+          getChannel()
+              .newCall(getGenerateIdentityBindingAccessTokenMethodHelper(), getCallOptions()),
+          request,
+          responseObserver);
+    }
   }
 
   /**
@@ -567,6 +680,24 @@ public com.google.cloud.iam.credentials.v1.SignJwtResponse signJwt(
         com.google.cloud.iam.credentials.v1.SignJwtRequest request) {
       return blockingUnaryCall(getChannel(), getSignJwtMethodHelper(), getCallOptions(), request);
     }
+
+    /**
+     *
+     *
+     * <pre>
+     * Exchange a JWT signed by third party identity provider to an OAuth 2.0
+     * access token
+     * </pre>
+     */
+    public com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+        generateIdentityBindingAccessToken(
+            com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest request) {
+      return blockingUnaryCall(
+          getChannel(),
+          getGenerateIdentityBindingAccessTokenMethodHelper(),
+          getCallOptions(),
+          request);
+    }
   }
 
   /**
@@ -655,12 +786,31 @@ protected IAMCredentialsFutureStub build(
       return futureUnaryCall(
           getChannel().newCall(getSignJwtMethodHelper(), getCallOptions()), request);
     }
+
+    /**
+     *
+     *
+     * <pre>
+     * Exchange a JWT signed by third party identity provider to an OAuth 2.0
+     * access token
+     * </pre>
+     */
+    public com.google.common.util.concurrent.ListenableFuture<
+            com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse>
+        generateIdentityBindingAccessToken(
+            com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest request) {
+      return futureUnaryCall(
+          getChannel()
+              .newCall(getGenerateIdentityBindingAccessTokenMethodHelper(), getCallOptions()),
+          request);
+    }
   }
 
   private static final int METHODID_GENERATE_ACCESS_TOKEN = 0;
   private static final int METHODID_GENERATE_ID_TOKEN = 1;
   private static final int METHODID_SIGN_BLOB = 2;
   private static final int METHODID_SIGN_JWT = 3;
+  private static final int METHODID_GENERATE_IDENTITY_BINDING_ACCESS_TOKEN = 4;
 
   private static final class MethodHandlers<Req, Resp>
       implements io.grpc.stub.ServerCalls.UnaryMethod<Req, Resp>,
@@ -705,6 +855,15 @@ public void invoke(Req request, io.grpc.stub.StreamObserver<Resp> responseObserv
               (io.grpc.stub.StreamObserver<com.google.cloud.iam.credentials.v1.SignJwtResponse>)
                   responseObserver);
           break;
+        case METHODID_GENERATE_IDENTITY_BINDING_ACCESS_TOKEN:
+          serviceImpl.generateIdentityBindingAccessToken(
+              (com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest)
+                  request,
+              (io.grpc.stub.StreamObserver<
+                      com.google.cloud.iam.credentials.v1
+                          .GenerateIdentityBindingAccessTokenResponse>)
+                  responseObserver);
+          break;
         default:
           throw new AssertionError();
       }
@@ -773,6 +932,7 @@ public static io.grpc.ServiceDescriptor getServiceDescriptor() {
                       .addMethod(getGenerateIdTokenMethodHelper())
                       .addMethod(getSignBlobMethodHelper())
                       .addMethod(getSignJwtMethodHelper())
+                      .addMethod(getGenerateIdentityBindingAccessTokenMethodHelper())
                       .build();
         }
       }
diff --git a/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/GenerateIdentityBindingAccessTokenRequest.java b/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/GenerateIdentityBindingAccessTokenRequest.java
new file mode 100644
index 000000000000..9886d1c699fd
--- /dev/null
+++ b/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/GenerateIdentityBindingAccessTokenRequest.java
@@ -0,0 +1,1367 @@
+// Generated by the protocol buffer compiler.  DO NOT EDIT!
+// source: google/iam/credentials/v1/common.proto
+
+package com.google.cloud.iam.credentials.v1;
+
+/** Protobuf type {@code google.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest} */
+public final class GenerateIdentityBindingAccessTokenRequest
+    extends com.google.protobuf.GeneratedMessageV3
+    implements
+    // @@protoc_insertion_point(message_implements:google.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest)
+    GenerateIdentityBindingAccessTokenRequestOrBuilder {
+  private static final long serialVersionUID = 0L;
+  // Use GenerateIdentityBindingAccessTokenRequest.newBuilder() to construct.
+  private GenerateIdentityBindingAccessTokenRequest(
+      com.google.protobuf.GeneratedMessageV3.Builder<?> builder) {
+    super(builder);
+  }
+
+  private GenerateIdentityBindingAccessTokenRequest() {
+    name_ = "";
+    scope_ = com.google.protobuf.LazyStringArrayList.EMPTY;
+    jwt_ = "";
+  }
+
+  @java.lang.Override
+  public final com.google.protobuf.UnknownFieldSet getUnknownFields() {
+    return this.unknownFields;
+  }
+
+  private GenerateIdentityBindingAccessTokenRequest(
+      com.google.protobuf.CodedInputStream input,
+      com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+      throws com.google.protobuf.InvalidProtocolBufferException {
+    this();
+    if (extensionRegistry == null) {
+      throw new java.lang.NullPointerException();
+    }
+    int mutable_bitField0_ = 0;
+    com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+        com.google.protobuf.UnknownFieldSet.newBuilder();
+    try {
+      boolean done = false;
+      while (!done) {
+        int tag = input.readTag();
+        switch (tag) {
+          case 0:
+            done = true;
+            break;
+          case 10:
+            {
+              java.lang.String s = input.readStringRequireUtf8();
+
+              name_ = s;
+              break;
+            }
+          case 18:
+            {
+              java.lang.String s = input.readStringRequireUtf8();
+              if (!((mutable_bitField0_ & 0x00000002) == 0x00000002)) {
+                scope_ = new com.google.protobuf.LazyStringArrayList();
+                mutable_bitField0_ |= 0x00000002;
+              }
+              scope_.add(s);
+              break;
+            }
+          case 26:
+            {
+              java.lang.String s = input.readStringRequireUtf8();
+
+              jwt_ = s;
+              break;
+            }
+          default:
+            {
+              if (!parseUnknownFieldProto3(input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+        }
+      }
+    } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+      throw e.setUnfinishedMessage(this);
+    } catch (java.io.IOException e) {
+      throw new com.google.protobuf.InvalidProtocolBufferException(e).setUnfinishedMessage(this);
+    } finally {
+      if (((mutable_bitField0_ & 0x00000002) == 0x00000002)) {
+        scope_ = scope_.getUnmodifiableView();
+      }
+      this.unknownFields = unknownFields.build();
+      makeExtensionsImmutable();
+    }
+  }
+
+  public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() {
+    return com.google.cloud.iam.credentials.v1.IAMCredentialsCommonProto
+        .internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenRequest_descriptor;
+  }
+
+  @java.lang.Override
+  protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internalGetFieldAccessorTable() {
+    return com.google.cloud.iam.credentials.v1.IAMCredentialsCommonProto
+        .internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenRequest_fieldAccessorTable
+        .ensureFieldAccessorsInitialized(
+            com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest.class,
+            com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest.Builder
+                .class);
+  }
+
+  private int bitField0_;
+  public static final int NAME_FIELD_NUMBER = 1;
+  private volatile java.lang.Object name_;
+  /**
+   *
+   *
+   * <pre>
+   * The resource name of the service account for which the credentials
+   * are requested, in the following format:
+   * `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+   * </pre>
+   *
+   * <code>string name = 1;</code>
+   */
+  public java.lang.String getName() {
+    java.lang.Object ref = name_;
+    if (ref instanceof java.lang.String) {
+      return (java.lang.String) ref;
+    } else {
+      com.google.protobuf.ByteString bs = (com.google.protobuf.ByteString) ref;
+      java.lang.String s = bs.toStringUtf8();
+      name_ = s;
+      return s;
+    }
+  }
+  /**
+   *
+   *
+   * <pre>
+   * The resource name of the service account for which the credentials
+   * are requested, in the following format:
+   * `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+   * </pre>
+   *
+   * <code>string name = 1;</code>
+   */
+  public com.google.protobuf.ByteString getNameBytes() {
+    java.lang.Object ref = name_;
+    if (ref instanceof java.lang.String) {
+      com.google.protobuf.ByteString b =
+          com.google.protobuf.ByteString.copyFromUtf8((java.lang.String) ref);
+      name_ = b;
+      return b;
+    } else {
+      return (com.google.protobuf.ByteString) ref;
+    }
+  }
+
+  public static final int SCOPE_FIELD_NUMBER = 2;
+  private com.google.protobuf.LazyStringList scope_;
+  /**
+   *
+   *
+   * <pre>
+   * Code to identify the scopes to be included in the OAuth 2.0 access token.
+   * See https://developers.google.com/identity/protocols/googlescopes for more
+   * information.
+   * At least one value required.
+   * </pre>
+   *
+   * <code>repeated string scope = 2;</code>
+   */
+  public com.google.protobuf.ProtocolStringList getScopeList() {
+    return scope_;
+  }
+  /**
+   *
+   *
+   * <pre>
+   * Code to identify the scopes to be included in the OAuth 2.0 access token.
+   * See https://developers.google.com/identity/protocols/googlescopes for more
+   * information.
+   * At least one value required.
+   * </pre>
+   *
+   * <code>repeated string scope = 2;</code>
+   */
+  public int getScopeCount() {
+    return scope_.size();
+  }
+  /**
+   *
+   *
+   * <pre>
+   * Code to identify the scopes to be included in the OAuth 2.0 access token.
+   * See https://developers.google.com/identity/protocols/googlescopes for more
+   * information.
+   * At least one value required.
+   * </pre>
+   *
+   * <code>repeated string scope = 2;</code>
+   */
+  public java.lang.String getScope(int index) {
+    return scope_.get(index);
+  }
+  /**
+   *
+   *
+   * <pre>
+   * Code to identify the scopes to be included in the OAuth 2.0 access token.
+   * See https://developers.google.com/identity/protocols/googlescopes for more
+   * information.
+   * At least one value required.
+   * </pre>
+   *
+   * <code>repeated string scope = 2;</code>
+   */
+  public com.google.protobuf.ByteString getScopeBytes(int index) {
+    return scope_.getByteString(index);
+  }
+
+  public static final int JWT_FIELD_NUMBER = 3;
+  private volatile java.lang.Object jwt_;
+  /**
+   *
+   *
+   * <pre>
+   * Required. Input token.
+   * Must be in JWT format according to
+   * RFC7523 (https://tools.ietf.org/html/rfc7523)
+   * and must have 'kid' field in the header.
+   * Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
+   * Mandatory payload fields (along the lines of RFC 7523, section 3):
+   * - iss: issuer of the token. Must provide a discovery document at
+   *        $iss/.well-known/openid-configuration . The document needs to be
+   *        formatted according to section 4.2 of the OpenID Connect Discovery
+   *        1.0 specification.
+   * - iat: Issue time in seconds since epoch. Must be in the past.
+   * - exp: Expiration time in seconds since epoch. Must be less than 48 hours
+   *        after iat. We recommend to create tokens that last shorter than 6
+   *        hours to improve security unless business reasons mandate longer
+   *        expiration times. Shorter token lifetimes are generally more secure
+   *        since tokens that have been exfiltrated by attackers can be used for
+   *        a shorter time. you can configure the maximum lifetime of the
+   *        incoming token in the configuration of the mapper.
+   *        The resulting Google token will expire within an hour or at "exp",
+   *        whichever is earlier.
+   * - sub: JWT subject, identity asserted in the JWT.
+   * - aud: Configured in the mapper policy. By default the service account
+   *        email.
+   * Claims from the incoming token can be transferred into the output token
+   * accoding to the mapper configuration. The outgoing claim size is limited.
+   * Outgoing claims size must be less than 4kB serialized as JSON without
+   * whitespace.
+   * Example header:
+   * {
+   *   "alg": "RS256",
+   *   "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
+   * }
+   * Example payload:
+   * {
+   *   "iss": "https://accounts.google.com",
+   *   "iat": 1517963104,
+   *   "exp": 1517966704,
+   *   "aud": "https://iamcredentials.googleapis.com/",
+   *   "sub": "113475438248934895348",
+   *   "my_claims": {
+   *     "additional_claim": "value"
+   *   }
+   * }
+   * </pre>
+   *
+   * <code>string jwt = 3;</code>
+   */
+  public java.lang.String getJwt() {
+    java.lang.Object ref = jwt_;
+    if (ref instanceof java.lang.String) {
+      return (java.lang.String) ref;
+    } else {
+      com.google.protobuf.ByteString bs = (com.google.protobuf.ByteString) ref;
+      java.lang.String s = bs.toStringUtf8();
+      jwt_ = s;
+      return s;
+    }
+  }
+  /**
+   *
+   *
+   * <pre>
+   * Required. Input token.
+   * Must be in JWT format according to
+   * RFC7523 (https://tools.ietf.org/html/rfc7523)
+   * and must have 'kid' field in the header.
+   * Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
+   * Mandatory payload fields (along the lines of RFC 7523, section 3):
+   * - iss: issuer of the token. Must provide a discovery document at
+   *        $iss/.well-known/openid-configuration . The document needs to be
+   *        formatted according to section 4.2 of the OpenID Connect Discovery
+   *        1.0 specification.
+   * - iat: Issue time in seconds since epoch. Must be in the past.
+   * - exp: Expiration time in seconds since epoch. Must be less than 48 hours
+   *        after iat. We recommend to create tokens that last shorter than 6
+   *        hours to improve security unless business reasons mandate longer
+   *        expiration times. Shorter token lifetimes are generally more secure
+   *        since tokens that have been exfiltrated by attackers can be used for
+   *        a shorter time. you can configure the maximum lifetime of the
+   *        incoming token in the configuration of the mapper.
+   *        The resulting Google token will expire within an hour or at "exp",
+   *        whichever is earlier.
+   * - sub: JWT subject, identity asserted in the JWT.
+   * - aud: Configured in the mapper policy. By default the service account
+   *        email.
+   * Claims from the incoming token can be transferred into the output token
+   * accoding to the mapper configuration. The outgoing claim size is limited.
+   * Outgoing claims size must be less than 4kB serialized as JSON without
+   * whitespace.
+   * Example header:
+   * {
+   *   "alg": "RS256",
+   *   "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
+   * }
+   * Example payload:
+   * {
+   *   "iss": "https://accounts.google.com",
+   *   "iat": 1517963104,
+   *   "exp": 1517966704,
+   *   "aud": "https://iamcredentials.googleapis.com/",
+   *   "sub": "113475438248934895348",
+   *   "my_claims": {
+   *     "additional_claim": "value"
+   *   }
+   * }
+   * </pre>
+   *
+   * <code>string jwt = 3;</code>
+   */
+  public com.google.protobuf.ByteString getJwtBytes() {
+    java.lang.Object ref = jwt_;
+    if (ref instanceof java.lang.String) {
+      com.google.protobuf.ByteString b =
+          com.google.protobuf.ByteString.copyFromUtf8((java.lang.String) ref);
+      jwt_ = b;
+      return b;
+    } else {
+      return (com.google.protobuf.ByteString) ref;
+    }
+  }
+
+  private byte memoizedIsInitialized = -1;
+
+  @java.lang.Override
+  public final boolean isInitialized() {
+    byte isInitialized = memoizedIsInitialized;
+    if (isInitialized == 1) return true;
+    if (isInitialized == 0) return false;
+
+    memoizedIsInitialized = 1;
+    return true;
+  }
+
+  @java.lang.Override
+  public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io.IOException {
+    if (!getNameBytes().isEmpty()) {
+      com.google.protobuf.GeneratedMessageV3.writeString(output, 1, name_);
+    }
+    for (int i = 0; i < scope_.size(); i++) {
+      com.google.protobuf.GeneratedMessageV3.writeString(output, 2, scope_.getRaw(i));
+    }
+    if (!getJwtBytes().isEmpty()) {
+      com.google.protobuf.GeneratedMessageV3.writeString(output, 3, jwt_);
+    }
+    unknownFields.writeTo(output);
+  }
+
+  @java.lang.Override
+  public int getSerializedSize() {
+    int size = memoizedSize;
+    if (size != -1) return size;
+
+    size = 0;
+    if (!getNameBytes().isEmpty()) {
+      size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, name_);
+    }
+    {
+      int dataSize = 0;
+      for (int i = 0; i < scope_.size(); i++) {
+        dataSize += computeStringSizeNoTag(scope_.getRaw(i));
+      }
+      size += dataSize;
+      size += 1 * getScopeList().size();
+    }
+    if (!getJwtBytes().isEmpty()) {
+      size += com.google.protobuf.GeneratedMessageV3.computeStringSize(3, jwt_);
+    }
+    size += unknownFields.getSerializedSize();
+    memoizedSize = size;
+    return size;
+  }
+
+  @java.lang.Override
+  public boolean equals(final java.lang.Object obj) {
+    if (obj == this) {
+      return true;
+    }
+    if (!(obj
+        instanceof com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest)) {
+      return super.equals(obj);
+    }
+    com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest other =
+        (com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest) obj;
+
+    boolean result = true;
+    result = result && getName().equals(other.getName());
+    result = result && getScopeList().equals(other.getScopeList());
+    result = result && getJwt().equals(other.getJwt());
+    result = result && unknownFields.equals(other.unknownFields);
+    return result;
+  }
+
+  @java.lang.Override
+  public int hashCode() {
+    if (memoizedHashCode != 0) {
+      return memoizedHashCode;
+    }
+    int hash = 41;
+    hash = (19 * hash) + getDescriptor().hashCode();
+    hash = (37 * hash) + NAME_FIELD_NUMBER;
+    hash = (53 * hash) + getName().hashCode();
+    if (getScopeCount() > 0) {
+      hash = (37 * hash) + SCOPE_FIELD_NUMBER;
+      hash = (53 * hash) + getScopeList().hashCode();
+    }
+    hash = (37 * hash) + JWT_FIELD_NUMBER;
+    hash = (53 * hash) + getJwt().hashCode();
+    hash = (29 * hash) + unknownFields.hashCode();
+    memoizedHashCode = hash;
+    return hash;
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+      parseFrom(java.nio.ByteBuffer data)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+      parseFrom(
+          java.nio.ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data, extensionRegistry);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+      parseFrom(com.google.protobuf.ByteString data)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+      parseFrom(
+          com.google.protobuf.ByteString data,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data, extensionRegistry);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+      parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+      parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data, extensionRegistry);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+      parseFrom(java.io.InputStream input) throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+      parseFrom(
+          java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseWithIOException(
+        PARSER, input, extensionRegistry);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+      parseDelimitedFrom(java.io.InputStream input) throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(PARSER, input);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+      parseDelimitedFrom(
+          java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(
+        PARSER, input, extensionRegistry);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+      parseFrom(com.google.protobuf.CodedInputStream input) throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+      parseFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseWithIOException(
+        PARSER, input, extensionRegistry);
+  }
+
+  @java.lang.Override
+  public Builder newBuilderForType() {
+    return newBuilder();
+  }
+
+  public static Builder newBuilder() {
+    return DEFAULT_INSTANCE.toBuilder();
+  }
+
+  public static Builder newBuilder(
+      com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest prototype) {
+    return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+  }
+
+  @java.lang.Override
+  public Builder toBuilder() {
+    return this == DEFAULT_INSTANCE ? new Builder() : new Builder().mergeFrom(this);
+  }
+
+  @java.lang.Override
+  protected Builder newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+    Builder builder = new Builder(parent);
+    return builder;
+  }
+  /** Protobuf type {@code google.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest} */
+  public static final class Builder extends com.google.protobuf.GeneratedMessageV3.Builder<Builder>
+      implements
+      // @@protoc_insertion_point(builder_implements:google.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest)
+      com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequestOrBuilder {
+    public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() {
+      return com.google.cloud.iam.credentials.v1.IAMCredentialsCommonProto
+          .internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenRequest_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return com.google.cloud.iam.credentials.v1.IAMCredentialsCommonProto
+          .internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenRequest_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest.class,
+              com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest.Builder
+                  .class);
+    }
+
+    // Construct using
+    // com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest.newBuilder()
+    private Builder() {
+      maybeForceBuilderInitialization();
+    }
+
+    private Builder(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      super(parent);
+      maybeForceBuilderInitialization();
+    }
+
+    private void maybeForceBuilderInitialization() {
+      if (com.google.protobuf.GeneratedMessageV3.alwaysUseFieldBuilders) {}
+    }
+
+    @java.lang.Override
+    public Builder clear() {
+      super.clear();
+      name_ = "";
+
+      scope_ = com.google.protobuf.LazyStringArrayList.EMPTY;
+      bitField0_ = (bitField0_ & ~0x00000002);
+      jwt_ = "";
+
+      return this;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Descriptors.Descriptor getDescriptorForType() {
+      return com.google.cloud.iam.credentials.v1.IAMCredentialsCommonProto
+          .internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenRequest_descriptor;
+    }
+
+    @java.lang.Override
+    public com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+        getDefaultInstanceForType() {
+      return com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+          .getDefaultInstance();
+    }
+
+    @java.lang.Override
+    public com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest build() {
+      com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest result =
+          buildPartial();
+      if (!result.isInitialized()) {
+        throw newUninitializedMessageException(result);
+      }
+      return result;
+    }
+
+    @java.lang.Override
+    public com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+        buildPartial() {
+      com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest result =
+          new com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest(this);
+      int from_bitField0_ = bitField0_;
+      int to_bitField0_ = 0;
+      result.name_ = name_;
+      if (((bitField0_ & 0x00000002) == 0x00000002)) {
+        scope_ = scope_.getUnmodifiableView();
+        bitField0_ = (bitField0_ & ~0x00000002);
+      }
+      result.scope_ = scope_;
+      result.jwt_ = jwt_;
+      result.bitField0_ = to_bitField0_;
+      onBuilt();
+      return result;
+    }
+
+    @java.lang.Override
+    public Builder clone() {
+      return (Builder) super.clone();
+    }
+
+    @java.lang.Override
+    public Builder setField(
+        com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) {
+      return (Builder) super.setField(field, value);
+    }
+
+    @java.lang.Override
+    public Builder clearField(com.google.protobuf.Descriptors.FieldDescriptor field) {
+      return (Builder) super.clearField(field);
+    }
+
+    @java.lang.Override
+    public Builder clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+      return (Builder) super.clearOneof(oneof);
+    }
+
+    @java.lang.Override
+    public Builder setRepeatedField(
+        com.google.protobuf.Descriptors.FieldDescriptor field, int index, java.lang.Object value) {
+      return (Builder) super.setRepeatedField(field, index, value);
+    }
+
+    @java.lang.Override
+    public Builder addRepeatedField(
+        com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) {
+      return (Builder) super.addRepeatedField(field, value);
+    }
+
+    @java.lang.Override
+    public Builder mergeFrom(com.google.protobuf.Message other) {
+      if (other
+          instanceof
+          com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest) {
+        return mergeFrom(
+            (com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest) other);
+      } else {
+        super.mergeFrom(other);
+        return this;
+      }
+    }
+
+    public Builder mergeFrom(
+        com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest other) {
+      if (other
+          == com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+              .getDefaultInstance()) return this;
+      if (!other.getName().isEmpty()) {
+        name_ = other.name_;
+        onChanged();
+      }
+      if (!other.scope_.isEmpty()) {
+        if (scope_.isEmpty()) {
+          scope_ = other.scope_;
+          bitField0_ = (bitField0_ & ~0x00000002);
+        } else {
+          ensureScopeIsMutable();
+          scope_.addAll(other.scope_);
+        }
+        onChanged();
+      }
+      if (!other.getJwt().isEmpty()) {
+        jwt_ = other.jwt_;
+        onChanged();
+      }
+      this.mergeUnknownFields(other.unknownFields);
+      onChanged();
+      return this;
+    }
+
+    @java.lang.Override
+    public final boolean isInitialized() {
+      return true;
+    }
+
+    @java.lang.Override
+    public Builder mergeFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest parsedMessage =
+          null;
+      try {
+        parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        parsedMessage =
+            (com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest)
+                e.getUnfinishedMessage();
+        throw e.unwrapIOException();
+      } finally {
+        if (parsedMessage != null) {
+          mergeFrom(parsedMessage);
+        }
+      }
+      return this;
+    }
+
+    private int bitField0_;
+
+    private java.lang.Object name_ = "";
+    /**
+     *
+     *
+     * <pre>
+     * The resource name of the service account for which the credentials
+     * are requested, in the following format:
+     * `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+     * </pre>
+     *
+     * <code>string name = 1;</code>
+     */
+    public java.lang.String getName() {
+      java.lang.Object ref = name_;
+      if (!(ref instanceof java.lang.String)) {
+        com.google.protobuf.ByteString bs = (com.google.protobuf.ByteString) ref;
+        java.lang.String s = bs.toStringUtf8();
+        name_ = s;
+        return s;
+      } else {
+        return (java.lang.String) ref;
+      }
+    }
+    /**
+     *
+     *
+     * <pre>
+     * The resource name of the service account for which the credentials
+     * are requested, in the following format:
+     * `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+     * </pre>
+     *
+     * <code>string name = 1;</code>
+     */
+    public com.google.protobuf.ByteString getNameBytes() {
+      java.lang.Object ref = name_;
+      if (ref instanceof String) {
+        com.google.protobuf.ByteString b =
+            com.google.protobuf.ByteString.copyFromUtf8((java.lang.String) ref);
+        name_ = b;
+        return b;
+      } else {
+        return (com.google.protobuf.ByteString) ref;
+      }
+    }
+    /**
+     *
+     *
+     * <pre>
+     * The resource name of the service account for which the credentials
+     * are requested, in the following format:
+     * `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+     * </pre>
+     *
+     * <code>string name = 1;</code>
+     */
+    public Builder setName(java.lang.String value) {
+      if (value == null) {
+        throw new NullPointerException();
+      }
+
+      name_ = value;
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * <pre>
+     * The resource name of the service account for which the credentials
+     * are requested, in the following format:
+     * `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+     * </pre>
+     *
+     * <code>string name = 1;</code>
+     */
+    public Builder clearName() {
+
+      name_ = getDefaultInstance().getName();
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * <pre>
+     * The resource name of the service account for which the credentials
+     * are requested, in the following format:
+     * `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+     * </pre>
+     *
+     * <code>string name = 1;</code>
+     */
+    public Builder setNameBytes(com.google.protobuf.ByteString value) {
+      if (value == null) {
+        throw new NullPointerException();
+      }
+      checkByteStringIsUtf8(value);
+
+      name_ = value;
+      onChanged();
+      return this;
+    }
+
+    private com.google.protobuf.LazyStringList scope_ =
+        com.google.protobuf.LazyStringArrayList.EMPTY;
+
+    private void ensureScopeIsMutable() {
+      if (!((bitField0_ & 0x00000002) == 0x00000002)) {
+        scope_ = new com.google.protobuf.LazyStringArrayList(scope_);
+        bitField0_ |= 0x00000002;
+      }
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Code to identify the scopes to be included in the OAuth 2.0 access token.
+     * See https://developers.google.com/identity/protocols/googlescopes for more
+     * information.
+     * At least one value required.
+     * </pre>
+     *
+     * <code>repeated string scope = 2;</code>
+     */
+    public com.google.protobuf.ProtocolStringList getScopeList() {
+      return scope_.getUnmodifiableView();
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Code to identify the scopes to be included in the OAuth 2.0 access token.
+     * See https://developers.google.com/identity/protocols/googlescopes for more
+     * information.
+     * At least one value required.
+     * </pre>
+     *
+     * <code>repeated string scope = 2;</code>
+     */
+    public int getScopeCount() {
+      return scope_.size();
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Code to identify the scopes to be included in the OAuth 2.0 access token.
+     * See https://developers.google.com/identity/protocols/googlescopes for more
+     * information.
+     * At least one value required.
+     * </pre>
+     *
+     * <code>repeated string scope = 2;</code>
+     */
+    public java.lang.String getScope(int index) {
+      return scope_.get(index);
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Code to identify the scopes to be included in the OAuth 2.0 access token.
+     * See https://developers.google.com/identity/protocols/googlescopes for more
+     * information.
+     * At least one value required.
+     * </pre>
+     *
+     * <code>repeated string scope = 2;</code>
+     */
+    public com.google.protobuf.ByteString getScopeBytes(int index) {
+      return scope_.getByteString(index);
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Code to identify the scopes to be included in the OAuth 2.0 access token.
+     * See https://developers.google.com/identity/protocols/googlescopes for more
+     * information.
+     * At least one value required.
+     * </pre>
+     *
+     * <code>repeated string scope = 2;</code>
+     */
+    public Builder setScope(int index, java.lang.String value) {
+      if (value == null) {
+        throw new NullPointerException();
+      }
+      ensureScopeIsMutable();
+      scope_.set(index, value);
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Code to identify the scopes to be included in the OAuth 2.0 access token.
+     * See https://developers.google.com/identity/protocols/googlescopes for more
+     * information.
+     * At least one value required.
+     * </pre>
+     *
+     * <code>repeated string scope = 2;</code>
+     */
+    public Builder addScope(java.lang.String value) {
+      if (value == null) {
+        throw new NullPointerException();
+      }
+      ensureScopeIsMutable();
+      scope_.add(value);
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Code to identify the scopes to be included in the OAuth 2.0 access token.
+     * See https://developers.google.com/identity/protocols/googlescopes for more
+     * information.
+     * At least one value required.
+     * </pre>
+     *
+     * <code>repeated string scope = 2;</code>
+     */
+    public Builder addAllScope(java.lang.Iterable<java.lang.String> values) {
+      ensureScopeIsMutable();
+      com.google.protobuf.AbstractMessageLite.Builder.addAll(values, scope_);
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Code to identify the scopes to be included in the OAuth 2.0 access token.
+     * See https://developers.google.com/identity/protocols/googlescopes for more
+     * information.
+     * At least one value required.
+     * </pre>
+     *
+     * <code>repeated string scope = 2;</code>
+     */
+    public Builder clearScope() {
+      scope_ = com.google.protobuf.LazyStringArrayList.EMPTY;
+      bitField0_ = (bitField0_ & ~0x00000002);
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Code to identify the scopes to be included in the OAuth 2.0 access token.
+     * See https://developers.google.com/identity/protocols/googlescopes for more
+     * information.
+     * At least one value required.
+     * </pre>
+     *
+     * <code>repeated string scope = 2;</code>
+     */
+    public Builder addScopeBytes(com.google.protobuf.ByteString value) {
+      if (value == null) {
+        throw new NullPointerException();
+      }
+      checkByteStringIsUtf8(value);
+      ensureScopeIsMutable();
+      scope_.add(value);
+      onChanged();
+      return this;
+    }
+
+    private java.lang.Object jwt_ = "";
+    /**
+     *
+     *
+     * <pre>
+     * Required. Input token.
+     * Must be in JWT format according to
+     * RFC7523 (https://tools.ietf.org/html/rfc7523)
+     * and must have 'kid' field in the header.
+     * Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
+     * Mandatory payload fields (along the lines of RFC 7523, section 3):
+     * - iss: issuer of the token. Must provide a discovery document at
+     *        $iss/.well-known/openid-configuration . The document needs to be
+     *        formatted according to section 4.2 of the OpenID Connect Discovery
+     *        1.0 specification.
+     * - iat: Issue time in seconds since epoch. Must be in the past.
+     * - exp: Expiration time in seconds since epoch. Must be less than 48 hours
+     *        after iat. We recommend to create tokens that last shorter than 6
+     *        hours to improve security unless business reasons mandate longer
+     *        expiration times. Shorter token lifetimes are generally more secure
+     *        since tokens that have been exfiltrated by attackers can be used for
+     *        a shorter time. you can configure the maximum lifetime of the
+     *        incoming token in the configuration of the mapper.
+     *        The resulting Google token will expire within an hour or at "exp",
+     *        whichever is earlier.
+     * - sub: JWT subject, identity asserted in the JWT.
+     * - aud: Configured in the mapper policy. By default the service account
+     *        email.
+     * Claims from the incoming token can be transferred into the output token
+     * accoding to the mapper configuration. The outgoing claim size is limited.
+     * Outgoing claims size must be less than 4kB serialized as JSON without
+     * whitespace.
+     * Example header:
+     * {
+     *   "alg": "RS256",
+     *   "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
+     * }
+     * Example payload:
+     * {
+     *   "iss": "https://accounts.google.com",
+     *   "iat": 1517963104,
+     *   "exp": 1517966704,
+     *   "aud": "https://iamcredentials.googleapis.com/",
+     *   "sub": "113475438248934895348",
+     *   "my_claims": {
+     *     "additional_claim": "value"
+     *   }
+     * }
+     * </pre>
+     *
+     * <code>string jwt = 3;</code>
+     */
+    public java.lang.String getJwt() {
+      java.lang.Object ref = jwt_;
+      if (!(ref instanceof java.lang.String)) {
+        com.google.protobuf.ByteString bs = (com.google.protobuf.ByteString) ref;
+        java.lang.String s = bs.toStringUtf8();
+        jwt_ = s;
+        return s;
+      } else {
+        return (java.lang.String) ref;
+      }
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Required. Input token.
+     * Must be in JWT format according to
+     * RFC7523 (https://tools.ietf.org/html/rfc7523)
+     * and must have 'kid' field in the header.
+     * Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
+     * Mandatory payload fields (along the lines of RFC 7523, section 3):
+     * - iss: issuer of the token. Must provide a discovery document at
+     *        $iss/.well-known/openid-configuration . The document needs to be
+     *        formatted according to section 4.2 of the OpenID Connect Discovery
+     *        1.0 specification.
+     * - iat: Issue time in seconds since epoch. Must be in the past.
+     * - exp: Expiration time in seconds since epoch. Must be less than 48 hours
+     *        after iat. We recommend to create tokens that last shorter than 6
+     *        hours to improve security unless business reasons mandate longer
+     *        expiration times. Shorter token lifetimes are generally more secure
+     *        since tokens that have been exfiltrated by attackers can be used for
+     *        a shorter time. you can configure the maximum lifetime of the
+     *        incoming token in the configuration of the mapper.
+     *        The resulting Google token will expire within an hour or at "exp",
+     *        whichever is earlier.
+     * - sub: JWT subject, identity asserted in the JWT.
+     * - aud: Configured in the mapper policy. By default the service account
+     *        email.
+     * Claims from the incoming token can be transferred into the output token
+     * accoding to the mapper configuration. The outgoing claim size is limited.
+     * Outgoing claims size must be less than 4kB serialized as JSON without
+     * whitespace.
+     * Example header:
+     * {
+     *   "alg": "RS256",
+     *   "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
+     * }
+     * Example payload:
+     * {
+     *   "iss": "https://accounts.google.com",
+     *   "iat": 1517963104,
+     *   "exp": 1517966704,
+     *   "aud": "https://iamcredentials.googleapis.com/",
+     *   "sub": "113475438248934895348",
+     *   "my_claims": {
+     *     "additional_claim": "value"
+     *   }
+     * }
+     * </pre>
+     *
+     * <code>string jwt = 3;</code>
+     */
+    public com.google.protobuf.ByteString getJwtBytes() {
+      java.lang.Object ref = jwt_;
+      if (ref instanceof String) {
+        com.google.protobuf.ByteString b =
+            com.google.protobuf.ByteString.copyFromUtf8((java.lang.String) ref);
+        jwt_ = b;
+        return b;
+      } else {
+        return (com.google.protobuf.ByteString) ref;
+      }
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Required. Input token.
+     * Must be in JWT format according to
+     * RFC7523 (https://tools.ietf.org/html/rfc7523)
+     * and must have 'kid' field in the header.
+     * Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
+     * Mandatory payload fields (along the lines of RFC 7523, section 3):
+     * - iss: issuer of the token. Must provide a discovery document at
+     *        $iss/.well-known/openid-configuration . The document needs to be
+     *        formatted according to section 4.2 of the OpenID Connect Discovery
+     *        1.0 specification.
+     * - iat: Issue time in seconds since epoch. Must be in the past.
+     * - exp: Expiration time in seconds since epoch. Must be less than 48 hours
+     *        after iat. We recommend to create tokens that last shorter than 6
+     *        hours to improve security unless business reasons mandate longer
+     *        expiration times. Shorter token lifetimes are generally more secure
+     *        since tokens that have been exfiltrated by attackers can be used for
+     *        a shorter time. you can configure the maximum lifetime of the
+     *        incoming token in the configuration of the mapper.
+     *        The resulting Google token will expire within an hour or at "exp",
+     *        whichever is earlier.
+     * - sub: JWT subject, identity asserted in the JWT.
+     * - aud: Configured in the mapper policy. By default the service account
+     *        email.
+     * Claims from the incoming token can be transferred into the output token
+     * accoding to the mapper configuration. The outgoing claim size is limited.
+     * Outgoing claims size must be less than 4kB serialized as JSON without
+     * whitespace.
+     * Example header:
+     * {
+     *   "alg": "RS256",
+     *   "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
+     * }
+     * Example payload:
+     * {
+     *   "iss": "https://accounts.google.com",
+     *   "iat": 1517963104,
+     *   "exp": 1517966704,
+     *   "aud": "https://iamcredentials.googleapis.com/",
+     *   "sub": "113475438248934895348",
+     *   "my_claims": {
+     *     "additional_claim": "value"
+     *   }
+     * }
+     * </pre>
+     *
+     * <code>string jwt = 3;</code>
+     */
+    public Builder setJwt(java.lang.String value) {
+      if (value == null) {
+        throw new NullPointerException();
+      }
+
+      jwt_ = value;
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Required. Input token.
+     * Must be in JWT format according to
+     * RFC7523 (https://tools.ietf.org/html/rfc7523)
+     * and must have 'kid' field in the header.
+     * Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
+     * Mandatory payload fields (along the lines of RFC 7523, section 3):
+     * - iss: issuer of the token. Must provide a discovery document at
+     *        $iss/.well-known/openid-configuration . The document needs to be
+     *        formatted according to section 4.2 of the OpenID Connect Discovery
+     *        1.0 specification.
+     * - iat: Issue time in seconds since epoch. Must be in the past.
+     * - exp: Expiration time in seconds since epoch. Must be less than 48 hours
+     *        after iat. We recommend to create tokens that last shorter than 6
+     *        hours to improve security unless business reasons mandate longer
+     *        expiration times. Shorter token lifetimes are generally more secure
+     *        since tokens that have been exfiltrated by attackers can be used for
+     *        a shorter time. you can configure the maximum lifetime of the
+     *        incoming token in the configuration of the mapper.
+     *        The resulting Google token will expire within an hour or at "exp",
+     *        whichever is earlier.
+     * - sub: JWT subject, identity asserted in the JWT.
+     * - aud: Configured in the mapper policy. By default the service account
+     *        email.
+     * Claims from the incoming token can be transferred into the output token
+     * accoding to the mapper configuration. The outgoing claim size is limited.
+     * Outgoing claims size must be less than 4kB serialized as JSON without
+     * whitespace.
+     * Example header:
+     * {
+     *   "alg": "RS256",
+     *   "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
+     * }
+     * Example payload:
+     * {
+     *   "iss": "https://accounts.google.com",
+     *   "iat": 1517963104,
+     *   "exp": 1517966704,
+     *   "aud": "https://iamcredentials.googleapis.com/",
+     *   "sub": "113475438248934895348",
+     *   "my_claims": {
+     *     "additional_claim": "value"
+     *   }
+     * }
+     * </pre>
+     *
+     * <code>string jwt = 3;</code>
+     */
+    public Builder clearJwt() {
+
+      jwt_ = getDefaultInstance().getJwt();
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Required. Input token.
+     * Must be in JWT format according to
+     * RFC7523 (https://tools.ietf.org/html/rfc7523)
+     * and must have 'kid' field in the header.
+     * Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
+     * Mandatory payload fields (along the lines of RFC 7523, section 3):
+     * - iss: issuer of the token. Must provide a discovery document at
+     *        $iss/.well-known/openid-configuration . The document needs to be
+     *        formatted according to section 4.2 of the OpenID Connect Discovery
+     *        1.0 specification.
+     * - iat: Issue time in seconds since epoch. Must be in the past.
+     * - exp: Expiration time in seconds since epoch. Must be less than 48 hours
+     *        after iat. We recommend to create tokens that last shorter than 6
+     *        hours to improve security unless business reasons mandate longer
+     *        expiration times. Shorter token lifetimes are generally more secure
+     *        since tokens that have been exfiltrated by attackers can be used for
+     *        a shorter time. you can configure the maximum lifetime of the
+     *        incoming token in the configuration of the mapper.
+     *        The resulting Google token will expire within an hour or at "exp",
+     *        whichever is earlier.
+     * - sub: JWT subject, identity asserted in the JWT.
+     * - aud: Configured in the mapper policy. By default the service account
+     *        email.
+     * Claims from the incoming token can be transferred into the output token
+     * accoding to the mapper configuration. The outgoing claim size is limited.
+     * Outgoing claims size must be less than 4kB serialized as JSON without
+     * whitespace.
+     * Example header:
+     * {
+     *   "alg": "RS256",
+     *   "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
+     * }
+     * Example payload:
+     * {
+     *   "iss": "https://accounts.google.com",
+     *   "iat": 1517963104,
+     *   "exp": 1517966704,
+     *   "aud": "https://iamcredentials.googleapis.com/",
+     *   "sub": "113475438248934895348",
+     *   "my_claims": {
+     *     "additional_claim": "value"
+     *   }
+     * }
+     * </pre>
+     *
+     * <code>string jwt = 3;</code>
+     */
+    public Builder setJwtBytes(com.google.protobuf.ByteString value) {
+      if (value == null) {
+        throw new NullPointerException();
+      }
+      checkByteStringIsUtf8(value);
+
+      jwt_ = value;
+      onChanged();
+      return this;
+    }
+
+    @java.lang.Override
+    public final Builder setUnknownFields(final com.google.protobuf.UnknownFieldSet unknownFields) {
+      return super.setUnknownFieldsProto3(unknownFields);
+    }
+
+    @java.lang.Override
+    public final Builder mergeUnknownFields(
+        final com.google.protobuf.UnknownFieldSet unknownFields) {
+      return super.mergeUnknownFields(unknownFields);
+    }
+
+    // @@protoc_insertion_point(builder_scope:google.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest)
+  }
+
+  // @@protoc_insertion_point(class_scope:google.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest)
+  private static final com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+      DEFAULT_INSTANCE;
+
+  static {
+    DEFAULT_INSTANCE =
+        new com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest();
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+      getDefaultInstance() {
+    return DEFAULT_INSTANCE;
+  }
+
+  private static final com.google.protobuf.Parser<GenerateIdentityBindingAccessTokenRequest>
+      PARSER =
+          new com.google.protobuf.AbstractParser<GenerateIdentityBindingAccessTokenRequest>() {
+            @java.lang.Override
+            public GenerateIdentityBindingAccessTokenRequest parsePartialFrom(
+                com.google.protobuf.CodedInputStream input,
+                com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+                throws com.google.protobuf.InvalidProtocolBufferException {
+              return new GenerateIdentityBindingAccessTokenRequest(input, extensionRegistry);
+            }
+          };
+
+  public static com.google.protobuf.Parser<GenerateIdentityBindingAccessTokenRequest> parser() {
+    return PARSER;
+  }
+
+  @java.lang.Override
+  public com.google.protobuf.Parser<GenerateIdentityBindingAccessTokenRequest> getParserForType() {
+    return PARSER;
+  }
+
+  @java.lang.Override
+  public com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest
+      getDefaultInstanceForType() {
+    return DEFAULT_INSTANCE;
+  }
+}
diff --git a/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/GenerateIdentityBindingAccessTokenRequestOrBuilder.java b/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/GenerateIdentityBindingAccessTokenRequestOrBuilder.java
new file mode 100644
index 000000000000..53834cd8da29
--- /dev/null
+++ b/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/GenerateIdentityBindingAccessTokenRequestOrBuilder.java
@@ -0,0 +1,193 @@
+// Generated by the protocol buffer compiler.  DO NOT EDIT!
+// source: google/iam/credentials/v1/common.proto
+
+package com.google.cloud.iam.credentials.v1;
+
+public interface GenerateIdentityBindingAccessTokenRequestOrBuilder
+    extends
+    // @@protoc_insertion_point(interface_extends:google.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest)
+    com.google.protobuf.MessageOrBuilder {
+
+  /**
+   *
+   *
+   * <pre>
+   * The resource name of the service account for which the credentials
+   * are requested, in the following format:
+   * `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+   * </pre>
+   *
+   * <code>string name = 1;</code>
+   */
+  java.lang.String getName();
+  /**
+   *
+   *
+   * <pre>
+   * The resource name of the service account for which the credentials
+   * are requested, in the following format:
+   * `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+   * </pre>
+   *
+   * <code>string name = 1;</code>
+   */
+  com.google.protobuf.ByteString getNameBytes();
+
+  /**
+   *
+   *
+   * <pre>
+   * Code to identify the scopes to be included in the OAuth 2.0 access token.
+   * See https://developers.google.com/identity/protocols/googlescopes for more
+   * information.
+   * At least one value required.
+   * </pre>
+   *
+   * <code>repeated string scope = 2;</code>
+   */
+  java.util.List<java.lang.String> getScopeList();
+  /**
+   *
+   *
+   * <pre>
+   * Code to identify the scopes to be included in the OAuth 2.0 access token.
+   * See https://developers.google.com/identity/protocols/googlescopes for more
+   * information.
+   * At least one value required.
+   * </pre>
+   *
+   * <code>repeated string scope = 2;</code>
+   */
+  int getScopeCount();
+  /**
+   *
+   *
+   * <pre>
+   * Code to identify the scopes to be included in the OAuth 2.0 access token.
+   * See https://developers.google.com/identity/protocols/googlescopes for more
+   * information.
+   * At least one value required.
+   * </pre>
+   *
+   * <code>repeated string scope = 2;</code>
+   */
+  java.lang.String getScope(int index);
+  /**
+   *
+   *
+   * <pre>
+   * Code to identify the scopes to be included in the OAuth 2.0 access token.
+   * See https://developers.google.com/identity/protocols/googlescopes for more
+   * information.
+   * At least one value required.
+   * </pre>
+   *
+   * <code>repeated string scope = 2;</code>
+   */
+  com.google.protobuf.ByteString getScopeBytes(int index);
+
+  /**
+   *
+   *
+   * <pre>
+   * Required. Input token.
+   * Must be in JWT format according to
+   * RFC7523 (https://tools.ietf.org/html/rfc7523)
+   * and must have 'kid' field in the header.
+   * Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
+   * Mandatory payload fields (along the lines of RFC 7523, section 3):
+   * - iss: issuer of the token. Must provide a discovery document at
+   *        $iss/.well-known/openid-configuration . The document needs to be
+   *        formatted according to section 4.2 of the OpenID Connect Discovery
+   *        1.0 specification.
+   * - iat: Issue time in seconds since epoch. Must be in the past.
+   * - exp: Expiration time in seconds since epoch. Must be less than 48 hours
+   *        after iat. We recommend to create tokens that last shorter than 6
+   *        hours to improve security unless business reasons mandate longer
+   *        expiration times. Shorter token lifetimes are generally more secure
+   *        since tokens that have been exfiltrated by attackers can be used for
+   *        a shorter time. you can configure the maximum lifetime of the
+   *        incoming token in the configuration of the mapper.
+   *        The resulting Google token will expire within an hour or at "exp",
+   *        whichever is earlier.
+   * - sub: JWT subject, identity asserted in the JWT.
+   * - aud: Configured in the mapper policy. By default the service account
+   *        email.
+   * Claims from the incoming token can be transferred into the output token
+   * accoding to the mapper configuration. The outgoing claim size is limited.
+   * Outgoing claims size must be less than 4kB serialized as JSON without
+   * whitespace.
+   * Example header:
+   * {
+   *   "alg": "RS256",
+   *   "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
+   * }
+   * Example payload:
+   * {
+   *   "iss": "https://accounts.google.com",
+   *   "iat": 1517963104,
+   *   "exp": 1517966704,
+   *   "aud": "https://iamcredentials.googleapis.com/",
+   *   "sub": "113475438248934895348",
+   *   "my_claims": {
+   *     "additional_claim": "value"
+   *   }
+   * }
+   * </pre>
+   *
+   * <code>string jwt = 3;</code>
+   */
+  java.lang.String getJwt();
+  /**
+   *
+   *
+   * <pre>
+   * Required. Input token.
+   * Must be in JWT format according to
+   * RFC7523 (https://tools.ietf.org/html/rfc7523)
+   * and must have 'kid' field in the header.
+   * Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
+   * Mandatory payload fields (along the lines of RFC 7523, section 3):
+   * - iss: issuer of the token. Must provide a discovery document at
+   *        $iss/.well-known/openid-configuration . The document needs to be
+   *        formatted according to section 4.2 of the OpenID Connect Discovery
+   *        1.0 specification.
+   * - iat: Issue time in seconds since epoch. Must be in the past.
+   * - exp: Expiration time in seconds since epoch. Must be less than 48 hours
+   *        after iat. We recommend to create tokens that last shorter than 6
+   *        hours to improve security unless business reasons mandate longer
+   *        expiration times. Shorter token lifetimes are generally more secure
+   *        since tokens that have been exfiltrated by attackers can be used for
+   *        a shorter time. you can configure the maximum lifetime of the
+   *        incoming token in the configuration of the mapper.
+   *        The resulting Google token will expire within an hour or at "exp",
+   *        whichever is earlier.
+   * - sub: JWT subject, identity asserted in the JWT.
+   * - aud: Configured in the mapper policy. By default the service account
+   *        email.
+   * Claims from the incoming token can be transferred into the output token
+   * accoding to the mapper configuration. The outgoing claim size is limited.
+   * Outgoing claims size must be less than 4kB serialized as JSON without
+   * whitespace.
+   * Example header:
+   * {
+   *   "alg": "RS256",
+   *   "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
+   * }
+   * Example payload:
+   * {
+   *   "iss": "https://accounts.google.com",
+   *   "iat": 1517963104,
+   *   "exp": 1517966704,
+   *   "aud": "https://iamcredentials.googleapis.com/",
+   *   "sub": "113475438248934895348",
+   *   "my_claims": {
+   *     "additional_claim": "value"
+   *   }
+   * }
+   * </pre>
+   *
+   * <code>string jwt = 3;</code>
+   */
+  com.google.protobuf.ByteString getJwtBytes();
+}
diff --git a/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/GenerateIdentityBindingAccessTokenResponse.java b/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/GenerateIdentityBindingAccessTokenResponse.java
new file mode 100644
index 000000000000..bad691fb19aa
--- /dev/null
+++ b/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/GenerateIdentityBindingAccessTokenResponse.java
@@ -0,0 +1,887 @@
+// Generated by the protocol buffer compiler.  DO NOT EDIT!
+// source: google/iam/credentials/v1/common.proto
+
+package com.google.cloud.iam.credentials.v1;
+
+/** Protobuf type {@code google.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse} */
+public final class GenerateIdentityBindingAccessTokenResponse
+    extends com.google.protobuf.GeneratedMessageV3
+    implements
+    // @@protoc_insertion_point(message_implements:google.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse)
+    GenerateIdentityBindingAccessTokenResponseOrBuilder {
+  private static final long serialVersionUID = 0L;
+  // Use GenerateIdentityBindingAccessTokenResponse.newBuilder() to construct.
+  private GenerateIdentityBindingAccessTokenResponse(
+      com.google.protobuf.GeneratedMessageV3.Builder<?> builder) {
+    super(builder);
+  }
+
+  private GenerateIdentityBindingAccessTokenResponse() {
+    accessToken_ = "";
+  }
+
+  @java.lang.Override
+  public final com.google.protobuf.UnknownFieldSet getUnknownFields() {
+    return this.unknownFields;
+  }
+
+  private GenerateIdentityBindingAccessTokenResponse(
+      com.google.protobuf.CodedInputStream input,
+      com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+      throws com.google.protobuf.InvalidProtocolBufferException {
+    this();
+    if (extensionRegistry == null) {
+      throw new java.lang.NullPointerException();
+    }
+    int mutable_bitField0_ = 0;
+    com.google.protobuf.UnknownFieldSet.Builder unknownFields =
+        com.google.protobuf.UnknownFieldSet.newBuilder();
+    try {
+      boolean done = false;
+      while (!done) {
+        int tag = input.readTag();
+        switch (tag) {
+          case 0:
+            done = true;
+            break;
+          case 10:
+            {
+              java.lang.String s = input.readStringRequireUtf8();
+
+              accessToken_ = s;
+              break;
+            }
+          case 18:
+            {
+              com.google.protobuf.Timestamp.Builder subBuilder = null;
+              if (expireTime_ != null) {
+                subBuilder = expireTime_.toBuilder();
+              }
+              expireTime_ =
+                  input.readMessage(com.google.protobuf.Timestamp.parser(), extensionRegistry);
+              if (subBuilder != null) {
+                subBuilder.mergeFrom(expireTime_);
+                expireTime_ = subBuilder.buildPartial();
+              }
+
+              break;
+            }
+          default:
+            {
+              if (!parseUnknownFieldProto3(input, unknownFields, extensionRegistry, tag)) {
+                done = true;
+              }
+              break;
+            }
+        }
+      }
+    } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+      throw e.setUnfinishedMessage(this);
+    } catch (java.io.IOException e) {
+      throw new com.google.protobuf.InvalidProtocolBufferException(e).setUnfinishedMessage(this);
+    } finally {
+      this.unknownFields = unknownFields.build();
+      makeExtensionsImmutable();
+    }
+  }
+
+  public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() {
+    return com.google.cloud.iam.credentials.v1.IAMCredentialsCommonProto
+        .internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenResponse_descriptor;
+  }
+
+  @java.lang.Override
+  protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internalGetFieldAccessorTable() {
+    return com.google.cloud.iam.credentials.v1.IAMCredentialsCommonProto
+        .internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenResponse_fieldAccessorTable
+        .ensureFieldAccessorsInitialized(
+            com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse.class,
+            com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse.Builder
+                .class);
+  }
+
+  public static final int ACCESS_TOKEN_FIELD_NUMBER = 1;
+  private volatile java.lang.Object accessToken_;
+  /**
+   *
+   *
+   * <pre>
+   * The OAuth 2.0 access token.
+   * </pre>
+   *
+   * <code>string access_token = 1;</code>
+   */
+  public java.lang.String getAccessToken() {
+    java.lang.Object ref = accessToken_;
+    if (ref instanceof java.lang.String) {
+      return (java.lang.String) ref;
+    } else {
+      com.google.protobuf.ByteString bs = (com.google.protobuf.ByteString) ref;
+      java.lang.String s = bs.toStringUtf8();
+      accessToken_ = s;
+      return s;
+    }
+  }
+  /**
+   *
+   *
+   * <pre>
+   * The OAuth 2.0 access token.
+   * </pre>
+   *
+   * <code>string access_token = 1;</code>
+   */
+  public com.google.protobuf.ByteString getAccessTokenBytes() {
+    java.lang.Object ref = accessToken_;
+    if (ref instanceof java.lang.String) {
+      com.google.protobuf.ByteString b =
+          com.google.protobuf.ByteString.copyFromUtf8((java.lang.String) ref);
+      accessToken_ = b;
+      return b;
+    } else {
+      return (com.google.protobuf.ByteString) ref;
+    }
+  }
+
+  public static final int EXPIRE_TIME_FIELD_NUMBER = 2;
+  private com.google.protobuf.Timestamp expireTime_;
+  /**
+   *
+   *
+   * <pre>
+   * Token expiration time.
+   * The expiration time is always set.
+   * </pre>
+   *
+   * <code>.google.protobuf.Timestamp expire_time = 2;</code>
+   */
+  public boolean hasExpireTime() {
+    return expireTime_ != null;
+  }
+  /**
+   *
+   *
+   * <pre>
+   * Token expiration time.
+   * The expiration time is always set.
+   * </pre>
+   *
+   * <code>.google.protobuf.Timestamp expire_time = 2;</code>
+   */
+  public com.google.protobuf.Timestamp getExpireTime() {
+    return expireTime_ == null ? com.google.protobuf.Timestamp.getDefaultInstance() : expireTime_;
+  }
+  /**
+   *
+   *
+   * <pre>
+   * Token expiration time.
+   * The expiration time is always set.
+   * </pre>
+   *
+   * <code>.google.protobuf.Timestamp expire_time = 2;</code>
+   */
+  public com.google.protobuf.TimestampOrBuilder getExpireTimeOrBuilder() {
+    return getExpireTime();
+  }
+
+  private byte memoizedIsInitialized = -1;
+
+  @java.lang.Override
+  public final boolean isInitialized() {
+    byte isInitialized = memoizedIsInitialized;
+    if (isInitialized == 1) return true;
+    if (isInitialized == 0) return false;
+
+    memoizedIsInitialized = 1;
+    return true;
+  }
+
+  @java.lang.Override
+  public void writeTo(com.google.protobuf.CodedOutputStream output) throws java.io.IOException {
+    if (!getAccessTokenBytes().isEmpty()) {
+      com.google.protobuf.GeneratedMessageV3.writeString(output, 1, accessToken_);
+    }
+    if (expireTime_ != null) {
+      output.writeMessage(2, getExpireTime());
+    }
+    unknownFields.writeTo(output);
+  }
+
+  @java.lang.Override
+  public int getSerializedSize() {
+    int size = memoizedSize;
+    if (size != -1) return size;
+
+    size = 0;
+    if (!getAccessTokenBytes().isEmpty()) {
+      size += com.google.protobuf.GeneratedMessageV3.computeStringSize(1, accessToken_);
+    }
+    if (expireTime_ != null) {
+      size += com.google.protobuf.CodedOutputStream.computeMessageSize(2, getExpireTime());
+    }
+    size += unknownFields.getSerializedSize();
+    memoizedSize = size;
+    return size;
+  }
+
+  @java.lang.Override
+  public boolean equals(final java.lang.Object obj) {
+    if (obj == this) {
+      return true;
+    }
+    if (!(obj
+        instanceof
+        com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse)) {
+      return super.equals(obj);
+    }
+    com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse other =
+        (com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse) obj;
+
+    boolean result = true;
+    result = result && getAccessToken().equals(other.getAccessToken());
+    result = result && (hasExpireTime() == other.hasExpireTime());
+    if (hasExpireTime()) {
+      result = result && getExpireTime().equals(other.getExpireTime());
+    }
+    result = result && unknownFields.equals(other.unknownFields);
+    return result;
+  }
+
+  @java.lang.Override
+  public int hashCode() {
+    if (memoizedHashCode != 0) {
+      return memoizedHashCode;
+    }
+    int hash = 41;
+    hash = (19 * hash) + getDescriptor().hashCode();
+    hash = (37 * hash) + ACCESS_TOKEN_FIELD_NUMBER;
+    hash = (53 * hash) + getAccessToken().hashCode();
+    if (hasExpireTime()) {
+      hash = (37 * hash) + EXPIRE_TIME_FIELD_NUMBER;
+      hash = (53 * hash) + getExpireTime().hashCode();
+    }
+    hash = (29 * hash) + unknownFields.hashCode();
+    memoizedHashCode = hash;
+    return hash;
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+      parseFrom(java.nio.ByteBuffer data)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+      parseFrom(
+          java.nio.ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data, extensionRegistry);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+      parseFrom(com.google.protobuf.ByteString data)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+      parseFrom(
+          com.google.protobuf.ByteString data,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data, extensionRegistry);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+      parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+      parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws com.google.protobuf.InvalidProtocolBufferException {
+    return PARSER.parseFrom(data, extensionRegistry);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+      parseFrom(java.io.InputStream input) throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+      parseFrom(
+          java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseWithIOException(
+        PARSER, input, extensionRegistry);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+      parseDelimitedFrom(java.io.InputStream input) throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(PARSER, input);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+      parseDelimitedFrom(
+          java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(
+        PARSER, input, extensionRegistry);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+      parseFrom(com.google.protobuf.CodedInputStream input) throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input);
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+      parseFrom(
+          com.google.protobuf.CodedInputStream input,
+          com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+          throws java.io.IOException {
+    return com.google.protobuf.GeneratedMessageV3.parseWithIOException(
+        PARSER, input, extensionRegistry);
+  }
+
+  @java.lang.Override
+  public Builder newBuilderForType() {
+    return newBuilder();
+  }
+
+  public static Builder newBuilder() {
+    return DEFAULT_INSTANCE.toBuilder();
+  }
+
+  public static Builder newBuilder(
+      com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse prototype) {
+    return DEFAULT_INSTANCE.toBuilder().mergeFrom(prototype);
+  }
+
+  @java.lang.Override
+  public Builder toBuilder() {
+    return this == DEFAULT_INSTANCE ? new Builder() : new Builder().mergeFrom(this);
+  }
+
+  @java.lang.Override
+  protected Builder newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+    Builder builder = new Builder(parent);
+    return builder;
+  }
+  /** Protobuf type {@code google.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse} */
+  public static final class Builder extends com.google.protobuf.GeneratedMessageV3.Builder<Builder>
+      implements
+      // @@protoc_insertion_point(builder_implements:google.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse)
+      com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponseOrBuilder {
+    public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() {
+      return com.google.cloud.iam.credentials.v1.IAMCredentialsCommonProto
+          .internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenResponse_descriptor;
+    }
+
+    @java.lang.Override
+    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+        internalGetFieldAccessorTable() {
+      return com.google.cloud.iam.credentials.v1.IAMCredentialsCommonProto
+          .internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenResponse_fieldAccessorTable
+          .ensureFieldAccessorsInitialized(
+              com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse.class,
+              com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse.Builder
+                  .class);
+    }
+
+    // Construct using
+    // com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse.newBuilder()
+    private Builder() {
+      maybeForceBuilderInitialization();
+    }
+
+    private Builder(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
+      super(parent);
+      maybeForceBuilderInitialization();
+    }
+
+    private void maybeForceBuilderInitialization() {
+      if (com.google.protobuf.GeneratedMessageV3.alwaysUseFieldBuilders) {}
+    }
+
+    @java.lang.Override
+    public Builder clear() {
+      super.clear();
+      accessToken_ = "";
+
+      if (expireTimeBuilder_ == null) {
+        expireTime_ = null;
+      } else {
+        expireTime_ = null;
+        expireTimeBuilder_ = null;
+      }
+      return this;
+    }
+
+    @java.lang.Override
+    public com.google.protobuf.Descriptors.Descriptor getDescriptorForType() {
+      return com.google.cloud.iam.credentials.v1.IAMCredentialsCommonProto
+          .internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenResponse_descriptor;
+    }
+
+    @java.lang.Override
+    public com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+        getDefaultInstanceForType() {
+      return com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+          .getDefaultInstance();
+    }
+
+    @java.lang.Override
+    public com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse build() {
+      com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse result =
+          buildPartial();
+      if (!result.isInitialized()) {
+        throw newUninitializedMessageException(result);
+      }
+      return result;
+    }
+
+    @java.lang.Override
+    public com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+        buildPartial() {
+      com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse result =
+          new com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse(this);
+      result.accessToken_ = accessToken_;
+      if (expireTimeBuilder_ == null) {
+        result.expireTime_ = expireTime_;
+      } else {
+        result.expireTime_ = expireTimeBuilder_.build();
+      }
+      onBuilt();
+      return result;
+    }
+
+    @java.lang.Override
+    public Builder clone() {
+      return (Builder) super.clone();
+    }
+
+    @java.lang.Override
+    public Builder setField(
+        com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) {
+      return (Builder) super.setField(field, value);
+    }
+
+    @java.lang.Override
+    public Builder clearField(com.google.protobuf.Descriptors.FieldDescriptor field) {
+      return (Builder) super.clearField(field);
+    }
+
+    @java.lang.Override
+    public Builder clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof) {
+      return (Builder) super.clearOneof(oneof);
+    }
+
+    @java.lang.Override
+    public Builder setRepeatedField(
+        com.google.protobuf.Descriptors.FieldDescriptor field, int index, java.lang.Object value) {
+      return (Builder) super.setRepeatedField(field, index, value);
+    }
+
+    @java.lang.Override
+    public Builder addRepeatedField(
+        com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) {
+      return (Builder) super.addRepeatedField(field, value);
+    }
+
+    @java.lang.Override
+    public Builder mergeFrom(com.google.protobuf.Message other) {
+      if (other
+          instanceof
+          com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse) {
+        return mergeFrom(
+            (com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse) other);
+      } else {
+        super.mergeFrom(other);
+        return this;
+      }
+    }
+
+    public Builder mergeFrom(
+        com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse other) {
+      if (other
+          == com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+              .getDefaultInstance()) return this;
+      if (!other.getAccessToken().isEmpty()) {
+        accessToken_ = other.accessToken_;
+        onChanged();
+      }
+      if (other.hasExpireTime()) {
+        mergeExpireTime(other.getExpireTime());
+      }
+      this.mergeUnknownFields(other.unknownFields);
+      onChanged();
+      return this;
+    }
+
+    @java.lang.Override
+    public final boolean isInitialized() {
+      return true;
+    }
+
+    @java.lang.Override
+    public Builder mergeFrom(
+        com.google.protobuf.CodedInputStream input,
+        com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+        throws java.io.IOException {
+      com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse parsedMessage =
+          null;
+      try {
+        parsedMessage = PARSER.parsePartialFrom(input, extensionRegistry);
+      } catch (com.google.protobuf.InvalidProtocolBufferException e) {
+        parsedMessage =
+            (com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse)
+                e.getUnfinishedMessage();
+        throw e.unwrapIOException();
+      } finally {
+        if (parsedMessage != null) {
+          mergeFrom(parsedMessage);
+        }
+      }
+      return this;
+    }
+
+    private java.lang.Object accessToken_ = "";
+    /**
+     *
+     *
+     * <pre>
+     * The OAuth 2.0 access token.
+     * </pre>
+     *
+     * <code>string access_token = 1;</code>
+     */
+    public java.lang.String getAccessToken() {
+      java.lang.Object ref = accessToken_;
+      if (!(ref instanceof java.lang.String)) {
+        com.google.protobuf.ByteString bs = (com.google.protobuf.ByteString) ref;
+        java.lang.String s = bs.toStringUtf8();
+        accessToken_ = s;
+        return s;
+      } else {
+        return (java.lang.String) ref;
+      }
+    }
+    /**
+     *
+     *
+     * <pre>
+     * The OAuth 2.0 access token.
+     * </pre>
+     *
+     * <code>string access_token = 1;</code>
+     */
+    public com.google.protobuf.ByteString getAccessTokenBytes() {
+      java.lang.Object ref = accessToken_;
+      if (ref instanceof String) {
+        com.google.protobuf.ByteString b =
+            com.google.protobuf.ByteString.copyFromUtf8((java.lang.String) ref);
+        accessToken_ = b;
+        return b;
+      } else {
+        return (com.google.protobuf.ByteString) ref;
+      }
+    }
+    /**
+     *
+     *
+     * <pre>
+     * The OAuth 2.0 access token.
+     * </pre>
+     *
+     * <code>string access_token = 1;</code>
+     */
+    public Builder setAccessToken(java.lang.String value) {
+      if (value == null) {
+        throw new NullPointerException();
+      }
+
+      accessToken_ = value;
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * <pre>
+     * The OAuth 2.0 access token.
+     * </pre>
+     *
+     * <code>string access_token = 1;</code>
+     */
+    public Builder clearAccessToken() {
+
+      accessToken_ = getDefaultInstance().getAccessToken();
+      onChanged();
+      return this;
+    }
+    /**
+     *
+     *
+     * <pre>
+     * The OAuth 2.0 access token.
+     * </pre>
+     *
+     * <code>string access_token = 1;</code>
+     */
+    public Builder setAccessTokenBytes(com.google.protobuf.ByteString value) {
+      if (value == null) {
+        throw new NullPointerException();
+      }
+      checkByteStringIsUtf8(value);
+
+      accessToken_ = value;
+      onChanged();
+      return this;
+    }
+
+    private com.google.protobuf.Timestamp expireTime_ = null;
+    private com.google.protobuf.SingleFieldBuilderV3<
+            com.google.protobuf.Timestamp,
+            com.google.protobuf.Timestamp.Builder,
+            com.google.protobuf.TimestampOrBuilder>
+        expireTimeBuilder_;
+    /**
+     *
+     *
+     * <pre>
+     * Token expiration time.
+     * The expiration time is always set.
+     * </pre>
+     *
+     * <code>.google.protobuf.Timestamp expire_time = 2;</code>
+     */
+    public boolean hasExpireTime() {
+      return expireTimeBuilder_ != null || expireTime_ != null;
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Token expiration time.
+     * The expiration time is always set.
+     * </pre>
+     *
+     * <code>.google.protobuf.Timestamp expire_time = 2;</code>
+     */
+    public com.google.protobuf.Timestamp getExpireTime() {
+      if (expireTimeBuilder_ == null) {
+        return expireTime_ == null
+            ? com.google.protobuf.Timestamp.getDefaultInstance()
+            : expireTime_;
+      } else {
+        return expireTimeBuilder_.getMessage();
+      }
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Token expiration time.
+     * The expiration time is always set.
+     * </pre>
+     *
+     * <code>.google.protobuf.Timestamp expire_time = 2;</code>
+     */
+    public Builder setExpireTime(com.google.protobuf.Timestamp value) {
+      if (expireTimeBuilder_ == null) {
+        if (value == null) {
+          throw new NullPointerException();
+        }
+        expireTime_ = value;
+        onChanged();
+      } else {
+        expireTimeBuilder_.setMessage(value);
+      }
+
+      return this;
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Token expiration time.
+     * The expiration time is always set.
+     * </pre>
+     *
+     * <code>.google.protobuf.Timestamp expire_time = 2;</code>
+     */
+    public Builder setExpireTime(com.google.protobuf.Timestamp.Builder builderForValue) {
+      if (expireTimeBuilder_ == null) {
+        expireTime_ = builderForValue.build();
+        onChanged();
+      } else {
+        expireTimeBuilder_.setMessage(builderForValue.build());
+      }
+
+      return this;
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Token expiration time.
+     * The expiration time is always set.
+     * </pre>
+     *
+     * <code>.google.protobuf.Timestamp expire_time = 2;</code>
+     */
+    public Builder mergeExpireTime(com.google.protobuf.Timestamp value) {
+      if (expireTimeBuilder_ == null) {
+        if (expireTime_ != null) {
+          expireTime_ =
+              com.google.protobuf.Timestamp.newBuilder(expireTime_).mergeFrom(value).buildPartial();
+        } else {
+          expireTime_ = value;
+        }
+        onChanged();
+      } else {
+        expireTimeBuilder_.mergeFrom(value);
+      }
+
+      return this;
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Token expiration time.
+     * The expiration time is always set.
+     * </pre>
+     *
+     * <code>.google.protobuf.Timestamp expire_time = 2;</code>
+     */
+    public Builder clearExpireTime() {
+      if (expireTimeBuilder_ == null) {
+        expireTime_ = null;
+        onChanged();
+      } else {
+        expireTime_ = null;
+        expireTimeBuilder_ = null;
+      }
+
+      return this;
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Token expiration time.
+     * The expiration time is always set.
+     * </pre>
+     *
+     * <code>.google.protobuf.Timestamp expire_time = 2;</code>
+     */
+    public com.google.protobuf.Timestamp.Builder getExpireTimeBuilder() {
+
+      onChanged();
+      return getExpireTimeFieldBuilder().getBuilder();
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Token expiration time.
+     * The expiration time is always set.
+     * </pre>
+     *
+     * <code>.google.protobuf.Timestamp expire_time = 2;</code>
+     */
+    public com.google.protobuf.TimestampOrBuilder getExpireTimeOrBuilder() {
+      if (expireTimeBuilder_ != null) {
+        return expireTimeBuilder_.getMessageOrBuilder();
+      } else {
+        return expireTime_ == null
+            ? com.google.protobuf.Timestamp.getDefaultInstance()
+            : expireTime_;
+      }
+    }
+    /**
+     *
+     *
+     * <pre>
+     * Token expiration time.
+     * The expiration time is always set.
+     * </pre>
+     *
+     * <code>.google.protobuf.Timestamp expire_time = 2;</code>
+     */
+    private com.google.protobuf.SingleFieldBuilderV3<
+            com.google.protobuf.Timestamp,
+            com.google.protobuf.Timestamp.Builder,
+            com.google.protobuf.TimestampOrBuilder>
+        getExpireTimeFieldBuilder() {
+      if (expireTimeBuilder_ == null) {
+        expireTimeBuilder_ =
+            new com.google.protobuf.SingleFieldBuilderV3<
+                com.google.protobuf.Timestamp,
+                com.google.protobuf.Timestamp.Builder,
+                com.google.protobuf.TimestampOrBuilder>(
+                getExpireTime(), getParentForChildren(), isClean());
+        expireTime_ = null;
+      }
+      return expireTimeBuilder_;
+    }
+
+    @java.lang.Override
+    public final Builder setUnknownFields(final com.google.protobuf.UnknownFieldSet unknownFields) {
+      return super.setUnknownFieldsProto3(unknownFields);
+    }
+
+    @java.lang.Override
+    public final Builder mergeUnknownFields(
+        final com.google.protobuf.UnknownFieldSet unknownFields) {
+      return super.mergeUnknownFields(unknownFields);
+    }
+
+    // @@protoc_insertion_point(builder_scope:google.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse)
+  }
+
+  // @@protoc_insertion_point(class_scope:google.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse)
+  private static final com.google.cloud.iam.credentials.v1
+          .GenerateIdentityBindingAccessTokenResponse
+      DEFAULT_INSTANCE;
+
+  static {
+    DEFAULT_INSTANCE =
+        new com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse();
+  }
+
+  public static com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+      getDefaultInstance() {
+    return DEFAULT_INSTANCE;
+  }
+
+  private static final com.google.protobuf.Parser<GenerateIdentityBindingAccessTokenResponse>
+      PARSER =
+          new com.google.protobuf.AbstractParser<GenerateIdentityBindingAccessTokenResponse>() {
+            @java.lang.Override
+            public GenerateIdentityBindingAccessTokenResponse parsePartialFrom(
+                com.google.protobuf.CodedInputStream input,
+                com.google.protobuf.ExtensionRegistryLite extensionRegistry)
+                throws com.google.protobuf.InvalidProtocolBufferException {
+              return new GenerateIdentityBindingAccessTokenResponse(input, extensionRegistry);
+            }
+          };
+
+  public static com.google.protobuf.Parser<GenerateIdentityBindingAccessTokenResponse> parser() {
+    return PARSER;
+  }
+
+  @java.lang.Override
+  public com.google.protobuf.Parser<GenerateIdentityBindingAccessTokenResponse> getParserForType() {
+    return PARSER;
+  }
+
+  @java.lang.Override
+  public com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse
+      getDefaultInstanceForType() {
+    return DEFAULT_INSTANCE;
+  }
+}
diff --git a/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/GenerateIdentityBindingAccessTokenResponseOrBuilder.java b/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/GenerateIdentityBindingAccessTokenResponseOrBuilder.java
new file mode 100644
index 000000000000..b13564dc00de
--- /dev/null
+++ b/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/GenerateIdentityBindingAccessTokenResponseOrBuilder.java
@@ -0,0 +1,65 @@
+// Generated by the protocol buffer compiler.  DO NOT EDIT!
+// source: google/iam/credentials/v1/common.proto
+
+package com.google.cloud.iam.credentials.v1;
+
+public interface GenerateIdentityBindingAccessTokenResponseOrBuilder
+    extends
+    // @@protoc_insertion_point(interface_extends:google.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse)
+    com.google.protobuf.MessageOrBuilder {
+
+  /**
+   *
+   *
+   * <pre>
+   * The OAuth 2.0 access token.
+   * </pre>
+   *
+   * <code>string access_token = 1;</code>
+   */
+  java.lang.String getAccessToken();
+  /**
+   *
+   *
+   * <pre>
+   * The OAuth 2.0 access token.
+   * </pre>
+   *
+   * <code>string access_token = 1;</code>
+   */
+  com.google.protobuf.ByteString getAccessTokenBytes();
+
+  /**
+   *
+   *
+   * <pre>
+   * Token expiration time.
+   * The expiration time is always set.
+   * </pre>
+   *
+   * <code>.google.protobuf.Timestamp expire_time = 2;</code>
+   */
+  boolean hasExpireTime();
+  /**
+   *
+   *
+   * <pre>
+   * Token expiration time.
+   * The expiration time is always set.
+   * </pre>
+   *
+   * <code>.google.protobuf.Timestamp expire_time = 2;</code>
+   */
+  com.google.protobuf.Timestamp getExpireTime();
+  /**
+   *
+   *
+   * <pre>
+   * Token expiration time.
+   * The expiration time is always set.
+   * </pre>
+   *
+   * <code>.google.protobuf.Timestamp expire_time = 2;</code>
+   */
+  com.google.protobuf.TimestampOrBuilder getExpireTimeOrBuilder();
+}
diff --git a/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/IAMCredentialsCommonProto.java b/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/IAMCredentialsCommonProto.java
index 1913fb615541..a6aa1762c332 100644
--- a/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/IAMCredentialsCommonProto.java
+++ b/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/IAMCredentialsCommonProto.java
@@ -44,6 +44,14 @@ public static void registerAllExtensions(com.google.protobuf.ExtensionRegistry r
       internal_static_google_iam_credentials_v1_GenerateIdTokenResponse_descriptor;
   static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
       internal_static_google_iam_credentials_v1_GenerateIdTokenResponse_fieldAccessorTable;
+  static final com.google.protobuf.Descriptors.Descriptor
+      internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenRequest_descriptor;
+  static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenRequest_fieldAccessorTable;
+  static final com.google.protobuf.Descriptors.Descriptor
+      internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenResponse_descriptor;
+  static final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
+      internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenResponse_fieldAccessorTable;
 
   public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() {
     return descriptor;
@@ -71,11 +79,16 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() {
           + "\030\002 \001(\t\"b\n\026GenerateIdTokenRequest\022\014\n\004name"
           + "\030\001 \001(\t\022\021\n\tdelegates\030\002 \003(\t\022\020\n\010audience\030\003 "
           + "\001(\t\022\025\n\rinclude_email\030\004 \001(\010\"(\n\027GenerateId"
-          + "TokenResponse\022\r\n\005token\030\001 \001(\tB\213\001\n#com.goo"
-          + "gle.cloud.iam.credentials.v1B\031IAMCredent"
-          + "ialsCommonProtoP\001ZDgoogle.golang.org/gen"
-          + "proto/googleapis/iam/credentials/v1;cred"
-          + "entials\370\001\001b\006proto3"
+          + "TokenResponse\022\r\n\005token\030\001 \001(\t\"U\n)Generate"
+          + "IdentityBindingAccessTokenRequest\022\014\n\004nam"
+          + "e\030\001 \001(\t\022\r\n\005scope\030\002 \003(\t\022\013\n\003jwt\030\003 \001(\t\"s\n*G"
+          + "enerateIdentityBindingAccessTokenRespons"
+          + "e\022\024\n\014access_token\030\001 \001(\t\022/\n\013expire_time\030\002"
+          + " \001(\0132\032.google.protobuf.TimestampB\213\001\n#com"
+          + ".google.cloud.iam.credentials.v1B\031IAMCre"
+          + "dentialsCommonProtoP\001ZDgoogle.golang.org"
+          + "/genproto/googleapis/iam/credentials/v1;"
+          + "credentials\370\001\001b\006proto3"
     };
     com.google.protobuf.Descriptors.FileDescriptor.InternalDescriptorAssigner assigner =
         new com.google.protobuf.Descriptors.FileDescriptor.InternalDescriptorAssigner() {
@@ -156,6 +169,22 @@ public com.google.protobuf.ExtensionRegistry assignDescriptors(
             new java.lang.String[] {
               "Token",
             });
+    internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenRequest_descriptor =
+        getDescriptor().getMessageTypes().get(8);
+    internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenRequest_fieldAccessorTable =
+        new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+            internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenRequest_descriptor,
+            new java.lang.String[] {
+              "Name", "Scope", "Jwt",
+            });
+    internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenResponse_descriptor =
+        getDescriptor().getMessageTypes().get(9);
+    internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenResponse_fieldAccessorTable =
+        new com.google.protobuf.GeneratedMessageV3.FieldAccessorTable(
+            internal_static_google_iam_credentials_v1_GenerateIdentityBindingAccessTokenResponse_descriptor,
+            new java.lang.String[] {
+              "AccessToken", "ExpireTime",
+            });
     com.google.protobuf.DurationProto.getDescriptor();
     com.google.protobuf.TimestampProto.getDescriptor();
   }
diff --git a/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/IAMCredentialsProto.java b/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/IAMCredentialsProto.java
index 6bd5863e9bb7..7ce6a8abdc5f 100644
--- a/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/IAMCredentialsProto.java
+++ b/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/java/com/google/cloud/iam/credentials/v1/IAMCredentialsProto.java
@@ -23,7 +23,7 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() {
       "\n.google/iam/credentials/v1/iamcredentia"
           + "ls.proto\022\031google.iam.credentials.v1\032\034goo"
           + "gle/api/annotations.proto\032&google/iam/cr"
-          + "edentials/v1/common.proto2\340\005\n\016IAMCredent"
+          + "edentials/v1/common.proto2\353\007\n\016IAMCredent"
           + "ials\022\314\001\n\023GenerateAccessToken\0225.google.ia"
           + "m.credentials.v1.GenerateAccessTokenRequ"
           + "est\0326.google.iam.credentials.v1.Generate"
@@ -42,10 +42,17 @@ public static com.google.protobuf.Descriptors.FileDescriptor getDescriptor() {
           + "ls.v1.SignJwtRequest\032*.google.iam.creden"
           + "tials.v1.SignJwtResponse\":\202\323\344\223\0024\"//v1/{n"
           + "ame=projects/*/serviceAccounts/*}:signJw"
-          + "t:\001*B\205\001\n#com.google.cloud.iam.credential"
-          + "s.v1B\023IAMCredentialsProtoP\001ZDgoogle.gola"
-          + "ng.org/genproto/googleapis/iam/credentia"
-          + "ls/v1;credentials\370\001\001b\006proto3"
+          + "t:\001*\022\210\002\n\"GenerateIdentityBindingAccessTo"
+          + "ken\022D.google.iam.credentials.v1.Generate"
+          + "IdentityBindingAccessTokenRequest\032E.goog"
+          + "le.iam.credentials.v1.GenerateIdentityBi"
+          + "ndingAccessTokenResponse\"U\202\323\344\223\002O\"J/v1/{n"
+          + "ame=projects/*/serviceAccounts/*}:genera"
+          + "teIdentityBindingAccessToken:\001*B\205\001\n#com."
+          + "google.cloud.iam.credentials.v1B\023IAMCred"
+          + "entialsProtoP\001ZDgoogle.golang.org/genpro"
+          + "to/googleapis/iam/credentials/v1;credent"
+          + "ials\370\001\001b\006proto3"
     };
     com.google.protobuf.Descriptors.FileDescriptor.InternalDescriptorAssigner assigner =
         new com.google.protobuf.Descriptors.FileDescriptor.InternalDescriptorAssigner() {
diff --git a/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/proto/google/iam/credentials/v1/common.proto b/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/proto/google/iam/credentials/v1/common.proto
index 4fb12530ce00..fa382a99ec4a 100644
--- a/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/proto/google/iam/credentials/v1/common.proto
+++ b/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/proto/google/iam/credentials/v1/common.proto
@@ -154,3 +154,71 @@ message GenerateIdTokenResponse {
   string token = 1;
 }
 
+message GenerateIdentityBindingAccessTokenRequest {
+  // The resource name of the service account for which the credentials
+  // are requested, in the following format:
+  // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+  string name = 1;
+
+  // Code to identify the scopes to be included in the OAuth 2.0 access token.
+  // See https://developers.google.com/identity/protocols/googlescopes for more
+  // information.
+  // At least one value required.
+  repeated string scope = 2;
+
+  // Required. Input token.
+  // Must be in JWT format according to
+  // RFC7523 (https://tools.ietf.org/html/rfc7523)
+  // and must have 'kid' field in the header.
+  // Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
+  // Mandatory payload fields (along the lines of RFC 7523, section 3):
+  // - iss: issuer of the token. Must provide a discovery document at
+  //        $iss/.well-known/openid-configuration . The document needs to be
+  //        formatted according to section 4.2 of the OpenID Connect Discovery
+  //        1.0 specification.
+  // - iat: Issue time in seconds since epoch. Must be in the past.
+  // - exp: Expiration time in seconds since epoch. Must be less than 48 hours
+  //        after iat. We recommend to create tokens that last shorter than 6
+  //        hours to improve security unless business reasons mandate longer
+  //        expiration times. Shorter token lifetimes are generally more secure
+  //        since tokens that have been exfiltrated by attackers can be used for
+  //        a shorter time. you can configure the maximum lifetime of the
+  //        incoming token in the configuration of the mapper.
+  //        The resulting Google token will expire within an hour or at "exp",
+  //        whichever is earlier.
+  // - sub: JWT subject, identity asserted in the JWT.
+  // - aud: Configured in the mapper policy. By default the service account
+  //        email.
+  //
+  // Claims from the incoming token can be transferred into the output token
+  // accoding to the mapper configuration. The outgoing claim size is limited.
+  // Outgoing claims size must be less than 4kB serialized as JSON without
+  // whitespace.
+  //
+  // Example header:
+  // {
+  //   "alg": "RS256",
+  //   "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
+  // }
+  // Example payload:
+  // {
+  //   "iss": "https://accounts.google.com",
+  //   "iat": 1517963104,
+  //   "exp": 1517966704,
+  //   "aud": "https://iamcredentials.googleapis.com/",
+  //   "sub": "113475438248934895348",
+  //   "my_claims": {
+  //     "additional_claim": "value"
+  //   }
+  // }
+  string jwt = 3;
+}
+
+message GenerateIdentityBindingAccessTokenResponse {
+  // The OAuth 2.0 access token.
+  string access_token = 1;
+
+  // Token expiration time.
+  // The expiration time is always set.
+  google.protobuf.Timestamp expire_time = 2;
+}
diff --git a/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/proto/google/iam/credentials/v1/iamcredentials.proto b/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/proto/google/iam/credentials/v1/iamcredentials.proto
index 9ab1c3240c19..91902dfd2b06 100644
--- a/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/proto/google/iam/credentials/v1/iamcredentials.proto
+++ b/google-api-grpc/proto-google-cloud-iamcredentials-v1/src/main/proto/google/iam/credentials/v1/iamcredentials.proto
@@ -67,4 +67,15 @@ service IAMCredentials {
       body: "*"
     };
   }
+
+  // Exchange a JWT signed by third party identity provider to an OAuth 2.0
+  // access token
+  rpc GenerateIdentityBindingAccessToken(
+      GenerateIdentityBindingAccessTokenRequest)
+      returns (GenerateIdentityBindingAccessTokenResponse) {
+    option (google.api.http) = {
+      post: "/v1/{name=projects/*/serviceAccounts/*}:generateIdentityBindingAccessToken"
+      body: "*"
+    };
+  }
 }
diff --git a/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/IamCredentialsClient.java b/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/IamCredentialsClient.java
index 9886cba6df55..318ad4fb44e5 100644
--- a/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/IamCredentialsClient.java
+++ b/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/IamCredentialsClient.java
@@ -550,6 +550,118 @@ public final UnaryCallable<SignJwtRequest, SignJwtResponse> signJwtCallable() {
     return stub.signJwtCallable();
   }
 
+  // AUTO-GENERATED DOCUMENTATION AND METHOD
+  /**
+   * Exchange a JWT signed by third party identity provider to an OAuth 2.0 access token
+   *
+   * <p>Sample code:
+   *
+   * <pre><code>
+   * try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
+   *   String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+   *   List&lt;String&gt; scope = new ArrayList&lt;&gt;();
+   *   String jwt = "";
+   *   GenerateIdentityBindingAccessTokenResponse response = iamCredentialsClient.generateIdentityBindingAccessToken(formattedName, scope, jwt);
+   * }
+   * </code></pre>
+   *
+   * @param name The resource name of the service account for which the credentials are requested,
+   *     in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+   * @param scope Code to identify the scopes to be included in the OAuth 2.0 access token. See
+   *     https://developers.google.com/identity/protocols/googlescopes for more information. At
+   *     least one value required.
+   * @param jwt Required. Input token. Must be in JWT format according to RFC7523
+   *     (https://tools.ietf.org/html/rfc7523) and must have 'kid' field in the header. Supported
+   *     signing algorithms: RS256 (RS512, ES256, ES512 coming soon). Mandatory payload fields
+   *     (along the lines of RFC 7523, section 3): - iss: issuer of the token. Must provide a
+   *     discovery document at $iss/.well-known/openid-configuration . The document needs to be
+   *     formatted according to section 4.2 of the OpenID Connect Discovery 1.0 specification. -
+   *     iat: Issue time in seconds since epoch. Must be in the past. - exp: Expiration time in
+   *     seconds since epoch. Must be less than 48 hours after iat. We recommend to create tokens
+   *     that last shorter than 6 hours to improve security unless business reasons mandate longer
+   *     expiration times. Shorter token lifetimes are generally more secure since tokens that have
+   *     been exfiltrated by attackers can be used for a shorter time. you can configure the maximum
+   *     lifetime of the incoming token in the configuration of the mapper. The resulting Google
+   *     token will expire within an hour or at "exp", whichever is earlier. - sub: JWT subject,
+   *     identity asserted in the JWT. - aud: Configured in the mapper policy. By default the
+   *     service account email.
+   *     <p>Claims from the incoming token can be transferred into the output token accoding to the
+   *     mapper configuration. The outgoing claim size is limited. Outgoing claims size must be less
+   *     than 4kB serialized as JSON without whitespace.
+   *     <p>Example header: { "alg": "RS256", "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8" }
+   *     Example payload: { "iss": "https://accounts.google.com", "iat": 1517963104, "exp":
+   *     1517966704, "aud": "https://iamcredentials.googleapis.com/", "sub":
+   *     "113475438248934895348", "my_claims": { "additional_claim": "value" } }
+   * @throws com.google.api.gax.rpc.ApiException if the remote call fails
+   */
+  public final GenerateIdentityBindingAccessTokenResponse generateIdentityBindingAccessToken(
+      String name, List<String> scope, String jwt) {
+    SERVICE_ACCOUNT_PATH_TEMPLATE.validate(name, "generateIdentityBindingAccessToken");
+    GenerateIdentityBindingAccessTokenRequest request =
+        GenerateIdentityBindingAccessTokenRequest.newBuilder()
+            .setName(name)
+            .addAllScope(scope)
+            .setJwt(jwt)
+            .build();
+    return generateIdentityBindingAccessToken(request);
+  }
+
+  // AUTO-GENERATED DOCUMENTATION AND METHOD
+  /**
+   * Exchange a JWT signed by third party identity provider to an OAuth 2.0 access token
+   *
+   * <p>Sample code:
+   *
+   * <pre><code>
+   * try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
+   *   String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+   *   List&lt;String&gt; scope = new ArrayList&lt;&gt;();
+   *   String jwt = "";
+   *   GenerateIdentityBindingAccessTokenRequest request = GenerateIdentityBindingAccessTokenRequest.newBuilder()
+   *     .setName(formattedName)
+   *     .addAllScope(scope)
+   *     .setJwt(jwt)
+   *     .build();
+   *   GenerateIdentityBindingAccessTokenResponse response = iamCredentialsClient.generateIdentityBindingAccessToken(request);
+   * }
+   * </code></pre>
+   *
+   * @param request The request object containing all of the parameters for the API call.
+   * @throws com.google.api.gax.rpc.ApiException if the remote call fails
+   */
+  public final GenerateIdentityBindingAccessTokenResponse generateIdentityBindingAccessToken(
+      GenerateIdentityBindingAccessTokenRequest request) {
+    return generateIdentityBindingAccessTokenCallable().call(request);
+  }
+
+  // AUTO-GENERATED DOCUMENTATION AND METHOD
+  /**
+   * Exchange a JWT signed by third party identity provider to an OAuth 2.0 access token
+   *
+   * <p>Sample code:
+   *
+   * <pre><code>
+   * try (IamCredentialsClient iamCredentialsClient = IamCredentialsClient.create()) {
+   *   String formattedName = IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+   *   List&lt;String&gt; scope = new ArrayList&lt;&gt;();
+   *   String jwt = "";
+   *   GenerateIdentityBindingAccessTokenRequest request = GenerateIdentityBindingAccessTokenRequest.newBuilder()
+   *     .setName(formattedName)
+   *     .addAllScope(scope)
+   *     .setJwt(jwt)
+   *     .build();
+   *   ApiFuture&lt;GenerateIdentityBindingAccessTokenResponse&gt; future = iamCredentialsClient.generateIdentityBindingAccessTokenCallable().futureCall(request);
+   *   // Do something
+   *   GenerateIdentityBindingAccessTokenResponse response = future.get();
+   * }
+   * </code></pre>
+   */
+  public final UnaryCallable<
+          GenerateIdentityBindingAccessTokenRequest, GenerateIdentityBindingAccessTokenResponse>
+      generateIdentityBindingAccessTokenCallable() {
+    return stub.generateIdentityBindingAccessTokenCallable();
+  }
+
   @Override
   public final void close() {
     stub.close();
diff --git a/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/IamCredentialsSettings.java b/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/IamCredentialsSettings.java
index 363a5a534f1c..8ddcd066b153 100644
--- a/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/IamCredentialsSettings.java
+++ b/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/IamCredentialsSettings.java
@@ -82,6 +82,14 @@ public UnaryCallSettings<SignJwtRequest, SignJwtResponse> signJwtSettings() {
     return ((IamCredentialsStubSettings) getStubSettings()).signJwtSettings();
   }
 
+  /** Returns the object with the settings used for calls to generateIdentityBindingAccessToken. */
+  public UnaryCallSettings<
+          GenerateIdentityBindingAccessTokenRequest, GenerateIdentityBindingAccessTokenResponse>
+      generateIdentityBindingAccessTokenSettings() {
+    return ((IamCredentialsStubSettings) getStubSettings())
+        .generateIdentityBindingAccessTokenSettings();
+  }
+
   public static final IamCredentialsSettings create(IamCredentialsStubSettings stub)
       throws IOException {
     return new IamCredentialsSettings.Builder(stub.toBuilder()).build();
@@ -201,6 +209,15 @@ public UnaryCallSettings.Builder<SignJwtRequest, SignJwtResponse> signJwtSetting
       return getStubSettingsBuilder().signJwtSettings();
     }
 
+    /**
+     * Returns the builder for the settings used for calls to generateIdentityBindingAccessToken.
+     */
+    public UnaryCallSettings.Builder<
+            GenerateIdentityBindingAccessTokenRequest, GenerateIdentityBindingAccessTokenResponse>
+        generateIdentityBindingAccessTokenSettings() {
+      return getStubSettingsBuilder().generateIdentityBindingAccessTokenSettings();
+    }
+
     @Override
     public IamCredentialsSettings build() throws IOException {
       return new IamCredentialsSettings(this);
diff --git a/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/stub/GrpcIamCredentialsStub.java b/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/stub/GrpcIamCredentialsStub.java
index bed050b4a10e..7d633fa7386a 100644
--- a/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/stub/GrpcIamCredentialsStub.java
+++ b/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/stub/GrpcIamCredentialsStub.java
@@ -26,6 +26,8 @@
 import com.google.cloud.iam.credentials.v1.GenerateAccessTokenResponse;
 import com.google.cloud.iam.credentials.v1.GenerateIdTokenRequest;
 import com.google.cloud.iam.credentials.v1.GenerateIdTokenResponse;
+import com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest;
+import com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse;
 import com.google.cloud.iam.credentials.v1.SignBlobRequest;
 import com.google.cloud.iam.credentials.v1.SignBlobResponse;
 import com.google.cloud.iam.credentials.v1.SignJwtRequest;
@@ -81,6 +83,23 @@ public class GrpcIamCredentialsStub extends IamCredentialsStub {
           .setRequestMarshaller(ProtoUtils.marshaller(SignJwtRequest.getDefaultInstance()))
           .setResponseMarshaller(ProtoUtils.marshaller(SignJwtResponse.getDefaultInstance()))
           .build();
+  private static final MethodDescriptor<
+          GenerateIdentityBindingAccessTokenRequest, GenerateIdentityBindingAccessTokenResponse>
+      generateIdentityBindingAccessTokenMethodDescriptor =
+          MethodDescriptor
+              .<GenerateIdentityBindingAccessTokenRequest,
+                  GenerateIdentityBindingAccessTokenResponse>
+                  newBuilder()
+              .setType(MethodDescriptor.MethodType.UNARY)
+              .setFullMethodName(
+                  "google.iam.credentials.v1.IAMCredentials/GenerateIdentityBindingAccessToken")
+              .setRequestMarshaller(
+                  ProtoUtils.marshaller(
+                      GenerateIdentityBindingAccessTokenRequest.getDefaultInstance()))
+              .setResponseMarshaller(
+                  ProtoUtils.marshaller(
+                      GenerateIdentityBindingAccessTokenResponse.getDefaultInstance()))
+              .build();
 
   private final BackgroundResource backgroundResources;
 
@@ -90,6 +109,9 @@ public class GrpcIamCredentialsStub extends IamCredentialsStub {
       generateIdTokenCallable;
   private final UnaryCallable<SignBlobRequest, SignBlobResponse> signBlobCallable;
   private final UnaryCallable<SignJwtRequest, SignJwtResponse> signJwtCallable;
+  private final UnaryCallable<
+          GenerateIdentityBindingAccessTokenRequest, GenerateIdentityBindingAccessTokenResponse>
+      generateIdentityBindingAccessTokenCallable;
 
   private final GrpcStubCallableFactory callableFactory;
 
@@ -150,6 +172,15 @@ protected GrpcIamCredentialsStub(
         GrpcCallSettings.<SignJwtRequest, SignJwtResponse>newBuilder()
             .setMethodDescriptor(signJwtMethodDescriptor)
             .build();
+    GrpcCallSettings<
+            GenerateIdentityBindingAccessTokenRequest, GenerateIdentityBindingAccessTokenResponse>
+        generateIdentityBindingAccessTokenTransportSettings =
+            GrpcCallSettings
+                .<GenerateIdentityBindingAccessTokenRequest,
+                    GenerateIdentityBindingAccessTokenResponse>
+                    newBuilder()
+                .setMethodDescriptor(generateIdentityBindingAccessTokenMethodDescriptor)
+                .build();
 
     this.generateAccessTokenCallable =
         callableFactory.createUnaryCallable(
@@ -165,6 +196,11 @@ protected GrpcIamCredentialsStub(
     this.signJwtCallable =
         callableFactory.createUnaryCallable(
             signJwtTransportSettings, settings.signJwtSettings(), clientContext);
+    this.generateIdentityBindingAccessTokenCallable =
+        callableFactory.createUnaryCallable(
+            generateIdentityBindingAccessTokenTransportSettings,
+            settings.generateIdentityBindingAccessTokenSettings(),
+            clientContext);
 
     backgroundResources = new BackgroundResourceAggregation(clientContext.getBackgroundResources());
   }
@@ -186,6 +222,12 @@ public UnaryCallable<SignJwtRequest, SignJwtResponse> signJwtCallable() {
     return signJwtCallable;
   }
 
+  public UnaryCallable<
+          GenerateIdentityBindingAccessTokenRequest, GenerateIdentityBindingAccessTokenResponse>
+      generateIdentityBindingAccessTokenCallable() {
+    return generateIdentityBindingAccessTokenCallable;
+  }
+
   @Override
   public final void close() {
     shutdown();
diff --git a/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/stub/IamCredentialsStub.java b/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/stub/IamCredentialsStub.java
index b6c99ff4bb74..c8f06442cdb6 100644
--- a/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/stub/IamCredentialsStub.java
+++ b/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/stub/IamCredentialsStub.java
@@ -22,6 +22,8 @@
 import com.google.cloud.iam.credentials.v1.GenerateAccessTokenResponse;
 import com.google.cloud.iam.credentials.v1.GenerateIdTokenRequest;
 import com.google.cloud.iam.credentials.v1.GenerateIdTokenResponse;
+import com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest;
+import com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse;
 import com.google.cloud.iam.credentials.v1.SignBlobRequest;
 import com.google.cloud.iam.credentials.v1.SignBlobResponse;
 import com.google.cloud.iam.credentials.v1.SignJwtRequest;
@@ -55,6 +57,13 @@ public UnaryCallable<SignJwtRequest, SignJwtResponse> signJwtCallable() {
     throw new UnsupportedOperationException("Not implemented: signJwtCallable()");
   }
 
+  public UnaryCallable<
+          GenerateIdentityBindingAccessTokenRequest, GenerateIdentityBindingAccessTokenResponse>
+      generateIdentityBindingAccessTokenCallable() {
+    throw new UnsupportedOperationException(
+        "Not implemented: generateIdentityBindingAccessTokenCallable()");
+  }
+
   @Override
   public abstract void close();
 }
diff --git a/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/stub/IamCredentialsStubSettings.java b/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/stub/IamCredentialsStubSettings.java
index e6b865af9447..e2b3a0656e90 100644
--- a/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/stub/IamCredentialsStubSettings.java
+++ b/google-cloud-clients/google-cloud-iamcredentials/src/main/java/com/google/cloud/iam/credentials/v1/stub/IamCredentialsStubSettings.java
@@ -34,6 +34,8 @@
 import com.google.cloud.iam.credentials.v1.GenerateAccessTokenResponse;
 import com.google.cloud.iam.credentials.v1.GenerateIdTokenRequest;
 import com.google.cloud.iam.credentials.v1.GenerateIdTokenResponse;
+import com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenRequest;
+import com.google.cloud.iam.credentials.v1.GenerateIdentityBindingAccessTokenResponse;
 import com.google.cloud.iam.credentials.v1.SignBlobRequest;
 import com.google.cloud.iam.credentials.v1.SignBlobResponse;
 import com.google.cloud.iam.credentials.v1.SignJwtRequest;
@@ -87,6 +89,9 @@ public class IamCredentialsStubSettings extends StubSettings<IamCredentialsStubS
       generateIdTokenSettings;
   private final UnaryCallSettings<SignBlobRequest, SignBlobResponse> signBlobSettings;
   private final UnaryCallSettings<SignJwtRequest, SignJwtResponse> signJwtSettings;
+  private final UnaryCallSettings<
+          GenerateIdentityBindingAccessTokenRequest, GenerateIdentityBindingAccessTokenResponse>
+      generateIdentityBindingAccessTokenSettings;
 
   /** Returns the object with the settings used for calls to generateAccessToken. */
   public UnaryCallSettings<GenerateAccessTokenRequest, GenerateAccessTokenResponse>
@@ -110,6 +115,13 @@ public UnaryCallSettings<SignJwtRequest, SignJwtResponse> signJwtSettings() {
     return signJwtSettings;
   }
 
+  /** Returns the object with the settings used for calls to generateIdentityBindingAccessToken. */
+  public UnaryCallSettings<
+          GenerateIdentityBindingAccessTokenRequest, GenerateIdentityBindingAccessTokenResponse>
+      generateIdentityBindingAccessTokenSettings() {
+    return generateIdentityBindingAccessTokenSettings;
+  }
+
   @BetaApi("A restructuring of stub classes is planned, so this may break in the future")
   public IamCredentialsStub createStub() throws IOException {
     if (getTransportChannelProvider()
@@ -182,6 +194,8 @@ protected IamCredentialsStubSettings(Builder settingsBuilder) throws IOException
     generateIdTokenSettings = settingsBuilder.generateIdTokenSettings().build();
     signBlobSettings = settingsBuilder.signBlobSettings().build();
     signJwtSettings = settingsBuilder.signJwtSettings().build();
+    generateIdentityBindingAccessTokenSettings =
+        settingsBuilder.generateIdentityBindingAccessTokenSettings().build();
   }
 
   /** Builder for IamCredentialsStubSettings. */
@@ -194,6 +208,9 @@ public static class Builder extends StubSettings.Builder<IamCredentialsStubSetti
         generateIdTokenSettings;
     private final UnaryCallSettings.Builder<SignBlobRequest, SignBlobResponse> signBlobSettings;
     private final UnaryCallSettings.Builder<SignJwtRequest, SignJwtResponse> signJwtSettings;
+    private final UnaryCallSettings.Builder<
+            GenerateIdentityBindingAccessTokenRequest, GenerateIdentityBindingAccessTokenResponse>
+        generateIdentityBindingAccessTokenSettings;
 
     private static final ImmutableMap<String, ImmutableSet<StatusCode.Code>>
         RETRYABLE_CODE_DEFINITIONS;
@@ -244,12 +261,15 @@ protected Builder(ClientContext clientContext) {
 
       signJwtSettings = UnaryCallSettings.newUnaryCallSettingsBuilder();
 
+      generateIdentityBindingAccessTokenSettings = UnaryCallSettings.newUnaryCallSettingsBuilder();
+
       unaryMethodSettingsBuilders =
           ImmutableList.<UnaryCallSettings.Builder<?, ?>>of(
               generateAccessTokenSettings,
               generateIdTokenSettings,
               signBlobSettings,
-              signJwtSettings);
+              signJwtSettings,
+              generateIdentityBindingAccessTokenSettings);
 
       initDefaults(this);
     }
@@ -285,6 +305,11 @@ private static Builder initDefaults(Builder builder) {
           .setRetryableCodes(RETRYABLE_CODE_DEFINITIONS.get("idempotent"))
           .setRetrySettings(RETRY_PARAM_DEFINITIONS.get("default"));
 
+      builder
+          .generateIdentityBindingAccessTokenSettings()
+          .setRetryableCodes(RETRYABLE_CODE_DEFINITIONS.get("idempotent"))
+          .setRetrySettings(RETRY_PARAM_DEFINITIONS.get("default"));
+
       return builder;
     }
 
@@ -295,13 +320,16 @@ protected Builder(IamCredentialsStubSettings settings) {
       generateIdTokenSettings = settings.generateIdTokenSettings.toBuilder();
       signBlobSettings = settings.signBlobSettings.toBuilder();
       signJwtSettings = settings.signJwtSettings.toBuilder();
+      generateIdentityBindingAccessTokenSettings =
+          settings.generateIdentityBindingAccessTokenSettings.toBuilder();
 
       unaryMethodSettingsBuilders =
           ImmutableList.<UnaryCallSettings.Builder<?, ?>>of(
               generateAccessTokenSettings,
               generateIdTokenSettings,
               signBlobSettings,
-              signJwtSettings);
+              signJwtSettings,
+              generateIdentityBindingAccessTokenSettings);
     }
 
     // NEXT_MAJOR_VER: remove 'throws Exception'
@@ -342,6 +370,15 @@ public UnaryCallSettings.Builder<SignJwtRequest, SignJwtResponse> signJwtSetting
       return signJwtSettings;
     }
 
+    /**
+     * Returns the builder for the settings used for calls to generateIdentityBindingAccessToken.
+     */
+    public UnaryCallSettings.Builder<
+            GenerateIdentityBindingAccessTokenRequest, GenerateIdentityBindingAccessTokenResponse>
+        generateIdentityBindingAccessTokenSettings() {
+      return generateIdentityBindingAccessTokenSettings;
+    }
+
     @Override
     public IamCredentialsStubSettings build() throws IOException {
       return new IamCredentialsStubSettings(this);
diff --git a/google-cloud-clients/google-cloud-iamcredentials/src/test/java/com/google/cloud/iam/credentials/v1/IamCredentialsClientTest.java b/google-cloud-clients/google-cloud-iamcredentials/src/test/java/com/google/cloud/iam/credentials/v1/IamCredentialsClientTest.java
index 8f275a594bfc..772298437149 100644
--- a/google-cloud-clients/google-cloud-iamcredentials/src/test/java/com/google/cloud/iam/credentials/v1/IamCredentialsClientTest.java
+++ b/google-cloud-clients/google-cloud-iamcredentials/src/test/java/com/google/cloud/iam/credentials/v1/IamCredentialsClientTest.java
@@ -276,4 +276,54 @@ public void signJwtExceptionTest() throws Exception {
       // Expected exception
     }
   }
+
+  @Test
+  @SuppressWarnings("all")
+  public void generateIdentityBindingAccessTokenTest() {
+    String accessToken = "accessToken-1938933922";
+    GenerateIdentityBindingAccessTokenResponse expectedResponse =
+        GenerateIdentityBindingAccessTokenResponse.newBuilder().setAccessToken(accessToken).build();
+    mockIAMCredentials.addResponse(expectedResponse);
+
+    String formattedName =
+        IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+    List<String> scope = new ArrayList<>();
+    String jwt = "jwt105671";
+
+    GenerateIdentityBindingAccessTokenResponse actualResponse =
+        client.generateIdentityBindingAccessToken(formattedName, scope, jwt);
+    Assert.assertEquals(expectedResponse, actualResponse);
+
+    List<GeneratedMessageV3> actualRequests = mockIAMCredentials.getRequests();
+    Assert.assertEquals(1, actualRequests.size());
+    GenerateIdentityBindingAccessTokenRequest actualRequest =
+        (GenerateIdentityBindingAccessTokenRequest) actualRequests.get(0);
+
+    Assert.assertEquals(formattedName, actualRequest.getName());
+    Assert.assertEquals(scope, actualRequest.getScopeList());
+    Assert.assertEquals(jwt, actualRequest.getJwt());
+    Assert.assertTrue(
+        channelProvider.isHeaderSent(
+            ApiClientHeaderProvider.getDefaultApiClientHeaderKey(),
+            GaxGrpcProperties.getDefaultApiClientHeaderPattern()));
+  }
+
+  @Test
+  @SuppressWarnings("all")
+  public void generateIdentityBindingAccessTokenExceptionTest() throws Exception {
+    StatusRuntimeException exception = new StatusRuntimeException(Status.INVALID_ARGUMENT);
+    mockIAMCredentials.addException(exception);
+
+    try {
+      String formattedName =
+          IamCredentialsClient.formatServiceAccountName("[PROJECT]", "[SERVICE_ACCOUNT]");
+      List<String> scope = new ArrayList<>();
+      String jwt = "jwt105671";
+
+      client.generateIdentityBindingAccessToken(formattedName, scope, jwt);
+      Assert.fail("No exception raised");
+    } catch (InvalidArgumentException e) {
+      // Expected exception
+    }
+  }
 }
diff --git a/google-cloud-clients/google-cloud-iamcredentials/src/test/java/com/google/cloud/iam/credentials/v1/MockIAMCredentialsImpl.java b/google-cloud-clients/google-cloud-iamcredentials/src/test/java/com/google/cloud/iam/credentials/v1/MockIAMCredentialsImpl.java
index b9f106d5d1c6..e44b8a4c179e 100644
--- a/google-cloud-clients/google-cloud-iamcredentials/src/test/java/com/google/cloud/iam/credentials/v1/MockIAMCredentialsImpl.java
+++ b/google-cloud-clients/google-cloud-iamcredentials/src/test/java/com/google/cloud/iam/credentials/v1/MockIAMCredentialsImpl.java
@@ -114,4 +114,20 @@ public void signJwt(SignJwtRequest request, StreamObserver<SignJwtResponse> resp
       responseObserver.onError(new IllegalArgumentException("Unrecognized response type"));
     }
   }
+
+  @Override
+  public void generateIdentityBindingAccessToken(
+      GenerateIdentityBindingAccessTokenRequest request,
+      StreamObserver<GenerateIdentityBindingAccessTokenResponse> responseObserver) {
+    Object response = responses.remove();
+    if (response instanceof GenerateIdentityBindingAccessTokenResponse) {
+      requests.add(request);
+      responseObserver.onNext((GenerateIdentityBindingAccessTokenResponse) response);
+      responseObserver.onCompleted();
+    } else if (response instanceof Exception) {
+      responseObserver.onError((Exception) response);
+    } else {
+      responseObserver.onError(new IllegalArgumentException("Unrecognized response type"));
+    }
+  }
 }
diff --git a/google-cloud-clients/google-cloud-iamcredentials/synth.metadata b/google-cloud-clients/google-cloud-iamcredentials/synth.metadata
index 4541e1ba854a..0f4f16349096 100644
--- a/google-cloud-clients/google-cloud-iamcredentials/synth.metadata
+++ b/google-cloud-clients/google-cloud-iamcredentials/synth.metadata
@@ -1,19 +1,19 @@
 {
-  "updateTime": "2018-12-12T22:58:16.947668Z",
+  "updateTime": "2019-01-03T17:46:37.271512Z",
   "sources": [
     {
       "generator": {
         "name": "artman",
-        "version": "0.16.2",
-        "dockerImage": "googleapis/artman@sha256:2f6b261ee7fe1aedf238991c93a20b3820de37a343d0cacf3e3e9555c2aaf2ea"
+        "version": "0.16.4",
+        "dockerImage": "googleapis/artman@sha256:8b45fae963557c3299921037ecbb86f0689f41b1b4aea73408ebc50562cb2857"
       }
     },
     {
       "git": {
         "name": "googleapis",
         "remote": "https://github.com/googleapis/googleapis.git",
-        "sha": "a207551d5190d2dc915ea261f19ce83eeee000d3",
-        "internalRef": "225249459"
+        "sha": "2a5caab4315cb5ab3d5c97c90c6d4e9441052b16",
+        "internalRef": "227195651"
       }
     }
   ],