author | iddqd <iddqd@yandex-team.com> | 2024-06-11 10:12:13 +0300 |
---|---|---|
committer | iddqd <iddqd@yandex-team.com> | 2024-06-11 10:22:43 +0300 |
commit | 07f57e35443ab7f09471caf2dbf1afbcced4d9f7 (patch) | |
tree | a4a7b66ead62e83fa988a2ec2ce6576311c1f4b1 /contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager | |
parent | 6db3b8ca95e44179e48306a58656fb1f9317d9c3 (diff) | |
add contrib/python/yandexcloud to import
03b7d3cad2237366b55b393e18d4dc5eb222798c
Diffstat (limited to 'contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager')
16 files changed, 1892 insertions, 0 deletions
diff --git a/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/group.proto b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/group.proto
new file mode 100644
index 0000000000..b793223590
--- /dev/null
+++ b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/group.proto
@@ -0,0 +1,27 @@
+syntax = "proto3";
+
+package yandex.cloud.organizationmanager.v1;
+
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/organizationmanager/v1;organizationmanager";
+option java_package = "yandex.cloud.api.organizationmanager.v1";
+
+// A Group resource.
+// For more information, see [Groups](/docs/organization/operations/manage-groups).
+message Group {
+ // ID of the group.
+ string id = 1;
+
+ // ID of the organization that the group belongs to.
+ string organization_id = 2;
+
+ // Creation timestamp.
+ google.protobuf.Timestamp created_at = 3;
+
+ // Name of the group.
+ string name = 4;
+
+ // Description of the group.
+ string description = 5;
+}
diff --git a/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/group_mapping.proto b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/group_mapping.proto
new file mode 100644
index 0000000000..634d4a219f
--- /dev/null
+++ b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/group_mapping.proto
@@ -0,0 +1,25 @@
+syntax = "proto3";
+
+package yandex.cloud.organizationmanager.v1;
+
+import "yandex/cloud/validation.proto";
+
+option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/organizationmanager/v1;organizationmanager";
+option java_package = "yandex.cloud.api.organizationmanager.v1";
+
+// Group mapping represents which external (federated) groups should match which internal (cloud) groups
+message GroupMappingItem {
+ // External group id (received from identity provider)
+ string external_group_id = 1 [(required) = true, (length) = "<=1000"];
+ // Internal cloud group id
+ string internal_group_id = 2 [(required) = true, (length) = "<=50"];
+}
+
+// Group synchronization status for a specific federation
+// Absence of this object for a federation means that there is no group synchronization set of for the federation.
+message GroupMapping {
+ // Federation id
+ string federation_id = 1;
+ // Flag to show whether group synchronization should be enabled for this federation.
+ bool enabled = 2;
+}
diff --git a/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/group_mapping_service.proto b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/group_mapping_service.proto
new file mode 100644
index 0000000000..985fadcf1c
--- /dev/null
+++ b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/group_mapping_service.proto
@@ -0,0 +1,177 @@
+syntax = "proto3";
+
+package yandex.cloud.organizationmanager.v1;
+
+import "google/protobuf/field_mask.proto";
+import "yandex/cloud/api/operation.proto";
+import "yandex/cloud/operation/operation.proto";
+import "yandex/cloud/organizationmanager/v1/group_mapping.proto";
+import "yandex/cloud/validation.proto";
+
+option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/organizationmanager/v1;organizationmanager";
+option java_package = "yandex.cloud.api.organizationmanager.v1";
+
+// RPC service dedicated for federation group mapping.
+service GroupMappingService {
+ // Returns a group mapping configured for the specific federation
+ // If a federation does not exist this call will return an error
+ // NOT_FOUND will be returned
+ // If a federation exist, but has not ever been configured for group mapping
+ // the call FAILED_PRECONDITION will be returned.
+ rpc Get(GetGroupMappingRequest) returns (GetGroupMappingResponse);
+ // Adds a group mapping for a federation
+ // If mapping already exist, ALREADY_EXISTS will be returned
+ rpc Create(CreateGroupMappingRequest) returns (operation.Operation) {
+ option (yandex.cloud.api.operation) = {
+ metadata: "CreateGroupMappingMetadata"
+ response: "GroupMapping"
+ };
+ }
+ // Updates an existing group mapping for a federation
+ // Errors:
+ // - if federation is not found
+ // In case of any error, no changes are applied to existing group mapping
+ //
+ // This call is idempotent. The following actions do nothing:
+ // - enabling when already enabled
+ // - disabling when disabled
+ // Such parts of request will be ignored. Others will be applied.
+ rpc Update(UpdateGroupMappingRequest) returns (operation.Operation) {
+ option (yandex.cloud.api.operation) = {
+ metadata: "UpdateGroupMappingMetadata"
+ response: "GroupMapping"
+ };
+ }
+ // Deletes a group mapping. This will remove all the mapping items
+ // cascade.
+ rpc Delete(DeleteGroupMappingRequest) returns (operation.Operation) {
+ option (yandex.cloud.api.operation) = {
+ metadata: "DeleteGroupMappingMetadata"
+ response: "google.protobuf.Empty"
+ };
+ }
+ // Returns all the group mappings items
+ //
+ // Filtering is only supported by external_group_id or internal_group_id
+ rpc ListItems(ListGroupMappingItemsRequest) returns (ListGroupMappingItemsResponse);
+ // Updates group mapping items for a specified federation
+ // Errors:
+ // - if federation is not found
+ // - if internal group in the mapping added does not exist
+ // In case of any error, no changes are applied to existing group mapping
+ //
+ // This call is idempotent. The following actions do nothing:
+ // - adding group mapping items that are already present
+ // - removing group mapping items that are not present
+ // Such parts of request will be ignored. Others will be applied.
+ rpc UpdateItems(UpdateGroupMappingItemsRequest) returns (operation.Operation) {
+ option (yandex.cloud.api.operation) = {
+ metadata: "UpdateGroupMappingItemsMetadata"
+ response: "UpdateGroupMappingItemsResponse"
+ };
+ }
+}
+
+message GetGroupMappingRequest {
+ string federation_id = 1 [
+ (required) = true,
+ (length) = "<=50"
+ ];
+}
+
+message GetGroupMappingResponse {
+ GroupMapping group_mapping = 1;
+}
+
+message CreateGroupMappingRequest {
+ reserved 2;
+ // Federation the group mapping will be created for
+ string federation_id = 1 [
+ (required) = true,
+ (length) = "<=50"
+ ];
+ // Synchronization status.
+ bool enabled = 3;
+}
+
+message CreateGroupMappingMetadata {
+ string federation_id = 1;
+}
+
+// Request for updating group mapping configuration
+message UpdateGroupMappingRequest {
+ // Federation the group mapping update is requested
+ string federation_id = 1 [
+ (required) = true,
+ (length) = "<=50"
+ ];
+ // A set of fields that should be updated
+ google.protobuf.FieldMask update_mask = 2;
+ // A new state of synchronization to update (if mentioned in update_mask).
+ bool enabled = 3;
+}
+
+message UpdateGroupMappingMetadata {
+ string federation_id = 1;
+}
+
+message DeleteGroupMappingRequest {
+ // Federation the group mapping deletion is requested
+ string federation_id = 1 [
+ (required) = true,
+ (length) = "<=50"
+ ];
+}
+
+message DeleteGroupMappingMetadata {
+ string federation_id = 1;
+}
+
+// Request for updating group mapping configuration
+message UpdateGroupMappingItemsRequest {
+ reserved 2 to 3;
+ // Federation the group mapping update is requested
+ string federation_id = 1 [
+ (required) = true,
+ (length) = "<=50"
+ ];
+ // A collection of mapping items to add or remove (ignores update_fields).
+ repeated GroupMappingItemDelta group_mapping_item_deltas = 4 [(size) = "1-1000"];
+}
+
+// Message describes the user's request to change (add or remove) a single group mapping.
+message GroupMappingItemDelta {
+ GroupMappingItem item = 1;
+ Action action = 2;
+ enum Action {
+ ACTION_UNSPECIFIED = 0;
+ // Group mapping item is to be added
+ ADD = 1;
+ // Group mapping item is to be removed
+ REMOVE = 2;
+ }
+}
+
+message UpdateGroupMappingItemsMetadata {
+ string federation_id = 1;
+}
+
+message UpdateGroupMappingItemsResponse {
+ // Effective changes that were applied
+ repeated GroupMappingItemDelta group_mapping_item_deltas = 4;
+}
+
+message ListGroupMappingItemsRequest {
+ string federation_id = 1 [
+ (required) = true,
+ (length) = "<=50"
+ ];
+ int64 page_size = 2 [(value) = "0-1000"];
+ string page_token = 3 [(length) = "<=2000"];
+ string filter = 4 [(length) = "<=1000"];
+}
+
+message ListGroupMappingItemsResponse {
+ repeated GroupMappingItem group_mapping_items = 1;
+ string next_page_token = 2;
+}
diff --git a/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/group_service.proto b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/group_service.proto
new file mode 100644
index 0000000000..734a0bf0db
--- /dev/null
+++ b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/group_service.proto
@@ -0,0 +1,298 @@
+syntax = "proto3";
+
+package yandex.cloud.organizationmanager.v1;
+
+import "google/api/annotations.proto";
+import "google/protobuf/field_mask.proto";
+import "yandex/cloud/api/operation.proto";
+import "yandex/cloud/organizationmanager/v1/group.proto";
+import "yandex/cloud/access/access.proto";
+import "yandex/cloud/operation/operation.proto";
+import "yandex/cloud/validation.proto";
+
+option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/organizationmanager/v1;organizationmanager";
+option java_package = "yandex.cloud.api.organizationmanager.v1";
+
+// A set of methods for managing groups.
+service GroupService {
+ // Returns the specified Group resource.
+ //
+ // To get the list of available Group resources, make a [List] request.
+ rpc Get (GetGroupRequest) returns (Group) {
+ option (google.api.http) = { get: "/organization-manager/v1/groups/{group_id}" };
+ }
+
+ // Retrieves the list of group resources.
+ rpc List (ListGroupsRequest) returns (ListGroupsResponse) {
+ option (google.api.http) = { get: "/organization-manager/v1/groups" };
+ }
+
+ // Creates a group in the specified organization.
+ rpc Create (CreateGroupRequest) returns (operation.Operation) {
+ option (google.api.http) = { post: "/organization-manager/v1/groups" body: "*" };
+ option (yandex.cloud.api.operation) = {
+ metadata: "CreateGroupMetadata"
+ response: "Group"
+ };
+ }
+
+ // Updates the specified group.
+ rpc Update (UpdateGroupRequest) returns (operation.Operation) {
+ option (google.api.http) = { patch: "/organization-manager/v1/groups/{group_id}" body: "*" };
+ option (yandex.cloud.api.operation) = {
+ metadata: "UpdateGroupMetadata"
+ response: "Group"
+ };
+ }
+
+ // Deletes the specified group.
+ rpc Delete (DeleteGroupRequest) returns (operation.Operation) {
+ option (google.api.http) = { delete: "/organization-manager/v1/groups/{group_id}" };
+ option (yandex.cloud.api.operation) = {
+ metadata: "DeleteGroupMetadata"
+ response: "google.protobuf.Empty"
+ };
+ }
+
+ // Lists operations for the specified group.
+ rpc ListOperations (ListGroupOperationsRequest) returns (ListGroupOperationsResponse) {
+ option (google.api.http) = { get: "/organization-manager/v1/groups/{group_id}/operations" };
+ }
+
+ // members
+
+ // List group active members.
+ rpc ListMembers (ListGroupMembersRequest) returns (ListGroupMembersResponse) {
+ option (google.api.http) = { get: "/organization-manager/v1/groups/{group_id}:listMembers" };
+ }
+
+ // Update group members.
+ rpc UpdateMembers (UpdateGroupMembersRequest) returns (operation.Operation) {
+ option (google.api.http) = { post: "/organization-manager/v1/groups/{group_id}:updateMembers" body: "*" };
+ option (yandex.cloud.api.operation) = {
+ metadata: "UpdateGroupMembersMetadata"
+ response: "google.protobuf.Empty"
+ };
+ }
+
+ // access
+
+ // Lists access bindings for the specified group.
+ rpc ListAccessBindings (access.ListAccessBindingsRequest) returns (access.ListAccessBindingsResponse) {
+ option (google.api.http) = { get: "/organization-manager/v1/groups/{resource_id}:listAccessBindings" };
+ }
+
+ // Sets access bindings for the specified group.
+ rpc SetAccessBindings (access.SetAccessBindingsRequest) returns (operation.Operation) {
+ option (google.api.http) = { post: "/organization-manager/v1/groups/{resource_id}:setAccessBindings" body: "*" };
+ option (yandex.cloud.api.operation) = {
+ metadata: "access.SetAccessBindingsMetadata"
+ response: "access.AccessBindingsOperationResult"
+ };
+ }
+
+ // Updates access bindings for the specified group.
+ rpc UpdateAccessBindings (access.UpdateAccessBindingsRequest) returns (operation.Operation) {
+ option (google.api.http) = { post: "/organization-manager/v1/groups/{resource_id}:updateAccessBindings" body: "*" };
+ option (yandex.cloud.api.operation) = {
+ metadata: "access.UpdateAccessBindingsMetadata"
+ response: "access.AccessBindingsOperationResult"
+ };
+ }
+}
+
+message GetGroupRequest {
+ // ID of the Group resource to return.
+ // To get the group ID, use a [GroupService.List] request.
+ string group_id = 1 [(required) = true, (length) = "<=50"];
+}
+
+message ListGroupsRequest {
+ // ID of the organization to list groups in.
+ // To get the organization ID, use a [yandex.cloud.organizationmanager.v1.OrganizationService.List] request.
+ string organization_id = 1 [(required) = true, (length) = "<=50"];
+
+ // The maximum number of results per page to return. If the number of available
+ // results is larger than [page_size],
+ // the service returns a [ListGroupsResponse.next_page_token]
+ // that can be used to get the next page of results in subsequent list requests.
+ // Default value: 100.
+ int64 page_size = 2 [(value) = "0-1000"];
+
+ // Page token. Set [page_token]
+ // to the [ListGroupsResponse.next_page_token]
+ // returned by a previous list request to get the next page of results.
+ string page_token = 3 [(length) = "<=2000"];
+
+ // A filter expression that filters resources listed in the response.
+ // The expression must specify:
+ // 1. The field name. Currently you can use filtering only on the [Group.name] field.
+ // 2. An `=` operator.
+ // 3. The value in double quotes (`"`). Must be 3-63 characters long and match the regular expression `[a-z][-a-z0-9]{1,61}[a-z0-9]`.
+ string filter = 4 [(length) = "<=1000"];
+}
+
+message ListGroupsResponse {
+ // List of Group resources.
+ repeated Group groups = 1;
+
+ // This token allows you to get the next page of results for list requests. If the number of results
+ // is larger than [ListGroupsRequest.page_size], use
+ // the [next_page_token] as the value
+ // for the [ListGroupsRequest.page_token] query parameter
+ // in the next list request. Each subsequent list request will have its own
+ // [next_page_token] to continue paging through the results.
+ string next_page_token = 2;
+}
+
+message CreateGroupRequest {
+ // ID of the organization to create a group in.
+ // To get the organization ID, use a [yandex.cloud.organizationmanager.v1.OrganizationService.List] request.
+ string organization_id = 1 [(required) = true, (length) = "<=50"];
+
+ // Name of the group.
+ // The name must be unique within the organization.
+ string name = 2 [(required) = true, (pattern) = "[a-z]([-a-z0-9]{0,61}[a-z0-9])?"];
+
+ // Description of the group.
+ string description = 3 [(length) = "<=256"];
+}
+
+message CreateGroupMetadata {
+ // ID of the group that is being created.
+ string group_id = 1;
+}
+
+message UpdateGroupRequest {
+ // ID of the Group resource to update.
+ // To get the group ID, use a [GroupService.List] request.
+ string group_id = 1 [(required) = true, (length) = "<=50"];
+
+ // Field mask that specifies which fields of the Group resource are going to be updated.
+ google.protobuf.FieldMask update_mask = 2;
+
+ // Name of the group.
+ // The name must be unique within the organization.
+ string name = 3 [(pattern) = "|[a-z]([-a-z0-9]{0,61}[a-z0-9])?"];
+
+ // Description of the group.
+ string description = 4 [(length) = "<=256"];
+}
+
+message UpdateGroupMetadata {
+ // ID of the Group resource that is being updated.
+ string group_id = 1;
+}
+
+message DeleteGroupRequest {
+ // ID of the group to delete.
+ // To get the group ID, use a [GroupService.List] request.
+ string group_id = 1 [(required) = true, (length) = "<=50"];
+}
+
+message DeleteGroupMetadata {
+ // ID of the group that is being deleted.
+ string group_id = 1;
+}
+
+message ListGroupOperationsRequest {
+ // ID of the Group resource to list operations for.
+ string group_id = 1 [(required) = true, (length) = "<=50"];
+
+ // The maximum number of results per page to return. If the number of available
+ // results is larger than [page_size], the service returns a [ListGroupOperationsResponse.next_page_token]
+ // that can be used to get the next page of results in subsequent list requests.
+ // Default value: 100.
+ int64 page_size = 2 [(value) = "0-1000"];
+
+ // Page token. Set [page_token]
+ // to the [ListGroupOperationsResponse.next_page_token]
+ // returned by a previous list request to get the next page of results.
+ string page_token = 3 [(length) = "<=2000"];
+}
+
+message ListGroupOperationsResponse {
+ // List of operations for the specified group.
+ repeated operation.Operation operations = 1;
+
+ // This token allows you to get the next page of results for list requests. If the number of results
+ // is larger than [ListGroupOperationsRequest.page_size], use the [next_page_token] as the value
+ // for the [ListGroupOperationsRequest.page_token] query parameter in the next list request.
+ // Each subsequent list request will have its own [next_page_token] to continue paging through the results.
+ string next_page_token = 2;
+}
+
+message ListGroupMembersRequest {
+ // ID of the Group resource to list members for.
+ string group_id = 1 [(required) = true, (length) = "<=50"];
+
+ // The maximum number of results per page to return. If the number of available
+ // results is larger than [page_size], the service returns a [ListGroupMembersResponse.next_page_token]
+ // that can be used to get the next page of results in subsequent list requests.
+ // Acceptable values are 0 to 1000, inclusive. Default value: 100.
+ int64 page_size = 2 [(value) = "0-1000"];
+
+ // Page token. Set [page_token]
+ // to the [ListGroupMembersResponse.next_page_token]
+ // returned by a previous list request to get the next page of results.
+ string page_token = 3 [(length) = "<=2000"];
+}
+
+message ListGroupMembersResponse {
+ // List of members for the specified group.
+ repeated GroupMember members = 1;
+
+ // This token allows you to get the next page of results for list requests. If the number of results
+ // is larger than [ListGroupMembersRequest.page_size], use the [next_page_token] as the value
+ // for the [ListGroupMembersRequest.page_token] query parameter in the next list request.
+ // Each subsequent list request will have its own [next_page_token] to continue paging through the results.
+ string next_page_token = 2;
+}
+
+message GroupMember {
+ // ID of the subject.
+ string subject_id = 1;
+
+ // Type of the subject.
+ //
+ // It can contain one of the following values:
+ // * `userAccount`: An account on Yandex, added to Yandex Cloud.
+ // * `federatedUser`: A federated account. This type represents a user from an identity federation, like Active Directory.
+ string subject_type = 2;
+}
+
+message UpdateGroupMembersRequest {
+ // ID of the group to update.
+ // To get the group ID, use a [GroupService.List] request.
+ string group_id = 1 [(required) = true, (length) = "<=50"];
+
+ // Updates to group members.
+ repeated MemberDelta member_deltas = 2 [(size) = "1-1000"];
+}
+
+message UpdateGroupMembersMetadata {
+ // ID of the group that is being updated.
+ string group_id = 1;
+}
+
+message MemberDelta {
+ // The action that is being performed on a group member.
+ MemberAction action = 1 [(required) = true];
+
+ // ID of the subject that is being added or removed from a group.
+ //
+ // Subject type can be one of following values:
+ // * `userAccount`: An account on Yandex, added to Yandex Cloud.
+ // * `federatedUser`: A federated account. This type represents a user from an identity federation, like Active Directory.
+ string subject_id = 2 [(required) = true, (length) = "<=50"];
+
+ enum MemberAction {
+ MEMBER_ACTION_UNSPECIFIED = 0;
+
+ // Addition of a group member.
+ ADD = 1;
+
+ // Removal of a group member.
+ REMOVE = 2;
+ }
+}
diff --git a/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/organization.proto b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/organization.proto
new file mode 100644
index 0000000000..abd1ed42c1
--- /dev/null
+++ b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/organization.proto
@@ -0,0 +1,30 @@
+syntax = "proto3";
+
+package yandex.cloud.organizationmanager.v1;
+
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/organizationmanager/v1;organizationmanager";
+option java_package = "yandex.cloud.api.organizationmanager.v1";
+
+// An Organization resource. For more information, see [Organization](/docs/organization/enable-org).
+message Organization {
+ reserved 5;
+ // ID of the organization.
+ string id = 1;
+
+ // Creation timestamp.
+ google.protobuf.Timestamp created_at = 2;
+
+ // Name of the organization. 3-63 characters long.
+ string name = 3;
+
+ // Description of the organization. 0-256 characters long.
+ string description = 4;
+
+ // Display name of the organization. 0-256 characters long.
+ string title = 6;
+
+ // Resource labels as `` key:value `` pairs. Maximum of 64 per resource.
+ map<string, string> labels = 7;
+}
diff --git a/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/organization_service.proto b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/organization_service.proto
new file mode 100644
index 0000000000..e75c4a51de
--- /dev/null
+++ b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/organization_service.proto
@@ -0,0 +1,161 @@
+syntax = "proto3";
+
+package yandex.cloud.organizationmanager.v1;
+
+import "google/api/annotations.proto";
+import "google/protobuf/field_mask.proto";
+import "yandex/cloud/api/operation.proto";
+import "yandex/cloud/organizationmanager/v1/organization.proto";
+import "yandex/cloud/access/access.proto";
+import "yandex/cloud/operation/operation.proto";
+import "yandex/cloud/validation.proto";
+
+option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/organizationmanager/v1;organizationmanager";
+option java_package = "yandex.cloud.api.organizationmanager.v1";
+
+// A set of methods for managing Organization resources.
+service OrganizationService {
+ // Returns the specified Organization resource.
+ //
+ // To get the list of available Organization resources, make a [List] request.
+ rpc Get (GetOrganizationRequest) returns (Organization) {
+ option (google.api.http) = { get: "/organization-manager/v1/organizations/{organization_id}" };
+ }
+
+ // Retrieves the list of Organization resources.
+ rpc List (ListOrganizationsRequest) returns (ListOrganizationsResponse) {
+ option (google.api.http) = { get: "/organization-manager/v1/organizations" };
+ }
+
+ // Updates the specified organization.
+ rpc Update (UpdateOrganizationRequest) returns (operation.Operation) {
+ option (google.api.http) = { patch: "/organization-manager/v1/organizations/{organization_id}" body: "*" };
+ option (yandex.cloud.api.operation) = {
+ metadata: "UpdateOrganizationMetadata"
+ response: "Organization"
+ };
+ }
+
+ // Lists operations for the specified organization.
+ rpc ListOperations (ListOrganizationOperationsRequest) returns (ListOrganizationOperationsResponse) {
+ option (google.api.http) = { get: "/organization-manager/v1/organizations/{organization_id}/operations" };
+ }
+
+ //access
+
+ // Lists access bindings for the specified organization.
+ rpc ListAccessBindings (access.ListAccessBindingsRequest) returns (access.ListAccessBindingsResponse) {
+ option (google.api.http) = { get: "/organization-manager/v1/organizations/{resource_id}:listAccessBindings" };
+ }
+
+ // Sets access bindings for the specified organization.
+ rpc SetAccessBindings (access.SetAccessBindingsRequest) returns (operation.Operation) {
+ option (google.api.http) = { post: "/organization-manager/v1/organizations/{resource_id}:setAccessBindings" body: "*" };
+ option (yandex.cloud.api.operation) = {
+ metadata: "access.SetAccessBindingsMetadata"
+ response: "google.protobuf.Empty"
+ };
+ }
+
+ // Updates access bindings for the specified organization.
+ rpc UpdateAccessBindings (access.UpdateAccessBindingsRequest) returns (operation.Operation) {
+ option (google.api.http) = { post: "/organization-manager/v1/organizations/{resource_id}:updateAccessBindings" body: "*" };
+ option (yandex.cloud.api.operation) = {
+ metadata: "access.UpdateAccessBindingsMetadata"
+ response: "google.protobuf.Empty"
+ };
+ }
+
+}
+
+message GetOrganizationRequest {
+ // ID of the Organization resource to return.
+ // To get the organization ID, use a [OrganizationService.List] request.
+ string organization_id = 1 [(required) = true, (length) = "<=50"];
+}
+
+message ListOrganizationsRequest {
+ // The maximum number of results per page to return. If the number of available
+ // results is larger than [page_size],
+ // the service returns a [ListOrganizationsResponse.next_page_token]
+ // that can be used to get the next page of results in subsequent list requests.
+ // Default value: 100.
+ int64 page_size = 1 [(value) = "0-1000"];
+
+ // Page token. Set [page_token]
+ // to the [ListOrganizationsResponse.next_page_token]
+ // returned by a previous list request to get the next page of results.
+ string page_token = 2 [(length) = "<=2000"];
+ // A filter expression that filters resources listed in the response.
+ // The expression must specify:
+ // 1. The field name. Currently you can use filtering only on the [Organization.name] field.
+ // 2. An `=` operator.
+ // 3. The value in double quotes (`"`). Must be 3-63 characters long and match the regular expression `[a-z][-a-z0-9]{1,61}[a-z0-9]`.
+ string filter = 3 [(length) = "<=1000"];
+}
+
+message ListOrganizationsResponse {
+ // List of Organization resources.
+ repeated Organization organizations = 1;
+
+ // This token allows you to get the next page of results for list requests. If the number of results
+ // is larger than [ListOrganizationsRequest.page_size], use
+ // the [next_page_token] as the value
+ // for the [ListOrganizationsRequest.page_token] query parameter
+ // in the next list request. Each subsequent list request will have its own
+ // [next_page_token] to continue paging through the results.
+ string next_page_token = 2;
+}
+
+message UpdateOrganizationRequest {
+ // ID of the organization to update.
+ // To get the organization ID, use a [OrganizationService.List] request.
+ string organization_id = 1 [(required) = true, (length) = "<=50"];
+
+ // Field mask that specifies which fields of the organization are going to be updated.
+ google.protobuf.FieldMask update_mask = 2;
+
+ // Name of the organization.
+ string name = 3 [(pattern) = "|[a-z]([-a-z0-9]{0,61}[a-z0-9])?"];
+
+ // Description of the organization.
+ string description = 4 [(length) = "<=256"];
+
+ // Display name of the organization.
+ string title = 5 [(length) = "<=256"];
+
+ // Resource labels as `` key:value `` pairs.
+ map<string, string> labels = 6 [(yandex.cloud.size) = "<=64", (length) = "<=63", (pattern) = "[-_0-9a-z]*", (map_key).length = "1-63", (map_key).pattern = "[a-z][-_0-9a-z]*"];
+}
+
+message UpdateOrganizationMetadata {
+ // ID of the organization that is being updated.
+ string organization_id = 1;
+}
+
+message ListOrganizationOperationsRequest {
+ // ID of the Organization resource to list operations for.
+ string organization_id = 1 [(required) = true, (length) = "<=50"];
+
+ // The maximum number of results per page to return. If the number of available
+ // results is larger than [page_size], the service returns a [ListOrganizationOperationsResponse.next_page_token]
+ // that can be used to get the next page of results in subsequent list requests.
+ // Acceptable values are 0 to 1000, inclusive. Default value: 100.
+ int64 page_size = 2 [(value) = "0-1000"];
+
+ // Page token. Set [page_token]
+ // to the [ListOrganizationOperationsResponse.next_page_token]
+ // returned by a previous list request to get the next page of results.
+ string page_token = 3 [(length) = "<=2000"];
+}
+
+message ListOrganizationOperationsResponse {
+ // List of operations for the specified organization.
+ repeated operation.Operation operations = 1;
+
+ // This token allows you to get the next page of results for list requests. If the number of results
+ // is larger than [ListOrganizationOperationsRequest.page_size], use the [next_page_token] as the value
+ // for the [ListOrganizationOperationsRequest.page_token] query parameter in the next list request.
+ // Each subsequent list request will have its own [next_page_token] to continue paging through the results.
+ string next_page_token = 2;
+}
diff --git a/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/os_login_service.proto b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/os_login_service.proto
new file mode 100644
index 0000000000..680f1577e0
--- /dev/null
+++ b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/os_login_service.proto
@@ -0,0 +1,180 @@ +syntax = "proto3"; + +package yandex.cloud.organizationmanager.v1; + +import "google/api/annotations.proto"; +import "google/protobuf/field_mask.proto"; +import "yandex/cloud/api/operation.proto"; +import "yandex/cloud/operation/operation.proto"; +import "yandex/cloud/validation.proto"; + +option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/organizationmanager/v1;organizationmanager"; +option java_package = "yandex.cloud.api.organizationmanager.v1"; + +service OsLoginService { + // OsLogin settings + rpc GetSettings (GetOsLoginSettingsRequest) returns (OsLoginSettings) { + option (google.api.http) = { get: "/organization-manager/v1/organizations/{organization_id}/osLoginSettings" }; + } + rpc UpdateSettings (UpdateOsLoginSettingsRequest) returns (operation.Operation) { + option (google.api.http) = { patch: "/organization-manager/v1/organizations/{organization_id}/osLoginSettings" body: "*" }; + option (yandex.cloud.api.operation) = { + metadata: "UpdateOsLoginSettingsMetadata" + response: "OsLoginSettings" + }; + } + + // OsLogin Profiles + rpc GetProfile (GetOsLoginProfileRequest) returns (OsLoginProfile) { + option (google.api.http) = { get: "/organization-manager/v1/osLoginProfiles/{os_login_profile_id}" }; + } + rpc ListProfiles (ListOsLoginProfilesRequest) returns (ListOsLoginProfilesResponse) { + option (google.api.http) = { get: "/organization-manager/v1/osLoginProfiles" }; + } + rpc CreateProfile (CreateOsLoginProfileRequest) returns (operation.Operation) { + option (google.api.http) = { post: "/organization-manager/v1/osLoginProfiles" body: "*" }; + option (yandex.cloud.api.operation) = { + metadata: "CreateOsLoginProfileMetadata" + response: "OsLoginProfile" + }; + } + rpc UpdateProfile (UpdateOsLoginProfileRequest) returns (operation.Operation) { + option (google.api.http) = { patch: "/organization-manager/v1/osLoginProfiles/{os_login_profile_id}" body: "*" }; + option (yandex.cloud.api.operation) = { + metadata: 
"UpdateOsLoginProfileMetadata" + response: "OsLoginProfile" + }; + } + // Sets a profile as a default for the subject assigned to this profile + rpc SetDefaultProfile (SetDefaultOsLoginProfileRequest) returns (operation.Operation) { + option (google.api.http) = { post: "/organization-manager/v1/osLoginProfiles/{os_login_profile_id}:setDefault" body: "*" }; + option (yandex.cloud.api.operation) = { + metadata: "SetDefaultOsLoginProfileMetadata" + response: "OsLoginProfile" + }; + } + rpc DeleteProfile (DeleteOsLoginProfileRequest) returns (operation.Operation) { + option (google.api.http) = { delete: "/organization-manager/v1/osLoginProfiles/{id}" }; + option (yandex.cloud.api.operation) = { + metadata: "DeleteOsLoginProfileMetadata" + response: "google.protobuf.Empty" + }; + } +} + +message GetOsLoginSettingsRequest { + string organization_id = 1 [(required) = true, (length) = "<=50"]; +} + +message OsLoginSettings { + UserSshKeySettings user_ssh_key_settings = 1; + SshCertificateSettings ssh_certificate_settings = 2; +} + +message UserSshKeySettings { + bool enabled = 1; + bool allow_manage_own_keys = 2; +} + +message SshCertificateSettings { + bool enabled = 1; +} + +message UpdateOsLoginSettingsRequest { + string organization_id = 1 [(required) = true, (length) = "<=50"]; + UserSshKeySettings user_ssh_key_settings = 2; + SshCertificateSettings ssh_certificate_settings = 3; + google.protobuf.FieldMask update_mask = 4; + + message UserSshKeySettings { + bool enabled = 1; + bool allow_manage_own_keys = 2; + } + + message SshCertificateSettings { + bool enabled = 1; + } +} + +message SetDefaultOsLoginProfileRequest { + string os_login_profile_id = 1 [(required) = true, (length) = "<=50"]; +} + +message GetOsLoginProfileRequest { + string os_login_profile_id = 1 [(required) = true, (length) = "<=50"]; +} + +message ListOsLoginProfilesRequest { + string organization_id = 1 [(required) = true, (length) = "<=50"]; + int64 page_size = 2 [(value) = "0-1000"]; + string 
page_token = 3 [(length) = "<=2000"]; + + // A filter expression that filters profiles listed in the response. + // The expression must specify: + // 1. The field name. Currently you can use filtering by subject_id, uid or login. + // 2. An `=` operator. + // 3. The value in double quotes (`"`). + // E.g. login="example-login" + string filter = 4 [(length) = "<=1000"]; +} + +message ListOsLoginProfilesResponse { + repeated OsLoginProfile profiles = 1; + string next_page_token = 2; +} + +message OsLoginProfile { + string id = 1; + string organization_id = 2; + string subject_id = 3; + string login = 4; + int64 uid = 5; + bool is_default = 6; + string home_directory = 7; + string shell = 8; +} + +message UpdateOsLoginProfileRequest { + string os_login_profile_id = 1 [(required) = true, (length) = "<=50"]; + string login = 2 [(required) = true, (length) = "<=32", (pattern)="^[^.]*?[^~.]$"]; // must not contain . or end in ~ + int64 uid = 3 [(value) = "1-9223372036854775807"]; // 1 - 2^63 - 1 + string home_directory = 4 [(length) = "<=255"]; + string shell = 5 [(length)="<=255"]; + google.protobuf.FieldMask update_mask = 6; +} + +message DeleteOsLoginProfileRequest { + string id = 1 [(required) = true, (length) = "<=50"]; +} + +message CreateOsLoginProfileRequest { + string organization_id = 1 [(required) = true, (length) = "<=50"]; + string subject_id = 2 [(length) = "<=50"]; + string login = 3 [(required) = true, (length) = "<=32", (pattern)="^[^.]*?[^~.]$"]; // must not contain . 
or end in ~ + int64 uid = 4 [(value) = "1-9223372036854775807"]; // 1 - 2^63 - 1 + string home_directory = 5 [(length) = "<=255"]; + string shell = 6 [(length)="<=255"]; +} + +message UpdateOsLoginProfileMetadata { + string os_login_profile_id = 1; +} + +message DeleteOsLoginProfileMetadata { + string os_login_profile_id = 1; +} + +message CreateOsLoginProfileMetadata { + string os_login_profile_id = 1; + string organization_id = 2; + string subject_id = 3; +} + +message UpdateOsLoginSettingsMetadata{ + string organization_id = 1; +} + +message SetDefaultOsLoginProfileMetadata{ + string previous_default_profile_id = 1; + string current_default_profile_id = 2; +} diff --git a/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/saml/certificate.proto b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/saml/certificate.proto new file mode 100644 index 0000000000..c6be91dbac --- /dev/null +++ b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/saml/certificate.proto 
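Review bot: The `login` constraint on `CreateOsLoginProfileRequest` and `UpdateOsLoginProfileRequest` is a deny-list (`^[^.]*?[^~.]$`, "must not contain . or end in ~"), so whitespace, `/`, `:`, a leading `-` and upper-case letters all pass schema validation. If the login ends up as a POSIX account name on hosts, as the OsLogin naming suggests, an allow-list is the safer contract, e.g. `(pattern) = "^[a-z_][a-z0-9_-]*$"` next to the existing `(length) = "<=32"`. The same concern applies to `home_directory` and `shell`, which are bounded only by length, and to `uid`, whose range `1-9223372036854775807` exceeds a 32-bit `uid_t` and includes the low values usually reserved for system accounts. Until that is tightened, code that consumes `OsLoginProfile` should validate these fields itself before writing them into passwd-style records.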
@@ -0,0 +1,32 @@
+syntax = "proto3";
+
+package yandex.cloud.organizationmanager.v1.saml;
+
+import "yandex/cloud/validation.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/organizationmanager/v1/saml;saml";
+option java_package = "yandex.cloud.api.organizationmanager.v1.saml";
+
+// A certificate.
+message Certificate {
+
+ // ID of the certificate.
+ string id = 1 [(required) = true, (length) = "<=50"];
+
+ // ID of the federation that the certificate belongs to.
+ string federation_id = 2 [(required) = true, (length) = "<=50"];
+
+ // Name of the certificate.
+ string name = 3 [ (pattern) = "|[a-z][-a-z0-9]{1,61}[a-z0-9]"];
+
+ // Description of the certificate.
+ string description = 4 [(length) = "<=256"];
+
+ // Creation timestamp.
+ google.protobuf.Timestamp created_at = 5;
+
+ // Certificate data in PEM format.
+ string data = 6 [(required) = true, (length) = "<=32000"];
+
+}
diff --git a/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/saml/certificate_service.proto b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/saml/certificate_service.proto
new file mode 100644
index 0000000000..8e788dd212
--- /dev/null
+++ b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/saml/certificate_service.proto
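Review bot: `Certificate.name` is constrained to `|[a-z][-a-z0-9]{1,61}[a-z0-9]` (empty or 3-63 characters), but `CreateCertificateRequest.name` and `UpdateCertificateRequest.name` in certificate_service.proto accept `[a-z]([-a-z0-9]{0,61}[a-z0-9])?` (1-63 characters), and the `filter` documentation there again asks for 3-63. A one- or two-character name therefore passes creation yet does not match the resource pattern and, going by that documentation, cannot be used in a list filter. The two patterns should agree, e.g. `string name = 3 [(pattern) = "|[a-z]([-a-z0-9]{0,61}[a-z0-9])?"];` here. `Federation.name` in federation.proto and the federation requests in federation_service.proto show the same mismatch.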
@@ -0,0 +1,186 @@ +syntax = "proto3"; + +package yandex.cloud.organizationmanager.v1.saml; + +import "google/api/annotations.proto"; +import "google/protobuf/field_mask.proto"; +import "yandex/cloud/api/operation.proto"; +import "yandex/cloud/organizationmanager/v1/saml/certificate.proto"; +import "yandex/cloud/operation/operation.proto"; +import "yandex/cloud/validation.proto"; + +option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/organizationmanager/v1/saml;saml"; +option java_package = "yandex.cloud.api.organizationmanager.v1.saml"; + +// A set of methods for managing certificates. +service CertificateService { + // Returns the specified certificate. + // + // To get the list of available certificates, make a [List] request. + rpc Get (GetCertificateRequest) returns (Certificate) { + option (google.api.http) = { get: "/organization-manager/v1/saml/certificates/{certificate_id}" }; + } + + // Retrieves the list of certificates in the specified federation. + rpc List (ListCertificatesRequest) returns (ListCertificatesResponse) { + option (google.api.http) = { get: "/organization-manager/v1/saml/certificates" }; + } + + // Creates a certificate in the specified federation. + rpc Create (CreateCertificateRequest) returns (operation.Operation) { + option (google.api.http) = { post: "/organization-manager/v1/saml/certificates" body: "*" }; + option (yandex.cloud.api.operation) = { + metadata: "CreateCertificateMetadata" + response: "Certificate" + }; + } + + // Updates the specified certificate. + rpc Update (UpdateCertificateRequest) returns (operation.Operation) { + option (google.api.http) = { patch: "/organization-manager/v1/saml/certificates/{certificate_id}" body: "*" }; + option (yandex.cloud.api.operation) = { + metadata: "UpdateCertificateMetadata" + response: "Certificate" + }; + } + + // Deletes the specified certificate. 
+ rpc Delete (DeleteCertificateRequest) returns (operation.Operation) { + option (google.api.http) = { delete: "/organization-manager/v1/saml/certificates/{certificate_id}" }; + option (yandex.cloud.api.operation) = { + metadata: "DeleteCertificateMetadata" + response: "google.protobuf.Empty" + }; + } + + // Lists operations for the specified certificate. + rpc ListOperations (ListCertificateOperationsRequest) returns (ListCertificateOperationsResponse) { + option (google.api.http) = { get: "/organization-manager/v1/saml/certificates/{certificate_id}/operations" }; + } +} + +message GetCertificateRequest { + // ID of the certificate to return. + // To get the certificate ID, make a [CertificateService.List] request. + string certificate_id = 1 [(length) = "<=50"]; +} + +message ListCertificatesRequest { + // ID of the federation to list certificates in. + // To get the federation ID make a [yandex.cloud.organizationmanager.v1.saml.FederationService.List] request. + string federation_id = 1 [(length) = "<=50", (required) = true]; + + // The maximum number of results per page to return. If the number of available + // results is larger than [page_size], the service returns a [ListCertificatesResponse.next_page_token] + // that can be used to get the next page of results in subsequent list requests. + // Default value: 100. + int64 page_size = 2 [(value) = "0-1000"]; + + // Page token. To get the next page of results, set [page_token] + // to the [ListCertificatesResponse.next_page_token] + // returned by a previous list request. + string page_token = 3 [(length) = "<=2000"]; + + // A filter expression that filters resources listed in the response. + // The expression must specify: + // 1. The field name. Currently you can use filtering only on [Certificate.name] field. + // 2. An `=` operator. + // 3. The value in double quotes (`"`). Must be 3-63 characters long and match the regular expression `[a-z][-a-z0-9]{1,61}[a-z0-9]`. 
+ string filter = 4 [(length) = "<=1000"]; +} + +message ListCertificatesResponse { + // List of certificates. + repeated Certificate certificates = 1; + + // This token allows you to get the next page of results for list requests. If the number of results + // is larger than [ListCertificatesRequest.page_size], use + // the [next_page_token] as the value + // for the [ListCertificatesRequest.page_token] query parameter + // in the next list request. Each subsequent list request will have its own + // [next_page_token] to continue paging through the results. + string next_page_token = 2; +} + +message CreateCertificateRequest { + // ID of the federation to add new certificate. + // To get the federation ID make a [yandex.cloud.organizationmanager.v1.saml.FederationService.List] request. + string federation_id = 1 [(length) = "<=50"]; + + // Name of the certificate. + // The name must be unique within the federation. + string name = 2 [(pattern) = "[a-z]([-a-z0-9]{0,61}[a-z0-9])?"]; + + // Description of the certificate. + string description = 3 [(length) = "<=256"]; + + // Certificate data in PEM format. + string data = 4 [(length) = "<=32000"]; +} + +message CreateCertificateMetadata { + // ID of the certificate that is being created. + string certificate_id = 1; +} + +message UpdateCertificateRequest { + // ID of the certificate to update. + // To get the certificate ID, make a [CertificateService.List] request. + string certificate_id = 1 [(length) = "<=50"]; + + // Field mask that specifies which fields of the certificate are going to be updated. + google.protobuf.FieldMask update_mask = 2; + + // Name of the certificate. + // The name must be unique within the federation. + string name = 3 [(pattern) = "|[a-z]([-a-z0-9]{0,61}[a-z0-9])?"]; + + // Description of the certificate. + string description = 4 [(length) = "<=256"]; + + // Certificate data in PEM format. 
+ string data = 5 [(length) = "<=32000"]; +} + +message UpdateCertificateMetadata { + // ID of the certificate that is being updated. + string certificate_id = 1; +} + +message DeleteCertificateRequest { + // ID of the certificate to delete. + // To get the certificate ID, make a [CertificateService.List] request. + string certificate_id = 1 [(length) = "<=50"]; +} + +message DeleteCertificateMetadata { + // ID of the certificate that is being deleted. + string certificate_id = 1; +} + +message ListCertificateOperationsRequest { + // ID of the certificate to list operations for. + string certificate_id = 1 [(length) = "<=50"]; + + // The maximum number of results per page to return. If the number of available + // results is larger than [page_size], the service returns a [ListCertificateOperationsResponse.next_page_token] + // that can be used to get the next page of results in subsequent list requests. + // Default value: 100. + int64 page_size = 2 [(value) = "0-1000"]; + + // Page token. To get the next page of results, set [page_token] + // to the [ListCertificateOperationsResponse.next_page_token] + // returned by a previous list request. + string page_token = 3 [(length) = "<=2000"]; +} + +message ListCertificateOperationsResponse { + // List of operations for the specified certificate. + repeated operation.Operation operations = 1; + + // This token allows you to get the next page of results for list requests. If the number of results + // is larger than [ListCertificateOperationsRequest.page_size], use the [next_page_token] as the value + // for the [ListCertificateOperationsRequest.page_token] query parameter in the next list request. + // Each subsequent list request will have its own [next_page_token] to continue paging through the results. + string next_page_token = 2; +} 
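Review bot: `CreateCertificateRequest` marks neither `federation_id` nor `data` as required, although `ListCertificatesRequest.federation_id` does and the `Certificate` resource declares `id`, `federation_id` and `data` with `(required) = true`. As written, a create call with an empty `data` passes schema validation and the rejection, if any, is left to the server. Since this looks like the certificate the federation trusts when verifying IdP responses, I would make the contract explicit: `string federation_id = 1 [(required) = true, (length) = "<=50"];` and `string data = 4 [(required) = true, (length) = "<=32000"];`. The `certificate_id` fields of the Get, Update, Delete and ListOperations requests lack `(required)` in the same way.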
diff --git a/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/saml/federation.proto b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/saml/federation.proto
new file mode 100644
index 0000000000..140997fc99
--- /dev/null
+++ b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/saml/federation.proto
@@ -0,0 +1,89 @@
+syntax = "proto3";
+
+package yandex.cloud.organizationmanager.v1.saml;
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/timestamp.proto";
+import "yandex/cloud/validation.proto";
+
+option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/organizationmanager/v1/saml;saml";
+option java_package = "yandex.cloud.api.organizationmanager.v1.saml";
+
+// A federation.
+// For more information, see [SAML-compatible identity federations](/docs/iam/concepts/federations).
+message Federation {
+
+ // ID of the federation.
+ string id = 1 [(required) = true, (length) = "<=50"];
+
+ // ID of the organization that the federation belongs to.
+ string organization_id = 2;
+
+ // Name of the federation.
+ string name = 3 [(required) = true, (pattern) = "|[a-z][-a-z0-9]{1,61}[a-z0-9]"];
+
+ // Description of the federation.
+ string description = 4 [(length) = "<=256"];
+
+ // Creation timestamp.
+ google.protobuf.Timestamp created_at = 5;
+
+ // Browser cookie lifetime in seconds.
+ // If the cookie is still valid, the management console
+ // authenticates the user immediately and redirects them to the home page.
+ google.protobuf.Duration cookie_max_age = 6 [(value) = "10m-12h"];
+
+ // Add new users automatically on successful authentication.
+ // The user becomes member of the organization automatically,
+ // but you need to grant other roles to them.
+ //
+ // If the value is `false`, users who aren't added to the organization
+ // can't log in, even if they have authenticated on your server.
+ bool auto_create_account_on_login = 7;
+
+ // ID of the IdP server to be used for authentication.
+ // The IdP server also responds to IAM with this ID after the user authenticates.
+ string issuer = 8 [(required) = true, (length) = "<=8000"];
+
+ // Single sign-on endpoint binding type. Most Identity Providers support the `POST` binding type.
+ //
+ // SAML Binding is a mapping of a SAML protocol message onto standard messaging
+ // formats and/or communications protocols.
+ BindingType sso_binding = 9;
+
+ // Single sign-on endpoint URL.
+ // Specify the link to the IdP login page here.
+ string sso_url = 10 [(required) = true, (length) = "<=8000"];
+
+ // Federation security settings.
+ FederationSecuritySettings security_settings = 11;
+
+ // Use case insensitive Name IDs.
+ bool case_insensitive_name_ids = 12;
+
+ // Resource labels as `` key:value `` pairs. Maximum of 64 per resource.
+ map<string, string> labels = 13;
+}
+
+enum BindingType {
+ BINDING_TYPE_UNSPECIFIED = 0;
+
+ // HTTP POST binding.
+ POST = 1;
+
+ // HTTP redirect binding.
+ REDIRECT = 2;
+
+ // HTTP artifact binding.
+ ARTIFACT = 3;
+
+}
+
+// Federation security settings.
+message FederationSecuritySettings {
+ // Enable encrypted assertions.
+ bool encrypted_assertions = 1;
+
+ // Value parameter ForceAuthn in SAMLRequest.
+ bool force_authn = 2;
+}
diff --git a/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/saml/federation_service.proto b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/saml/federation_service.proto
new file mode 100644
index 0000000000..9c7456412c
--- /dev/null
+++ b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/saml/federation_service.proto
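Review bot: `sso_url` and `issuer` are validated only by `(required) = true` and `(length) = "<=8000"`, so any string, including an `http://` or non-URL value, satisfies the schema for the address that the comment describes as the IdP login page. The field comment should state the expected form and whether plain HTTP is accepted, for example `// Absolute URL of the IdP login page; expected to use https.`. Whoever consumes a `Federation` should check the scheme before redirecting a user there rather than rely on the schema.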
@@ -0,0 +1,401 @@ +syntax = "proto3"; + +package yandex.cloud.organizationmanager.v1.saml; + +import "google/api/annotations.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/field_mask.proto"; +import "yandex/cloud/api/operation.proto"; +import "yandex/cloud/operation/operation.proto"; +import "yandex/cloud/organizationmanager/v1/saml/federation.proto"; +import "yandex/cloud/organizationmanager/v1/user_account.proto"; +import "yandex/cloud/validation.proto"; + +option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/organizationmanager/v1/saml;saml"; +option java_package = "yandex.cloud.api.organizationmanager.v1.saml"; + +// A set of methods for managing federations. +service FederationService { + // Returns the specified federation. + // + // To get the list of available federations, make a [List] request. + rpc Get(GetFederationRequest) returns (Federation) { + option (google.api.http) = {get: "/organization-manager/v1/saml/federations/{federation_id}"}; + } + + // Retrieves the list of federations in the specified organization. + rpc List(ListFederationsRequest) returns (ListFederationsResponse) { + option (google.api.http) = {get: "/organization-manager/v1/saml/federations"}; + } + + // Creates a federation in the specified organization. + rpc Create(CreateFederationRequest) returns (operation.Operation) { + option (google.api.http) = { + post: "/organization-manager/v1/saml/federations" + body: "*" + }; + option (yandex.cloud.api.operation) = { + metadata: "CreateFederationMetadata" + response: "Federation" + }; + } + + // Updates the specified federation. + rpc Update(UpdateFederationRequest) returns (operation.Operation) { + option (google.api.http) = { + patch: "/organization-manager/v1/saml/federations/{federation_id}" + body: "*" + }; + option (yandex.cloud.api.operation) = { + metadata: "UpdateFederationMetadata" + response: "Federation" + }; + } + + // Deletes the specified federation. 
+ rpc Delete(DeleteFederationRequest) returns (operation.Operation) { + option (google.api.http) = {delete: "/organization-manager/v1/saml/federations/{federation_id}"}; + option (yandex.cloud.api.operation) = { + metadata: "DeleteFederationMetadata" + response: "google.protobuf.Empty" + }; + } + + // Adds users to the specified federation. + rpc AddUserAccounts(AddFederatedUserAccountsRequest) returns (operation.Operation) { + option (google.api.http) = { + post: "/organization-manager/v1/saml/federations/{federation_id}:addUserAccounts" + body: "*" + }; + option (yandex.cloud.api.operation) = { + metadata: "AddFederatedUserAccountsMetadata" + response: "AddFederatedUserAccountsResponse" + }; + } + + // Deletes users from the specified federation. + rpc DeleteUserAccounts(DeleteFederatedUserAccountsRequest) returns (operation.Operation) { + option (google.api.http) = { + post: "/organization-manager/v1/saml/federations/{federation_id}:deleteUserAccounts" + body: "*" + }; + option (yandex.cloud.api.operation) = { + metadata: "DeleteFederatedUserAccountsMetadata" + response: "DeleteFederatedUserAccountsResponse" + }; + } + + // Lists users for the specified federation. + rpc ListUserAccounts(ListFederatedUserAccountsRequest) returns (ListFederatedUserAccountsResponse) { + option (google.api.http) = {get: "/organization-manager/v1/saml/federations/{federation_id}:listUserAccounts"}; + } + + // Lists operations for the specified federation. + rpc ListOperations(ListFederationOperationsRequest) returns (ListFederationOperationsResponse) { + option (google.api.http) = {get: "/organization-manager/v1/saml/federations/{federation_id}/operations"}; + } +} + +message GetFederationRequest { + // ID of the federation to return. + // To get the federation ID, make a [FederationService.List] request. + string federation_id = 1 [(length) = "<=50"]; +} + +message ListFederationsRequest { + // ID of the organization to list federations in. 
+ // To get the organization ID, make a [yandex.cloud.organizationmanager.v1.OrganizationService.List] request. + string organization_id = 6 [ + (required) = true, + (length) = "<=50" + ]; + + // The maximum number of results per page to return. If the number of available + // results is larger than [page_size], + // the service returns a [ListFederationsResponse.next_page_token] + // that can be used to get the next page of results in subsequent list requests. + // Default value: 100 + int64 page_size = 3 [(value) = "0-1000"]; + + // Page token. To get the next page of results, set [page_token] + // to the [ListFederationsResponse.next_page_token] + // returned by a previous list request. + string page_token = 4 [(length) = "<=2000"]; + + // A filter expression that filters resources listed in the response. + // The expression must specify: + // 1. The field name. Currently you can use filtering only on the [Federation.name] field. + // 2. An `=` operator. + // 3. The value in double quotes (`"`). Must be 3-63 characters long and match the regular expression `[a-z][-a-z0-9]{1,61}[a-z0-9]`. + string filter = 5 [(length) = "<=1000"]; +} + +message ListFederationsResponse { + // List of federations. + repeated Federation federations = 1; + + // This token allows you to get the next page of results for list requests. If the number of results + // is larger than [ListFederationsRequest.page_size], use + // the [next_page_token] as the value + // for the [ListFederationsRequest.page_token] query parameter + // in the next list request. Each subsequent list request will have its own + // [next_page_token] to continue paging through the results. + string next_page_token = 2; +} + +message CreateFederationRequest { + // ID of the organization to create a federation in. + // To get the organization ID, make a [yandex.cloud.organizationmanager.v1.OrganizationService.List] request. + string organization_id = 1 [(length) = "<=50"]; + + // Name of the federation. 
+ // The name must be unique within the organization. + string name = 2 [(pattern) = "[a-z]([-a-z0-9]{0,61}[a-z0-9])?"]; + + // Description of the federation. + string description = 3 [(length) = "<=256"]; + + // Browser cookie lifetime in seconds. + // If the cookie is still valid, the management console + // authenticates the user immediately and redirects them to the home page. + // The default value is `8h`. + google.protobuf.Duration cookie_max_age = 4 [(value) = "10m-12h"]; + + // Add new users automatically on successful authentication. + // The user becomes member of the organization automatically, + // but you need to grant other roles to them. + // + // If the value is `false`, users who aren't added to the organization + // can't log in, even if they have authenticated on your server. + bool auto_create_account_on_login = 5; + + // ID of the IdP server to be used for authentication. + // The IdP server also responds to IAM with this ID after the user authenticates. + string issuer = 6 [ + (required) = true, + (length) = "<=8000" + ]; + + // Single sign-on endpoint binding type. Most Identity Providers support the `POST` binding type. + // + // SAML Binding is a mapping of a SAML protocol message onto standard messaging + // formats and/or communications protocols. + BindingType sso_binding = 7; + + // Single sign-on endpoint URL. + // Specify the link to the IdP login page here. + string sso_url = 8 [ + (required) = true, + (length) = "<=8000" + ]; + + // Federation security settings. + FederationSecuritySettings security_settings = 9; + + // Use case insensitive Name IDs. + bool case_insensitive_name_ids = 10; + + // Resource labels as `` key:value `` pairs. + map<string, string> labels = 11 [ + (yandex.cloud.size) = "<=64", + (length) = "<=63", + (pattern) = "[-_0-9a-z]*", + (map_key).length = "1-63", + (map_key).pattern = "[a-z][-_0-9a-z]*" + ]; +} + +message CreateFederationMetadata { + // ID of the federation that is being created. 
+ string federation_id = 1; +} + +message UpdateFederationRequest { + reserved 11; + // ID of the federation to update. + // To get the federation ID, make a [FederationService.List] request. + string federation_id = 1 [(length) = "<=50"]; + + // Field mask that specifies which fields of the federation are going to be updated. + google.protobuf.FieldMask update_mask = 2; + + // Name of the federation. + // The name must be unique within the organization. + string name = 3 [(pattern) = "|[a-z]([-a-z0-9]{0,61}[a-z0-9])?"]; + + // Description of the federation. + string description = 4 [(length) = "<=256"]; + + // Browser cookie lifetime in seconds. + // If the cookie is still valid, the management console + // authenticates the user immediately and redirects them to the home page. + // The default value is `8h`. + google.protobuf.Duration cookie_max_age = 5 [(value) = "10m-12h"]; + + // Add new users automatically on successful authentication. + // The user becomes member of the organization automatically, + // but you need to grant other roles to them. + // + // If the value is `false`, users who aren't added to the organization + // can't log in, even if they have authenticated on your server. + bool auto_create_account_on_login = 6; + + // ID of the IdP server to be used for authentication. + // The IdP server also responds to IAM with this ID after the user authenticates. + string issuer = 7 [ + (required) = true, + (length) = "<=8000" + ]; + + // Single sign-on endpoint binding type. Most Identity Providers support the `POST` binding type. + // + // SAML Binding is a mapping of a SAML protocol message onto standard messaging + // formats and/or communications protocols. + BindingType sso_binding = 8; + + // Single sign-on endpoint URL. + // Specify the link to the IdP login page here. + string sso_url = 9 [ + (required) = true, + (length) = "<=8000" + ]; + + // Federation security settings. 
+ FederationSecuritySettings security_settings = 10; + + // Use case insensitive name ids. + bool case_insensitive_name_ids = 12; + + // Resource labels as `` key:value `` pairs. + map<string, string> labels = 13 [ + (yandex.cloud.size) = "<=64", + (length) = "<=63", + (pattern) = "[-_0-9a-z]*", + (map_key).length = "1-63", + (map_key).pattern = "[a-z][-_0-9a-z]*" + ]; +} + +message UpdateFederationMetadata { + // ID of the federation that is being updated. + string federation_id = 1; +} + +message DeleteFederationRequest { + // ID of the federation to delete. + // To get the federation ID, make a [FederationService.List] request. + string federation_id = 1 [(length) = "<=50"]; +} + +message DeleteFederationMetadata { + // ID of the federation that is being deleted. + string federation_id = 1; +} + +message AddFederatedUserAccountsRequest { + // ID of the federation to add users. + string federation_id = 1 [(length) = "<=50"]; + // Name IDs returned by the Identity Provider (IdP) on successful authentication. + // These may be UPNs or user email addresses. + repeated string name_ids = 2 [(length) = "<=1000"]; +} + +message AddFederatedUserAccountsMetadata { + // ID of the federation that is being altered. + string federation_id = 1; +} + +message AddFederatedUserAccountsResponse { + // List of users created by [FederationService.AddUserAccounts] request. + repeated UserAccount user_accounts = 1; +} + +message DeleteFederatedUserAccountsRequest { + // ID of the federation to delete users from. + string federation_id = 1 [ + (required) = true, + (length) = "<=50" + ]; + // List of subjects to delete. + repeated string subject_ids = 2 [ + (size) = "1-1000", + (length) = "1-50" + ]; +} + +message DeleteFederatedUserAccountsMetadata { + // ID of the federation that is being altered. + string federation_id = 1; +} + +message DeleteFederatedUserAccountsResponse { + // List of subjects deleted by [FederationService.DeleteUserAccounts] request. 
+ repeated string deleted_subjects = 1; + // List of subjects found in [FederationService.DeleteUserAccounts] request that do not exist. + repeated string non_existing_subjects = 2; +} + +message ListFederatedUserAccountsRequest { + // ID of the federation to list user accounts for. + string federation_id = 1 [ + (required) = true, + (length) = "<=50" + ]; + + // The maximum number of results per page to return. If the number of available + // results is larger than [page_size], the service returns a [ListFederatedUserAccountsResponse.next_page_token] + // that can be used to get the next page of results in subsequent list requests. + // Default value: 100. + int64 page_size = 2 [(value) = "0-1000"]; + + // Page token. To get the next page of results, set [page_token] + // to the [ListFederatedUserAccountsResponse.next_page_token] + // returned by a previous list request. + string page_token = 3 [(length) = "<=2000"]; + + // A filter expression that filters resources listed in the response. + // The expression must specify: + // 1. The field name. Currently you can use filtering only on the [name_id] field. + // 2. An `=` operator. + // 3. The value in double quotes (`"`). Must be 1-1000 characters long and match the regular expression + // `[a-z0-9A-Z/@_.\-=+*\\]+`. + string filter = 4 [(length) = "<=1010"]; +} + +message ListFederatedUserAccountsResponse { + // List of user accounts for the specified federation. + repeated UserAccount user_accounts = 1; + + // This token allows you to get the next page of results for list requests. If the number of results + // is larger than [ListFederatedUserAccountsRequest.page_size], use the [next_page_token] as the value + // for the [ListFederatedUserAccountsRequest.page_token] query parameter in the next list request. + // Each subsequent list request will have its own [next_page_token] to continue paging through the results. 
+ string next_page_token = 2; +} + +message ListFederationOperationsRequest { + // ID of the federation to list operations for. + string federation_id = 1 [(length) = "<=50"]; + + // The maximum number of results per page to return. If the number of available + // results is larger than [page_size], the service returns a [ListFederationOperationsResponse.next_page_token] + // that can be used to get the next page of results in subsequent list requests. + // Default value: 100. + int64 page_size = 2 [(value) = "0-1000"]; + + // Page token. To get the next page of results, set [page_token] + // to the [ListFederationOperationsResponse.next_page_token] + // returned by a previous list request. + string page_token = 3 [(length) = "<=2000"]; +} + +message ListFederationOperationsResponse { + // List of operations for the specified federation. + repeated operation.Operation operations = 1; + + // This token allows you to get the next page of results for list requests. If the number of results + // is larger than [ListFederationOperationsRequest.page_size], use the [next_page_token] as the value + // for the [ListFederationOperationsRequest.page_token] query parameter in the next list request. + // Each subsequent list request will have its own [next_page_token] to continue paging through the results. + string next_page_token = 2; +} diff --git a/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/ssh_certificate_service.proto b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/ssh_certificate_service.proto new file mode 100644 index 0000000000..f68f376132 --- /dev/null +++ b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/ssh_certificate_service.proto 
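Review bot: `AddFederatedUserAccountsRequest` is validated more loosely than its counterpart `DeleteFederatedUserAccountsRequest`: `federation_id` is not `(required)`, and `name_ids` has `(length) = "<=1000"` but no `(size)` bound, so an empty list, empty strings and an arbitrarily long list all pass the schema. `SamlUserAccount.name_id` in user_account.proto is limited to `1-256`, so the per-element limit also disagrees with the resource. I would align it with the delete request: `string federation_id = 1 [(required) = true, (length) = "<=50"];` and `repeated string name_ids = 2 [(size) = "1-1000", (length) = "1-256"];`. That `(length)` applies per element and `(size)` to the list is inferred from how `subject_ids` is annotated.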
@@ -0,0 +1,38 @@
+syntax = "proto3";
+
+package yandex.cloud.organizationmanager.v1;
+
+import "google/api/annotations.proto";
+import "yandex/cloud/validation.proto";
+
+option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/organizationmanager/v1;organizationmanager";
+option java_package = "yandex.cloud.api.organizationmanager.v1";
+
+service SshCertificateService {
+ // Members of an organization can generate certificates for themselves
+ // Signing certificates for other users requires a special permission
+ rpc Generate (GenerateSshCertificateRequest) returns (GenerateSshCertificateResponse) {
+ option (google.api.http) = { post: "/organization-manager/v1/sshCertificates:generate" body: "*" };
+ };
+}
+
+message GenerateSshCertificateRequest {
+ oneof scope { // the same certificate is generated for both an organization and a cloud in that organization
+ option (exactly_one) = true;
+
+ string cloud_id = 1 [(length) = "<=50"]; // the cloud must be attached to an organization
+ string organization_id = 2 [(length) = "<=50"];
+ }
+
+ oneof subject { // if empty, use default login for current subject
+ string subject_id = 3 [(length) = "<=50"]; // specify subject to generate certificate for default login
+ string os_login = 4 [(length) = "<=32"]; // specify os_login for a specific login
+ }
+
+ string public_key = 5 [(required) = true, (length) = "<=15000"];
+}
+
+message GenerateSshCertificateResponse {
+ // as per specification https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD
+ string signed_certificate = 1;
+}
diff --git a/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/user_account.proto b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/user_account.proto
new file mode 100644
index 0000000000..c53ea4fdef
--- /dev/null
+++ b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/user_account.proto
@@ -0,0 +1,46 @@
+syntax = "proto3";
+
+package yandex.cloud.organizationmanager.v1;
+
+import "yandex/cloud/validation.proto";
+
+option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/organizationmanager/v1;organizationmanager";
+option java_package = "yandex.cloud.api.organizationmanager.v1";
+
+// Currently represents only [Yandex account](/docs/iam/concepts/#passport).
+message UserAccount {
+ // ID of the user account.
+ string id = 1;
+
+ oneof user_account {
+ option (exactly_one) = true;
+ // A YandexPassportUserAccount resource.
+ YandexPassportUserAccount yandex_passport_user_account = 2;
+ // A SAML federated user.
+ SamlUserAccount saml_user_account = 3;
+ }
+}
+
+// A YandexPassportUserAccount resource.
+// For more information, see [Yandex account](/docs/iam/concepts/#passport).
+message YandexPassportUserAccount {
+ // Login of the Yandex user account.
+ string login = 1;
+ // Default email of the Yandex user account.
+ string default_email = 2;
+}
+
+// A SAML federated user.
+// For more information, see [federations](/docs/iam/concepts/users/saml-federations).
+message SamlUserAccount {
+ message Attribute {
+ repeated string value = 1;
+ }
+ // ID of the federation that the federation belongs to.
+ string federation_id = 1 [(required) = true, (length) = "<=50"];
+ // Name Id of the SAML federated user.
+ // The name is unique within the federation. 1-256 characters long.
+ string name_id = 2 [(required) = true, (length) = "1-256"];
+ // Additional attributes of the SAML federated user.
+ map <string, Attribute> attributes = 3;
+}
diff --git a/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/user_service.proto b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/user_service.proto
new file mode 100644
index 0000000000..3fddcddac8
--- /dev/null
+++ b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/user_service.proto
@@ -0,0 +1,86 @@
+syntax = "proto3";
+
+package yandex.cloud.organizationmanager.v1;
+
+import "google/api/annotations.proto";
+import "yandex/cloud/api/operation.proto";
+import "yandex/cloud/oauth/claims.proto";
+import "yandex/cloud/operation/operation.proto";
+import "yandex/cloud/validation.proto";
+
+option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/organizationmanager/v1;organizationmanager";
+option java_package = "yandex.cloud.api.organizationmanager.v1";
+
+// A set of methods for managing Organization users.
+service UserService {
+ // List organization active members.
+ rpc ListMembers (ListMembersRequest) returns (ListMembersResponse) {
+ option (google.api.http) = {get: "/organization-manager/v1/organizations/{organization_id}/users"};
+ }
+
+ // Delete user membership.
+ rpc DeleteMembership (DeleteMembershipRequest) returns (operation.Operation) {
+ option (google.api.http) = {delete: "/organization-manager/v1/organizations/{organization_id}/users/{subject_id}"};
+ option (yandex.cloud.api.operation) = {
+ metadata: "DeleteMembershipMetadata"
+ response: "DeleteMembershipResponse"
+ };
+ }
+}
+
+message ListMembersRequest {
+ // ID of the Organization resource to list members for.
+ string organization_id = 1 [(required) = true, (length) = "<=50"];
+
+ // The maximum number of results per page to return. If the number of available
+ // results is larger than [page_size], the service returns a [ListMembersResponse.next_page_token]
+ // that can be used to get the next page of results in subsequent list requests.
+ // Acceptable values are 0 to 1000, inclusive. Default value: 100.
+ int64 page_size = 2 [(value) = "0-1000"];
+
+ // Page token. Set [page_token]
+ // to the [ListMembersResponse.next_page_token]
+ // returned by a previous list request to get the next page of results.
+ string page_token = 3 [(length) = "<=2000"];
+}
+
+message ListMembersResponse {
+ // List of users for the specified organization.
+ repeated OrganizationUser users = 1;
+
+ // This token allows you to get the next page of results for list requests. If the number of results
+ // is larger than [ListMembersRequest.page_size], use the [next_page_token] as the value
+ // for the [ListMembersRequest.page_token] query parameter in the next list request.
+ // Each subsequent list request will have its own [next_page_token] to continue paging through the results.
+ string next_page_token = 2;
+
+ message OrganizationUser {
+ // OpenID standard claims with additional Cloud Organization claims.
+ yandex.cloud.oauth.SubjectClaims subject_claims = 1;
+ }
+}
+
+message DeleteMembershipRequest {
+ // ID of the organization to delete membership.
+ string organization_id = 1 [(required) = true, (length) = "<=50"];
+
+ // ID of the subject that is being deleted from organization.
+ // By default equals to authenticated subject.
+ string subject_id = 2 [(length) = "<=50"];
+}
+
+message DeleteMembershipMetadata {
+ // ID of the organization to delete membership.
+ string organization_id = 1 [(required) = true, (length) = "<=50"];
+
+ // ID of the subject that is being deleted from organization.
+ string subject_id = 2 [(required) = true, (length) = "<=50"];
+}
+
+message DeleteMembershipResponse {
+ // ID of the organization to delete membership.
+ string organization_id = 1 [(required) = true, (length) = "<=50"];
+
+ // ID of the subject that is being deleted from organization.
+ string subject_id = 2 [(required) = true, (length) = "<=50"];
+}
diff --git a/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/user_ssh_key.proto b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/user_ssh_key.proto
new file mode 100644
index 0000000000..1d93af94ee
--- /dev/null
+++ b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/user_ssh_key.proto
@@ -0,0 +1,20 @@
+syntax = "proto3";
+
+package yandex.cloud.organizationmanager.v1;
+
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/organizationmanager/v1;organizationmanager";
+option java_package = "yandex.cloud.api.organizationmanager.v1";
+
+message UserSshKey {
+ string id = 1;
+ string subject_id = 2;
+ string data = 3;
+ string name = 4;
+ string fingerprint = 5;
+ string organization_id = 6;
+ google.protobuf.Timestamp created_at = 7;
+ // Used for temporary keys, if empty the key doesn't expire
+ google.protobuf.Timestamp expires_at = 8;
+}
diff --git a/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/user_ssh_key_service.proto b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/user_ssh_key_service.proto
new file mode 100644
index 0000000000..9129dd6972
--- /dev/null
+++ b/contrib/libs/yandex-cloud-api-protos/yandex/cloud/organizationmanager/v1/user_ssh_key_service.proto
@@ -0,0 +1,96 @@
+syntax = "proto3";
+
+package yandex.cloud.organizationmanager.v1;
+
+import "google/api/annotations.proto";
+import "google/protobuf/field_mask.proto";
+import "google/protobuf/timestamp.proto";
+import "yandex/cloud/api/operation.proto";
+import "yandex/cloud/organizationmanager/v1/user_ssh_key.proto";
+import "yandex/cloud/operation/operation.proto";
+import "yandex/cloud/validation.proto";
+
+option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/organizationmanager/v1;organizationmanager";
+option java_package = "yandex.cloud.api.organizationmanager.v1";
+
+service UserSshKeyService {
+ rpc Get (GetUserSshKeyRequest) returns (UserSshKey) {
+ option (google.api.http) = { get: "/organization-manager/v1/userSshKeys/{user_ssh_key_id}" };
+ }
+
+ rpc List (ListUserSshKeysRequest) returns (ListUserSshKeysResponse) {
+ option (google.api.http) = { get: "/organization-manager/v1/userSshKeys" };
+ }
+
+ rpc Create (CreateUserSshKeyRequest) returns (operation.Operation) {
+ option (google.api.http) = { post: "/organization-manager/v1/userSshKeys" body: "*" };
+ option (yandex.cloud.api.operation) = {
+ metadata: "CreateUserSshKeyMetadata"
+ response: "UserSshKey"
+ };
+ }
+
+ rpc Update(UpdateUserSshKeyRequest) returns (operation.Operation) {
+ option (google.api.http) = { patch: "/organization-manager/v1/userSshKeys/{user_ssh_key_id}" body: "*" };
+ option (yandex.cloud.api.operation) = {
+ metadata: "UpdateUserSshKeyMetadata"
+ response: "UserSshKey"
+ };
+ }
+
+ rpc Delete (DeleteUserSshKeyRequest) returns (operation.Operation) {
+ option (google.api.http) = { delete: "/organization-manager/v1/userSshKeys/{user_ssh_key_id}" };
+ option (yandex.cloud.api.operation) = {
+ metadata: "DeleteUserSshKeyMetadata"
+ response: "google.protobuf.Empty"
+ };
+ }
+}
+
+message GetUserSshKeyRequest {
+ string user_ssh_key_id = 1 [(required) = true, (length) = "<=50"];
+}
+
+message ListUserSshKeysRequest {
+ string organization_id = 1 [(required) = true, (length) = "<=50"];
+ string subject_id = 2 [(length) = "<=50"]; // if empty, list all organization keys
+ int64 page_size = 3 [(value) = "0-1000"];
+ string page_token = 4 [(length) = "<=2000"];
+}
+
+message ListUserSshKeysResponse {
+ repeated UserSshKey ssh_keys = 1;
+ string next_page_token = 2;
+}
+
+message CreateUserSshKeyRequest {
+ string organization_id = 1 [(required) = true, (length) = "<=50"];
+ string subject_id = 2 [(required) = true, (length) = "<=50"];
+ string name = 3 [(length) = "<=255"];
+ string data = 4 [(required) = true, (length) = "<=20000"];
+ google.protobuf.Timestamp expires_at = 5;
+}
+
+message CreateUserSshKeyMetadata {
+ string user_ssh_key_id = 1;
+ string organization_id = 2;
+}
+
+message UpdateUserSshKeyRequest {
+ string user_ssh_key_id = 1 [(required) = true, (length) = "<=50"];
+ string name = 2 [(length) = "<=255"];
+ google.protobuf.FieldMask update_mask = 3;
+ google.protobuf.Timestamp expires_at = 4;
+}
+
+message UpdateUserSshKeyMetadata {
+ string user_ssh_key_id = 1;
+}
+
+message DeleteUserSshKeyRequest {
+ string user_ssh_key_id = 1 [(required) = true, (length) = "<=50"];
+}
+
+message DeleteUserSshKeyMetadata {
+ string user_ssh_key_id = 1;
+} |