temporalio · shivam-ajmera · Aug 15, 2025 · Aug 14, 2025 · Aug 14, 2025 · Aug 14, 2025
@@ -1445,6 +1445,11 @@ proxier! {
     (update_namespace_export_sink, cloudreq::UpdateNamespaceExportSinkRequest, cloudreq::UpdateNamespaceExportSinkResponse);
     (delete_namespace_export_sink, cloudreq::DeleteNamespaceExportSinkRequest, cloudreq::DeleteNamespaceExportSinkResponse);
     (validate_namespace_export_sink, cloudreq::ValidateNamespaceExportSinkRequest, cloudreq::ValidateNamespaceExportSinkResponse);
+    (update_namespace_tags, cloudreq::UpdateNamespaceTagsRequest, cloudreq::UpdateNamespaceTagsResponse);
+    (create_connectivity_rule, cloudreq::CreateConnectivityRuleRequest, cloudreq::CreateConnectivityRuleResponse);
+    (get_connectivity_rule, cloudreq::GetConnectivityRuleRequest, cloudreq::GetConnectivityRuleResponse);
+    (get_connectivity_rules, cloudreq::GetConnectivityRulesRequest, cloudreq::GetConnectivityRulesResponse);
+    (delete_connectivity_rule, cloudreq::DeleteConnectivityRuleRequest, cloudreq::DeleteConnectivityRuleResponse);
 }
 
 proxier! {

@@ -525,6 +525,11 @@ async fn call_cloud_service(client: &CoreClient, call: &RpcCallOptions) -> anyho
         "UpdateUserGroup" => rpc_call!(client, call, update_user_group),
         "UpdateUser" => rpc_call!(client, call, update_user),
         "ValidateNamespaceExportSink" => rpc_call!(client, call, validate_namespace_export_sink),
+        "UpdateNamespaceTags" => rpc_call!(client, call, update_namespace_tags),
+        "CreateConnectivityRule" => rpc_call!(client, call, create_connectivity_rule),
+        "GetConnectivityRule" => rpc_call!(client, call, get_connectivity_rule),
+        "GetConnectivityRules" => rpc_call!(client, call, get_connectivity_rules),
+        "DeleteConnectivityRule" => rpc_call!(client, call, delete_connectivity_rule),
         rpc => Err(anyhow::anyhow!("Unknown RPC call {}", rpc)),
     }
 }

@@ -3,4 +3,4 @@
 # @temporalio/saas will be requested for review when
 # someone opens a pull request.
 
-*       @temporalio/saas
+*       @temporalio/crew-iam-plus
@@ -15,7 +15,7 @@ To use the Cloud Ops API in your project, preform the following 4 steps:
 
 The client is expected to pass in a `temporal-cloud-api-version` header with the api version identifier with every request it makes to the apis. The backend will use the version to safely mutate resources. The `temporal:versioning:min_version` label specifies the minimum version of the API that supports the field.
 
-Current Version `v0.4.0`
+Current Version `v0.7.1`
 
 ### URL
 

@@ -1 +1 @@
-v0.5.1
+v0.7.1
@@ -3,6 +3,7 @@ name: buf.build/temporalio/cloud-api
 deps:
   - buf.build/googleapis/googleapis
   - buf.build/temporalio/api:v1.43.0
+
 breaking:
   use:
     - FILE

@@ -18,6 +18,7 @@ import "temporal/api/cloud/nexus/v1/message.proto";
 import "temporal/api/cloud/region/v1/message.proto";
 import "temporal/api/cloud/account/v1/message.proto";
 import "temporal/api/cloud/usage/v1/message.proto";
+import "temporal/api/cloud/connectivityrule/v1/message.proto";
 
 message GetUsersRequest {
     // The requested size of the page to retrieve - optional.
@@ -129,6 +130,9 @@ message CreateNamespaceRequest {
     // The id to use for this async operation.
     // Optional, if not provided a random id will be generated.
     string async_operation_id = 3;
+    // The tags to add to the namespace.
+    // Note: This field can be set by global admins or account owners only.
+    map<string, string> tags = 4;
 }
 
 message CreateNamespaceResponse {
@@ -845,3 +849,82 @@ message ValidateNamespaceExportSinkRequest {
 
 message ValidateNamespaceExportSinkResponse {
 }
+
+message UpdateNamespaceTagsRequest {
+    // The namespace to set tags for.
+    string namespace = 1;
+    // A list of tags to add or update. 
+    // If a key of an existing tag is added, the tag's value is updated. 
+    // At least one of tags_to_upsert or tags_to_remove must be specified.
+    map<string, string> tags_to_upsert = 2;
+    // A list of tag keys to remove. 
+    // If a tag key doesn't exist, it is silently ignored.
+    // At least one of tags_to_upsert or tags_to_remove must be specified.
+    repeated string tags_to_remove = 3;
+    // The id to use for this async operation - optional.
+    string async_operation_id = 4;
+}
+
+message UpdateNamespaceTagsResponse {
+    // The async operation.
+    temporal.api.cloud.operation.v1.AsyncOperation async_operation = 1;
+} 
+
+message CreateConnectivityRuleRequest {
+    // The connectivity rule specification.
+    temporal.api.cloud.connectivityrule.v1.ConnectivityRuleSpec spec = 1;
+    // The id to use for this async operation.
+    // Optional, if not provided a random id will be generated.
+    string async_operation_id = 2;
+}
+
+message CreateConnectivityRuleResponse {
+    // The id of the connectivity rule that was created.
+    string connectivity_rule_id = 1;
+    // The async operation
+    temporal.api.cloud.operation.v1.AsyncOperation async_operation = 2;
+}
+
+message GetConnectivityRuleRequest {
+    // The id of the connectivity rule to get.
+    string connectivity_rule_id = 1;
+}
+
+message GetConnectivityRuleResponse {
+    temporal.api.cloud.connectivityrule.v1.ConnectivityRule connectivity_rule = 1;
+}
+
+message GetConnectivityRulesRequest {
+    // The requested size of the page to retrieve.
+    // Optional, defaults to 100.
+    int32 page_size = 1;
+    // The page token if this is continuing from another response.
+    // Optional, defaults to empty.
+    string page_token = 2;
+    // Filter connectivity rule by the namespace id.
+    string namespace = 3;
+}
+
+message GetConnectivityRulesResponse {
+    // connectivity_rules returned
+    repeated temporal.api.cloud.connectivityrule.v1.ConnectivityRule connectivity_rules = 1;
+    // The next page token
+    string next_page_token = 2;
+}
+
+message DeleteConnectivityRuleRequest {
+    // The ID of the connectivity rule that need be deleted, required.
+    string connectivity_rule_id = 1;
+
+    // The resource version which should be the same from the the db, required
+    // The latest version can be found in the GetConnectivityRule operation response
+    string resource_version = 2;
+    // The id to use for this async operation.
+    // Optional, if not provided a random id will be generated.
+    string async_operation_id = 3;
+}
+
+message DeleteConnectivityRuleResponse {
+    // The async operation
+    temporal.api.cloud.operation.v1.AsyncOperation async_operation = 1;
+}
@@ -395,4 +395,41 @@ service CloudService {
             body: "*"
         };
     }
+
+    // Update the tags for a namespace
+     rpc UpdateNamespaceTags(UpdateNamespaceTagsRequest) returns (UpdateNamespaceTagsResponse) {
+        option (google.api.http) = {
+            post: "/cloud/namespaces/{namespace}/update-tags"
+            body: "*"
+        };
+    }
+
+    // Creates a connectivity rule
+    rpc CreateConnectivityRule(CreateConnectivityRuleRequest) returns (CreateConnectivityRuleResponse) {
+        option (google.api.http) = {
+            post: "/cloud/connectivity-rules"
+            body: "*"
+        };
+    }
+
+    // Gets a connectivity rule by id
+    rpc GetConnectivityRule(GetConnectivityRuleRequest) returns (GetConnectivityRuleResponse) {
+        option (google.api.http) = {
+            get: "/cloud/connectivity-rules/{connectivity_rule_id}"
+        };
+    }
+
+    // Lists connectivity rules by account
+    rpc GetConnectivityRules(GetConnectivityRulesRequest) returns (GetConnectivityRulesResponse) {
+        option (google.api.http) = {
+            get: "/cloud/connectivity-rules"
+        };
+    }
+
+    // Deletes a connectivity rule by id
+    rpc DeleteConnectivityRule(DeleteConnectivityRuleRequest) returns (DeleteConnectivityRuleResponse) {
+        option (google.api.http) = {
+            delete: "/cloud/connectivity-rules/{connectivity_rule_id}"
+        };
+    }
 }
@@ -0,0 +1,64 @@
+syntax = "proto3";
+
+package temporal.api.cloud.connectivityrule.v1;
+
+option go_package = "go.temporal.io/api/cloud/connectivityrule/v1;connectivityrule";
+option java_package = "io.temporal.api.cloud.connectivityrule.v1";
+option java_multiple_files = true;
+option java_outer_classname = "MessageProto";
+option ruby_package = "Temporalio::Api::Cloud::ConnectivityRule::V1";
+option csharp_namespace = "Temporalio.Api.Cloud.ConnectivityRule.V1";
+
+import "temporal/api/cloud/resource/v1/message.proto";
+import "google/protobuf/timestamp.proto";
+
+message ConnectivityRule {
+  reserved 3; // Removed endpoint field
+
+  // The id of the private connectivity rule.
+  string id = 1;
+
+  // The connectivity rule specification.
+  ConnectivityRuleSpec spec = 2;
+
+  // The current version of the connectivity rule specification.
+  // The next update operation will have to include this version.
+  string resource_version = 4;
+
+  temporal.api.cloud.resource.v1.ResourceState state = 5;
+
+  // The id of the async operation that is creating/updating/deleting the connectivity rule, if any.
+  string async_operation_id = 6;
+
+  // The date and time when the connectivity rule was created.
+  google.protobuf.Timestamp created_time = 7;
+}
+
+// The connectivity rule specification passed in on create/update operations.
+message ConnectivityRuleSpec {
+  oneof connection_type {
+    // This allows access via public internet.
+    PublicConnectivityRule public_rule = 1;
+    // This allows access via specific private vpc.
+    PrivateConnectivityRule private_rule = 2;
+  }
+}
+
+// A public connectivity rule allows access to the namespace via the public internet.
+message PublicConnectivityRule {}
+
+// A private connectivity rule allows connections from a specific private vpc only.
+message PrivateConnectivityRule {
+  // Connection id provided to enforce the private connectivity. This is required both by AWS and GCP.
+  string connection_id = 1;
+
+  // For GCP private connectivity service, GCP needs both GCP project id and the Private Service Connect Connection IDs
+  // AWS only needs the connection_id
+  string gcp_project_id = 2;
+
+  // The region of the connectivity rule. This should align with the namespace.
+  // Example: "aws-us-west-2"
+  string region = 3;
+
+  reserved 4;
+}
@@ -13,12 +13,13 @@ import "temporal/api/cloud/resource/v1/message.proto";
 import "google/protobuf/timestamp.proto";
 
 message AccountAccess {
-    // The role on the account, should be one of [owner, admin, developer, financeadmin, read]
+    // The role on the account, should be one of [owner, admin, developer, financeadmin, read, metricsread]
     // owner - gives full access to the account, including users, namespaces, and billing
     // admin - gives full access the account, including users and namespaces
     // developer - gives access to create namespaces on the account
     // financeadmin - gives read only access and write access for billing
     // read - gives read only access to the account
+    // metricsread - gives read only access to all namespace metrics
     // Deprecated: Not supported after v0.3.0 api version. Use role instead.
     // temporal:versioning:max_version=v0.3.0
     string role_deprecated = 1 [deprecated = true];
@@ -34,6 +35,7 @@ message AccountAccess {
         ROLE_DEVELOPER = 3; // Gives access to create namespaces on the account.
         ROLE_FINANCE_ADMIN = 4; // Gives read only access and write access for billing.
         ROLE_READ = 5; // Gives read only access to the account.
+        ROLE_METRICS_READ = 6; // Gives read only access to the account metrics.
     }
 }
 

@@ -12,6 +12,7 @@ option csharp_namespace = "Temporalio.Api.Cloud.Namespace.V1";
 import "temporal/api/cloud/resource/v1/message.proto";
 import "google/protobuf/timestamp.proto";
 import "temporal/api/cloud/sink/v1/message.proto";
+import "temporal/api/cloud/connectivityrule/v1/message.proto";
 
 message CertificateFilterSpec {
     // The common_name in the certificate.
@@ -139,6 +140,11 @@ message NamespaceSpec {
     // The high availability configuration for the namespace.
     // temporal:versioning:min_version=v0.4.0
     HighAvailabilitySpec high_availability = 10;
+    // The private connectivity configuration for the namespace.
+    // This will apply the connectivity rules specified to the namespace.
+    // temporal:versioning:min_version=v0.6.0
+    repeated string connectivity_rule_ids = 11;
+
 
     enum SearchAttributeType {
         SEARCH_ATTRIBUTE_TYPE_UNSPECIFIED = 0;
@@ -218,6 +224,10 @@ message Namespace {
     // The status of each region where the namespace is available.
     // The id of the region is the key and the status is the value of the map.
     map<string, NamespaceRegionStatus> region_status = 12;
+    // The connectivity rules that are set on this namespace.
+    repeated temporal.api.cloud.connectivityrule.v1.ConnectivityRule connectivity_rules = 14;
+    // The tags for the namespace.
+    map<string, string> tags = 15;
 }
 
 message NamespaceRegionStatus {

@@ -47,5 +47,6 @@ message AsyncOperation {
 	STATE_FAILED = 3;      // The operation failed, check failure_reason for more details.
 	STATE_CANCELLED = 4;   // The operation was cancelled.
 	STATE_FULFILLED = 5;   // The operation was fulfilled.
+        STATE_REJECTED = 6;    // The operation was rejected.
     }
 }
@@ -1930,6 +1930,11 @@ pub mod temporal {
                     tonic::include_proto!("temporal.api.cloud.cloudservice.v1");
                 }
             }
+            pub mod connectivityrule {
+                pub mod v1 {
+                    tonic::include_proto!("temporal.api.cloud.connectivityrule.v1");
+                }
+            }
             pub mod identity {
                 pub mod v1 {
                     tonic::include_proto!("temporal.api.cloud.identity.v1");
-Original file line number
+Diff line change
@@ Expand Up @@
     The client is expected to pass in a `temporal-cloud-api-version` header with the api version identifier with every request it makes to the apis. The backend will use the version to safely mutate resources. The `temporal:versioning:min_version` label specifies the minimum version of the API that supports the field.
-    Current Version `v0.4.0`
+    Current Version `v0.7.1`
     ### URL
@@ Expand Down @@