diff --git a/packages/google-cloud-kms/protos/google/iam/v1/iam_policy.proto b/packages/google-cloud-kms/protos/google/iam/v1/iam_policy.proto
new file mode 100644
index 00000000000..a272fe8d7d9
--- /dev/null
+++ b/packages/google-cloud-kms/protos/google/iam/v1/iam_policy.proto
@@ -0,0 +1,119 @@
+// Copyright 2016 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.iam.v1;
+
+import "google/api/annotations.proto";
+import "google/iam/v1/policy.proto";
+
+option cc_enable_arenas = true;
+option csharp_namespace = "Google.Cloud.Iam.V1";
+option go_package = "google.golang.org/genproto/googleapis/iam/v1;iam";
+option java_multiple_files = true;
+option java_outer_classname = "IamPolicyProto";
+option java_package = "com.google.iam.v1";
+option php_namespace = "Google\\Cloud\\Iam\\V1";
+
+
+// ## API Overview
+//
+// Manages Identity and Access Management (IAM) policies.
+//
+// Any implementation of an API that offers access control features
+// implements the google.iam.v1.IAMPolicy interface.
+//
+// ## Data model
+//
+// Access control is applied when a principal (user or service account), takes
+// some action on a resource exposed by a service. Resources, identified by
+// URI-like names, are the unit of access control specification. Service
+// implementations can choose the granularity of access control and the
+// supported permissions for their resources.
+// For example one database service may allow access control to be
+// specified only at the Table level, whereas another might allow access control
+// to also be specified at the Column level.
+//
+// ## Policy Structure
+//
+// See google.iam.v1.Policy
+//
+// This is intentionally not a CRUD style API because access control policies
+// are created and deleted implicitly with the resources to which they are
+// attached.
+service IAMPolicy {
+  // Sets the access control policy on the specified resource. Replaces any
+  // existing policy.
+  rpc SetIamPolicy(SetIamPolicyRequest) returns (Policy) {
+    option (google.api.http) = { post: "/v1/{resource=**}:setIamPolicy" body: "*" };
+  }
+
+  // Gets the access control policy for a resource.
+  // Returns an empty policy if the resource exists and does not have a policy
+  // set.
+  rpc GetIamPolicy(GetIamPolicyRequest) returns (Policy) {
+    option (google.api.http) = { post: "/v1/{resource=**}:getIamPolicy" body: "*" };
+  }
+
+  // Returns permissions that a caller has on the specified resource.
+  // If the resource does not exist, this will return an empty set of
+  // permissions, not a NOT_FOUND error.
+  rpc TestIamPermissions(TestIamPermissionsRequest) returns (TestIamPermissionsResponse) {
+    option (google.api.http) = { post: "/v1/{resource=**}:testIamPermissions" body: "*" };
+  }
+}
+
+// Request message for `SetIamPolicy` method.
+message SetIamPolicyRequest {
+  // REQUIRED: The resource for which the policy is being specified.
+  // `resource` is usually specified as a path. For example, a Project
+  // resource is specified as `projects/{project}`.
+  string resource = 1;
+
+  // REQUIRED: The complete policy to be applied to the `resource`. The size of
+  // the policy is limited to a few 10s of KB. An empty policy is a
+  // valid policy but certain Cloud Platform services (such as Projects)
+  // might reject them.
+  Policy policy = 2;
+}
+
+// Request message for `GetIamPolicy` method.
+message GetIamPolicyRequest {
+  // REQUIRED: The resource for which the policy is being requested.
+  // `resource` is usually specified as a path. For example, a Project
+  // resource is specified as `projects/{project}`.
+  string resource = 1;
+}
+
+// Request message for `TestIamPermissions` method.
+message TestIamPermissionsRequest {
+  // REQUIRED: The resource for which the policy detail is being requested.
+  // `resource` is usually specified as a path. For example, a Project
+  // resource is specified as `projects/{project}`.
+  string resource = 1;
+
+  // The set of permissions to check for the `resource`. Permissions with
+  // wildcards (such as '*' or 'storage.*') are not allowed. For more
+  // information see
+  // [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
+  repeated string permissions = 2;
+}
+
+// Response message for `TestIamPermissions` method.
+message TestIamPermissionsResponse {
+  // A subset of `TestPermissionsRequest.permissions` that the caller is
+  // allowed.
+  repeated string permissions = 1;
+}