1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. iam
  5. WorkforcePoolProvider
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

gcp.iam.WorkforcePoolProvider

Explore with Pulumi AI

gcp logo
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

    A configuration for an external identity provider.

    To get more information about WorkforcePoolProvider, see:

    Note: Ask your Google Cloud account team to request access to workforce identity federation for your billing/quota project. The account team notifies you when the project is granted access.

    Example Usage

    Iam Workforce Pool Provider Saml Basic

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const pool = new gcp.iam.WorkforcePool("pool", {
        workforcePoolId: "example-pool",
        parent: "organizations/123456789",
        location: "global",
    });
    const example = new gcp.iam.WorkforcePoolProvider("example", {
        workforcePoolId: pool.workforcePoolId,
        location: pool.location,
        providerId: "example-prvdr",
        attributeMapping: {
            "google.subject": "assertion.sub",
        },
        saml: {
            idpMetadataXml: "<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    pool = gcp.iam.WorkforcePool("pool",
        workforce_pool_id="example-pool",
        parent="organizations/123456789",
        location="global")
    example = gcp.iam.WorkforcePoolProvider("example",
        workforce_pool_id=pool.workforce_pool_id,
        location=pool.location,
        provider_id="example-prvdr",
        attribute_mapping={
            "google.subject": "assertion.sub",
        },
        saml={
            "idp_metadata_xml": "<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := iam.NewWorkforcePool(ctx, "pool", &iam.WorkforcePoolArgs{
    			WorkforcePoolId: pulumi.String("example-pool"),
    			Parent:          pulumi.String("organizations/123456789"),
    			Location:        pulumi.String("global"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewWorkforcePoolProvider(ctx, "example", &iam.WorkforcePoolProviderArgs{
    			WorkforcePoolId: pool.WorkforcePoolId,
    			Location:        pool.Location,
    			ProviderId:      pulumi.String("example-prvdr"),
    			AttributeMapping: pulumi.StringMap{
    				"google.subject": pulumi.String("assertion.sub"),
    			},
    			Saml: &iam.WorkforcePoolProviderSamlArgs{
    				IdpMetadataXml: pulumi.String("<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Gcp.Iam.WorkforcePool("pool", new()
        {
            WorkforcePoolId = "example-pool",
            Parent = "organizations/123456789",
            Location = "global",
        });
    
        var example = new Gcp.Iam.WorkforcePoolProvider("example", new()
        {
            WorkforcePoolId = pool.WorkforcePoolId,
            Location = pool.Location,
            ProviderId = "example-prvdr",
            AttributeMapping = 
            {
                { "google.subject", "assertion.sub" },
            },
            Saml = new Gcp.Iam.Inputs.WorkforcePoolProviderSamlArgs
            {
                IdpMetadataXml = "<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkforcePool;
    import com.pulumi.gcp.iam.WorkforcePoolArgs;
    import com.pulumi.gcp.iam.WorkforcePoolProvider;
    import com.pulumi.gcp.iam.WorkforcePoolProviderArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderSamlArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new WorkforcePool("pool", WorkforcePoolArgs.builder()
                .workforcePoolId("example-pool")
                .parent("organizations/123456789")
                .location("global")
                .build());
    
            var example = new WorkforcePoolProvider("example", WorkforcePoolProviderArgs.builder()
                .workforcePoolId(pool.workforcePoolId())
                .location(pool.location())
                .providerId("example-prvdr")
                .attributeMapping(Map.of("google.subject", "assertion.sub"))
                .saml(WorkforcePoolProviderSamlArgs.builder()
                    .idpMetadataXml("<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>")
                    .build())
                .build());
    
        }
    }
    
    resources:
      pool:
        type: gcp:iam:WorkforcePool
        properties:
          workforcePoolId: example-pool
          parent: organizations/123456789
          location: global
      example:
        type: gcp:iam:WorkforcePoolProvider
        properties:
          workforcePoolId: ${pool.workforcePoolId}
          location: ${pool.location}
          providerId: example-prvdr
          attributeMapping:
            google.subject: assertion.sub
          saml:
            idpMetadataXml: <?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://test.com"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test.com/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>
    

    Iam Workforce Pool Provider Saml Full

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const pool = new gcp.iam.WorkforcePool("pool", {
        workforcePoolId: "example-pool",
        parent: "organizations/123456789",
        location: "global",
    });
    const example = new gcp.iam.WorkforcePoolProvider("example", {
        workforcePoolId: pool.workforcePoolId,
        location: pool.location,
        providerId: "example-prvdr",
        attributeMapping: {
            "google.subject": "assertion.sub",
        },
        saml: {
            idpMetadataXml: "<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
        },
        displayName: "Display name",
        description: "A sample SAML workforce pool provider.",
        disabled: false,
        attributeCondition: "true",
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    pool = gcp.iam.WorkforcePool("pool",
        workforce_pool_id="example-pool",
        parent="organizations/123456789",
        location="global")
    example = gcp.iam.WorkforcePoolProvider("example",
        workforce_pool_id=pool.workforce_pool_id,
        location=pool.location,
        provider_id="example-prvdr",
        attribute_mapping={
            "google.subject": "assertion.sub",
        },
        saml={
            "idp_metadata_xml": "<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
        },
        display_name="Display name",
        description="A sample SAML workforce pool provider.",
        disabled=False,
        attribute_condition="true")
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := iam.NewWorkforcePool(ctx, "pool", &iam.WorkforcePoolArgs{
    			WorkforcePoolId: pulumi.String("example-pool"),
    			Parent:          pulumi.String("organizations/123456789"),
    			Location:        pulumi.String("global"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewWorkforcePoolProvider(ctx, "example", &iam.WorkforcePoolProviderArgs{
    			WorkforcePoolId: pool.WorkforcePoolId,
    			Location:        pool.Location,
    			ProviderId:      pulumi.String("example-prvdr"),
    			AttributeMapping: pulumi.StringMap{
    				"google.subject": pulumi.String("assertion.sub"),
    			},
    			Saml: &iam.WorkforcePoolProviderSamlArgs{
    				IdpMetadataXml: pulumi.String("<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>"),
    			},
    			DisplayName:        pulumi.String("Display name"),
    			Description:        pulumi.String("A sample SAML workforce pool provider."),
    			Disabled:           pulumi.Bool(false),
    			AttributeCondition: pulumi.String("true"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Gcp.Iam.WorkforcePool("pool", new()
        {
            WorkforcePoolId = "example-pool",
            Parent = "organizations/123456789",
            Location = "global",
        });
    
        var example = new Gcp.Iam.WorkforcePoolProvider("example", new()
        {
            WorkforcePoolId = pool.WorkforcePoolId,
            Location = pool.Location,
            ProviderId = "example-prvdr",
            AttributeMapping = 
            {
                { "google.subject", "assertion.sub" },
            },
            Saml = new Gcp.Iam.Inputs.WorkforcePoolProviderSamlArgs
            {
                IdpMetadataXml = "<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
            },
            DisplayName = "Display name",
            Description = "A sample SAML workforce pool provider.",
            Disabled = false,
            AttributeCondition = "true",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkforcePool;
    import com.pulumi.gcp.iam.WorkforcePoolArgs;
    import com.pulumi.gcp.iam.WorkforcePoolProvider;
    import com.pulumi.gcp.iam.WorkforcePoolProviderArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderSamlArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new WorkforcePool("pool", WorkforcePoolArgs.builder()
                .workforcePoolId("example-pool")
                .parent("organizations/123456789")
                .location("global")
                .build());
    
            var example = new WorkforcePoolProvider("example", WorkforcePoolProviderArgs.builder()
                .workforcePoolId(pool.workforcePoolId())
                .location(pool.location())
                .providerId("example-prvdr")
                .attributeMapping(Map.of("google.subject", "assertion.sub"))
                .saml(WorkforcePoolProviderSamlArgs.builder()
                    .idpMetadataXml("<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>")
                    .build())
                .displayName("Display name")
                .description("A sample SAML workforce pool provider.")
                .disabled(false)
                .attributeCondition("true")
                .build());
    
        }
    }
    
    resources:
      pool:
        type: gcp:iam:WorkforcePool
        properties:
          workforcePoolId: example-pool
          parent: organizations/123456789
          location: global
      example:
        type: gcp:iam:WorkforcePoolProvider
        properties:
          workforcePoolId: ${pool.workforcePoolId}
          location: ${pool.location}
          providerId: example-prvdr
          attributeMapping:
            google.subject: assertion.sub
          saml:
            idpMetadataXml: <?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://test.com"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test.com/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>
          displayName: Display name
          description: A sample SAML workforce pool provider.
          disabled: false
          attributeCondition: 'true'
    

    Iam Workforce Pool Provider Oidc Basic

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const pool = new gcp.iam.WorkforcePool("pool", {
        workforcePoolId: "example-pool",
        parent: "organizations/123456789",
        location: "global",
    });
    const example = new gcp.iam.WorkforcePoolProvider("example", {
        workforcePoolId: pool.workforcePoolId,
        location: pool.location,
        providerId: "example-prvdr",
        attributeMapping: {
            "google.subject": "assertion.sub",
        },
        oidc: {
            issuerUri: "https://accounts.thirdparty.com",
            clientId: "client-id",
            clientSecret: {
                value: {
                    plainText: "client-secret",
                },
            },
            webSsoConfig: {
                responseType: "CODE",
                assertionClaimsBehavior: "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
            },
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    pool = gcp.iam.WorkforcePool("pool",
        workforce_pool_id="example-pool",
        parent="organizations/123456789",
        location="global")
    example = gcp.iam.WorkforcePoolProvider("example",
        workforce_pool_id=pool.workforce_pool_id,
        location=pool.location,
        provider_id="example-prvdr",
        attribute_mapping={
            "google.subject": "assertion.sub",
        },
        oidc={
            "issuer_uri": "https://accounts.thirdparty.com",
            "client_id": "client-id",
            "client_secret": {
                "value": {
                    "plain_text": "client-secret",
                },
            },
            "web_sso_config": {
                "response_type": "CODE",
                "assertion_claims_behavior": "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
            },
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := iam.NewWorkforcePool(ctx, "pool", &iam.WorkforcePoolArgs{
    			WorkforcePoolId: pulumi.String("example-pool"),
    			Parent:          pulumi.String("organizations/123456789"),
    			Location:        pulumi.String("global"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewWorkforcePoolProvider(ctx, "example", &iam.WorkforcePoolProviderArgs{
    			WorkforcePoolId: pool.WorkforcePoolId,
    			Location:        pool.Location,
    			ProviderId:      pulumi.String("example-prvdr"),
    			AttributeMapping: pulumi.StringMap{
    				"google.subject": pulumi.String("assertion.sub"),
    			},
    			Oidc: &iam.WorkforcePoolProviderOidcArgs{
    				IssuerUri: pulumi.String("https://accounts.thirdparty.com"),
    				ClientId:  pulumi.String("client-id"),
    				ClientSecret: &iam.WorkforcePoolProviderOidcClientSecretArgs{
    					Value: &iam.WorkforcePoolProviderOidcClientSecretValueArgs{
    						PlainText: pulumi.String("client-secret"),
    					},
    				},
    				WebSsoConfig: &iam.WorkforcePoolProviderOidcWebSsoConfigArgs{
    					ResponseType:            pulumi.String("CODE"),
    					AssertionClaimsBehavior: pulumi.String("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Gcp.Iam.WorkforcePool("pool", new()
        {
            WorkforcePoolId = "example-pool",
            Parent = "organizations/123456789",
            Location = "global",
        });
    
        var example = new Gcp.Iam.WorkforcePoolProvider("example", new()
        {
            WorkforcePoolId = pool.WorkforcePoolId,
            Location = pool.Location,
            ProviderId = "example-prvdr",
            AttributeMapping = 
            {
                { "google.subject", "assertion.sub" },
            },
            Oidc = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcArgs
            {
                IssuerUri = "https://accounts.thirdparty.com",
                ClientId = "client-id",
                ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretArgs
                {
                    Value = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretValueArgs
                    {
                        PlainText = "client-secret",
                    },
                },
                WebSsoConfig = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcWebSsoConfigArgs
                {
                    ResponseType = "CODE",
                    AssertionClaimsBehavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkforcePool;
    import com.pulumi.gcp.iam.WorkforcePoolArgs;
    import com.pulumi.gcp.iam.WorkforcePoolProvider;
    import com.pulumi.gcp.iam.WorkforcePoolProviderArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretValueArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcWebSsoConfigArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new WorkforcePool("pool", WorkforcePoolArgs.builder()
                .workforcePoolId("example-pool")
                .parent("organizations/123456789")
                .location("global")
                .build());
    
            var example = new WorkforcePoolProvider("example", WorkforcePoolProviderArgs.builder()
                .workforcePoolId(pool.workforcePoolId())
                .location(pool.location())
                .providerId("example-prvdr")
                .attributeMapping(Map.of("google.subject", "assertion.sub"))
                .oidc(WorkforcePoolProviderOidcArgs.builder()
                    .issuerUri("https://accounts.thirdparty.com")
                    .clientId("client-id")
                    .clientSecret(WorkforcePoolProviderOidcClientSecretArgs.builder()
                        .value(WorkforcePoolProviderOidcClientSecretValueArgs.builder()
                            .plainText("client-secret")
                            .build())
                        .build())
                    .webSsoConfig(WorkforcePoolProviderOidcWebSsoConfigArgs.builder()
                        .responseType("CODE")
                        .assertionClaimsBehavior("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS")
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      pool:
        type: gcp:iam:WorkforcePool
        properties:
          workforcePoolId: example-pool
          parent: organizations/123456789
          location: global
      example:
        type: gcp:iam:WorkforcePoolProvider
        properties:
          workforcePoolId: ${pool.workforcePoolId}
          location: ${pool.location}
          providerId: example-prvdr
          attributeMapping:
            google.subject: assertion.sub
          oidc:
            issuerUri: https://accounts.thirdparty.com
            clientId: client-id
            clientSecret:
              value:
                plainText: client-secret
            webSsoConfig:
              responseType: CODE
              assertionClaimsBehavior: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS
    

    Iam Workforce Pool Provider Oidc Full

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const pool = new gcp.iam.WorkforcePool("pool", {
        workforcePoolId: "example-pool",
        parent: "organizations/123456789",
        location: "global",
    });
    const example = new gcp.iam.WorkforcePoolProvider("example", {
        workforcePoolId: pool.workforcePoolId,
        location: pool.location,
        providerId: "example-prvdr",
        attributeMapping: {
            "google.subject": "assertion.sub",
        },
        oidc: {
            issuerUri: "https://accounts.thirdparty.com",
            clientId: "client-id",
            clientSecret: {
                value: {
                    plainText: "client-secret",
                },
            },
            webSsoConfig: {
                responseType: "CODE",
                assertionClaimsBehavior: "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
                additionalScopes: [
                    "groups",
                    "roles",
                ],
            },
        },
        displayName: "Display name",
        description: "A sample OIDC workforce pool provider.",
        disabled: false,
        attributeCondition: "true",
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    pool = gcp.iam.WorkforcePool("pool",
        workforce_pool_id="example-pool",
        parent="organizations/123456789",
        location="global")
    example = gcp.iam.WorkforcePoolProvider("example",
        workforce_pool_id=pool.workforce_pool_id,
        location=pool.location,
        provider_id="example-prvdr",
        attribute_mapping={
            "google.subject": "assertion.sub",
        },
        oidc={
            "issuer_uri": "https://accounts.thirdparty.com",
            "client_id": "client-id",
            "client_secret": {
                "value": {
                    "plain_text": "client-secret",
                },
            },
            "web_sso_config": {
                "response_type": "CODE",
                "assertion_claims_behavior": "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
                "additional_scopes": [
                    "groups",
                    "roles",
                ],
            },
        },
        display_name="Display name",
        description="A sample OIDC workforce pool provider.",
        disabled=False,
        attribute_condition="true")
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := iam.NewWorkforcePool(ctx, "pool", &iam.WorkforcePoolArgs{
    			WorkforcePoolId: pulumi.String("example-pool"),
    			Parent:          pulumi.String("organizations/123456789"),
    			Location:        pulumi.String("global"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewWorkforcePoolProvider(ctx, "example", &iam.WorkforcePoolProviderArgs{
    			WorkforcePoolId: pool.WorkforcePoolId,
    			Location:        pool.Location,
    			ProviderId:      pulumi.String("example-prvdr"),
    			AttributeMapping: pulumi.StringMap{
    				"google.subject": pulumi.String("assertion.sub"),
    			},
    			Oidc: &iam.WorkforcePoolProviderOidcArgs{
    				IssuerUri: pulumi.String("https://accounts.thirdparty.com"),
    				ClientId:  pulumi.String("client-id"),
    				ClientSecret: &iam.WorkforcePoolProviderOidcClientSecretArgs{
    					Value: &iam.WorkforcePoolProviderOidcClientSecretValueArgs{
    						PlainText: pulumi.String("client-secret"),
    					},
    				},
    				WebSsoConfig: &iam.WorkforcePoolProviderOidcWebSsoConfigArgs{
    					ResponseType:            pulumi.String("CODE"),
    					AssertionClaimsBehavior: pulumi.String("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"),
    					AdditionalScopes: pulumi.StringArray{
    						pulumi.String("groups"),
    						pulumi.String("roles"),
    					},
    				},
    			},
    			DisplayName:        pulumi.String("Display name"),
    			Description:        pulumi.String("A sample OIDC workforce pool provider."),
    			Disabled:           pulumi.Bool(false),
    			AttributeCondition: pulumi.String("true"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Gcp.Iam.WorkforcePool("pool", new()
        {
            WorkforcePoolId = "example-pool",
            Parent = "organizations/123456789",
            Location = "global",
        });
    
        var example = new Gcp.Iam.WorkforcePoolProvider("example", new()
        {
            WorkforcePoolId = pool.WorkforcePoolId,
            Location = pool.Location,
            ProviderId = "example-prvdr",
            AttributeMapping = 
            {
                { "google.subject", "assertion.sub" },
            },
            Oidc = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcArgs
            {
                IssuerUri = "https://accounts.thirdparty.com",
                ClientId = "client-id",
                ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretArgs
                {
                    Value = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretValueArgs
                    {
                        PlainText = "client-secret",
                    },
                },
                WebSsoConfig = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcWebSsoConfigArgs
                {
                    ResponseType = "CODE",
                    AssertionClaimsBehavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
                    AdditionalScopes = new[]
                    {
                        "groups",
                        "roles",
                    },
                },
            },
            DisplayName = "Display name",
            Description = "A sample OIDC workforce pool provider.",
            Disabled = false,
            AttributeCondition = "true",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkforcePool;
    import com.pulumi.gcp.iam.WorkforcePoolArgs;
    import com.pulumi.gcp.iam.WorkforcePoolProvider;
    import com.pulumi.gcp.iam.WorkforcePoolProviderArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretValueArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcWebSsoConfigArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new WorkforcePool("pool", WorkforcePoolArgs.builder()
                .workforcePoolId("example-pool")
                .parent("organizations/123456789")
                .location("global")
                .build());
    
            var example = new WorkforcePoolProvider("example", WorkforcePoolProviderArgs.builder()
                .workforcePoolId(pool.workforcePoolId())
                .location(pool.location())
                .providerId("example-prvdr")
                .attributeMapping(Map.of("google.subject", "assertion.sub"))
                .oidc(WorkforcePoolProviderOidcArgs.builder()
                    .issuerUri("https://accounts.thirdparty.com")
                    .clientId("client-id")
                    .clientSecret(WorkforcePoolProviderOidcClientSecretArgs.builder()
                        .value(WorkforcePoolProviderOidcClientSecretValueArgs.builder()
                            .plainText("client-secret")
                            .build())
                        .build())
                    .webSsoConfig(WorkforcePoolProviderOidcWebSsoConfigArgs.builder()
                        .responseType("CODE")
                        .assertionClaimsBehavior("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS")
                        .additionalScopes(                    
                            "groups",
                            "roles")
                        .build())
                    .build())
                .displayName("Display name")
                .description("A sample OIDC workforce pool provider.")
                .disabled(false)
                .attributeCondition("true")
                .build());
    
        }
    }
    
    resources:
      pool:
        type: gcp:iam:WorkforcePool
        properties:
          workforcePoolId: example-pool
          parent: organizations/123456789
          location: global
      example:
        type: gcp:iam:WorkforcePoolProvider
        properties:
          workforcePoolId: ${pool.workforcePoolId}
          location: ${pool.location}
          providerId: example-prvdr
          attributeMapping:
            google.subject: assertion.sub
          oidc:
            issuerUri: https://accounts.thirdparty.com
            clientId: client-id
            clientSecret:
              value:
                plainText: client-secret
            webSsoConfig:
              responseType: CODE
              assertionClaimsBehavior: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS
              additionalScopes:
                - groups
                - roles
          displayName: Display name
          description: A sample OIDC workforce pool provider.
          disabled: false
          attributeCondition: 'true'
    

    Iam Workforce Pool Provider Extra Attributes Oauth2 Config Client Basic

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const pool = new gcp.iam.WorkforcePool("pool", {
        workforcePoolId: "example-pool",
        parent: "organizations/123456789",
        location: "global",
    });
    const example = new gcp.iam.WorkforcePoolProvider("example", {
        workforcePoolId: pool.workforcePoolId,
        location: pool.location,
        providerId: "example-prvdr",
        attributeMapping: {
            "google.subject": "assertion.sub",
        },
        oidc: {
            issuerUri: "https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/",
            clientId: "https://analysis.windows.net/powerbi/connector/GoogleBigQuery",
            webSsoConfig: {
                responseType: "CODE",
                assertionClaimsBehavior: "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
            },
            clientSecret: {
                value: {
                    plainText: "client-secret",
                },
            },
        },
        extraAttributesOauth2Client: {
            issuerUri: "https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0",
            clientId: "client-id",
            clientSecret: {
                value: {
                    plainText: "client-secret",
                },
            },
            attributesType: "AZURE_AD_GROUPS_MAIL",
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    pool = gcp.iam.WorkforcePool("pool",
        workforce_pool_id="example-pool",
        parent="organizations/123456789",
        location="global")
    example = gcp.iam.WorkforcePoolProvider("example",
        workforce_pool_id=pool.workforce_pool_id,
        location=pool.location,
        provider_id="example-prvdr",
        attribute_mapping={
            "google.subject": "assertion.sub",
        },
        oidc={
            "issuer_uri": "https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/",
            "client_id": "https://analysis.windows.net/powerbi/connector/GoogleBigQuery",
            "web_sso_config": {
                "response_type": "CODE",
                "assertion_claims_behavior": "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
            },
            "client_secret": {
                "value": {
                    "plain_text": "client-secret",
                },
            },
        },
        extra_attributes_oauth2_client={
            "issuer_uri": "https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0",
            "client_id": "client-id",
            "client_secret": {
                "value": {
                    "plain_text": "client-secret",
                },
            },
            "attributes_type": "AZURE_AD_GROUPS_MAIL",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := iam.NewWorkforcePool(ctx, "pool", &iam.WorkforcePoolArgs{
    			WorkforcePoolId: pulumi.String("example-pool"),
    			Parent:          pulumi.String("organizations/123456789"),
    			Location:        pulumi.String("global"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewWorkforcePoolProvider(ctx, "example", &iam.WorkforcePoolProviderArgs{
    			WorkforcePoolId: pool.WorkforcePoolId,
    			Location:        pool.Location,
    			ProviderId:      pulumi.String("example-prvdr"),
    			AttributeMapping: pulumi.StringMap{
    				"google.subject": pulumi.String("assertion.sub"),
    			},
    			Oidc: &iam.WorkforcePoolProviderOidcArgs{
    				IssuerUri: pulumi.String("https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/"),
    				ClientId:  pulumi.String("https://analysis.windows.net/powerbi/connector/GoogleBigQuery"),
    				WebSsoConfig: &iam.WorkforcePoolProviderOidcWebSsoConfigArgs{
    					ResponseType:            pulumi.String("CODE"),
    					AssertionClaimsBehavior: pulumi.String("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"),
    				},
    				ClientSecret: &iam.WorkforcePoolProviderOidcClientSecretArgs{
    					Value: &iam.WorkforcePoolProviderOidcClientSecretValueArgs{
    						PlainText: pulumi.String("client-secret"),
    					},
    				},
    			},
    			ExtraAttributesOauth2Client: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientArgs{
    				IssuerUri: pulumi.String("https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0"),
    				ClientId:  pulumi.String("client-id"),
    				ClientSecret: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs{
    					Value: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs{
    						PlainText: pulumi.String("client-secret"),
    					},
    				},
    				AttributesType: pulumi.String("AZURE_AD_GROUPS_MAIL"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Gcp.Iam.WorkforcePool("pool", new()
        {
            WorkforcePoolId = "example-pool",
            Parent = "organizations/123456789",
            Location = "global",
        });
    
        var example = new Gcp.Iam.WorkforcePoolProvider("example", new()
        {
            WorkforcePoolId = pool.WorkforcePoolId,
            Location = pool.Location,
            ProviderId = "example-prvdr",
            AttributeMapping = 
            {
                { "google.subject", "assertion.sub" },
            },
            Oidc = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcArgs
            {
                IssuerUri = "https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/",
                ClientId = "https://analysis.windows.net/powerbi/connector/GoogleBigQuery",
                WebSsoConfig = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcWebSsoConfigArgs
                {
                    ResponseType = "CODE",
                    AssertionClaimsBehavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
                },
                ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretArgs
                {
                    Value = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretValueArgs
                    {
                        PlainText = "client-secret",
                    },
                },
            },
            ExtraAttributesOauth2Client = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientArgs
            {
                IssuerUri = "https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0",
                ClientId = "client-id",
                ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs
                {
                    Value = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs
                    {
                        PlainText = "client-secret",
                    },
                },
                AttributesType = "AZURE_AD_GROUPS_MAIL",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkforcePool;
    import com.pulumi.gcp.iam.WorkforcePoolArgs;
    import com.pulumi.gcp.iam.WorkforcePoolProvider;
    import com.pulumi.gcp.iam.WorkforcePoolProviderArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcWebSsoConfigArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretValueArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderExtraAttributesOauth2ClientArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new WorkforcePool("pool", WorkforcePoolArgs.builder()
                .workforcePoolId("example-pool")
                .parent("organizations/123456789")
                .location("global")
                .build());
    
            var example = new WorkforcePoolProvider("example", WorkforcePoolProviderArgs.builder()
                .workforcePoolId(pool.workforcePoolId())
                .location(pool.location())
                .providerId("example-prvdr")
                .attributeMapping(Map.of("google.subject", "assertion.sub"))
                .oidc(WorkforcePoolProviderOidcArgs.builder()
                    .issuerUri("https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/")
                    .clientId("https://analysis.windows.net/powerbi/connector/GoogleBigQuery")
                    .webSsoConfig(WorkforcePoolProviderOidcWebSsoConfigArgs.builder()
                        .responseType("CODE")
                        .assertionClaimsBehavior("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS")
                        .build())
                    .clientSecret(WorkforcePoolProviderOidcClientSecretArgs.builder()
                        .value(WorkforcePoolProviderOidcClientSecretValueArgs.builder()
                            .plainText("client-secret")
                            .build())
                        .build())
                    .build())
                .extraAttributesOauth2Client(WorkforcePoolProviderExtraAttributesOauth2ClientArgs.builder()
                    .issuerUri("https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0")
                    .clientId("client-id")
                    .clientSecret(WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs.builder()
                        .value(WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs.builder()
                            .plainText("client-secret")
                            .build())
                        .build())
                    .attributesType("AZURE_AD_GROUPS_MAIL")
                    .build())
                .build());
    
        }
    }
    
    resources:
      pool:
        type: gcp:iam:WorkforcePool
        properties:
          workforcePoolId: example-pool
          parent: organizations/123456789
          location: global
      example:
        type: gcp:iam:WorkforcePoolProvider
        properties:
          workforcePoolId: ${pool.workforcePoolId}
          location: ${pool.location}
          providerId: example-prvdr
          attributeMapping:
            google.subject: assertion.sub
          oidc:
            issuerUri: https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/
            clientId: https://analysis.windows.net/powerbi/connector/GoogleBigQuery
            webSsoConfig:
              responseType: CODE
              assertionClaimsBehavior: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS
            clientSecret:
              value:
                plainText: client-secret
          extraAttributesOauth2Client:
            issuerUri: https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0
            clientId: client-id
            clientSecret:
              value:
                plainText: client-secret
            attributesType: AZURE_AD_GROUPS_MAIL
    

    Iam Workforce Pool Provider Extra Attributes Oauth2 Config Client Full

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const pool = new gcp.iam.WorkforcePool("pool", {
        workforcePoolId: "example-pool",
        parent: "organizations/123456789",
        location: "global",
    });
    const example = new gcp.iam.WorkforcePoolProvider("example", {
        workforcePoolId: pool.workforcePoolId,
        location: pool.location,
        providerId: "example-prvdr",
        attributeMapping: {
            "google.subject": "assertion.sub",
        },
        oidc: {
            issuerUri: "https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/",
            clientId: "https://analysis.windows.net/powerbi/connector/GoogleBigQuery",
            clientSecret: {
                value: {
                    plainText: "client-secret",
                },
            },
            webSsoConfig: {
                responseType: "CODE",
                assertionClaimsBehavior: "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
            },
        },
        extraAttributesOauth2Client: {
            issuerUri: "https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0",
            clientId: "client-id",
            clientSecret: {
                value: {
                    plainText: "client-secret",
                },
            },
            attributesType: "AZURE_AD_GROUPS_MAIL",
            queryParameters: {
                filter: "mail:gcp",
            },
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    pool = gcp.iam.WorkforcePool("pool",
        workforce_pool_id="example-pool",
        parent="organizations/123456789",
        location="global")
    example = gcp.iam.WorkforcePoolProvider("example",
        workforce_pool_id=pool.workforce_pool_id,
        location=pool.location,
        provider_id="example-prvdr",
        attribute_mapping={
            "google.subject": "assertion.sub",
        },
        oidc={
            "issuer_uri": "https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/",
            "client_id": "https://analysis.windows.net/powerbi/connector/GoogleBigQuery",
            "client_secret": {
                "value": {
                    "plain_text": "client-secret",
                },
            },
            "web_sso_config": {
                "response_type": "CODE",
                "assertion_claims_behavior": "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
            },
        },
        extra_attributes_oauth2_client={
            "issuer_uri": "https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0",
            "client_id": "client-id",
            "client_secret": {
                "value": {
                    "plain_text": "client-secret",
                },
            },
            "attributes_type": "AZURE_AD_GROUPS_MAIL",
            "query_parameters": {
                "filter": "mail:gcp",
            },
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := iam.NewWorkforcePool(ctx, "pool", &iam.WorkforcePoolArgs{
    			WorkforcePoolId: pulumi.String("example-pool"),
    			Parent:          pulumi.String("organizations/123456789"),
    			Location:        pulumi.String("global"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewWorkforcePoolProvider(ctx, "example", &iam.WorkforcePoolProviderArgs{
    			WorkforcePoolId: pool.WorkforcePoolId,
    			Location:        pool.Location,
    			ProviderId:      pulumi.String("example-prvdr"),
    			AttributeMapping: pulumi.StringMap{
    				"google.subject": pulumi.String("assertion.sub"),
    			},
    			Oidc: &iam.WorkforcePoolProviderOidcArgs{
    				IssuerUri: pulumi.String("https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/"),
    				ClientId:  pulumi.String("https://analysis.windows.net/powerbi/connector/GoogleBigQuery"),
    				ClientSecret: &iam.WorkforcePoolProviderOidcClientSecretArgs{
    					Value: &iam.WorkforcePoolProviderOidcClientSecretValueArgs{
    						PlainText: pulumi.String("client-secret"),
    					},
    				},
    				WebSsoConfig: &iam.WorkforcePoolProviderOidcWebSsoConfigArgs{
    					ResponseType:            pulumi.String("CODE"),
    					AssertionClaimsBehavior: pulumi.String("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"),
    				},
    			},
    			ExtraAttributesOauth2Client: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientArgs{
    				IssuerUri: pulumi.String("https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0"),
    				ClientId:  pulumi.String("client-id"),
    				ClientSecret: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs{
    					Value: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs{
    						PlainText: pulumi.String("client-secret"),
    					},
    				},
    				AttributesType: pulumi.String("AZURE_AD_GROUPS_MAIL"),
    				QueryParameters: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs{
    					Filter: pulumi.String("mail:gcp"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Gcp.Iam.WorkforcePool("pool", new()
        {
            WorkforcePoolId = "example-pool",
            Parent = "organizations/123456789",
            Location = "global",
        });
    
        var example = new Gcp.Iam.WorkforcePoolProvider("example", new()
        {
            WorkforcePoolId = pool.WorkforcePoolId,
            Location = pool.Location,
            ProviderId = "example-prvdr",
            AttributeMapping = 
            {
                { "google.subject", "assertion.sub" },
            },
            Oidc = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcArgs
            {
                IssuerUri = "https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/",
                ClientId = "https://analysis.windows.net/powerbi/connector/GoogleBigQuery",
                ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretArgs
                {
                    Value = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretValueArgs
                    {
                        PlainText = "client-secret",
                    },
                },
                WebSsoConfig = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcWebSsoConfigArgs
                {
                    ResponseType = "CODE",
                    AssertionClaimsBehavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
                },
            },
            ExtraAttributesOauth2Client = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientArgs
            {
                IssuerUri = "https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0",
                ClientId = "client-id",
                ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs
                {
                    Value = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs
                    {
                        PlainText = "client-secret",
                    },
                },
                AttributesType = "AZURE_AD_GROUPS_MAIL",
                QueryParameters = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs
                {
                    Filter = "mail:gcp",
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkforcePool;
    import com.pulumi.gcp.iam.WorkforcePoolArgs;
    import com.pulumi.gcp.iam.WorkforcePoolProvider;
    import com.pulumi.gcp.iam.WorkforcePoolProviderArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretValueArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcWebSsoConfigArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderExtraAttributesOauth2ClientArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs;
    import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new WorkforcePool("pool", WorkforcePoolArgs.builder()
                .workforcePoolId("example-pool")
                .parent("organizations/123456789")
                .location("global")
                .build());
    
            var example = new WorkforcePoolProvider("example", WorkforcePoolProviderArgs.builder()
                .workforcePoolId(pool.workforcePoolId())
                .location(pool.location())
                .providerId("example-prvdr")
                .attributeMapping(Map.of("google.subject", "assertion.sub"))
                .oidc(WorkforcePoolProviderOidcArgs.builder()
                    .issuerUri("https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/")
                    .clientId("https://analysis.windows.net/powerbi/connector/GoogleBigQuery")
                    .clientSecret(WorkforcePoolProviderOidcClientSecretArgs.builder()
                        .value(WorkforcePoolProviderOidcClientSecretValueArgs.builder()
                            .plainText("client-secret")
                            .build())
                        .build())
                    .webSsoConfig(WorkforcePoolProviderOidcWebSsoConfigArgs.builder()
                        .responseType("CODE")
                        .assertionClaimsBehavior("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS")
                        .build())
                    .build())
                .extraAttributesOauth2Client(WorkforcePoolProviderExtraAttributesOauth2ClientArgs.builder()
                    .issuerUri("https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0")
                    .clientId("client-id")
                    .clientSecret(WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs.builder()
                        .value(WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs.builder()
                            .plainText("client-secret")
                            .build())
                        .build())
                    .attributesType("AZURE_AD_GROUPS_MAIL")
                    .queryParameters(WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs.builder()
                        .filter("mail:gcp")
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      pool:
        type: gcp:iam:WorkforcePool
        properties:
          workforcePoolId: example-pool
          parent: organizations/123456789
          location: global
      example:
        type: gcp:iam:WorkforcePoolProvider
        properties:
          workforcePoolId: ${pool.workforcePoolId}
          location: ${pool.location}
          providerId: example-prvdr
          attributeMapping:
            google.subject: assertion.sub
          oidc:
            issuerUri: https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/
            clientId: https://analysis.windows.net/powerbi/connector/GoogleBigQuery
            clientSecret:
              value:
                plainText: client-secret
            webSsoConfig:
              responseType: CODE
              assertionClaimsBehavior: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS
          extraAttributesOauth2Client:
            issuerUri: https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0
            clientId: client-id
            clientSecret:
              value:
                plainText: client-secret
            attributesType: AZURE_AD_GROUPS_MAIL
            queryParameters:
              filter: mail:gcp
    

    Create WorkforcePoolProvider Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new WorkforcePoolProvider(name: string, args: WorkforcePoolProviderArgs, opts?: CustomResourceOptions);
    @overload
    def WorkforcePoolProvider(resource_name: str,
                              args: WorkforcePoolProviderArgs,
                              opts: Optional[ResourceOptions] = None)
    
    @overload
    def WorkforcePoolProvider(resource_name: str,
                              opts: Optional[ResourceOptions] = None,
                              location: Optional[str] = None,
                              provider_id: Optional[str] = None,
                              workforce_pool_id: Optional[str] = None,
                              attribute_condition: Optional[str] = None,
                              attribute_mapping: Optional[Mapping[str, str]] = None,
                              description: Optional[str] = None,
                              disabled: Optional[bool] = None,
                              display_name: Optional[str] = None,
                              extra_attributes_oauth2_client: Optional[WorkforcePoolProviderExtraAttributesOauth2ClientArgs] = None,
                              oidc: Optional[WorkforcePoolProviderOidcArgs] = None,
                              saml: Optional[WorkforcePoolProviderSamlArgs] = None)
    func NewWorkforcePoolProvider(ctx *Context, name string, args WorkforcePoolProviderArgs, opts ...ResourceOption) (*WorkforcePoolProvider, error)
    public WorkforcePoolProvider(string name, WorkforcePoolProviderArgs args, CustomResourceOptions? opts = null)
    public WorkforcePoolProvider(String name, WorkforcePoolProviderArgs args)
    public WorkforcePoolProvider(String name, WorkforcePoolProviderArgs args, CustomResourceOptions options)
    
    type: gcp:iam:WorkforcePoolProvider
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args WorkforcePoolProviderArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args WorkforcePoolProviderArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args WorkforcePoolProviderArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args WorkforcePoolProviderArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args WorkforcePoolProviderArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var workforcePoolProviderResource = new Gcp.Iam.WorkforcePoolProvider("workforcePoolProviderResource", new()
    {
        Location = "string",
        ProviderId = "string",
        WorkforcePoolId = "string",
        AttributeCondition = "string",
        AttributeMapping = 
        {
            { "string", "string" },
        },
        Description = "string",
        Disabled = false,
        DisplayName = "string",
        ExtraAttributesOauth2Client = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientArgs
        {
            AttributesType = "string",
            ClientId = "string",
            ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs
            {
                Value = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs
                {
                    PlainText = "string",
                    Thumbprint = "string",
                },
            },
            IssuerUri = "string",
            QueryParameters = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs
            {
                Filter = "string",
            },
        },
        Oidc = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcArgs
        {
            ClientId = "string",
            IssuerUri = "string",
            ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretArgs
            {
                Value = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretValueArgs
                {
                    PlainText = "string",
                    Thumbprint = "string",
                },
            },
            JwksJson = "string",
            WebSsoConfig = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcWebSsoConfigArgs
            {
                AssertionClaimsBehavior = "string",
                ResponseType = "string",
                AdditionalScopes = new[]
                {
                    "string",
                },
            },
        },
        Saml = new Gcp.Iam.Inputs.WorkforcePoolProviderSamlArgs
        {
            IdpMetadataXml = "string",
        },
    });
    
    example, err := iam.NewWorkforcePoolProvider(ctx, "workforcePoolProviderResource", &iam.WorkforcePoolProviderArgs{
    	Location:           pulumi.String("string"),
    	ProviderId:         pulumi.String("string"),
    	WorkforcePoolId:    pulumi.String("string"),
    	AttributeCondition: pulumi.String("string"),
    	AttributeMapping: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	Description: pulumi.String("string"),
    	Disabled:    pulumi.Bool(false),
    	DisplayName: pulumi.String("string"),
    	ExtraAttributesOauth2Client: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientArgs{
    		AttributesType: pulumi.String("string"),
    		ClientId:       pulumi.String("string"),
    		ClientSecret: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs{
    			Value: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs{
    				PlainText:  pulumi.String("string"),
    				Thumbprint: pulumi.String("string"),
    			},
    		},
    		IssuerUri: pulumi.String("string"),
    		QueryParameters: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs{
    			Filter: pulumi.String("string"),
    		},
    	},
    	Oidc: &iam.WorkforcePoolProviderOidcArgs{
    		ClientId:  pulumi.String("string"),
    		IssuerUri: pulumi.String("string"),
    		ClientSecret: &iam.WorkforcePoolProviderOidcClientSecretArgs{
    			Value: &iam.WorkforcePoolProviderOidcClientSecretValueArgs{
    				PlainText:  pulumi.String("string"),
    				Thumbprint: pulumi.String("string"),
    			},
    		},
    		JwksJson: pulumi.String("string"),
    		WebSsoConfig: &iam.WorkforcePoolProviderOidcWebSsoConfigArgs{
    			AssertionClaimsBehavior: pulumi.String("string"),
    			ResponseType:            pulumi.String("string"),
    			AdditionalScopes: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    	},
    	Saml: &iam.WorkforcePoolProviderSamlArgs{
    		IdpMetadataXml: pulumi.String("string"),
    	},
    })
    
    var workforcePoolProviderResource = new WorkforcePoolProvider("workforcePoolProviderResource", WorkforcePoolProviderArgs.builder()
        .location("string")
        .providerId("string")
        .workforcePoolId("string")
        .attributeCondition("string")
        .attributeMapping(Map.of("string", "string"))
        .description("string")
        .disabled(false)
        .displayName("string")
        .extraAttributesOauth2Client(WorkforcePoolProviderExtraAttributesOauth2ClientArgs.builder()
            .attributesType("string")
            .clientId("string")
            .clientSecret(WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs.builder()
                .value(WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs.builder()
                    .plainText("string")
                    .thumbprint("string")
                    .build())
                .build())
            .issuerUri("string")
            .queryParameters(WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs.builder()
                .filter("string")
                .build())
            .build())
        .oidc(WorkforcePoolProviderOidcArgs.builder()
            .clientId("string")
            .issuerUri("string")
            .clientSecret(WorkforcePoolProviderOidcClientSecretArgs.builder()
                .value(WorkforcePoolProviderOidcClientSecretValueArgs.builder()
                    .plainText("string")
                    .thumbprint("string")
                    .build())
                .build())
            .jwksJson("string")
            .webSsoConfig(WorkforcePoolProviderOidcWebSsoConfigArgs.builder()
                .assertionClaimsBehavior("string")
                .responseType("string")
                .additionalScopes("string")
                .build())
            .build())
        .saml(WorkforcePoolProviderSamlArgs.builder()
            .idpMetadataXml("string")
            .build())
        .build());
    
    workforce_pool_provider_resource = gcp.iam.WorkforcePoolProvider("workforcePoolProviderResource",
        location="string",
        provider_id="string",
        workforce_pool_id="string",
        attribute_condition="string",
        attribute_mapping={
            "string": "string",
        },
        description="string",
        disabled=False,
        display_name="string",
        extra_attributes_oauth2_client={
            "attributes_type": "string",
            "client_id": "string",
            "client_secret": {
                "value": {
                    "plain_text": "string",
                    "thumbprint": "string",
                },
            },
            "issuer_uri": "string",
            "query_parameters": {
                "filter": "string",
            },
        },
        oidc={
            "client_id": "string",
            "issuer_uri": "string",
            "client_secret": {
                "value": {
                    "plain_text": "string",
                    "thumbprint": "string",
                },
            },
            "jwks_json": "string",
            "web_sso_config": {
                "assertion_claims_behavior": "string",
                "response_type": "string",
                "additional_scopes": ["string"],
            },
        },
        saml={
            "idp_metadata_xml": "string",
        })
    
    const workforcePoolProviderResource = new gcp.iam.WorkforcePoolProvider("workforcePoolProviderResource", {
        location: "string",
        providerId: "string",
        workforcePoolId: "string",
        attributeCondition: "string",
        attributeMapping: {
            string: "string",
        },
        description: "string",
        disabled: false,
        displayName: "string",
        extraAttributesOauth2Client: {
            attributesType: "string",
            clientId: "string",
            clientSecret: {
                value: {
                    plainText: "string",
                    thumbprint: "string",
                },
            },
            issuerUri: "string",
            queryParameters: {
                filter: "string",
            },
        },
        oidc: {
            clientId: "string",
            issuerUri: "string",
            clientSecret: {
                value: {
                    plainText: "string",
                    thumbprint: "string",
                },
            },
            jwksJson: "string",
            webSsoConfig: {
                assertionClaimsBehavior: "string",
                responseType: "string",
                additionalScopes: ["string"],
            },
        },
        saml: {
            idpMetadataXml: "string",
        },
    });
    
    type: gcp:iam:WorkforcePoolProvider
    properties:
        attributeCondition: string
        attributeMapping:
            string: string
        description: string
        disabled: false
        displayName: string
        extraAttributesOauth2Client:
            attributesType: string
            clientId: string
            clientSecret:
                value:
                    plainText: string
                    thumbprint: string
            issuerUri: string
            queryParameters:
                filter: string
        location: string
        oidc:
            clientId: string
            clientSecret:
                value:
                    plainText: string
                    thumbprint: string
            issuerUri: string
            jwksJson: string
            webSsoConfig:
                additionalScopes:
                    - string
                assertionClaimsBehavior: string
                responseType: string
        providerId: string
        saml:
            idpMetadataXml: string
        workforcePoolId: string
    

    WorkforcePoolProvider Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The WorkforcePoolProvider resource accepts the following input properties:

    Location string
    The location for the resource.
    ProviderId string
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    WorkforcePoolId string
    The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.
    AttributeCondition string
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    AttributeMapping Dictionary<string, string>

    Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
    • google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
    • google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
    • google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:
    {"google.subject": "assertion.sub"}
    

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    Description string
    A user-specified description of the provider. Cannot exceed 256 characters.
    Disabled bool
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    DisplayName string
    A user-specified display name for the provider. Cannot exceed 32 characters.
    ExtraAttributesOauth2Client WorkforcePoolProviderExtraAttributesOauth2Client
    The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
    Oidc WorkforcePoolProviderOidc
    Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
    Saml WorkforcePoolProviderSaml
    Represents a SAML identity provider. Structure is documented below.
    Location string
    The location for the resource.
    ProviderId string
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    WorkforcePoolId string
    The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.
    AttributeCondition string
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    AttributeMapping map[string]string

    Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
    • google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
    • google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
    • google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:
    {"google.subject": "assertion.sub"}
    

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    Description string
    A user-specified description of the provider. Cannot exceed 256 characters.
    Disabled bool
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    DisplayName string
    A user-specified display name for the provider. Cannot exceed 32 characters.
    ExtraAttributesOauth2Client WorkforcePoolProviderExtraAttributesOauth2ClientArgs
    The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
    Oidc WorkforcePoolProviderOidcArgs
    Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
    Saml WorkforcePoolProviderSamlArgs
    Represents a SAML identity provider. Structure is documented below.
    location String
    The location for the resource.
    providerId String
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    workforcePoolId String
    The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.
    attributeCondition String
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    attributeMapping Map<String,String>

    Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
    • google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
    • google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
    • google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:
    {"google.subject": "assertion.sub"}
    

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    description String
    A user-specified description of the provider. Cannot exceed 256 characters.
    disabled Boolean
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    displayName String
    A user-specified display name for the provider. Cannot exceed 32 characters.
    extraAttributesOauth2Client WorkforcePoolProviderExtraAttributesOauth2Client
    The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
    oidc WorkforcePoolProviderOidc
    Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
    saml WorkforcePoolProviderSaml
    Represents a SAML identity provider. Structure is documented below.
    location string
    The location for the resource.
    providerId string
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    workforcePoolId string
    The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.
    attributeCondition string
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    attributeMapping {[key: string]: string}

    Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
    • google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
    • google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
    • google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:
    {"google.subject": "assertion.sub"}
    

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    description string
    A user-specified description of the provider. Cannot exceed 256 characters.
    disabled boolean
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    displayName string
    A user-specified display name for the provider. Cannot exceed 32 characters.
    extraAttributesOauth2Client WorkforcePoolProviderExtraAttributesOauth2Client
    The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
    oidc WorkforcePoolProviderOidc
    Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
    saml WorkforcePoolProviderSaml
    Represents a SAML identity provider. Structure is documented below.
    location str
    The location for the resource.
    provider_id str
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    workforce_pool_id str
    The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.
    attribute_condition str
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    attribute_mapping Mapping[str, str]

    Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
    • google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
    • google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
    • google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:
    {"google.subject": "assertion.sub"}
    

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    description str
    A user-specified description of the provider. Cannot exceed 256 characters.
    disabled bool
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    display_name str
    A user-specified display name for the provider. Cannot exceed 32 characters.
    extra_attributes_oauth2_client WorkforcePoolProviderExtraAttributesOauth2ClientArgs
    The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
    oidc WorkforcePoolProviderOidcArgs
    Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
    saml WorkforcePoolProviderSamlArgs
    Represents a SAML identity provider. Structure is documented below.
    location String
    The location for the resource.
    providerId String
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    workforcePoolId String
    The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.
    attributeCondition String
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    attributeMapping Map<String>

    Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
    • google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
    • google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
    • google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:
    {"google.subject": "assertion.sub"}
    

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    description String
    A user-specified description of the provider. Cannot exceed 256 characters.
    disabled Boolean
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    displayName String
    A user-specified display name for the provider. Cannot exceed 32 characters.
    extraAttributesOauth2Client Property Map
    The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
    oidc Property Map
    Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
    saml Property Map
    Represents a SAML identity provider. Structure is documented below.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the WorkforcePoolProvider resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
    State string
    The current state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
    State string
    The current state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
    state String
    The current state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
    id string
    The provider-assigned unique ID for this managed resource.
    name string
    Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
    state string
    The current state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
    id str
    The provider-assigned unique ID for this managed resource.
    name str
    Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
    state str
    The current state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
    state String
    The current state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.

    Look up Existing WorkforcePoolProvider Resource

    Get an existing WorkforcePoolProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: WorkforcePoolProviderState, opts?: CustomResourceOptions): WorkforcePoolProvider
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            attribute_condition: Optional[str] = None,
            attribute_mapping: Optional[Mapping[str, str]] = None,
            description: Optional[str] = None,
            disabled: Optional[bool] = None,
            display_name: Optional[str] = None,
            extra_attributes_oauth2_client: Optional[WorkforcePoolProviderExtraAttributesOauth2ClientArgs] = None,
            location: Optional[str] = None,
            name: Optional[str] = None,
            oidc: Optional[WorkforcePoolProviderOidcArgs] = None,
            provider_id: Optional[str] = None,
            saml: Optional[WorkforcePoolProviderSamlArgs] = None,
            state: Optional[str] = None,
            workforce_pool_id: Optional[str] = None) -> WorkforcePoolProvider
    func GetWorkforcePoolProvider(ctx *Context, name string, id IDInput, state *WorkforcePoolProviderState, opts ...ResourceOption) (*WorkforcePoolProvider, error)
    public static WorkforcePoolProvider Get(string name, Input<string> id, WorkforcePoolProviderState? state, CustomResourceOptions? opts = null)
    public static WorkforcePoolProvider get(String name, Output<String> id, WorkforcePoolProviderState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AttributeCondition string
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    AttributeMapping Dictionary<string, string>

    Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
    • google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
    • google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
    • google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:
    {"google.subject": "assertion.sub"}
    

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    Description string
    A user-specified description of the provider. Cannot exceed 256 characters.
    Disabled bool
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    DisplayName string
    A user-specified display name for the provider. Cannot exceed 32 characters.
    ExtraAttributesOauth2Client WorkforcePoolProviderExtraAttributesOauth2Client
    The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
    Location string
    The location for the resource.
    Name string
    Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
    Oidc WorkforcePoolProviderOidc
    Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
    ProviderId string
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    Saml WorkforcePoolProviderSaml
    Represents a SAML identity provider. Structure is documented below.
    State string
    The current state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
    WorkforcePoolId string
    The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.
    AttributeCondition string
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    AttributeMapping map[string]string

    Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
    • google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
    • google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
    • google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:
    {"google.subject": "assertion.sub"}
    

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    Description string
    A user-specified description of the provider. Cannot exceed 256 characters.
    Disabled bool
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    DisplayName string
    A user-specified display name for the provider. Cannot exceed 32 characters.
    ExtraAttributesOauth2Client WorkforcePoolProviderExtraAttributesOauth2ClientArgs
    The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
    Location string
    The location for the resource.
    Name string
    Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
    Oidc WorkforcePoolProviderOidcArgs
    Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
    ProviderId string
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    Saml WorkforcePoolProviderSamlArgs
    Represents a SAML identity provider. Structure is documented below.
    State string
    The current state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
    WorkforcePoolId string
    The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.
    attributeCondition String
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    attributeMapping Map<String,String>

    Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
    • google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
    • google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
    • google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:
    {"google.subject": "assertion.sub"}
    

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    description String
    A user-specified description of the provider. Cannot exceed 256 characters.
    disabled Boolean
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    displayName String
    A user-specified display name for the provider. Cannot exceed 32 characters.
    extraAttributesOauth2Client WorkforcePoolProviderExtraAttributesOauth2Client
    The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
    location String
    The location for the resource.
    name String
    Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
    oidc WorkforcePoolProviderOidc
    Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
    providerId String
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    saml WorkforcePoolProviderSaml
    Represents a SAML identity provider. Structure is documented below.
    state String
    The current state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
    workforcePoolId String
    The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.
    attributeCondition string
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    attributeMapping {[key: string]: string}

    Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
    • google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
    • google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
    • google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:
    {"google.subject": "assertion.sub"}
    

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    description string
    A user-specified description of the provider. Cannot exceed 256 characters.
    disabled boolean
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    displayName string
    A user-specified display name for the provider. Cannot exceed 32 characters.
    extraAttributesOauth2Client WorkforcePoolProviderExtraAttributesOauth2Client
    The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
    location string
    The location for the resource.
    name string
    Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
    oidc WorkforcePoolProviderOidc
    Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
    providerId string
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    saml WorkforcePoolProviderSaml
    Represents a SAML identity provider. Structure is documented below.
    state string
    The current state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
    workforcePoolId string
    The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.
    attribute_condition str
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    attribute_mapping Mapping[str, str]

    Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
    • google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
    • google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
    • google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:
    {"google.subject": "assertion.sub"}
    

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    description str
    A user-specified description of the provider. Cannot exceed 256 characters.
    disabled bool
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    display_name str
    A user-specified display name for the provider. Cannot exceed 32 characters.
    extra_attributes_oauth2_client WorkforcePoolProviderExtraAttributesOauth2ClientArgs
    The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
    location str
    The location for the resource.
    name str
    Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
    oidc WorkforcePoolProviderOidcArgs
    Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
    provider_id str
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    saml WorkforcePoolProviderSamlArgs
    Represents a SAML identity provider. Structure is documented below.
    state str
    The current state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
    workforce_pool_id str
    The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.
    attributeCondition String
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    attributeMapping Map<String>

    Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
    • google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
    • google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
    • google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:
    {"google.subject": "assertion.sub"}
    

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    description String
    A user-specified description of the provider. Cannot exceed 256 characters.
    disabled Boolean
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    displayName String
    A user-specified display name for the provider. Cannot exceed 32 characters.
    extraAttributesOauth2Client Property Map
    The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
    location String
    The location for the resource.
    name String
    Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
    oidc Property Map
    Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
    providerId String
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    saml Property Map
    Represents a SAML identity provider. Structure is documented below.
    state String
    The current state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
    workforcePoolId String
    The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.

    Supporting Types

    WorkforcePoolProviderExtraAttributesOauth2Client, WorkforcePoolProviderExtraAttributesOauth2ClientArgs

    AttributesType string
    Represents the IdP and type of claims that should be fetched.

    • AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided in ExtraAttributesOAuth2Client and 'mail' property of the 'microsoft.graph.group' object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on 'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'. Possible values: ["AZURE_AD_GROUPS_MAIL"]
    ClientId string
    The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
    ClientSecret WorkforcePoolProviderExtraAttributesOauth2ClientClientSecret
    The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
    IssuerUri string
    The OIDC identity provider's issuer URI. Must be a valid URI using the 'https' scheme. Required to get the OIDC discovery document.
    QueryParameters WorkforcePoolProviderExtraAttributesOauth2ClientQueryParameters
    Represents the parameters to control which claims are fetched from an IdP.
    AttributesType string
    Represents the IdP and type of claims that should be fetched.

    • AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided in ExtraAttributesOAuth2Client and 'mail' property of the 'microsoft.graph.group' object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on 'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'. Possible values: ["AZURE_AD_GROUPS_MAIL"]
    ClientId string
    The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
    ClientSecret WorkforcePoolProviderExtraAttributesOauth2ClientClientSecret
    The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
    IssuerUri string
    The OIDC identity provider's issuer URI. Must be a valid URI using the 'https' scheme. Required to get the OIDC discovery document.
    QueryParameters WorkforcePoolProviderExtraAttributesOauth2ClientQueryParameters
    Represents the parameters to control which claims are fetched from an IdP.
    attributesType String
    Represents the IdP and type of claims that should be fetched.

    • AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided in ExtraAttributesOAuth2Client and 'mail' property of the 'microsoft.graph.group' object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on 'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'. Possible values: ["AZURE_AD_GROUPS_MAIL"]
    clientId String
    The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
    clientSecret WorkforcePoolProviderExtraAttributesOauth2ClientClientSecret
    The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
    issuerUri String
    The OIDC identity provider's issuer URI. Must be a valid URI using the 'https' scheme. Required to get the OIDC discovery document.
    queryParameters WorkforcePoolProviderExtraAttributesOauth2ClientQueryParameters
    Represents the parameters to control which claims are fetched from an IdP.
    attributesType string
    Represents the IdP and type of claims that should be fetched.

    • AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided in ExtraAttributesOAuth2Client and 'mail' property of the 'microsoft.graph.group' object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on 'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'. Possible values: ["AZURE_AD_GROUPS_MAIL"]
    clientId string
    The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
    clientSecret WorkforcePoolProviderExtraAttributesOauth2ClientClientSecret
    The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
    issuerUri string
    The OIDC identity provider's issuer URI. Must be a valid URI using the 'https' scheme. Required to get the OIDC discovery document.
    queryParameters WorkforcePoolProviderExtraAttributesOauth2ClientQueryParameters
    Represents the parameters to control which claims are fetched from an IdP.
    attributes_type str
    Represents the IdP and type of claims that should be fetched.

    • AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided in ExtraAttributesOAuth2Client and 'mail' property of the 'microsoft.graph.group' object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on 'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'. Possible values: ["AZURE_AD_GROUPS_MAIL"]
    client_id str
    The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
    client_secret WorkforcePoolProviderExtraAttributesOauth2ClientClientSecret
    The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
    issuer_uri str
    The OIDC identity provider's issuer URI. Must be a valid URI using the 'https' scheme. Required to get the OIDC discovery document.
    query_parameters WorkforcePoolProviderExtraAttributesOauth2ClientQueryParameters
    Represents the parameters to control which claims are fetched from an IdP.
    attributesType String
    Represents the IdP and type of claims that should be fetched.

    • AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided in ExtraAttributesOAuth2Client and 'mail' property of the 'microsoft.graph.group' object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on 'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'. Possible values: ["AZURE_AD_GROUPS_MAIL"]
    clientId String
    The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
    clientSecret Property Map
    The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
    issuerUri String
    The OIDC identity provider's issuer URI. Must be a valid URI using the 'https' scheme. Required to get the OIDC discovery document.
    queryParameters Property Map
    Represents the parameters to control which claims are fetched from an IdP.

    WorkforcePoolProviderExtraAttributesOauth2ClientClientSecret, WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs

    Value WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValue
    The value of the client secret. Structure is documented below.
    Value WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValue
    The value of the client secret. Structure is documented below.
    value WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValue
    The value of the client secret. Structure is documented below.
    value WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValue
    The value of the client secret. Structure is documented below.
    value WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValue
    The value of the client secret. Structure is documented below.
    value Property Map
    The value of the client secret. Structure is documented below.

    WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValue, WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs

    PlainText string
    The plain text of the client secret value.
    Thumbprint string
    (Output) A thumbprint to represent the current client secret value.
    PlainText string
    The plain text of the client secret value.
    Thumbprint string
    (Output) A thumbprint to represent the current client secret value.
    plainText String
    The plain text of the client secret value.
    thumbprint String
    (Output) A thumbprint to represent the current client secret value.
    plainText string
    The plain text of the client secret value.
    thumbprint string
    (Output) A thumbprint to represent the current client secret value.
    plain_text str
    The plain text of the client secret value.
    thumbprint str
    (Output) A thumbprint to represent the current client secret value.
    plainText String
    The plain text of the client secret value.
    thumbprint String
    (Output) A thumbprint to represent the current client secret value.

    WorkforcePoolProviderExtraAttributesOauth2ClientQueryParameters, WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs

    Filter string
    The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.
    Filter string
    The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.
    filter String
    The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.
    filter string
    The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.
    filter str
    The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.
    filter String
    The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.

    WorkforcePoolProviderOidc, WorkforcePoolProviderOidcArgs

    ClientId string
    The client ID. Must match the audience claim of the JWT issued by the identity provider.
    IssuerUri string
    The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
    ClientSecret WorkforcePoolProviderOidcClientSecret
    The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.
    JwksJson string
    OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

    {
    "keys": [
    {
    "kty": "RSA/EC",
    "alg": "<algorithm>",
    "use": "sig",
    "kid": "<key-id>",
    "n": "",
    "e": "",
    "x": "",
    "y": "",
    "crv": ""
    }
    ]
    }
    
    WebSsoConfig WorkforcePoolProviderOidcWebSsoConfig
    Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.
    ClientId string
    The client ID. Must match the audience claim of the JWT issued by the identity provider.
    IssuerUri string
    The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
    ClientSecret WorkforcePoolProviderOidcClientSecret
    The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.
    JwksJson string
    OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

    {
    "keys": [
    {
    "kty": "RSA/EC",
    "alg": "<algorithm>",
    "use": "sig",
    "kid": "<key-id>",
    "n": "",
    "e": "",
    "x": "",
    "y": "",
    "crv": ""
    }
    ]
    }
    
    WebSsoConfig WorkforcePoolProviderOidcWebSsoConfig
    Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.
    clientId String
    The client ID. Must match the audience claim of the JWT issued by the identity provider.
    issuerUri String
    The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
    clientSecret WorkforcePoolProviderOidcClientSecret
    The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.
    jwksJson String
    OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

    {
    "keys": [
    {
    "kty": "RSA/EC",
    "alg": "<algorithm>",
    "use": "sig",
    "kid": "<key-id>",
    "n": "",
    "e": "",
    "x": "",
    "y": "",
    "crv": ""
    }
    ]
    }
    
    webSsoConfig WorkforcePoolProviderOidcWebSsoConfig
    Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.
    clientId string
    The client ID. Must match the audience claim of the JWT issued by the identity provider.
    issuerUri string
    The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
    clientSecret WorkforcePoolProviderOidcClientSecret
    The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.
    jwksJson string
    OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

    {
    "keys": [
    {
    "kty": "RSA/EC",
    "alg": "<algorithm>",
    "use": "sig",
    "kid": "<key-id>",
    "n": "",
    "e": "",
    "x": "",
    "y": "",
    "crv": ""
    }
    ]
    }
    
    webSsoConfig WorkforcePoolProviderOidcWebSsoConfig
    Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.
    client_id str
    The client ID. Must match the audience claim of the JWT issued by the identity provider.
    issuer_uri str
    The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
    client_secret WorkforcePoolProviderOidcClientSecret
    The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.
    jwks_json str
    OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

    {
    "keys": [
    {
    "kty": "RSA/EC",
    "alg": "<algorithm>",
    "use": "sig",
    "kid": "<key-id>",
    "n": "",
    "e": "",
    "x": "",
    "y": "",
    "crv": ""
    }
    ]
    }
    
    web_sso_config WorkforcePoolProviderOidcWebSsoConfig
    Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.
    clientId String
    The client ID. Must match the audience claim of the JWT issued by the identity provider.
    issuerUri String
    The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
    clientSecret Property Map
    The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.
    jwksJson String
    OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

    {
    "keys": [
    {
    "kty": "RSA/EC",
    "alg": "<algorithm>",
    "use": "sig",
    "kid": "<key-id>",
    "n": "",
    "e": "",
    "x": "",
    "y": "",
    "crv": ""
    }
    ]
    }
    
    webSsoConfig Property Map
    Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.

    WorkforcePoolProviderOidcClientSecret, WorkforcePoolProviderOidcClientSecretArgs

    Value WorkforcePoolProviderOidcClientSecretValue
    The value of the client secret. Structure is documented below.
    Value WorkforcePoolProviderOidcClientSecretValue
    The value of the client secret. Structure is documented below.
    value WorkforcePoolProviderOidcClientSecretValue
    The value of the client secret. Structure is documented below.
    value WorkforcePoolProviderOidcClientSecretValue
    The value of the client secret. Structure is documented below.
    value WorkforcePoolProviderOidcClientSecretValue
    The value of the client secret. Structure is documented below.
    value Property Map
    The value of the client secret. Structure is documented below.

    WorkforcePoolProviderOidcClientSecretValue, WorkforcePoolProviderOidcClientSecretValueArgs

    PlainText string
    The plain text of the client secret value.
    Thumbprint string
    (Output) A thumbprint to represent the current client secret value.
    PlainText string
    The plain text of the client secret value.
    Thumbprint string
    (Output) A thumbprint to represent the current client secret value.
    plainText String
    The plain text of the client secret value.
    thumbprint String
    (Output) A thumbprint to represent the current client secret value.
    plainText string
    The plain text of the client secret value.
    thumbprint string
    (Output) A thumbprint to represent the current client secret value.
    plain_text str
    The plain text of the client secret value.
    thumbprint str
    (Output) A thumbprint to represent the current client secret value.
    plainText String
    The plain text of the client secret value.
    thumbprint String
    (Output) A thumbprint to represent the current client secret value.

    WorkforcePoolProviderOidcWebSsoConfig, WorkforcePoolProviderOidcWebSsoConfigArgs

    AssertionClaimsBehavior string
    The behavior for how OIDC Claims are included in the assertion object used for attribute mapping and attribute condition.

    • MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
    • ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims. Possible values are: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS, ONLY_ID_TOKEN_CLAIMS.
    ResponseType string
    The Response Type to request for in the OIDC Authorization Request for web sign-in. The CODE Response Type is recommended to avoid the Implicit Flow, for security reasons.

    • CODE: The response_type=code selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret.
    • ID_TOKEN: The response_type=id_token selection uses the Implicit Flow for web sign-in. Possible values are: CODE, ID_TOKEN.
    AdditionalScopes List<string>

    Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the openid, profile and email scopes that are supported by the identity provider are requested. Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.

    The extra_attributes_oauth2_client block supports:

    AssertionClaimsBehavior string
    The behavior for how OIDC Claims are included in the assertion object used for attribute mapping and attribute condition.

    • MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
    • ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims. Possible values are: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS, ONLY_ID_TOKEN_CLAIMS.
    ResponseType string
    The Response Type to request for in the OIDC Authorization Request for web sign-in. The CODE Response Type is recommended to avoid the Implicit Flow, for security reasons.

    • CODE: The response_type=code selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret.
    • ID_TOKEN: The response_type=id_token selection uses the Implicit Flow for web sign-in. Possible values are: CODE, ID_TOKEN.
    AdditionalScopes []string

    Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the openid, profile and email scopes that are supported by the identity provider are requested. Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.

    The extra_attributes_oauth2_client block supports:

    assertionClaimsBehavior String
    The behavior for how OIDC Claims are included in the assertion object used for attribute mapping and attribute condition.

    • MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
    • ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims. Possible values are: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS, ONLY_ID_TOKEN_CLAIMS.
    responseType String
    The Response Type to request for in the OIDC Authorization Request for web sign-in. The CODE Response Type is recommended to avoid the Implicit Flow, for security reasons.

    • CODE: The response_type=code selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret.
    • ID_TOKEN: The response_type=id_token selection uses the Implicit Flow for web sign-in. Possible values are: CODE, ID_TOKEN.
    additionalScopes List<String>

    Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the openid, profile and email scopes that are supported by the identity provider are requested. Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.

    The extra_attributes_oauth2_client block supports:

    assertionClaimsBehavior string
    The behavior for how OIDC Claims are included in the assertion object used for attribute mapping and attribute condition.

    • MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
    • ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims. Possible values are: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS, ONLY_ID_TOKEN_CLAIMS.
    responseType string
    The Response Type to request for in the OIDC Authorization Request for web sign-in. The CODE Response Type is recommended to avoid the Implicit Flow, for security reasons.

    • CODE: The response_type=code selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret.
    • ID_TOKEN: The response_type=id_token selection uses the Implicit Flow for web sign-in. Possible values are: CODE, ID_TOKEN.
    additionalScopes string[]

    Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the openid, profile and email scopes that are supported by the identity provider are requested. Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.

    The extra_attributes_oauth2_client block supports:

    assertion_claims_behavior str
    The behavior for how OIDC Claims are included in the assertion object used for attribute mapping and attribute condition.

    • MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
    • ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims. Possible values are: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS, ONLY_ID_TOKEN_CLAIMS.
    response_type str
    The Response Type to request for in the OIDC Authorization Request for web sign-in. The CODE Response Type is recommended to avoid the Implicit Flow, for security reasons.

    • CODE: The response_type=code selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret.
    • ID_TOKEN: The response_type=id_token selection uses the Implicit Flow for web sign-in. Possible values are: CODE, ID_TOKEN.
    additional_scopes Sequence[str]

    Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the openid, profile and email scopes that are supported by the identity provider are requested. Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.

    The extra_attributes_oauth2_client block supports:

    assertionClaimsBehavior String
    The behavior for how OIDC Claims are included in the assertion object used for attribute mapping and attribute condition.

    • MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
    • ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims. Possible values are: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS, ONLY_ID_TOKEN_CLAIMS.
    responseType String
    The Response Type to request for in the OIDC Authorization Request for web sign-in. The CODE Response Type is recommended to avoid the Implicit Flow, for security reasons.

    • CODE: The response_type=code selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret.
    • ID_TOKEN: The response_type=id_token selection uses the Implicit Flow for web sign-in. Possible values are: CODE, ID_TOKEN.
    additionalScopes List<String>

    Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the openid, profile and email scopes that are supported by the identity provider are requested. Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.

    The extra_attributes_oauth2_client block supports:

    WorkforcePoolProviderSaml, WorkforcePoolProviderSamlArgs

    IdpMetadataXml string
    SAML Identity provider configuration metadata xml doc. The xml document should comply with SAML 2.0 specification. The max size of the acceptable xml document will be bounded to 128k characters. The metadata xml document should satisfy the following constraints:

    1. Must contain an Identity Provider Entity ID.
    2. Must contain at least one non-expired signing key certificate.
    3. For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
    4. Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
    IdpMetadataXml string
    SAML Identity provider configuration metadata xml doc. The xml document should comply with SAML 2.0 specification. The max size of the acceptable xml document will be bounded to 128k characters. The metadata xml document should satisfy the following constraints:

    1. Must contain an Identity Provider Entity ID.
    2. Must contain at least one non-expired signing key certificate.
    3. For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
    4. Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
    idpMetadataXml String
    SAML Identity provider configuration metadata xml doc. The xml document should comply with SAML 2.0 specification. The max size of the acceptable xml document will be bounded to 128k characters. The metadata xml document should satisfy the following constraints:

    1. Must contain an Identity Provider Entity ID.
    2. Must contain at least one non-expired signing key certificate.
    3. For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
    4. Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
    idpMetadataXml string
    SAML Identity provider configuration metadata xml doc. The xml document should comply with SAML 2.0 specification. The max size of the acceptable xml document will be bounded to 128k characters. The metadata xml document should satisfy the following constraints:

    1. Must contain an Identity Provider Entity ID.
    2. Must contain at least one non-expired signing key certificate.
    3. For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
    4. Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
    idp_metadata_xml str
    SAML Identity provider configuration metadata xml doc. The xml document should comply with SAML 2.0 specification. The max size of the acceptable xml document will be bounded to 128k characters. The metadata xml document should satisfy the following constraints:

    1. Must contain an Identity Provider Entity ID.
    2. Must contain at least one non-expired signing key certificate.
    3. For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
    4. Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
    idpMetadataXml String
    SAML Identity provider configuration metadata xml doc. The xml document should comply with SAML 2.0 specification. The max size of the acceptable xml document will be bounded to 128k characters. The metadata xml document should satisfy the following constraints:

    1. Must contain an Identity Provider Entity ID.
    2. Must contain at least one non-expired signing key certificate.
    3. For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
    4. Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.

    Import

    WorkforcePoolProvider can be imported using any of these accepted formats:

    • locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}

    • {{location}}/{{workforce_pool_id}}/{{provider_id}}

    When using the pulumi import command, WorkforcePoolProvider can be imported using one of the formats above. For example:

    $ pulumi import gcp:iam/workforcePoolProvider:WorkforcePoolProvider default locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}
    
    $ pulumi import gcp:iam/workforcePoolProvider:WorkforcePoolProvider default {{location}}/{{workforce_pool_id}}/{{provider_id}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi