gcp.iam.WorkloadIdentityPoolProvider
Explore with Pulumi AI
A configuration for an external identity provider.
To get more information about WorkloadIdentityPoolProvider, see:
Example Usage
Iam Workload Identity Pool Provider Aws Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
workloadIdentityPoolId: pool.workloadIdentityPoolId,
workloadIdentityPoolProviderId: "example-prvdr",
aws: {
accountId: "999999999999",
},
});
import pulumi
import pulumi_gcp as gcp
pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
workload_identity_pool_id=pool.workload_identity_pool_id,
workload_identity_pool_provider_id="example-prvdr",
aws={
"account_id": "999999999999",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
WorkloadIdentityPoolId: pulumi.String("example-pool"),
})
if err != nil {
return err
}
_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
WorkloadIdentityPoolId: pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
Aws: &iam.WorkloadIdentityPoolProviderAwsArgs{
AccountId: pulumi.String("999999999999"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
{
WorkloadIdentityPoolId = "example-pool",
});
var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
{
WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId = "example-prvdr",
Aws = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderAwsArgs
{
AccountId = "999999999999",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderAwsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
.workloadIdentityPoolId("example-pool")
.build());
var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
.workloadIdentityPoolId(pool.workloadIdentityPoolId())
.workloadIdentityPoolProviderId("example-prvdr")
.aws(WorkloadIdentityPoolProviderAwsArgs.builder()
.accountId("999999999999")
.build())
.build());
}
}
resources:
pool:
type: gcp:iam:WorkloadIdentityPool
properties:
workloadIdentityPoolId: example-pool
example:
type: gcp:iam:WorkloadIdentityPoolProvider
properties:
workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
workloadIdentityPoolProviderId: example-prvdr
aws:
accountId: '999999999999'
Iam Workload Identity Pool Provider Aws Full
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
workloadIdentityPoolId: pool.workloadIdentityPoolId,
workloadIdentityPoolProviderId: "example-prvdr",
displayName: "Name of provider",
description: "AWS identity pool provider for automated test",
disabled: true,
attributeCondition: "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"",
attributeMapping: {
"google.subject": "assertion.arn",
"attribute.aws_account": "assertion.account",
"attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
},
aws: {
accountId: "999999999999",
},
});
import pulumi
import pulumi_gcp as gcp
pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
workload_identity_pool_id=pool.workload_identity_pool_id,
workload_identity_pool_provider_id="example-prvdr",
display_name="Name of provider",
description="AWS identity pool provider for automated test",
disabled=True,
attribute_condition="attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"",
attribute_mapping={
"google.subject": "assertion.arn",
"attribute.aws_account": "assertion.account",
"attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
},
aws={
"account_id": "999999999999",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
WorkloadIdentityPoolId: pulumi.String("example-pool"),
})
if err != nil {
return err
}
_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
WorkloadIdentityPoolId: pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
DisplayName: pulumi.String("Name of provider"),
Description: pulumi.String("AWS identity pool provider for automated test"),
Disabled: pulumi.Bool(true),
AttributeCondition: pulumi.String("attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\""),
AttributeMapping: pulumi.StringMap{
"google.subject": pulumi.String("assertion.arn"),
"attribute.aws_account": pulumi.String("assertion.account"),
"attribute.environment": pulumi.String("assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\""),
},
Aws: &iam.WorkloadIdentityPoolProviderAwsArgs{
AccountId: pulumi.String("999999999999"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
{
WorkloadIdentityPoolId = "example-pool",
});
var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
{
WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId = "example-prvdr",
DisplayName = "Name of provider",
Description = "AWS identity pool provider for automated test",
Disabled = true,
AttributeCondition = "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"",
AttributeMapping =
{
{ "google.subject", "assertion.arn" },
{ "attribute.aws_account", "assertion.account" },
{ "attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"" },
},
Aws = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderAwsArgs
{
AccountId = "999999999999",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderAwsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
.workloadIdentityPoolId("example-pool")
.build());
var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
.workloadIdentityPoolId(pool.workloadIdentityPoolId())
.workloadIdentityPoolProviderId("example-prvdr")
.displayName("Name of provider")
.description("AWS identity pool provider for automated test")
.disabled(true)
.attributeCondition("attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"")
.attributeMapping(Map.ofEntries(
Map.entry("google.subject", "assertion.arn"),
Map.entry("attribute.aws_account", "assertion.account"),
Map.entry("attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"")
))
.aws(WorkloadIdentityPoolProviderAwsArgs.builder()
.accountId("999999999999")
.build())
.build());
}
}
resources:
pool:
type: gcp:iam:WorkloadIdentityPool
properties:
workloadIdentityPoolId: example-pool
example:
type: gcp:iam:WorkloadIdentityPoolProvider
properties:
workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
workloadIdentityPoolProviderId: example-prvdr
displayName: Name of provider
description: AWS identity pool provider for automated test
disabled: true
attributeCondition: attribute.aws_role=="arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole"
attributeMapping:
google.subject: assertion.arn
attribute.aws_account: assertion.account
attribute.environment: 'assertion.arn.contains(":instance-profile/Production") ? "prod" : "test"'
aws:
accountId: '999999999999'
Iam Workload Identity Pool Provider Github Actions
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
workloadIdentityPoolId: pool.workloadIdentityPoolId,
workloadIdentityPoolProviderId: "example-prvdr",
displayName: "Name of provider",
description: "GitHub Actions identity pool provider for automated test",
disabled: true,
attributeCondition: ` assertion.repository_owner_id == "123456789" &&
attribute.repository == "gh-org/gh-repo" &&
assertion.ref == "refs/heads/main" &&
assertion.ref_type == "branch"
`,
attributeMapping: {
"google.subject": "assertion.sub",
"attribute.actor": "assertion.actor",
"attribute.aud": "assertion.aud",
"attribute.repository": "assertion.repository",
},
oidc: {
issuerUri: "https://token.actions.githubusercontent.com",
},
});
import pulumi
import pulumi_gcp as gcp
pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
workload_identity_pool_id=pool.workload_identity_pool_id,
workload_identity_pool_provider_id="example-prvdr",
display_name="Name of provider",
description="GitHub Actions identity pool provider for automated test",
disabled=True,
attribute_condition=""" assertion.repository_owner_id == "123456789" &&
attribute.repository == "gh-org/gh-repo" &&
assertion.ref == "refs/heads/main" &&
assertion.ref_type == "branch"
""",
attribute_mapping={
"google.subject": "assertion.sub",
"attribute.actor": "assertion.actor",
"attribute.aud": "assertion.aud",
"attribute.repository": "assertion.repository",
},
oidc={
"issuer_uri": "https://token.actions.githubusercontent.com",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
WorkloadIdentityPoolId: pulumi.String("example-pool"),
})
if err != nil {
return err
}
_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
WorkloadIdentityPoolId: pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
DisplayName: pulumi.String("Name of provider"),
Description: pulumi.String("GitHub Actions identity pool provider for automated test"),
Disabled: pulumi.Bool(true),
AttributeCondition: pulumi.String(" assertion.repository_owner_id == \"123456789\" &&\n attribute.repository == \"gh-org/gh-repo\" &&\n assertion.ref == \"refs/heads/main\" &&\n assertion.ref_type == \"branch\"\n"),
AttributeMapping: pulumi.StringMap{
"google.subject": pulumi.String("assertion.sub"),
"attribute.actor": pulumi.String("assertion.actor"),
"attribute.aud": pulumi.String("assertion.aud"),
"attribute.repository": pulumi.String("assertion.repository"),
},
Oidc: &iam.WorkloadIdentityPoolProviderOidcArgs{
IssuerUri: pulumi.String("https://token.actions.githubusercontent.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
{
WorkloadIdentityPoolId = "example-pool",
});
var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
{
WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId = "example-prvdr",
DisplayName = "Name of provider",
Description = "GitHub Actions identity pool provider for automated test",
Disabled = true,
AttributeCondition = @" assertion.repository_owner_id == ""123456789"" &&
attribute.repository == ""gh-org/gh-repo"" &&
assertion.ref == ""refs/heads/main"" &&
assertion.ref_type == ""branch""
",
AttributeMapping =
{
{ "google.subject", "assertion.sub" },
{ "attribute.actor", "assertion.actor" },
{ "attribute.aud", "assertion.aud" },
{ "attribute.repository", "assertion.repository" },
},
Oidc = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
{
IssuerUri = "https://token.actions.githubusercontent.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
.workloadIdentityPoolId("example-pool")
.build());
var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
.workloadIdentityPoolId(pool.workloadIdentityPoolId())
.workloadIdentityPoolProviderId("example-prvdr")
.displayName("Name of provider")
.description("GitHub Actions identity pool provider for automated test")
.disabled(true)
.attributeCondition("""
assertion.repository_owner_id == "123456789" &&
attribute.repository == "gh-org/gh-repo" &&
assertion.ref == "refs/heads/main" &&
assertion.ref_type == "branch"
""")
.attributeMapping(Map.ofEntries(
Map.entry("google.subject", "assertion.sub"),
Map.entry("attribute.actor", "assertion.actor"),
Map.entry("attribute.aud", "assertion.aud"),
Map.entry("attribute.repository", "assertion.repository")
))
.oidc(WorkloadIdentityPoolProviderOidcArgs.builder()
.issuerUri("https://token.actions.githubusercontent.com")
.build())
.build());
}
}
resources:
pool:
type: gcp:iam:WorkloadIdentityPool
properties:
workloadIdentityPoolId: example-pool
example:
type: gcp:iam:WorkloadIdentityPoolProvider
properties:
workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
workloadIdentityPoolProviderId: example-prvdr
displayName: Name of provider
description: GitHub Actions identity pool provider for automated test
disabled: true
attributeCondition: |2
assertion.repository_owner_id == "123456789" &&
attribute.repository == "gh-org/gh-repo" &&
assertion.ref == "refs/heads/main" &&
assertion.ref_type == "branch"
attributeMapping:
google.subject: assertion.sub
attribute.actor: assertion.actor
attribute.aud: assertion.aud
attribute.repository: assertion.repository
oidc:
issuerUri: https://token.actions.githubusercontent.com
Iam Workload Identity Pool Provider Oidc Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
workloadIdentityPoolId: pool.workloadIdentityPoolId,
workloadIdentityPoolProviderId: "example-prvdr",
attributeMapping: {
"google.subject": "assertion.sub",
},
oidc: {
issuerUri: "https://sts.windows.net/azure-tenant-id",
},
});
import pulumi
import pulumi_gcp as gcp
pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
workload_identity_pool_id=pool.workload_identity_pool_id,
workload_identity_pool_provider_id="example-prvdr",
attribute_mapping={
"google.subject": "assertion.sub",
},
oidc={
"issuer_uri": "https://sts.windows.net/azure-tenant-id",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
WorkloadIdentityPoolId: pulumi.String("example-pool"),
})
if err != nil {
return err
}
_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
WorkloadIdentityPoolId: pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
AttributeMapping: pulumi.StringMap{
"google.subject": pulumi.String("assertion.sub"),
},
Oidc: &iam.WorkloadIdentityPoolProviderOidcArgs{
IssuerUri: pulumi.String("https://sts.windows.net/azure-tenant-id"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
{
WorkloadIdentityPoolId = "example-pool",
});
var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
{
WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId = "example-prvdr",
AttributeMapping =
{
{ "google.subject", "assertion.sub" },
},
Oidc = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
{
IssuerUri = "https://sts.windows.net/azure-tenant-id",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
.workloadIdentityPoolId("example-pool")
.build());
var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
.workloadIdentityPoolId(pool.workloadIdentityPoolId())
.workloadIdentityPoolProviderId("example-prvdr")
.attributeMapping(Map.of("google.subject", "assertion.sub"))
.oidc(WorkloadIdentityPoolProviderOidcArgs.builder()
.issuerUri("https://sts.windows.net/azure-tenant-id")
.build())
.build());
}
}
resources:
pool:
type: gcp:iam:WorkloadIdentityPool
properties:
workloadIdentityPoolId: example-pool
example:
type: gcp:iam:WorkloadIdentityPoolProvider
properties:
workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
workloadIdentityPoolProviderId: example-prvdr
attributeMapping:
google.subject: assertion.sub
oidc:
issuerUri: https://sts.windows.net/azure-tenant-id
Iam Workload Identity Pool Provider Oidc Full
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
workloadIdentityPoolId: pool.workloadIdentityPoolId,
workloadIdentityPoolProviderId: "example-prvdr",
displayName: "Name of provider",
description: "OIDC identity pool provider for automated test",
disabled: true,
attributeCondition: "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
attributeMapping: {
"google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
"attribute.tid": "assertion.tid",
"attribute.managed_identity_name": ` {
"8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
"55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
}[assertion.oid]
`,
},
oidc: {
allowedAudiences: [
"https://example.com/gcp-oidc-federation",
"example.com/gcp-oidc-federation",
],
issuerUri: "https://sts.windows.net/azure-tenant-id",
},
});
import pulumi
import pulumi_gcp as gcp
pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
workload_identity_pool_id=pool.workload_identity_pool_id,
workload_identity_pool_provider_id="example-prvdr",
display_name="Name of provider",
description="OIDC identity pool provider for automated test",
disabled=True,
attribute_condition="\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
attribute_mapping={
"google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
"attribute.tid": "assertion.tid",
"attribute.managed_identity_name": """ {
"8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
"55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
}[assertion.oid]
""",
},
oidc={
"allowed_audiences": [
"https://example.com/gcp-oidc-federation",
"example.com/gcp-oidc-federation",
],
"issuer_uri": "https://sts.windows.net/azure-tenant-id",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
WorkloadIdentityPoolId: pulumi.String("example-pool"),
})
if err != nil {
return err
}
_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
WorkloadIdentityPoolId: pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
DisplayName: pulumi.String("Name of provider"),
Description: pulumi.String("OIDC identity pool provider for automated test"),
Disabled: pulumi.Bool(true),
AttributeCondition: pulumi.String("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"),
AttributeMapping: pulumi.StringMap{
"google.subject": pulumi.String("\"azure::\" + assertion.tid + \"::\" + assertion.sub"),
"attribute.tid": pulumi.String("assertion.tid"),
"attribute.managed_identity_name": pulumi.String(" {\n \"8bb39bdb-1cc5-4447-b7db-a19e920eb111\":\"workload1\",\n \"55d36609-9bcf-48e0-a366-a3cf19027d2a\":\"workload2\"\n }[assertion.oid]\n"),
},
Oidc: &iam.WorkloadIdentityPoolProviderOidcArgs{
AllowedAudiences: pulumi.StringArray{
pulumi.String("https://example.com/gcp-oidc-federation"),
pulumi.String("example.com/gcp-oidc-federation"),
},
IssuerUri: pulumi.String("https://sts.windows.net/azure-tenant-id"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
{
WorkloadIdentityPoolId = "example-pool",
});
var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
{
WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId = "example-prvdr",
DisplayName = "Name of provider",
Description = "OIDC identity pool provider for automated test",
Disabled = true,
AttributeCondition = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
AttributeMapping =
{
{ "google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub" },
{ "attribute.tid", "assertion.tid" },
{ "attribute.managed_identity_name", @" {
""8bb39bdb-1cc5-4447-b7db-a19e920eb111"":""workload1"",
""55d36609-9bcf-48e0-a366-a3cf19027d2a"":""workload2""
}[assertion.oid]
" },
},
Oidc = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
{
AllowedAudiences = new[]
{
"https://example.com/gcp-oidc-federation",
"example.com/gcp-oidc-federation",
},
IssuerUri = "https://sts.windows.net/azure-tenant-id",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
.workloadIdentityPoolId("example-pool")
.build());
var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
.workloadIdentityPoolId(pool.workloadIdentityPoolId())
.workloadIdentityPoolProviderId("example-prvdr")
.displayName("Name of provider")
.description("OIDC identity pool provider for automated test")
.disabled(true)
.attributeCondition("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups")
.attributeMapping(Map.ofEntries(
Map.entry("google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub"),
Map.entry("attribute.tid", "assertion.tid"),
Map.entry("attribute.managed_identity_name", """
{
"8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
"55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
}[assertion.oid]
""")
))
.oidc(WorkloadIdentityPoolProviderOidcArgs.builder()
.allowedAudiences(
"https://example.com/gcp-oidc-federation",
"example.com/gcp-oidc-federation")
.issuerUri("https://sts.windows.net/azure-tenant-id")
.build())
.build());
}
}
resources:
pool:
type: gcp:iam:WorkloadIdentityPool
properties:
workloadIdentityPoolId: example-pool
example:
type: gcp:iam:WorkloadIdentityPoolProvider
properties:
workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
workloadIdentityPoolProviderId: example-prvdr
displayName: Name of provider
description: OIDC identity pool provider for automated test
disabled: true
attributeCondition: '"e968c2ef-047c-498d-8d79-16ca1b61e77e" in assertion.groups'
attributeMapping:
google.subject: '"azure::" + assertion.tid + "::" + assertion.sub'
attribute.tid: assertion.tid
attribute.managed_identity_name: |2
{
"8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
"55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
}[assertion.oid]
oidc:
allowedAudiences:
- https://example.com/gcp-oidc-federation
- example.com/gcp-oidc-federation
issuerUri: https://sts.windows.net/azure-tenant-id
Iam Workload Identity Pool Provider Saml Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
workloadIdentityPoolId: pool.workloadIdentityPoolId,
workloadIdentityPoolProviderId: "example-prvdr",
attributeMapping: {
"google.subject": "assertion.arn",
"attribute.aws_account": "assertion.account",
"attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
},
saml: {
idpMetadataXml: std.file({
input: "test-fixtures/metadata.xml",
}).then(invoke => invoke.result),
},
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
workload_identity_pool_id=pool.workload_identity_pool_id,
workload_identity_pool_provider_id="example-prvdr",
attribute_mapping={
"google.subject": "assertion.arn",
"attribute.aws_account": "assertion.account",
"attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
},
saml={
"idp_metadata_xml": std.file(input="test-fixtures/metadata.xml").result,
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
WorkloadIdentityPoolId: pulumi.String("example-pool"),
})
if err != nil {
return err
}
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/metadata.xml",
}, nil)
if err != nil {
return err
}
_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
WorkloadIdentityPoolId: pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
AttributeMapping: pulumi.StringMap{
"google.subject": pulumi.String("assertion.arn"),
"attribute.aws_account": pulumi.String("assertion.account"),
"attribute.environment": pulumi.String("assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\""),
},
Saml: &iam.WorkloadIdentityPoolProviderSamlArgs{
IdpMetadataXml: pulumi.String(invokeFile.Result),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
{
WorkloadIdentityPoolId = "example-pool",
});
var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
{
WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId = "example-prvdr",
AttributeMapping =
{
{ "google.subject", "assertion.arn" },
{ "attribute.aws_account", "assertion.account" },
{ "attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"" },
},
Saml = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderSamlArgs
{
IdpMetadataXml = Std.File.Invoke(new()
{
Input = "test-fixtures/metadata.xml",
}).Apply(invoke => invoke.Result),
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderSamlArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
.workloadIdentityPoolId("example-pool")
.build());
var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
.workloadIdentityPoolId(pool.workloadIdentityPoolId())
.workloadIdentityPoolProviderId("example-prvdr")
.attributeMapping(Map.ofEntries(
Map.entry("google.subject", "assertion.arn"),
Map.entry("attribute.aws_account", "assertion.account"),
Map.entry("attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"")
))
.saml(WorkloadIdentityPoolProviderSamlArgs.builder()
.idpMetadataXml(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/metadata.xml")
.build()).result())
.build())
.build());
}
}
resources:
pool:
type: gcp:iam:WorkloadIdentityPool
properties:
workloadIdentityPoolId: example-pool
example:
type: gcp:iam:WorkloadIdentityPoolProvider
properties:
workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
workloadIdentityPoolProviderId: example-prvdr
attributeMapping:
google.subject: assertion.arn
attribute.aws_account: assertion.account
attribute.environment: 'assertion.arn.contains(":instance-profile/Production") ? "prod" : "test"'
saml:
idpMetadataXml:
fn::invoke:
Function: std:file
Arguments:
input: test-fixtures/metadata.xml
Return: result
Iam Workload Identity Pool Provider Saml Full
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
workloadIdentityPoolId: pool.workloadIdentityPoolId,
workloadIdentityPoolProviderId: "example-prvdr",
displayName: "Name of provider",
description: "SAML 2.0 identity pool provider for automated test",
disabled: true,
attributeMapping: {
"google.subject": "assertion.arn",
"attribute.aws_account": "assertion.account",
"attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
},
saml: {
idpMetadataXml: std.file({
input: "test-fixtures/metadata.xml",
}).then(invoke => invoke.result),
},
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
workload_identity_pool_id=pool.workload_identity_pool_id,
workload_identity_pool_provider_id="example-prvdr",
display_name="Name of provider",
description="SAML 2.0 identity pool provider for automated test",
disabled=True,
attribute_mapping={
"google.subject": "assertion.arn",
"attribute.aws_account": "assertion.account",
"attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
},
saml={
"idp_metadata_xml": std.file(input="test-fixtures/metadata.xml").result,
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
WorkloadIdentityPoolId: pulumi.String("example-pool"),
})
if err != nil {
return err
}
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/metadata.xml",
}, nil)
if err != nil {
return err
}
_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
WorkloadIdentityPoolId: pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
DisplayName: pulumi.String("Name of provider"),
Description: pulumi.String("SAML 2.0 identity pool provider for automated test"),
Disabled: pulumi.Bool(true),
AttributeMapping: pulumi.StringMap{
"google.subject": pulumi.String("assertion.arn"),
"attribute.aws_account": pulumi.String("assertion.account"),
"attribute.environment": pulumi.String("assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\""),
},
Saml: &iam.WorkloadIdentityPoolProviderSamlArgs{
IdpMetadataXml: pulumi.String(invokeFile.Result),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
{
WorkloadIdentityPoolId = "example-pool",
});
var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
{
WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId = "example-prvdr",
DisplayName = "Name of provider",
Description = "SAML 2.0 identity pool provider for automated test",
Disabled = true,
AttributeMapping =
{
{ "google.subject", "assertion.arn" },
{ "attribute.aws_account", "assertion.account" },
{ "attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"" },
},
Saml = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderSamlArgs
{
IdpMetadataXml = Std.File.Invoke(new()
{
Input = "test-fixtures/metadata.xml",
}).Apply(invoke => invoke.Result),
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderSamlArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
.workloadIdentityPoolId("example-pool")
.build());
var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
.workloadIdentityPoolId(pool.workloadIdentityPoolId())
.workloadIdentityPoolProviderId("example-prvdr")
.displayName("Name of provider")
.description("SAML 2.0 identity pool provider for automated test")
.disabled(true)
.attributeMapping(Map.ofEntries(
Map.entry("google.subject", "assertion.arn"),
Map.entry("attribute.aws_account", "assertion.account"),
Map.entry("attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"")
))
.saml(WorkloadIdentityPoolProviderSamlArgs.builder()
.idpMetadataXml(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/metadata.xml")
.build()).result())
.build())
.build());
}
}
resources:
pool:
type: gcp:iam:WorkloadIdentityPool
properties:
workloadIdentityPoolId: example-pool
example:
type: gcp:iam:WorkloadIdentityPoolProvider
properties:
workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
workloadIdentityPoolProviderId: example-prvdr
displayName: Name of provider
description: SAML 2.0 identity pool provider for automated test
disabled: true
attributeMapping:
google.subject: assertion.arn
attribute.aws_account: assertion.account
attribute.environment: 'assertion.arn.contains(":instance-profile/Production") ? "prod" : "test"'
saml:
idpMetadataXml:
fn::invoke:
Function: std:file
Arguments:
input: test-fixtures/metadata.xml
Return: result
Iam Workload Identity Pool Provider Oidc Upload Key
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
workloadIdentityPoolId: pool.workloadIdentityPoolId,
workloadIdentityPoolProviderId: "example-prvdr",
displayName: "Name of provider",
description: "OIDC identity pool provider for automated test",
disabled: true,
attributeCondition: "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
attributeMapping: {
"google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
"attribute.tid": "assertion.tid",
"attribute.managed_identity_name": ` {
"8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
"55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
}[assertion.oid]
`,
},
oidc: {
allowedAudiences: [
"https://example.com/gcp-oidc-federation",
"example.com/gcp-oidc-federation",
],
issuerUri: "https://sts.windows.net/azure-tenant-id",
jwksJson: "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}",
},
});
import pulumi
import pulumi_gcp as gcp
pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
workload_identity_pool_id=pool.workload_identity_pool_id,
workload_identity_pool_provider_id="example-prvdr",
display_name="Name of provider",
description="OIDC identity pool provider for automated test",
disabled=True,
attribute_condition="\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
attribute_mapping={
"google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
"attribute.tid": "assertion.tid",
"attribute.managed_identity_name": """ {
"8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
"55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
}[assertion.oid]
""",
},
oidc={
"allowed_audiences": [
"https://example.com/gcp-oidc-federation",
"example.com/gcp-oidc-federation",
],
"issuer_uri": "https://sts.windows.net/azure-tenant-id",
"jwks_json": "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
WorkloadIdentityPoolId: pulumi.String("example-pool"),
})
if err != nil {
return err
}
_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
WorkloadIdentityPoolId: pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
DisplayName: pulumi.String("Name of provider"),
Description: pulumi.String("OIDC identity pool provider for automated test"),
Disabled: pulumi.Bool(true),
AttributeCondition: pulumi.String("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"),
AttributeMapping: pulumi.StringMap{
"google.subject": pulumi.String("\"azure::\" + assertion.tid + \"::\" + assertion.sub"),
"attribute.tid": pulumi.String("assertion.tid"),
"attribute.managed_identity_name": pulumi.String(" {\n \"8bb39bdb-1cc5-4447-b7db-a19e920eb111\":\"workload1\",\n \"55d36609-9bcf-48e0-a366-a3cf19027d2a\":\"workload2\"\n }[assertion.oid]\n"),
},
Oidc: &iam.WorkloadIdentityPoolProviderOidcArgs{
AllowedAudiences: pulumi.StringArray{
pulumi.String("https://example.com/gcp-oidc-federation"),
pulumi.String("example.com/gcp-oidc-federation"),
},
IssuerUri: pulumi.String("https://sts.windows.net/azure-tenant-id"),
JwksJson: pulumi.String("{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
{
WorkloadIdentityPoolId = "example-pool",
});
var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
{
WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId = "example-prvdr",
DisplayName = "Name of provider",
Description = "OIDC identity pool provider for automated test",
Disabled = true,
AttributeCondition = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
AttributeMapping =
{
{ "google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub" },
{ "attribute.tid", "assertion.tid" },
{ "attribute.managed_identity_name", @" {
""8bb39bdb-1cc5-4447-b7db-a19e920eb111"":""workload1"",
""55d36609-9bcf-48e0-a366-a3cf19027d2a"":""workload2""
}[assertion.oid]
" },
},
Oidc = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
{
AllowedAudiences = new[]
{
"https://example.com/gcp-oidc-federation",
"example.com/gcp-oidc-federation",
},
IssuerUri = "https://sts.windows.net/azure-tenant-id",
JwksJson = "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
.workloadIdentityPoolId("example-pool")
.build());
var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
.workloadIdentityPoolId(pool.workloadIdentityPoolId())
.workloadIdentityPoolProviderId("example-prvdr")
.displayName("Name of provider")
.description("OIDC identity pool provider for automated test")
.disabled(true)
.attributeCondition("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups")
.attributeMapping(Map.ofEntries(
Map.entry("google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub"),
Map.entry("attribute.tid", "assertion.tid"),
Map.entry("attribute.managed_identity_name", """
{
"8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
"55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
}[assertion.oid]
""")
))
.oidc(WorkloadIdentityPoolProviderOidcArgs.builder()
.allowedAudiences(
"https://example.com/gcp-oidc-federation",
"example.com/gcp-oidc-federation")
.issuerUri("https://sts.windows.net/azure-tenant-id")
.jwksJson("{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}")
.build())
.build());
}
}
resources:
pool:
type: gcp:iam:WorkloadIdentityPool
properties:
workloadIdentityPoolId: example-pool
example:
type: gcp:iam:WorkloadIdentityPoolProvider
properties:
workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
workloadIdentityPoolProviderId: example-prvdr
displayName: Name of provider
description: OIDC identity pool provider for automated test
disabled: true
attributeCondition: '"e968c2ef-047c-498d-8d79-16ca1b61e77e" in assertion.groups'
attributeMapping:
google.subject: '"azure::" + assertion.tid + "::" + assertion.sub'
attribute.tid: assertion.tid
attribute.managed_identity_name: |2
{
"8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
"55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
}[assertion.oid]
oidc:
allowedAudiences:
- https://example.com/gcp-oidc-federation
- example.com/gcp-oidc-federation
issuerUri: https://sts.windows.net/azure-tenant-id
jwksJson: '{"keys":[{"kty":"RSA","alg":"RS256","kid":"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA","use":"sig","e":"AQAB","n":"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw"}]}'
Iam Workload Identity Pool Provider X509 Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
workloadIdentityPoolId: pool.workloadIdentityPoolId,
workloadIdentityPoolProviderId: "example-prvdr",
attributeMapping: {
"google.subject": "assertion.subject.dn.cn",
},
x509: {
trustStore: {
trustAnchors: [{
pemCertificate: std.file({
input: "test-fixtures/trust_anchor.pem",
}).then(invoke => invoke.result),
}],
},
},
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
workload_identity_pool_id=pool.workload_identity_pool_id,
workload_identity_pool_provider_id="example-prvdr",
attribute_mapping={
"google.subject": "assertion.subject.dn.cn",
},
x509={
"trust_store": {
"trust_anchors": [{
"pem_certificate": std.file(input="test-fixtures/trust_anchor.pem").result,
}],
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
WorkloadIdentityPoolId: pulumi.String("example-pool"),
})
if err != nil {
return err
}
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/trust_anchor.pem",
}, nil)
if err != nil {
return err
}
_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
WorkloadIdentityPoolId: pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
AttributeMapping: pulumi.StringMap{
"google.subject": pulumi.String("assertion.subject.dn.cn"),
},
X509: &iam.WorkloadIdentityPoolProviderX509Args{
TrustStore: &iam.WorkloadIdentityPoolProviderX509TrustStoreArgs{
TrustAnchors: iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArray{
&iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs{
PemCertificate: pulumi.String(invokeFile.Result),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
{
WorkloadIdentityPoolId = "example-pool",
});
var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
{
WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId = "example-prvdr",
AttributeMapping =
{
{ "google.subject", "assertion.subject.dn.cn" },
},
X509 = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509Args
{
TrustStore = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreArgs
{
TrustAnchors = new[]
{
new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs
{
PemCertificate = Std.File.Invoke(new()
{
Input = "test-fixtures/trust_anchor.pem",
}).Apply(invoke => invoke.Result),
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderX509Args;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderX509TrustStoreArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
.workloadIdentityPoolId("example-pool")
.build());
var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
.workloadIdentityPoolId(pool.workloadIdentityPoolId())
.workloadIdentityPoolProviderId("example-prvdr")
.attributeMapping(Map.of("google.subject", "assertion.subject.dn.cn"))
.x509(WorkloadIdentityPoolProviderX509Args.builder()
.trustStore(WorkloadIdentityPoolProviderX509TrustStoreArgs.builder()
.trustAnchors(WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs.builder()
.pemCertificate(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/trust_anchor.pem")
.build()).result())
.build())
.build())
.build())
.build());
}
}
resources:
pool:
type: gcp:iam:WorkloadIdentityPool
properties:
workloadIdentityPoolId: example-pool
example:
type: gcp:iam:WorkloadIdentityPoolProvider
properties:
workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
workloadIdentityPoolProviderId: example-prvdr
attributeMapping:
google.subject: assertion.subject.dn.cn
x509:
trustStore:
trustAnchors:
- pemCertificate:
fn::invoke:
Function: std:file
Arguments:
input: test-fixtures/trust_anchor.pem
Return: result
Iam Workload Identity Pool Provider X509 Full
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
workloadIdentityPoolId: pool.workloadIdentityPoolId,
workloadIdentityPoolProviderId: "example-prvdr",
displayName: "Name of provider",
description: "X.509 identity pool provider for automated test",
disabled: true,
attributeMapping: {
"google.subject": "assertion.subject.dn.cn",
},
x509: {
trustStore: {
trustAnchors: [{
pemCertificate: std.file({
input: "test-fixtures/trust_anchor.pem",
}).then(invoke => invoke.result),
}],
intermediateCas: [{
pemCertificate: std.file({
input: "test-fixtures/intermediate_ca.pem",
}).then(invoke => invoke.result),
}],
},
},
});
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
workload_identity_pool_id=pool.workload_identity_pool_id,
workload_identity_pool_provider_id="example-prvdr",
display_name="Name of provider",
description="X.509 identity pool provider for automated test",
disabled=True,
attribute_mapping={
"google.subject": "assertion.subject.dn.cn",
},
x509={
"trust_store": {
"trust_anchors": [{
"pem_certificate": std.file(input="test-fixtures/trust_anchor.pem").result,
}],
"intermediate_cas": [{
"pem_certificate": std.file(input="test-fixtures/intermediate_ca.pem").result,
}],
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
WorkloadIdentityPoolId: pulumi.String("example-pool"),
})
if err != nil {
return err
}
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/trust_anchor.pem",
}, nil)
if err != nil {
return err
}
invokeFile1, err := std.File(ctx, &std.FileArgs{
Input: "test-fixtures/intermediate_ca.pem",
}, nil)
if err != nil {
return err
}
_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
WorkloadIdentityPoolId: pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
DisplayName: pulumi.String("Name of provider"),
Description: pulumi.String("X.509 identity pool provider for automated test"),
Disabled: pulumi.Bool(true),
AttributeMapping: pulumi.StringMap{
"google.subject": pulumi.String("assertion.subject.dn.cn"),
},
X509: &iam.WorkloadIdentityPoolProviderX509Args{
TrustStore: &iam.WorkloadIdentityPoolProviderX509TrustStoreArgs{
TrustAnchors: iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArray{
&iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs{
PemCertificate: pulumi.String(invokeFile.Result),
},
},
IntermediateCas: iam.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArray{
&iam.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs{
PemCertificate: pulumi.String(invokeFile1.Result),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
{
WorkloadIdentityPoolId = "example-pool",
});
var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
{
WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
WorkloadIdentityPoolProviderId = "example-prvdr",
DisplayName = "Name of provider",
Description = "X.509 identity pool provider for automated test",
Disabled = true,
AttributeMapping =
{
{ "google.subject", "assertion.subject.dn.cn" },
},
X509 = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509Args
{
TrustStore = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreArgs
{
TrustAnchors = new[]
{
new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs
{
PemCertificate = Std.File.Invoke(new()
{
Input = "test-fixtures/trust_anchor.pem",
}).Apply(invoke => invoke.Result),
},
},
IntermediateCas = new[]
{
new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs
{
PemCertificate = Std.File.Invoke(new()
{
Input = "test-fixtures/intermediate_ca.pem",
}).Apply(invoke => invoke.Result),
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderX509Args;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderX509TrustStoreArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
.workloadIdentityPoolId("example-pool")
.build());
var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
.workloadIdentityPoolId(pool.workloadIdentityPoolId())
.workloadIdentityPoolProviderId("example-prvdr")
.displayName("Name of provider")
.description("X.509 identity pool provider for automated test")
.disabled(true)
.attributeMapping(Map.of("google.subject", "assertion.subject.dn.cn"))
.x509(WorkloadIdentityPoolProviderX509Args.builder()
.trustStore(WorkloadIdentityPoolProviderX509TrustStoreArgs.builder()
.trustAnchors(WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs.builder()
.pemCertificate(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/trust_anchor.pem")
.build()).result())
.build())
.intermediateCas(WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs.builder()
.pemCertificate(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/intermediate_ca.pem")
.build()).result())
.build())
.build())
.build())
.build());
}
}
resources:
pool:
type: gcp:iam:WorkloadIdentityPool
properties:
workloadIdentityPoolId: example-pool
example:
type: gcp:iam:WorkloadIdentityPoolProvider
properties:
workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
workloadIdentityPoolProviderId: example-prvdr
displayName: Name of provider
description: X.509 identity pool provider for automated test
disabled: true
attributeMapping:
google.subject: assertion.subject.dn.cn
x509:
trustStore:
trustAnchors:
- pemCertificate:
fn::invoke:
Function: std:file
Arguments:
input: test-fixtures/trust_anchor.pem
Return: result
intermediateCas:
- pemCertificate:
fn::invoke:
Function: std:file
Arguments:
input: test-fixtures/intermediate_ca.pem
Return: result
Create WorkloadIdentityPoolProvider Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new WorkloadIdentityPoolProvider(name: string, args: WorkloadIdentityPoolProviderArgs, opts?: CustomResourceOptions);
@overload
def WorkloadIdentityPoolProvider(resource_name: str,
args: WorkloadIdentityPoolProviderArgs,
opts: Optional[ResourceOptions] = None)
@overload
def WorkloadIdentityPoolProvider(resource_name: str,
opts: Optional[ResourceOptions] = None,
workload_identity_pool_id: Optional[str] = None,
workload_identity_pool_provider_id: Optional[str] = None,
attribute_condition: Optional[str] = None,
attribute_mapping: Optional[Mapping[str, str]] = None,
aws: Optional[WorkloadIdentityPoolProviderAwsArgs] = None,
description: Optional[str] = None,
disabled: Optional[bool] = None,
display_name: Optional[str] = None,
oidc: Optional[WorkloadIdentityPoolProviderOidcArgs] = None,
project: Optional[str] = None,
saml: Optional[WorkloadIdentityPoolProviderSamlArgs] = None,
x509: Optional[WorkloadIdentityPoolProviderX509Args] = None)
func NewWorkloadIdentityPoolProvider(ctx *Context, name string, args WorkloadIdentityPoolProviderArgs, opts ...ResourceOption) (*WorkloadIdentityPoolProvider, error)
public WorkloadIdentityPoolProvider(string name, WorkloadIdentityPoolProviderArgs args, CustomResourceOptions? opts = null)
public WorkloadIdentityPoolProvider(String name, WorkloadIdentityPoolProviderArgs args)
public WorkloadIdentityPoolProvider(String name, WorkloadIdentityPoolProviderArgs args, CustomResourceOptions options)
type: gcp:iam:WorkloadIdentityPoolProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args WorkloadIdentityPoolProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args WorkloadIdentityPoolProviderArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args WorkloadIdentityPoolProviderArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args WorkloadIdentityPoolProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args WorkloadIdentityPoolProviderArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var workloadIdentityPoolProviderResource = new Gcp.Iam.WorkloadIdentityPoolProvider("workloadIdentityPoolProviderResource", new()
{
WorkloadIdentityPoolId = "string",
WorkloadIdentityPoolProviderId = "string",
AttributeCondition = "string",
AttributeMapping =
{
{ "string", "string" },
},
Aws = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderAwsArgs
{
AccountId = "string",
},
Description = "string",
Disabled = false,
DisplayName = "string",
Oidc = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
{
IssuerUri = "string",
AllowedAudiences = new[]
{
"string",
},
JwksJson = "string",
},
Project = "string",
Saml = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderSamlArgs
{
IdpMetadataXml = "string",
},
X509 = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509Args
{
TrustStore = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreArgs
{
TrustAnchors = new[]
{
new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs
{
PemCertificate = "string",
},
},
IntermediateCas = new[]
{
new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs
{
PemCertificate = "string",
},
},
},
},
});
example, err := iam.NewWorkloadIdentityPoolProvider(ctx, "workloadIdentityPoolProviderResource", &iam.WorkloadIdentityPoolProviderArgs{
WorkloadIdentityPoolId: pulumi.String("string"),
WorkloadIdentityPoolProviderId: pulumi.String("string"),
AttributeCondition: pulumi.String("string"),
AttributeMapping: pulumi.StringMap{
"string": pulumi.String("string"),
},
Aws: &iam.WorkloadIdentityPoolProviderAwsArgs{
AccountId: pulumi.String("string"),
},
Description: pulumi.String("string"),
Disabled: pulumi.Bool(false),
DisplayName: pulumi.String("string"),
Oidc: &iam.WorkloadIdentityPoolProviderOidcArgs{
IssuerUri: pulumi.String("string"),
AllowedAudiences: pulumi.StringArray{
pulumi.String("string"),
},
JwksJson: pulumi.String("string"),
},
Project: pulumi.String("string"),
Saml: &iam.WorkloadIdentityPoolProviderSamlArgs{
IdpMetadataXml: pulumi.String("string"),
},
X509: &iam.WorkloadIdentityPoolProviderX509Args{
TrustStore: &iam.WorkloadIdentityPoolProviderX509TrustStoreArgs{
TrustAnchors: iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArray{
&iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs{
PemCertificate: pulumi.String("string"),
},
},
IntermediateCas: iam.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArray{
&iam.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs{
PemCertificate: pulumi.String("string"),
},
},
},
},
})
var workloadIdentityPoolProviderResource = new WorkloadIdentityPoolProvider("workloadIdentityPoolProviderResource", WorkloadIdentityPoolProviderArgs.builder()
.workloadIdentityPoolId("string")
.workloadIdentityPoolProviderId("string")
.attributeCondition("string")
.attributeMapping(Map.of("string", "string"))
.aws(WorkloadIdentityPoolProviderAwsArgs.builder()
.accountId("string")
.build())
.description("string")
.disabled(false)
.displayName("string")
.oidc(WorkloadIdentityPoolProviderOidcArgs.builder()
.issuerUri("string")
.allowedAudiences("string")
.jwksJson("string")
.build())
.project("string")
.saml(WorkloadIdentityPoolProviderSamlArgs.builder()
.idpMetadataXml("string")
.build())
.x509(WorkloadIdentityPoolProviderX509Args.builder()
.trustStore(WorkloadIdentityPoolProviderX509TrustStoreArgs.builder()
.trustAnchors(WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs.builder()
.pemCertificate("string")
.build())
.intermediateCas(WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs.builder()
.pemCertificate("string")
.build())
.build())
.build())
.build());
workload_identity_pool_provider_resource = gcp.iam.WorkloadIdentityPoolProvider("workloadIdentityPoolProviderResource",
workload_identity_pool_id="string",
workload_identity_pool_provider_id="string",
attribute_condition="string",
attribute_mapping={
"string": "string",
},
aws={
"account_id": "string",
},
description="string",
disabled=False,
display_name="string",
oidc={
"issuer_uri": "string",
"allowed_audiences": ["string"],
"jwks_json": "string",
},
project="string",
saml={
"idp_metadata_xml": "string",
},
x509={
"trust_store": {
"trust_anchors": [{
"pem_certificate": "string",
}],
"intermediate_cas": [{
"pem_certificate": "string",
}],
},
})
const workloadIdentityPoolProviderResource = new gcp.iam.WorkloadIdentityPoolProvider("workloadIdentityPoolProviderResource", {
workloadIdentityPoolId: "string",
workloadIdentityPoolProviderId: "string",
attributeCondition: "string",
attributeMapping: {
string: "string",
},
aws: {
accountId: "string",
},
description: "string",
disabled: false,
displayName: "string",
oidc: {
issuerUri: "string",
allowedAudiences: ["string"],
jwksJson: "string",
},
project: "string",
saml: {
idpMetadataXml: "string",
},
x509: {
trustStore: {
trustAnchors: [{
pemCertificate: "string",
}],
intermediateCas: [{
pemCertificate: "string",
}],
},
},
});
type: gcp:iam:WorkloadIdentityPoolProvider
properties:
attributeCondition: string
attributeMapping:
string: string
aws:
accountId: string
description: string
disabled: false
displayName: string
oidc:
allowedAudiences:
- string
issuerUri: string
jwksJson: string
project: string
saml:
idpMetadataXml: string
workloadIdentityPoolId: string
workloadIdentityPoolProviderId: string
x509:
trustStore:
intermediateCas:
- pemCertificate: string
trustAnchors:
- pemCertificate: string
WorkloadIdentityPoolProvider Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The WorkloadIdentityPoolProvider resource accepts the following input properties:
- Workload
Identity stringPool Id - The ID used for the pool, which is the final component of the pool resource name. This
value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - Workload
Identity stringPool Provider Id - The ID for the provider, which becomes the final component of the resource name. This
value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - Attribute
Condition string - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- Attribute
Mapping Dictionary<string, string> - Maps attributes from authentication credentials issued by an external identity provider
to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.google.groups
: Groups the external identity belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where{custom_attribute}
is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
- If no attribute mapping is defined, the following default mapping applies:
{ "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " : assertion.arn", }
- If any custom attribute mappings are defined, they must include a mapping to the
google.subject
attribute. For OIDC providers, the following rules apply: - Custom attribute mappings must be defined, and must include a mapping to the
google.subject
attribute. For example, the following maps thesub
claim of the incoming credential to thesubject
attribute on a Google token.
{"google.subject": "assertion.sub"}
- Aws
Workload
Identity Pool Provider Aws - An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
- Description string
- A description for the provider. Cannot exceed 256 characters.
- Disabled bool
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- Display
Name string - A display name for the provider. Cannot exceed 32 characters.
- Oidc
Workload
Identity Pool Provider Oidc - An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Saml
Workload
Identity Pool Provider Saml - An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
- X509
Workload
Identity Pool Provider X509 - An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
- Workload
Identity stringPool Id - The ID used for the pool, which is the final component of the pool resource name. This
value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - Workload
Identity stringPool Provider Id - The ID for the provider, which becomes the final component of the resource name. This
value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - Attribute
Condition string - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- Attribute
Mapping map[string]string - Maps attributes from authentication credentials issued by an external identity provider
to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.google.groups
: Groups the external identity belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where{custom_attribute}
is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
- If no attribute mapping is defined, the following default mapping applies:
{ "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " : assertion.arn", }
- If any custom attribute mappings are defined, they must include a mapping to the
google.subject
attribute. For OIDC providers, the following rules apply: - Custom attribute mappings must be defined, and must include a mapping to the
google.subject
attribute. For example, the following maps thesub
claim of the incoming credential to thesubject
attribute on a Google token.
{"google.subject": "assertion.sub"}
- Aws
Workload
Identity Pool Provider Aws Args - An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
- Description string
- A description for the provider. Cannot exceed 256 characters.
- Disabled bool
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- Display
Name string - A display name for the provider. Cannot exceed 32 characters.
- Oidc
Workload
Identity Pool Provider Oidc Args - An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Saml
Workload
Identity Pool Provider Saml Args - An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
- X509
Workload
Identity Pool Provider X509Args - An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
- workload
Identity StringPool Id - The ID used for the pool, which is the final component of the pool resource name. This
value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - workload
Identity StringPool Provider Id - The ID for the provider, which becomes the final component of the resource name. This
value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - attribute
Condition String - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- attribute
Mapping Map<String,String> - Maps attributes from authentication credentials issued by an external identity provider
to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.google.groups
: Groups the external identity belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where{custom_attribute}
is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
- If no attribute mapping is defined, the following default mapping applies:
{ "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " : assertion.arn", }
- If any custom attribute mappings are defined, they must include a mapping to the
google.subject
attribute. For OIDC providers, the following rules apply: - Custom attribute mappings must be defined, and must include a mapping to the
google.subject
attribute. For example, the following maps thesub
claim of the incoming credential to thesubject
attribute on a Google token.
{"google.subject": "assertion.sub"}
- aws
Workload
Identity Pool Provider Aws - An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
- description String
- A description for the provider. Cannot exceed 256 characters.
- disabled Boolean
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- display
Name String - A display name for the provider. Cannot exceed 32 characters.
- oidc
Workload
Identity Pool Provider Oidc - An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- saml
Workload
Identity Pool Provider Saml - An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
- x509
Workload
Identity Pool Provider X509 - An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
- workload
Identity stringPool Id - The ID used for the pool, which is the final component of the pool resource name. This
value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - workload
Identity stringPool Provider Id - The ID for the provider, which becomes the final component of the resource name. This
value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - attribute
Condition string - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- attribute
Mapping {[key: string]: string} - Maps attributes from authentication credentials issued by an external identity provider
to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.google.groups
: Groups the external identity belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where{custom_attribute}
is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
- If no attribute mapping is defined, the following default mapping applies:
{ "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " : assertion.arn", }
- If any custom attribute mappings are defined, they must include a mapping to the
google.subject
attribute. For OIDC providers, the following rules apply: - Custom attribute mappings must be defined, and must include a mapping to the
google.subject
attribute. For example, the following maps thesub
claim of the incoming credential to thesubject
attribute on a Google token.
{"google.subject": "assertion.sub"}
- aws
Workload
Identity Pool Provider Aws - An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
- description string
- A description for the provider. Cannot exceed 256 characters.
- disabled boolean
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- display
Name string - A display name for the provider. Cannot exceed 32 characters.
- oidc
Workload
Identity Pool Provider Oidc - An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
- project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- saml
Workload
Identity Pool Provider Saml - An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
- x509
Workload
Identity Pool Provider X509 - An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
- workload_
identity_ strpool_ id - The ID used for the pool, which is the final component of the pool resource name. This
value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - workload_
identity_ strpool_ provider_ id - The ID for the provider, which becomes the final component of the resource name. This
value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - attribute_
condition str - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- attribute_
mapping Mapping[str, str] - Maps attributes from authentication credentials issued by an external identity provider
to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.google.groups
: Groups the external identity belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where{custom_attribute}
is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
- If no attribute mapping is defined, the following default mapping applies:
{ "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " : assertion.arn", }
- If any custom attribute mappings are defined, they must include a mapping to the
google.subject
attribute. For OIDC providers, the following rules apply: - Custom attribute mappings must be defined, and must include a mapping to the
google.subject
attribute. For example, the following maps thesub
claim of the incoming credential to thesubject
attribute on a Google token.
{"google.subject": "assertion.sub"}
- aws
Workload
Identity Pool Provider Aws Args - An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
- description str
- A description for the provider. Cannot exceed 256 characters.
- disabled bool
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- display_
name str - A display name for the provider. Cannot exceed 32 characters.
- oidc
Workload
Identity Pool Provider Oidc Args - An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
- project str
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- saml
Workload
Identity Pool Provider Saml Args - An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
- x509
Workload
Identity Pool Provider X509Args - An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
- workload
Identity StringPool Id - The ID used for the pool, which is the final component of the pool resource name. This
value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - workload
Identity StringPool Provider Id - The ID for the provider, which becomes the final component of the resource name. This
value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - attribute
Condition String - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- attribute
Mapping Map<String> - Maps attributes from authentication credentials issued by an external identity provider
to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.google.groups
: Groups the external identity belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where{custom_attribute}
is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
- If no attribute mapping is defined, the following default mapping applies:
{ "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " : assertion.arn", }
- If any custom attribute mappings are defined, they must include a mapping to the
google.subject
attribute. For OIDC providers, the following rules apply: - Custom attribute mappings must be defined, and must include a mapping to the
google.subject
attribute. For example, the following maps thesub
claim of the incoming credential to thesubject
attribute on a Google token.
{"google.subject": "assertion.sub"}
- aws Property Map
- An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
- description String
- A description for the provider. Cannot exceed 256 characters.
- disabled Boolean
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- display
Name String - A display name for the provider. Cannot exceed 32 characters.
- oidc Property Map
- An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- saml Property Map
- An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
- x509 Property Map
- An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
Outputs
All input properties are implicitly available as output properties. Additionally, the WorkloadIdentityPoolProvider resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The resource name of the provider as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}
. - State string
- The state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active, and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The resource name of the provider as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}
. - State string
- The state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active, and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- The resource name of the provider as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}
. - state String
- The state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active, and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
- id string
- The provider-assigned unique ID for this managed resource.
- name string
- The resource name of the provider as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}
. - state string
- The state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active, and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
- id str
- The provider-assigned unique ID for this managed resource.
- name str
- The resource name of the provider as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}
. - state str
- The state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active, and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- The resource name of the provider as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}
. - state String
- The state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active, and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
Look up Existing WorkloadIdentityPoolProvider Resource
Get an existing WorkloadIdentityPoolProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: WorkloadIdentityPoolProviderState, opts?: CustomResourceOptions): WorkloadIdentityPoolProvider
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
attribute_condition: Optional[str] = None,
attribute_mapping: Optional[Mapping[str, str]] = None,
aws: Optional[WorkloadIdentityPoolProviderAwsArgs] = None,
description: Optional[str] = None,
disabled: Optional[bool] = None,
display_name: Optional[str] = None,
name: Optional[str] = None,
oidc: Optional[WorkloadIdentityPoolProviderOidcArgs] = None,
project: Optional[str] = None,
saml: Optional[WorkloadIdentityPoolProviderSamlArgs] = None,
state: Optional[str] = None,
workload_identity_pool_id: Optional[str] = None,
workload_identity_pool_provider_id: Optional[str] = None,
x509: Optional[WorkloadIdentityPoolProviderX509Args] = None) -> WorkloadIdentityPoolProvider
func GetWorkloadIdentityPoolProvider(ctx *Context, name string, id IDInput, state *WorkloadIdentityPoolProviderState, opts ...ResourceOption) (*WorkloadIdentityPoolProvider, error)
public static WorkloadIdentityPoolProvider Get(string name, Input<string> id, WorkloadIdentityPoolProviderState? state, CustomResourceOptions? opts = null)
public static WorkloadIdentityPoolProvider get(String name, Output<String> id, WorkloadIdentityPoolProviderState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Attribute
Condition string - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- Attribute
Mapping Dictionary<string, string> - Maps attributes from authentication credentials issued by an external identity provider
to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.google.groups
: Groups the external identity belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where{custom_attribute}
is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
- If no attribute mapping is defined, the following default mapping applies:
{ "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " : assertion.arn", }
- If any custom attribute mappings are defined, they must include a mapping to the
google.subject
attribute. For OIDC providers, the following rules apply: - Custom attribute mappings must be defined, and must include a mapping to the
google.subject
attribute. For example, the following maps thesub
claim of the incoming credential to thesubject
attribute on a Google token.
{"google.subject": "assertion.sub"}
- Aws
Workload
Identity Pool Provider Aws - An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
- Description string
- A description for the provider. Cannot exceed 256 characters.
- Disabled bool
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- Display
Name string - A display name for the provider. Cannot exceed 32 characters.
- Name string
- The resource name of the provider as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}
. - Oidc
Workload
Identity Pool Provider Oidc - An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Saml
Workload
Identity Pool Provider Saml - An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
- State string
- The state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active, and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
- Workload
Identity stringPool Id - The ID used for the pool, which is the final component of the pool resource name. This
value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - Workload
Identity stringPool Provider Id - The ID for the provider, which becomes the final component of the resource name. This
value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - X509
Workload
Identity Pool Provider X509 - An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
- Attribute
Condition string - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- Attribute
Mapping map[string]string - Maps attributes from authentication credentials issued by an external identity provider
to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.google.groups
: Groups the external identity belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where{custom_attribute}
is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
- If no attribute mapping is defined, the following default mapping applies:
{ "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " : assertion.arn", }
- If any custom attribute mappings are defined, they must include a mapping to the
google.subject
attribute. For OIDC providers, the following rules apply: - Custom attribute mappings must be defined, and must include a mapping to the
google.subject
attribute. For example, the following maps thesub
claim of the incoming credential to thesubject
attribute on a Google token.
{"google.subject": "assertion.sub"}
- Aws
Workload
Identity Pool Provider Aws Args - An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
- Description string
- A description for the provider. Cannot exceed 256 characters.
- Disabled bool
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- Display
Name string - A display name for the provider. Cannot exceed 32 characters.
- Name string
- The resource name of the provider as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}
. - Oidc
Workload
Identity Pool Provider Oidc Args - An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Saml
Workload
Identity Pool Provider Saml Args - An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
- State string
- The state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active, and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
- Workload
Identity stringPool Id - The ID used for the pool, which is the final component of the pool resource name. This
value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - Workload
Identity stringPool Provider Id - The ID for the provider, which becomes the final component of the resource name. This
value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - X509
Workload
Identity Pool Provider X509Args - An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
- attribute
Condition String - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- attribute
Mapping Map<String,String> - Maps attributes from authentication credentials issued by an external identity provider
to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.google.groups
: Groups the external identity belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where{custom_attribute}
is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
- If no attribute mapping is defined, the following default mapping applies:
{ "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " : assertion.arn", }
- If any custom attribute mappings are defined, they must include a mapping to the
google.subject
attribute. For OIDC providers, the following rules apply: - Custom attribute mappings must be defined, and must include a mapping to the
google.subject
attribute. For example, the following maps thesub
claim of the incoming credential to thesubject
attribute on a Google token.
{"google.subject": "assertion.sub"}
- aws
Workload
Identity Pool Provider Aws - An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
- description String
- A description for the provider. Cannot exceed 256 characters.
- disabled Boolean
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- display
Name String - A display name for the provider. Cannot exceed 32 characters.
- name String
- The resource name of the provider as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}
. - oidc
Workload
Identity Pool Provider Oidc - An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- saml
Workload
Identity Pool Provider Saml - An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
- state String
- The state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active, and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
- workload
Identity StringPool Id - The ID used for the pool, which is the final component of the pool resource name. This
value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - workload
Identity StringPool Provider Id - The ID for the provider, which becomes the final component of the resource name. This
value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - x509
Workload
Identity Pool Provider X509 - An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
- attribute
Condition string - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- attribute
Mapping {[key: string]: string} - Maps attributes from authentication credentials issued by an external identity provider
to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.google.groups
: Groups the external identity belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where{custom_attribute}
is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
- If no attribute mapping is defined, the following default mapping applies:
{ "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " : assertion.arn", }
- If any custom attribute mappings are defined, they must include a mapping to the
google.subject
attribute. For OIDC providers, the following rules apply: - Custom attribute mappings must be defined, and must include a mapping to the
google.subject
attribute. For example, the following maps thesub
claim of the incoming credential to thesubject
attribute on a Google token.
{"google.subject": "assertion.sub"}
- aws
Workload
Identity Pool Provider Aws - An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
- description string
- A description for the provider. Cannot exceed 256 characters.
- disabled boolean
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- display
Name string - A display name for the provider. Cannot exceed 32 characters.
- name string
- The resource name of the provider as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}
. - oidc
Workload
Identity Pool Provider Oidc - An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
- project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- saml
Workload
Identity Pool Provider Saml - An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
- state string
- The state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active, and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
- workload
Identity stringPool Id - The ID used for the pool, which is the final component of the pool resource name. This
value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - workload
Identity stringPool Provider Id - The ID for the provider, which becomes the final component of the resource name. This
value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - x509
Workload
Identity Pool Provider X509 - An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
- attribute_
condition str - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- attribute_
mapping Mapping[str, str] - Maps attributes from authentication credentials issued by an external identity provider
to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.google.groups
: Groups the external identity belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where{custom_attribute}
is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
- If no attribute mapping is defined, the following default mapping applies:
{ "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " : assertion.arn", }
- If any custom attribute mappings are defined, they must include a mapping to the
google.subject
attribute. For OIDC providers, the following rules apply: - Custom attribute mappings must be defined, and must include a mapping to the
google.subject
attribute. For example, the following maps thesub
claim of the incoming credential to thesubject
attribute on a Google token.
{"google.subject": "assertion.sub"}
- aws
Workload
Identity Pool Provider Aws Args - An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
- description str
- A description for the provider. Cannot exceed 256 characters.
- disabled bool
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- display_
name str - A display name for the provider. Cannot exceed 32 characters.
- name str
- The resource name of the provider as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}
. - oidc
Workload
Identity Pool Provider Oidc Args - An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
- project str
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- saml
Workload
Identity Pool Provider Saml Args - An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
- state str
- The state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active, and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
- workload_
identity_ strpool_ id - The ID used for the pool, which is the final component of the pool resource name. This
value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - workload_
identity_ strpool_ provider_ id - The ID for the provider, which becomes the final component of the resource name. This
value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - x509
Workload
Identity Pool Provider X509Args - An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
- attribute
Condition String - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- attribute
Mapping Map<String> - Maps attributes from authentication credentials issued by an external identity provider
to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.google.groups
: Groups the external identity belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where{custom_attribute}
is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
- If no attribute mapping is defined, the following default mapping applies:
{ "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " : assertion.arn", }
- If any custom attribute mappings are defined, they must include a mapping to the
google.subject
attribute. For OIDC providers, the following rules apply: - Custom attribute mappings must be defined, and must include a mapping to the
google.subject
attribute. For example, the following maps thesub
claim of the incoming credential to thesubject
attribute on a Google token.
{"google.subject": "assertion.sub"}
- aws Property Map
- An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
- description String
- A description for the provider. Cannot exceed 256 characters.
- disabled Boolean
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- display
Name String - A display name for the provider. Cannot exceed 32 characters.
- name String
- The resource name of the provider as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}
. - oidc Property Map
- An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- saml Property Map
- An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
- state String
- The state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active, and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
- workload
Identity StringPool Id - The ID used for the pool, which is the final component of the pool resource name. This
value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - workload
Identity StringPool Provider Id - The ID for the provider, which becomes the final component of the resource name. This
value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - x509 Property Map
- An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
Supporting Types
WorkloadIdentityPoolProviderAws, WorkloadIdentityPoolProviderAwsArgs
- Account
Id string - The AWS account ID.
- Account
Id string - The AWS account ID.
- account
Id String - The AWS account ID.
- account
Id string - The AWS account ID.
- account_
id str - The AWS account ID.
- account
Id String - The AWS account ID.
WorkloadIdentityPoolProviderOidc, WorkloadIdentityPoolProviderOidcArgs
- Issuer
Uri string - The OIDC issuer URL.
- Allowed
Audiences List<string> - Acceptable values for the
aud
field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id> https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
- Jwks
Json string - OIDC JWKs in JSON String format. For details on definition of a
JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
use the
jwks_uri
from the discovery document fetched from the .well-known path for theissuer_uri
. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:{ "keys": [ { "kty": "RSA/EC", "alg": "<algorithm>", "use": "sig", "kid": "<key-id>", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
- Issuer
Uri string - The OIDC issuer URL.
- Allowed
Audiences []string - Acceptable values for the
aud
field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id> https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
- Jwks
Json string - OIDC JWKs in JSON String format. For details on definition of a
JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
use the
jwks_uri
from the discovery document fetched from the .well-known path for theissuer_uri
. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:{ "keys": [ { "kty": "RSA/EC", "alg": "<algorithm>", "use": "sig", "kid": "<key-id>", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
- issuer
Uri String - The OIDC issuer URL.
- allowed
Audiences List<String> - Acceptable values for the
aud
field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id> https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
- jwks
Json String - OIDC JWKs in JSON String format. For details on definition of a
JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
use the
jwks_uri
from the discovery document fetched from the .well-known path for theissuer_uri
. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:{ "keys": [ { "kty": "RSA/EC", "alg": "<algorithm>", "use": "sig", "kid": "<key-id>", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
- issuer
Uri string - The OIDC issuer URL.
- allowed
Audiences string[] - Acceptable values for the
aud
field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id> https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
- jwks
Json string - OIDC JWKs in JSON String format. For details on definition of a
JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
use the
jwks_uri
from the discovery document fetched from the .well-known path for theissuer_uri
. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:{ "keys": [ { "kty": "RSA/EC", "alg": "<algorithm>", "use": "sig", "kid": "<key-id>", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
- issuer_
uri str - The OIDC issuer URL.
- allowed_
audiences Sequence[str] - Acceptable values for the
aud
field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id> https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
- jwks_
json str - OIDC JWKs in JSON String format. For details on definition of a
JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
use the
jwks_uri
from the discovery document fetched from the .well-known path for theissuer_uri
. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:{ "keys": [ { "kty": "RSA/EC", "alg": "<algorithm>", "use": "sig", "kid": "<key-id>", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
- issuer
Uri String - The OIDC issuer URL.
- allowed
Audiences List<String> - Acceptable values for the
aud
field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id> https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
- jwks
Json String - OIDC JWKs in JSON String format. For details on definition of a
JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
use the
jwks_uri
from the discovery document fetched from the .well-known path for theissuer_uri
. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:{ "keys": [ { "kty": "RSA/EC", "alg": "<algorithm>", "use": "sig", "kid": "<key-id>", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
WorkloadIdentityPoolProviderSaml, WorkloadIdentityPoolProviderSamlArgs
- Idp
Metadata stringXml SAML Identity provider configuration metadata xml doc.
The
x509
block supports:
- Idp
Metadata stringXml SAML Identity provider configuration metadata xml doc.
The
x509
block supports:
- idp
Metadata StringXml SAML Identity provider configuration metadata xml doc.
The
x509
block supports:
- idp
Metadata stringXml SAML Identity provider configuration metadata xml doc.
The
x509
block supports:
- idp_
metadata_ strxml SAML Identity provider configuration metadata xml doc.
The
x509
block supports:
- idp
Metadata StringXml SAML Identity provider configuration metadata xml doc.
The
x509
block supports:
WorkloadIdentityPoolProviderX509, WorkloadIdentityPoolProviderX509Args
- Trust
Store WorkloadIdentity Pool Provider X509Trust Store - A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
- Trust
Store WorkloadIdentity Pool Provider X509Trust Store - A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
- trust
Store WorkloadIdentity Pool Provider X509Trust Store - A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
- trust
Store WorkloadIdentity Pool Provider X509Trust Store - A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
- trust_
store WorkloadIdentity Pool Provider X509Trust Store - A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
- trust
Store Property Map - A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
WorkloadIdentityPoolProviderX509TrustStore, WorkloadIdentityPoolProviderX509TrustStoreArgs
- Trust
Anchors List<WorkloadIdentity Pool Provider X509Trust Store Trust Anchor> - List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
- Intermediate
Cas List<WorkloadIdentity Pool Provider X509Trust Store Intermediate Ca> - Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.
- Trust
Anchors []WorkloadIdentity Pool Provider X509Trust Store Trust Anchor - List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
- Intermediate
Cas []WorkloadIdentity Pool Provider X509Trust Store Intermediate Ca - Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.
- trust
Anchors List<WorkloadIdentity Pool Provider X509Trust Store Trust Anchor> - List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
- intermediate
Cas List<WorkloadIdentity Pool Provider X509Trust Store Intermediate Ca> - Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.
- trust
Anchors WorkloadIdentity Pool Provider X509Trust Store Trust Anchor[] - List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
- intermediate
Cas WorkloadIdentity Pool Provider X509Trust Store Intermediate Ca[] - Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.
- trust_
anchors Sequence[WorkloadIdentity Pool Provider X509Trust Store Trust Anchor] - List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
- intermediate_
cas Sequence[WorkloadIdentity Pool Provider X509Trust Store Intermediate Ca] - Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.
- trust
Anchors List<Property Map> - List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
- intermediate
Cas List<Property Map> - Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.
WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa, WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs
- Pem
Certificate string - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- Pem
Certificate string - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- pem
Certificate String - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- pem
Certificate string - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- pem_
certificate str - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- pem
Certificate String - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor, WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs
- Pem
Certificate string - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- Pem
Certificate string - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- pem
Certificate String - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- pem
Certificate string - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- pem_
certificate str - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- pem
Certificate String - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
Import
WorkloadIdentityPoolProvider can be imported using any of these accepted formats:
projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}
{{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
When using the pulumi import
command, WorkloadIdentityPoolProvider can be imported using one of the formats above. For example:
$ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}
$ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
$ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-beta
Terraform Provider.