1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. iam
  5. WorkloadIdentityPoolProvider
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

gcp.iam.WorkloadIdentityPoolProvider

Explore with Pulumi AI

gcp logo
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

    A configuration for an external identity provider.

    To get more information about WorkloadIdentityPoolProvider, see:

    Example Usage

    Iam Workload Identity Pool Provider Aws Basic

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
    const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
        workloadIdentityPoolId: pool.workloadIdentityPoolId,
        workloadIdentityPoolProviderId: "example-prvdr",
        aws: {
            accountId: "999999999999",
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
    example = gcp.iam.WorkloadIdentityPoolProvider("example",
        workload_identity_pool_id=pool.workload_identity_pool_id,
        workload_identity_pool_provider_id="example-prvdr",
        aws={
            "account_id": "999999999999",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
    			WorkloadIdentityPoolId: pulumi.String("example-pool"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
    			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
    			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
    			Aws: &iam.WorkloadIdentityPoolProviderAwsArgs{
    				AccountId: pulumi.String("999999999999"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
        {
            WorkloadIdentityPoolId = "example-pool",
        });
    
        var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
        {
            WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
            WorkloadIdentityPoolProviderId = "example-prvdr",
            Aws = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderAwsArgs
            {
                AccountId = "999999999999",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkloadIdentityPool;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
    import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderAwsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .build());
    
            var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
                .workloadIdentityPoolId(pool.workloadIdentityPoolId())
                .workloadIdentityPoolProviderId("example-prvdr")
                .aws(WorkloadIdentityPoolProviderAwsArgs.builder()
                    .accountId("999999999999")
                    .build())
                .build());
    
        }
    }
    
    resources:
      pool:
        type: gcp:iam:WorkloadIdentityPool
        properties:
          workloadIdentityPoolId: example-pool
      example:
        type: gcp:iam:WorkloadIdentityPoolProvider
        properties:
          workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
          workloadIdentityPoolProviderId: example-prvdr
          aws:
            accountId: '999999999999'
    

    Iam Workload Identity Pool Provider Aws Full

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
    const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
        workloadIdentityPoolId: pool.workloadIdentityPoolId,
        workloadIdentityPoolProviderId: "example-prvdr",
        displayName: "Name of provider",
        description: "AWS identity pool provider for automated test",
        disabled: true,
        attributeCondition: "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"",
        attributeMapping: {
            "google.subject": "assertion.arn",
            "attribute.aws_account": "assertion.account",
            "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
        },
        aws: {
            accountId: "999999999999",
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
    example = gcp.iam.WorkloadIdentityPoolProvider("example",
        workload_identity_pool_id=pool.workload_identity_pool_id,
        workload_identity_pool_provider_id="example-prvdr",
        display_name="Name of provider",
        description="AWS identity pool provider for automated test",
        disabled=True,
        attribute_condition="attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"",
        attribute_mapping={
            "google.subject": "assertion.arn",
            "attribute.aws_account": "assertion.account",
            "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
        },
        aws={
            "account_id": "999999999999",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
    			WorkloadIdentityPoolId: pulumi.String("example-pool"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
    			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
    			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
    			DisplayName:                    pulumi.String("Name of provider"),
    			Description:                    pulumi.String("AWS identity pool provider for automated test"),
    			Disabled:                       pulumi.Bool(true),
    			AttributeCondition:             pulumi.String("attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\""),
    			AttributeMapping: pulumi.StringMap{
    				"google.subject":        pulumi.String("assertion.arn"),
    				"attribute.aws_account": pulumi.String("assertion.account"),
    				"attribute.environment": pulumi.String("assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\""),
    			},
    			Aws: &iam.WorkloadIdentityPoolProviderAwsArgs{
    				AccountId: pulumi.String("999999999999"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
        {
            WorkloadIdentityPoolId = "example-pool",
        });
    
        var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
        {
            WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
            WorkloadIdentityPoolProviderId = "example-prvdr",
            DisplayName = "Name of provider",
            Description = "AWS identity pool provider for automated test",
            Disabled = true,
            AttributeCondition = "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"",
            AttributeMapping = 
            {
                { "google.subject", "assertion.arn" },
                { "attribute.aws_account", "assertion.account" },
                { "attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"" },
            },
            Aws = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderAwsArgs
            {
                AccountId = "999999999999",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkloadIdentityPool;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
    import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderAwsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .build());
    
            var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
                .workloadIdentityPoolId(pool.workloadIdentityPoolId())
                .workloadIdentityPoolProviderId("example-prvdr")
                .displayName("Name of provider")
                .description("AWS identity pool provider for automated test")
                .disabled(true)
                .attributeCondition("attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"")
                .attributeMapping(Map.ofEntries(
                    Map.entry("google.subject", "assertion.arn"),
                    Map.entry("attribute.aws_account", "assertion.account"),
                    Map.entry("attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"")
                ))
                .aws(WorkloadIdentityPoolProviderAwsArgs.builder()
                    .accountId("999999999999")
                    .build())
                .build());
    
        }
    }
    
    resources:
      pool:
        type: gcp:iam:WorkloadIdentityPool
        properties:
          workloadIdentityPoolId: example-pool
      example:
        type: gcp:iam:WorkloadIdentityPoolProvider
        properties:
          workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
          workloadIdentityPoolProviderId: example-prvdr
          displayName: Name of provider
          description: AWS identity pool provider for automated test
          disabled: true
          attributeCondition: attribute.aws_role=="arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole"
          attributeMapping:
            google.subject: assertion.arn
            attribute.aws_account: assertion.account
            attribute.environment: 'assertion.arn.contains(":instance-profile/Production") ? "prod" : "test"'
          aws:
            accountId: '999999999999'
    

    Iam Workload Identity Pool Provider Github Actions

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
    const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
        workloadIdentityPoolId: pool.workloadIdentityPoolId,
        workloadIdentityPoolProviderId: "example-prvdr",
        displayName: "Name of provider",
        description: "GitHub Actions identity pool provider for automated test",
        disabled: true,
        attributeCondition: `    assertion.repository_owner_id == "123456789" &&
        attribute.repository == "gh-org/gh-repo" &&
        assertion.ref == "refs/heads/main" &&
        assertion.ref_type == "branch"
    `,
        attributeMapping: {
            "google.subject": "assertion.sub",
            "attribute.actor": "assertion.actor",
            "attribute.aud": "assertion.aud",
            "attribute.repository": "assertion.repository",
        },
        oidc: {
            issuerUri: "https://token.actions.githubusercontent.com",
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
    example = gcp.iam.WorkloadIdentityPoolProvider("example",
        workload_identity_pool_id=pool.workload_identity_pool_id,
        workload_identity_pool_provider_id="example-prvdr",
        display_name="Name of provider",
        description="GitHub Actions identity pool provider for automated test",
        disabled=True,
        attribute_condition="""    assertion.repository_owner_id == "123456789" &&
        attribute.repository == "gh-org/gh-repo" &&
        assertion.ref == "refs/heads/main" &&
        assertion.ref_type == "branch"
    """,
        attribute_mapping={
            "google.subject": "assertion.sub",
            "attribute.actor": "assertion.actor",
            "attribute.aud": "assertion.aud",
            "attribute.repository": "assertion.repository",
        },
        oidc={
            "issuer_uri": "https://token.actions.githubusercontent.com",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
    			WorkloadIdentityPoolId: pulumi.String("example-pool"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
    			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
    			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
    			DisplayName:                    pulumi.String("Name of provider"),
    			Description:                    pulumi.String("GitHub Actions identity pool provider for automated test"),
    			Disabled:                       pulumi.Bool(true),
    			AttributeCondition:             pulumi.String("    assertion.repository_owner_id == \"123456789\" &&\n    attribute.repository == \"gh-org/gh-repo\" &&\n    assertion.ref == \"refs/heads/main\" &&\n    assertion.ref_type == \"branch\"\n"),
    			AttributeMapping: pulumi.StringMap{
    				"google.subject":       pulumi.String("assertion.sub"),
    				"attribute.actor":      pulumi.String("assertion.actor"),
    				"attribute.aud":        pulumi.String("assertion.aud"),
    				"attribute.repository": pulumi.String("assertion.repository"),
    			},
    			Oidc: &iam.WorkloadIdentityPoolProviderOidcArgs{
    				IssuerUri: pulumi.String("https://token.actions.githubusercontent.com"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
        {
            WorkloadIdentityPoolId = "example-pool",
        });
    
        var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
        {
            WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
            WorkloadIdentityPoolProviderId = "example-prvdr",
            DisplayName = "Name of provider",
            Description = "GitHub Actions identity pool provider for automated test",
            Disabled = true,
            AttributeCondition = @"    assertion.repository_owner_id == ""123456789"" &&
        attribute.repository == ""gh-org/gh-repo"" &&
        assertion.ref == ""refs/heads/main"" &&
        assertion.ref_type == ""branch""
    ",
            AttributeMapping = 
            {
                { "google.subject", "assertion.sub" },
                { "attribute.actor", "assertion.actor" },
                { "attribute.aud", "assertion.aud" },
                { "attribute.repository", "assertion.repository" },
            },
            Oidc = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
            {
                IssuerUri = "https://token.actions.githubusercontent.com",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkloadIdentityPool;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
    import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .build());
    
            var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
                .workloadIdentityPoolId(pool.workloadIdentityPoolId())
                .workloadIdentityPoolProviderId("example-prvdr")
                .displayName("Name of provider")
                .description("GitHub Actions identity pool provider for automated test")
                .disabled(true)
                .attributeCondition("""
        assertion.repository_owner_id == "123456789" &&
        attribute.repository == "gh-org/gh-repo" &&
        assertion.ref == "refs/heads/main" &&
        assertion.ref_type == "branch"
                """)
                .attributeMapping(Map.ofEntries(
                    Map.entry("google.subject", "assertion.sub"),
                    Map.entry("attribute.actor", "assertion.actor"),
                    Map.entry("attribute.aud", "assertion.aud"),
                    Map.entry("attribute.repository", "assertion.repository")
                ))
                .oidc(WorkloadIdentityPoolProviderOidcArgs.builder()
                    .issuerUri("https://token.actions.githubusercontent.com")
                    .build())
                .build());
    
        }
    }
    
    resources:
      pool:
        type: gcp:iam:WorkloadIdentityPool
        properties:
          workloadIdentityPoolId: example-pool
      example:
        type: gcp:iam:WorkloadIdentityPoolProvider
        properties:
          workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
          workloadIdentityPoolProviderId: example-prvdr
          displayName: Name of provider
          description: GitHub Actions identity pool provider for automated test
          disabled: true
          attributeCondition: |2
                assertion.repository_owner_id == "123456789" &&
                attribute.repository == "gh-org/gh-repo" &&
                assertion.ref == "refs/heads/main" &&
                assertion.ref_type == "branch"
          attributeMapping:
            google.subject: assertion.sub
            attribute.actor: assertion.actor
            attribute.aud: assertion.aud
            attribute.repository: assertion.repository
          oidc:
            issuerUri: https://token.actions.githubusercontent.com
    

    Iam Workload Identity Pool Provider Oidc Basic

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
    const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
        workloadIdentityPoolId: pool.workloadIdentityPoolId,
        workloadIdentityPoolProviderId: "example-prvdr",
        attributeMapping: {
            "google.subject": "assertion.sub",
        },
        oidc: {
            issuerUri: "https://sts.windows.net/azure-tenant-id",
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
    example = gcp.iam.WorkloadIdentityPoolProvider("example",
        workload_identity_pool_id=pool.workload_identity_pool_id,
        workload_identity_pool_provider_id="example-prvdr",
        attribute_mapping={
            "google.subject": "assertion.sub",
        },
        oidc={
            "issuer_uri": "https://sts.windows.net/azure-tenant-id",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
    			WorkloadIdentityPoolId: pulumi.String("example-pool"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
    			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
    			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
    			AttributeMapping: pulumi.StringMap{
    				"google.subject": pulumi.String("assertion.sub"),
    			},
    			Oidc: &iam.WorkloadIdentityPoolProviderOidcArgs{
    				IssuerUri: pulumi.String("https://sts.windows.net/azure-tenant-id"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
        {
            WorkloadIdentityPoolId = "example-pool",
        });
    
        var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
        {
            WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
            WorkloadIdentityPoolProviderId = "example-prvdr",
            AttributeMapping = 
            {
                { "google.subject", "assertion.sub" },
            },
            Oidc = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
            {
                IssuerUri = "https://sts.windows.net/azure-tenant-id",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkloadIdentityPool;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
    import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .build());
    
            var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
                .workloadIdentityPoolId(pool.workloadIdentityPoolId())
                .workloadIdentityPoolProviderId("example-prvdr")
                .attributeMapping(Map.of("google.subject", "assertion.sub"))
                .oidc(WorkloadIdentityPoolProviderOidcArgs.builder()
                    .issuerUri("https://sts.windows.net/azure-tenant-id")
                    .build())
                .build());
    
        }
    }
    
    resources:
      pool:
        type: gcp:iam:WorkloadIdentityPool
        properties:
          workloadIdentityPoolId: example-pool
      example:
        type: gcp:iam:WorkloadIdentityPoolProvider
        properties:
          workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
          workloadIdentityPoolProviderId: example-prvdr
          attributeMapping:
            google.subject: assertion.sub
          oidc:
            issuerUri: https://sts.windows.net/azure-tenant-id
    

    Iam Workload Identity Pool Provider Oidc Full

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
    const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
        workloadIdentityPoolId: pool.workloadIdentityPoolId,
        workloadIdentityPoolProviderId: "example-prvdr",
        displayName: "Name of provider",
        description: "OIDC identity pool provider for automated test",
        disabled: true,
        attributeCondition: "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
        attributeMapping: {
            "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
            "attribute.tid": "assertion.tid",
            "attribute.managed_identity_name": `      {
            "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
            "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
          }[assertion.oid]
    `,
        },
        oidc: {
            allowedAudiences: [
                "https://example.com/gcp-oidc-federation",
                "example.com/gcp-oidc-federation",
            ],
            issuerUri: "https://sts.windows.net/azure-tenant-id",
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
    example = gcp.iam.WorkloadIdentityPoolProvider("example",
        workload_identity_pool_id=pool.workload_identity_pool_id,
        workload_identity_pool_provider_id="example-prvdr",
        display_name="Name of provider",
        description="OIDC identity pool provider for automated test",
        disabled=True,
        attribute_condition="\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
        attribute_mapping={
            "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
            "attribute.tid": "assertion.tid",
            "attribute.managed_identity_name": """      {
            "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
            "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
          }[assertion.oid]
    """,
        },
        oidc={
            "allowed_audiences": [
                "https://example.com/gcp-oidc-federation",
                "example.com/gcp-oidc-federation",
            ],
            "issuer_uri": "https://sts.windows.net/azure-tenant-id",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
    			WorkloadIdentityPoolId: pulumi.String("example-pool"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
    			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
    			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
    			DisplayName:                    pulumi.String("Name of provider"),
    			Description:                    pulumi.String("OIDC identity pool provider for automated test"),
    			Disabled:                       pulumi.Bool(true),
    			AttributeCondition:             pulumi.String("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"),
    			AttributeMapping: pulumi.StringMap{
    				"google.subject":                  pulumi.String("\"azure::\" + assertion.tid + \"::\" + assertion.sub"),
    				"attribute.tid":                   pulumi.String("assertion.tid"),
    				"attribute.managed_identity_name": pulumi.String("      {\n        \"8bb39bdb-1cc5-4447-b7db-a19e920eb111\":\"workload1\",\n        \"55d36609-9bcf-48e0-a366-a3cf19027d2a\":\"workload2\"\n      }[assertion.oid]\n"),
    			},
    			Oidc: &iam.WorkloadIdentityPoolProviderOidcArgs{
    				AllowedAudiences: pulumi.StringArray{
    					pulumi.String("https://example.com/gcp-oidc-federation"),
    					pulumi.String("example.com/gcp-oidc-federation"),
    				},
    				IssuerUri: pulumi.String("https://sts.windows.net/azure-tenant-id"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
        {
            WorkloadIdentityPoolId = "example-pool",
        });
    
        var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
        {
            WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
            WorkloadIdentityPoolProviderId = "example-prvdr",
            DisplayName = "Name of provider",
            Description = "OIDC identity pool provider for automated test",
            Disabled = true,
            AttributeCondition = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
            AttributeMapping = 
            {
                { "google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub" },
                { "attribute.tid", "assertion.tid" },
                { "attribute.managed_identity_name", @"      {
            ""8bb39bdb-1cc5-4447-b7db-a19e920eb111"":""workload1"",
            ""55d36609-9bcf-48e0-a366-a3cf19027d2a"":""workload2""
          }[assertion.oid]
    " },
            },
            Oidc = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
            {
                AllowedAudiences = new[]
                {
                    "https://example.com/gcp-oidc-federation",
                    "example.com/gcp-oidc-federation",
                },
                IssuerUri = "https://sts.windows.net/azure-tenant-id",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkloadIdentityPool;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
    import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .build());
    
            var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
                .workloadIdentityPoolId(pool.workloadIdentityPoolId())
                .workloadIdentityPoolProviderId("example-prvdr")
                .displayName("Name of provider")
                .description("OIDC identity pool provider for automated test")
                .disabled(true)
                .attributeCondition("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups")
                .attributeMapping(Map.ofEntries(
                    Map.entry("google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub"),
                    Map.entry("attribute.tid", "assertion.tid"),
                    Map.entry("attribute.managed_identity_name", """
          {
            "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
            "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
          }[assertion.oid]
                    """)
                ))
                .oidc(WorkloadIdentityPoolProviderOidcArgs.builder()
                    .allowedAudiences(                
                        "https://example.com/gcp-oidc-federation",
                        "example.com/gcp-oidc-federation")
                    .issuerUri("https://sts.windows.net/azure-tenant-id")
                    .build())
                .build());
    
        }
    }
    
    resources:
      pool:
        type: gcp:iam:WorkloadIdentityPool
        properties:
          workloadIdentityPoolId: example-pool
      example:
        type: gcp:iam:WorkloadIdentityPoolProvider
        properties:
          workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
          workloadIdentityPoolProviderId: example-prvdr
          displayName: Name of provider
          description: OIDC identity pool provider for automated test
          disabled: true
          attributeCondition: '"e968c2ef-047c-498d-8d79-16ca1b61e77e" in assertion.groups'
          attributeMapping:
            google.subject: '"azure::" + assertion.tid + "::" + assertion.sub'
            attribute.tid: assertion.tid
            attribute.managed_identity_name: |2
                    {
                      "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
                      "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
                    }[assertion.oid]
          oidc:
            allowedAudiences:
              - https://example.com/gcp-oidc-federation
              - example.com/gcp-oidc-federation
            issuerUri: https://sts.windows.net/azure-tenant-id
    

    Iam Workload Identity Pool Provider Saml Basic

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as std from "@pulumi/std";
    
    const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
    const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
        workloadIdentityPoolId: pool.workloadIdentityPoolId,
        workloadIdentityPoolProviderId: "example-prvdr",
        attributeMapping: {
            "google.subject": "assertion.arn",
            "attribute.aws_account": "assertion.account",
            "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
        },
        saml: {
            idpMetadataXml: std.file({
                input: "test-fixtures/metadata.xml",
            }).then(invoke => invoke.result),
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumi_std as std
    
    pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
    example = gcp.iam.WorkloadIdentityPoolProvider("example",
        workload_identity_pool_id=pool.workload_identity_pool_id,
        workload_identity_pool_provider_id="example-prvdr",
        attribute_mapping={
            "google.subject": "assertion.arn",
            "attribute.aws_account": "assertion.account",
            "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
        },
        saml={
            "idp_metadata_xml": std.file(input="test-fixtures/metadata.xml").result,
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
    			WorkloadIdentityPoolId: pulumi.String("example-pool"),
    		})
    		if err != nil {
    			return err
    		}
    		invokeFile, err := std.File(ctx, &std.FileArgs{
    			Input: "test-fixtures/metadata.xml",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
    			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
    			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
    			AttributeMapping: pulumi.StringMap{
    				"google.subject":        pulumi.String("assertion.arn"),
    				"attribute.aws_account": pulumi.String("assertion.account"),
    				"attribute.environment": pulumi.String("assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\""),
    			},
    			Saml: &iam.WorkloadIdentityPoolProviderSamlArgs{
    				IdpMetadataXml: pulumi.String(invokeFile.Result),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Std = Pulumi.Std;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
        {
            WorkloadIdentityPoolId = "example-pool",
        });
    
        var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
        {
            WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
            WorkloadIdentityPoolProviderId = "example-prvdr",
            AttributeMapping = 
            {
                { "google.subject", "assertion.arn" },
                { "attribute.aws_account", "assertion.account" },
                { "attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"" },
            },
            Saml = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderSamlArgs
            {
                IdpMetadataXml = Std.File.Invoke(new()
                {
                    Input = "test-fixtures/metadata.xml",
                }).Apply(invoke => invoke.Result),
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkloadIdentityPool;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
    import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderSamlArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .build());
    
            var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
                .workloadIdentityPoolId(pool.workloadIdentityPoolId())
                .workloadIdentityPoolProviderId("example-prvdr")
                .attributeMapping(Map.ofEntries(
                    Map.entry("google.subject", "assertion.arn"),
                    Map.entry("attribute.aws_account", "assertion.account"),
                    Map.entry("attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"")
                ))
                .saml(WorkloadIdentityPoolProviderSamlArgs.builder()
                    .idpMetadataXml(StdFunctions.file(FileArgs.builder()
                        .input("test-fixtures/metadata.xml")
                        .build()).result())
                    .build())
                .build());
    
        }
    }
    
    resources:
      pool:
        type: gcp:iam:WorkloadIdentityPool
        properties:
          workloadIdentityPoolId: example-pool
      example:
        type: gcp:iam:WorkloadIdentityPoolProvider
        properties:
          workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
          workloadIdentityPoolProviderId: example-prvdr
          attributeMapping:
            google.subject: assertion.arn
            attribute.aws_account: assertion.account
            attribute.environment: 'assertion.arn.contains(":instance-profile/Production") ? "prod" : "test"'
          saml:
            idpMetadataXml:
              fn::invoke:
                Function: std:file
                Arguments:
                  input: test-fixtures/metadata.xml
                Return: result
    

    Iam Workload Identity Pool Provider Saml Full

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as std from "@pulumi/std";
    
    const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
    const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
        workloadIdentityPoolId: pool.workloadIdentityPoolId,
        workloadIdentityPoolProviderId: "example-prvdr",
        displayName: "Name of provider",
        description: "SAML 2.0 identity pool provider for automated test",
        disabled: true,
        attributeMapping: {
            "google.subject": "assertion.arn",
            "attribute.aws_account": "assertion.account",
            "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
        },
        saml: {
            idpMetadataXml: std.file({
                input: "test-fixtures/metadata.xml",
            }).then(invoke => invoke.result),
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumi_std as std
    
    pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
    example = gcp.iam.WorkloadIdentityPoolProvider("example",
        workload_identity_pool_id=pool.workload_identity_pool_id,
        workload_identity_pool_provider_id="example-prvdr",
        display_name="Name of provider",
        description="SAML 2.0 identity pool provider for automated test",
        disabled=True,
        attribute_mapping={
            "google.subject": "assertion.arn",
            "attribute.aws_account": "assertion.account",
            "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
        },
        saml={
            "idp_metadata_xml": std.file(input="test-fixtures/metadata.xml").result,
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
    			WorkloadIdentityPoolId: pulumi.String("example-pool"),
    		})
    		if err != nil {
    			return err
    		}
    		invokeFile, err := std.File(ctx, &std.FileArgs{
    			Input: "test-fixtures/metadata.xml",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
    			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
    			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
    			DisplayName:                    pulumi.String("Name of provider"),
    			Description:                    pulumi.String("SAML 2.0 identity pool provider for automated test"),
    			Disabled:                       pulumi.Bool(true),
    			AttributeMapping: pulumi.StringMap{
    				"google.subject":        pulumi.String("assertion.arn"),
    				"attribute.aws_account": pulumi.String("assertion.account"),
    				"attribute.environment": pulumi.String("assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\""),
    			},
    			Saml: &iam.WorkloadIdentityPoolProviderSamlArgs{
    				IdpMetadataXml: pulumi.String(invokeFile.Result),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Std = Pulumi.Std;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
        {
            WorkloadIdentityPoolId = "example-pool",
        });
    
        var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
        {
            WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
            WorkloadIdentityPoolProviderId = "example-prvdr",
            DisplayName = "Name of provider",
            Description = "SAML 2.0 identity pool provider for automated test",
            Disabled = true,
            AttributeMapping = 
            {
                { "google.subject", "assertion.arn" },
                { "attribute.aws_account", "assertion.account" },
                { "attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"" },
            },
            Saml = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderSamlArgs
            {
                IdpMetadataXml = Std.File.Invoke(new()
                {
                    Input = "test-fixtures/metadata.xml",
                }).Apply(invoke => invoke.Result),
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkloadIdentityPool;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
    import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderSamlArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .build());
    
            var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
                .workloadIdentityPoolId(pool.workloadIdentityPoolId())
                .workloadIdentityPoolProviderId("example-prvdr")
                .displayName("Name of provider")
                .description("SAML 2.0 identity pool provider for automated test")
                .disabled(true)
                .attributeMapping(Map.ofEntries(
                    Map.entry("google.subject", "assertion.arn"),
                    Map.entry("attribute.aws_account", "assertion.account"),
                    Map.entry("attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"")
                ))
                .saml(WorkloadIdentityPoolProviderSamlArgs.builder()
                    .idpMetadataXml(StdFunctions.file(FileArgs.builder()
                        .input("test-fixtures/metadata.xml")
                        .build()).result())
                    .build())
                .build());
    
        }
    }
    
    resources:
      pool:
        type: gcp:iam:WorkloadIdentityPool
        properties:
          workloadIdentityPoolId: example-pool
      example:
        type: gcp:iam:WorkloadIdentityPoolProvider
        properties:
          workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
          workloadIdentityPoolProviderId: example-prvdr
          displayName: Name of provider
          description: SAML 2.0 identity pool provider for automated test
          disabled: true
          attributeMapping:
            google.subject: assertion.arn
            attribute.aws_account: assertion.account
            attribute.environment: 'assertion.arn.contains(":instance-profile/Production") ? "prod" : "test"'
          saml:
            idpMetadataXml:
              fn::invoke:
                Function: std:file
                Arguments:
                  input: test-fixtures/metadata.xml
                Return: result
    

    Iam Workload Identity Pool Provider Oidc Upload Key

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
    const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
        workloadIdentityPoolId: pool.workloadIdentityPoolId,
        workloadIdentityPoolProviderId: "example-prvdr",
        displayName: "Name of provider",
        description: "OIDC identity pool provider for automated test",
        disabled: true,
        attributeCondition: "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
        attributeMapping: {
            "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
            "attribute.tid": "assertion.tid",
            "attribute.managed_identity_name": `      {
            "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
            "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
          }[assertion.oid]
    `,
        },
        oidc: {
            allowedAudiences: [
                "https://example.com/gcp-oidc-federation",
                "example.com/gcp-oidc-federation",
            ],
            issuerUri: "https://sts.windows.net/azure-tenant-id",
            jwksJson: "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}",
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
    example = gcp.iam.WorkloadIdentityPoolProvider("example",
        workload_identity_pool_id=pool.workload_identity_pool_id,
        workload_identity_pool_provider_id="example-prvdr",
        display_name="Name of provider",
        description="OIDC identity pool provider for automated test",
        disabled=True,
        attribute_condition="\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
        attribute_mapping={
            "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
            "attribute.tid": "assertion.tid",
            "attribute.managed_identity_name": """      {
            "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
            "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
          }[assertion.oid]
    """,
        },
        oidc={
            "allowed_audiences": [
                "https://example.com/gcp-oidc-federation",
                "example.com/gcp-oidc-federation",
            ],
            "issuer_uri": "https://sts.windows.net/azure-tenant-id",
            "jwks_json": "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
    			WorkloadIdentityPoolId: pulumi.String("example-pool"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
    			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
    			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
    			DisplayName:                    pulumi.String("Name of provider"),
    			Description:                    pulumi.String("OIDC identity pool provider for automated test"),
    			Disabled:                       pulumi.Bool(true),
    			AttributeCondition:             pulumi.String("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"),
    			AttributeMapping: pulumi.StringMap{
    				"google.subject":                  pulumi.String("\"azure::\" + assertion.tid + \"::\" + assertion.sub"),
    				"attribute.tid":                   pulumi.String("assertion.tid"),
    				"attribute.managed_identity_name": pulumi.String("      {\n        \"8bb39bdb-1cc5-4447-b7db-a19e920eb111\":\"workload1\",\n        \"55d36609-9bcf-48e0-a366-a3cf19027d2a\":\"workload2\"\n      }[assertion.oid]\n"),
    			},
    			Oidc: &iam.WorkloadIdentityPoolProviderOidcArgs{
    				AllowedAudiences: pulumi.StringArray{
    					pulumi.String("https://example.com/gcp-oidc-federation"),
    					pulumi.String("example.com/gcp-oidc-federation"),
    				},
    				IssuerUri: pulumi.String("https://sts.windows.net/azure-tenant-id"),
    				JwksJson:  pulumi.String("{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
        {
            WorkloadIdentityPoolId = "example-pool",
        });
    
        var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
        {
            WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
            WorkloadIdentityPoolProviderId = "example-prvdr",
            DisplayName = "Name of provider",
            Description = "OIDC identity pool provider for automated test",
            Disabled = true,
            AttributeCondition = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
            AttributeMapping = 
            {
                { "google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub" },
                { "attribute.tid", "assertion.tid" },
                { "attribute.managed_identity_name", @"      {
            ""8bb39bdb-1cc5-4447-b7db-a19e920eb111"":""workload1"",
            ""55d36609-9bcf-48e0-a366-a3cf19027d2a"":""workload2""
          }[assertion.oid]
    " },
            },
            Oidc = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
            {
                AllowedAudiences = new[]
                {
                    "https://example.com/gcp-oidc-federation",
                    "example.com/gcp-oidc-federation",
                },
                IssuerUri = "https://sts.windows.net/azure-tenant-id",
                JwksJson = "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkloadIdentityPool;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
    import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .build());
    
            var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
                .workloadIdentityPoolId(pool.workloadIdentityPoolId())
                .workloadIdentityPoolProviderId("example-prvdr")
                .displayName("Name of provider")
                .description("OIDC identity pool provider for automated test")
                .disabled(true)
                .attributeCondition("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups")
                .attributeMapping(Map.ofEntries(
                    Map.entry("google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub"),
                    Map.entry("attribute.tid", "assertion.tid"),
                    Map.entry("attribute.managed_identity_name", """
          {
            "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
            "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
          }[assertion.oid]
                    """)
                ))
                .oidc(WorkloadIdentityPoolProviderOidcArgs.builder()
                    .allowedAudiences(                
                        "https://example.com/gcp-oidc-federation",
                        "example.com/gcp-oidc-federation")
                    .issuerUri("https://sts.windows.net/azure-tenant-id")
                    .jwksJson("{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}")
                    .build())
                .build());
    
        }
    }
    
    resources:
      pool:
        type: gcp:iam:WorkloadIdentityPool
        properties:
          workloadIdentityPoolId: example-pool
      example:
        type: gcp:iam:WorkloadIdentityPoolProvider
        properties:
          workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
          workloadIdentityPoolProviderId: example-prvdr
          displayName: Name of provider
          description: OIDC identity pool provider for automated test
          disabled: true
          attributeCondition: '"e968c2ef-047c-498d-8d79-16ca1b61e77e" in assertion.groups'
          attributeMapping:
            google.subject: '"azure::" + assertion.tid + "::" + assertion.sub'
            attribute.tid: assertion.tid
            attribute.managed_identity_name: |2
                    {
                      "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
                      "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
                    }[assertion.oid]
          oidc:
            allowedAudiences:
              - https://example.com/gcp-oidc-federation
              - example.com/gcp-oidc-federation
            issuerUri: https://sts.windows.net/azure-tenant-id
            jwksJson: '{"keys":[{"kty":"RSA","alg":"RS256","kid":"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA","use":"sig","e":"AQAB","n":"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw"}]}'
    

    Iam Workload Identity Pool Provider X509 Basic

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as std from "@pulumi/std";
    
    const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
    const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
        workloadIdentityPoolId: pool.workloadIdentityPoolId,
        workloadIdentityPoolProviderId: "example-prvdr",
        attributeMapping: {
            "google.subject": "assertion.subject.dn.cn",
        },
        x509: {
            trustStore: {
                trustAnchors: [{
                    pemCertificate: std.file({
                        input: "test-fixtures/trust_anchor.pem",
                    }).then(invoke => invoke.result),
                }],
            },
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumi_std as std
    
    pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
    example = gcp.iam.WorkloadIdentityPoolProvider("example",
        workload_identity_pool_id=pool.workload_identity_pool_id,
        workload_identity_pool_provider_id="example-prvdr",
        attribute_mapping={
            "google.subject": "assertion.subject.dn.cn",
        },
        x509={
            "trust_store": {
                "trust_anchors": [{
                    "pem_certificate": std.file(input="test-fixtures/trust_anchor.pem").result,
                }],
            },
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
    			WorkloadIdentityPoolId: pulumi.String("example-pool"),
    		})
    		if err != nil {
    			return err
    		}
    		invokeFile, err := std.File(ctx, &std.FileArgs{
    			Input: "test-fixtures/trust_anchor.pem",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
    			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
    			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
    			AttributeMapping: pulumi.StringMap{
    				"google.subject": pulumi.String("assertion.subject.dn.cn"),
    			},
    			X509: &iam.WorkloadIdentityPoolProviderX509Args{
    				TrustStore: &iam.WorkloadIdentityPoolProviderX509TrustStoreArgs{
    					TrustAnchors: iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArray{
    						&iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs{
    							PemCertificate: pulumi.String(invokeFile.Result),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Std = Pulumi.Std;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
        {
            WorkloadIdentityPoolId = "example-pool",
        });
    
        var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
        {
            WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
            WorkloadIdentityPoolProviderId = "example-prvdr",
            AttributeMapping = 
            {
                { "google.subject", "assertion.subject.dn.cn" },
            },
            X509 = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509Args
            {
                TrustStore = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreArgs
                {
                    TrustAnchors = new[]
                    {
                        new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs
                        {
                            PemCertificate = Std.File.Invoke(new()
                            {
                                Input = "test-fixtures/trust_anchor.pem",
                            }).Apply(invoke => invoke.Result),
                        },
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkloadIdentityPool;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
    import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderX509Args;
    import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderX509TrustStoreArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .build());
    
            var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
                .workloadIdentityPoolId(pool.workloadIdentityPoolId())
                .workloadIdentityPoolProviderId("example-prvdr")
                .attributeMapping(Map.of("google.subject", "assertion.subject.dn.cn"))
                .x509(WorkloadIdentityPoolProviderX509Args.builder()
                    .trustStore(WorkloadIdentityPoolProviderX509TrustStoreArgs.builder()
                        .trustAnchors(WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs.builder()
                            .pemCertificate(StdFunctions.file(FileArgs.builder()
                                .input("test-fixtures/trust_anchor.pem")
                                .build()).result())
                            .build())
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      pool:
        type: gcp:iam:WorkloadIdentityPool
        properties:
          workloadIdentityPoolId: example-pool
      example:
        type: gcp:iam:WorkloadIdentityPoolProvider
        properties:
          workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
          workloadIdentityPoolProviderId: example-prvdr
          attributeMapping:
            google.subject: assertion.subject.dn.cn
          x509:
            trustStore:
              trustAnchors:
                - pemCertificate:
                    fn::invoke:
                      Function: std:file
                      Arguments:
                        input: test-fixtures/trust_anchor.pem
                      Return: result
    

    Iam Workload Identity Pool Provider X509 Full

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as std from "@pulumi/std";
    
    const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
    const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
        workloadIdentityPoolId: pool.workloadIdentityPoolId,
        workloadIdentityPoolProviderId: "example-prvdr",
        displayName: "Name of provider",
        description: "X.509 identity pool provider for automated test",
        disabled: true,
        attributeMapping: {
            "google.subject": "assertion.subject.dn.cn",
        },
        x509: {
            trustStore: {
                trustAnchors: [{
                    pemCertificate: std.file({
                        input: "test-fixtures/trust_anchor.pem",
                    }).then(invoke => invoke.result),
                }],
                intermediateCas: [{
                    pemCertificate: std.file({
                        input: "test-fixtures/intermediate_ca.pem",
                    }).then(invoke => invoke.result),
                }],
            },
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumi_std as std
    
    pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
    example = gcp.iam.WorkloadIdentityPoolProvider("example",
        workload_identity_pool_id=pool.workload_identity_pool_id,
        workload_identity_pool_provider_id="example-prvdr",
        display_name="Name of provider",
        description="X.509 identity pool provider for automated test",
        disabled=True,
        attribute_mapping={
            "google.subject": "assertion.subject.dn.cn",
        },
        x509={
            "trust_store": {
                "trust_anchors": [{
                    "pem_certificate": std.file(input="test-fixtures/trust_anchor.pem").result,
                }],
                "intermediate_cas": [{
                    "pem_certificate": std.file(input="test-fixtures/intermediate_ca.pem").result,
                }],
            },
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
    			WorkloadIdentityPoolId: pulumi.String("example-pool"),
    		})
    		if err != nil {
    			return err
    		}
    		invokeFile, err := std.File(ctx, &std.FileArgs{
    			Input: "test-fixtures/trust_anchor.pem",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		invokeFile1, err := std.File(ctx, &std.FileArgs{
    			Input: "test-fixtures/intermediate_ca.pem",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
    			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
    			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
    			DisplayName:                    pulumi.String("Name of provider"),
    			Description:                    pulumi.String("X.509 identity pool provider for automated test"),
    			Disabled:                       pulumi.Bool(true),
    			AttributeMapping: pulumi.StringMap{
    				"google.subject": pulumi.String("assertion.subject.dn.cn"),
    			},
    			X509: &iam.WorkloadIdentityPoolProviderX509Args{
    				TrustStore: &iam.WorkloadIdentityPoolProviderX509TrustStoreArgs{
    					TrustAnchors: iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArray{
    						&iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs{
    							PemCertificate: pulumi.String(invokeFile.Result),
    						},
    					},
    					IntermediateCas: iam.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArray{
    						&iam.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs{
    							PemCertificate: pulumi.String(invokeFile1.Result),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Std = Pulumi.Std;
    
    return await Deployment.RunAsync(() => 
    {
        var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
        {
            WorkloadIdentityPoolId = "example-pool",
        });
    
        var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
        {
            WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
            WorkloadIdentityPoolProviderId = "example-prvdr",
            DisplayName = "Name of provider",
            Description = "X.509 identity pool provider for automated test",
            Disabled = true,
            AttributeMapping = 
            {
                { "google.subject", "assertion.subject.dn.cn" },
            },
            X509 = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509Args
            {
                TrustStore = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreArgs
                {
                    TrustAnchors = new[]
                    {
                        new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs
                        {
                            PemCertificate = Std.File.Invoke(new()
                            {
                                Input = "test-fixtures/trust_anchor.pem",
                            }).Apply(invoke => invoke.Result),
                        },
                    },
                    IntermediateCas = new[]
                    {
                        new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs
                        {
                            PemCertificate = Std.File.Invoke(new()
                            {
                                Input = "test-fixtures/intermediate_ca.pem",
                            }).Apply(invoke => invoke.Result),
                        },
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkloadIdentityPool;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
    import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderX509Args;
    import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderX509TrustStoreArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .build());
    
            var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
                .workloadIdentityPoolId(pool.workloadIdentityPoolId())
                .workloadIdentityPoolProviderId("example-prvdr")
                .displayName("Name of provider")
                .description("X.509 identity pool provider for automated test")
                .disabled(true)
                .attributeMapping(Map.of("google.subject", "assertion.subject.dn.cn"))
                .x509(WorkloadIdentityPoolProviderX509Args.builder()
                    .trustStore(WorkloadIdentityPoolProviderX509TrustStoreArgs.builder()
                        .trustAnchors(WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs.builder()
                            .pemCertificate(StdFunctions.file(FileArgs.builder()
                                .input("test-fixtures/trust_anchor.pem")
                                .build()).result())
                            .build())
                        .intermediateCas(WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs.builder()
                            .pemCertificate(StdFunctions.file(FileArgs.builder()
                                .input("test-fixtures/intermediate_ca.pem")
                                .build()).result())
                            .build())
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      pool:
        type: gcp:iam:WorkloadIdentityPool
        properties:
          workloadIdentityPoolId: example-pool
      example:
        type: gcp:iam:WorkloadIdentityPoolProvider
        properties:
          workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
          workloadIdentityPoolProviderId: example-prvdr
          displayName: Name of provider
          description: X.509 identity pool provider for automated test
          disabled: true
          attributeMapping:
            google.subject: assertion.subject.dn.cn
          x509:
            trustStore:
              trustAnchors:
                - pemCertificate:
                    fn::invoke:
                      Function: std:file
                      Arguments:
                        input: test-fixtures/trust_anchor.pem
                      Return: result
              intermediateCas:
                - pemCertificate:
                    fn::invoke:
                      Function: std:file
                      Arguments:
                        input: test-fixtures/intermediate_ca.pem
                      Return: result
    

    Create WorkloadIdentityPoolProvider Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new WorkloadIdentityPoolProvider(name: string, args: WorkloadIdentityPoolProviderArgs, opts?: CustomResourceOptions);
    @overload
    def WorkloadIdentityPoolProvider(resource_name: str,
                                     args: WorkloadIdentityPoolProviderArgs,
                                     opts: Optional[ResourceOptions] = None)
    
    @overload
    def WorkloadIdentityPoolProvider(resource_name: str,
                                     opts: Optional[ResourceOptions] = None,
                                     workload_identity_pool_id: Optional[str] = None,
                                     workload_identity_pool_provider_id: Optional[str] = None,
                                     attribute_condition: Optional[str] = None,
                                     attribute_mapping: Optional[Mapping[str, str]] = None,
                                     aws: Optional[WorkloadIdentityPoolProviderAwsArgs] = None,
                                     description: Optional[str] = None,
                                     disabled: Optional[bool] = None,
                                     display_name: Optional[str] = None,
                                     oidc: Optional[WorkloadIdentityPoolProviderOidcArgs] = None,
                                     project: Optional[str] = None,
                                     saml: Optional[WorkloadIdentityPoolProviderSamlArgs] = None,
                                     x509: Optional[WorkloadIdentityPoolProviderX509Args] = None)
    func NewWorkloadIdentityPoolProvider(ctx *Context, name string, args WorkloadIdentityPoolProviderArgs, opts ...ResourceOption) (*WorkloadIdentityPoolProvider, error)
    public WorkloadIdentityPoolProvider(string name, WorkloadIdentityPoolProviderArgs args, CustomResourceOptions? opts = null)
    public WorkloadIdentityPoolProvider(String name, WorkloadIdentityPoolProviderArgs args)
    public WorkloadIdentityPoolProvider(String name, WorkloadIdentityPoolProviderArgs args, CustomResourceOptions options)
    
    type: gcp:iam:WorkloadIdentityPoolProvider
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args WorkloadIdentityPoolProviderArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args WorkloadIdentityPoolProviderArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args WorkloadIdentityPoolProviderArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args WorkloadIdentityPoolProviderArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args WorkloadIdentityPoolProviderArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var workloadIdentityPoolProviderResource = new Gcp.Iam.WorkloadIdentityPoolProvider("workloadIdentityPoolProviderResource", new()
    {
        WorkloadIdentityPoolId = "string",
        WorkloadIdentityPoolProviderId = "string",
        AttributeCondition = "string",
        AttributeMapping = 
        {
            { "string", "string" },
        },
        Aws = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderAwsArgs
        {
            AccountId = "string",
        },
        Description = "string",
        Disabled = false,
        DisplayName = "string",
        Oidc = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
        {
            IssuerUri = "string",
            AllowedAudiences = new[]
            {
                "string",
            },
            JwksJson = "string",
        },
        Project = "string",
        Saml = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderSamlArgs
        {
            IdpMetadataXml = "string",
        },
        X509 = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509Args
        {
            TrustStore = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreArgs
            {
                TrustAnchors = new[]
                {
                    new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs
                    {
                        PemCertificate = "string",
                    },
                },
                IntermediateCas = new[]
                {
                    new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs
                    {
                        PemCertificate = "string",
                    },
                },
            },
        },
    });
    
    example, err := iam.NewWorkloadIdentityPoolProvider(ctx, "workloadIdentityPoolProviderResource", &iam.WorkloadIdentityPoolProviderArgs{
    	WorkloadIdentityPoolId:         pulumi.String("string"),
    	WorkloadIdentityPoolProviderId: pulumi.String("string"),
    	AttributeCondition:             pulumi.String("string"),
    	AttributeMapping: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	Aws: &iam.WorkloadIdentityPoolProviderAwsArgs{
    		AccountId: pulumi.String("string"),
    	},
    	Description: pulumi.String("string"),
    	Disabled:    pulumi.Bool(false),
    	DisplayName: pulumi.String("string"),
    	Oidc: &iam.WorkloadIdentityPoolProviderOidcArgs{
    		IssuerUri: pulumi.String("string"),
    		AllowedAudiences: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		JwksJson: pulumi.String("string"),
    	},
    	Project: pulumi.String("string"),
    	Saml: &iam.WorkloadIdentityPoolProviderSamlArgs{
    		IdpMetadataXml: pulumi.String("string"),
    	},
    	X509: &iam.WorkloadIdentityPoolProviderX509Args{
    		TrustStore: &iam.WorkloadIdentityPoolProviderX509TrustStoreArgs{
    			TrustAnchors: iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArray{
    				&iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs{
    					PemCertificate: pulumi.String("string"),
    				},
    			},
    			IntermediateCas: iam.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArray{
    				&iam.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs{
    					PemCertificate: pulumi.String("string"),
    				},
    			},
    		},
    	},
    })
    
    var workloadIdentityPoolProviderResource = new WorkloadIdentityPoolProvider("workloadIdentityPoolProviderResource", WorkloadIdentityPoolProviderArgs.builder()
        .workloadIdentityPoolId("string")
        .workloadIdentityPoolProviderId("string")
        .attributeCondition("string")
        .attributeMapping(Map.of("string", "string"))
        .aws(WorkloadIdentityPoolProviderAwsArgs.builder()
            .accountId("string")
            .build())
        .description("string")
        .disabled(false)
        .displayName("string")
        .oidc(WorkloadIdentityPoolProviderOidcArgs.builder()
            .issuerUri("string")
            .allowedAudiences("string")
            .jwksJson("string")
            .build())
        .project("string")
        .saml(WorkloadIdentityPoolProviderSamlArgs.builder()
            .idpMetadataXml("string")
            .build())
        .x509(WorkloadIdentityPoolProviderX509Args.builder()
            .trustStore(WorkloadIdentityPoolProviderX509TrustStoreArgs.builder()
                .trustAnchors(WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs.builder()
                    .pemCertificate("string")
                    .build())
                .intermediateCas(WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs.builder()
                    .pemCertificate("string")
                    .build())
                .build())
            .build())
        .build());
    
    workload_identity_pool_provider_resource = gcp.iam.WorkloadIdentityPoolProvider("workloadIdentityPoolProviderResource",
        workload_identity_pool_id="string",
        workload_identity_pool_provider_id="string",
        attribute_condition="string",
        attribute_mapping={
            "string": "string",
        },
        aws={
            "account_id": "string",
        },
        description="string",
        disabled=False,
        display_name="string",
        oidc={
            "issuer_uri": "string",
            "allowed_audiences": ["string"],
            "jwks_json": "string",
        },
        project="string",
        saml={
            "idp_metadata_xml": "string",
        },
        x509={
            "trust_store": {
                "trust_anchors": [{
                    "pem_certificate": "string",
                }],
                "intermediate_cas": [{
                    "pem_certificate": "string",
                }],
            },
        })
    
    const workloadIdentityPoolProviderResource = new gcp.iam.WorkloadIdentityPoolProvider("workloadIdentityPoolProviderResource", {
        workloadIdentityPoolId: "string",
        workloadIdentityPoolProviderId: "string",
        attributeCondition: "string",
        attributeMapping: {
            string: "string",
        },
        aws: {
            accountId: "string",
        },
        description: "string",
        disabled: false,
        displayName: "string",
        oidc: {
            issuerUri: "string",
            allowedAudiences: ["string"],
            jwksJson: "string",
        },
        project: "string",
        saml: {
            idpMetadataXml: "string",
        },
        x509: {
            trustStore: {
                trustAnchors: [{
                    pemCertificate: "string",
                }],
                intermediateCas: [{
                    pemCertificate: "string",
                }],
            },
        },
    });
    
    type: gcp:iam:WorkloadIdentityPoolProvider
    properties:
        attributeCondition: string
        attributeMapping:
            string: string
        aws:
            accountId: string
        description: string
        disabled: false
        displayName: string
        oidc:
            allowedAudiences:
                - string
            issuerUri: string
            jwksJson: string
        project: string
        saml:
            idpMetadataXml: string
        workloadIdentityPoolId: string
        workloadIdentityPoolProviderId: string
        x509:
            trustStore:
                intermediateCas:
                    - pemCertificate: string
                trustAnchors:
                    - pemCertificate: string
    

    WorkloadIdentityPoolProvider Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The WorkloadIdentityPoolProvider resource accepts the following input properties:

    WorkloadIdentityPoolId string
    The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
    WorkloadIdentityPoolProviderId string
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    AttributeCondition string
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    AttributeMapping Dictionary<string, string>
    Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
    • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
    • If no attribute mapping is defined, the following default mapping applies:
    {
    "google.subject":"assertion.arn",
    "attribute.aws_role":
    "assertion.arn.contains('assumed-role')"
    " ? assertion.arn.extract('{account_arn}assumed-role/')"
    "   + 'assumed-role/'"
    "   + assertion.arn.extract('assumed-role/{role_name}/')"
    " : assertion.arn",
    }
    
    • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
    • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
    {"google.subject": "assertion.sub"}
    
    Aws WorkloadIdentityPoolProviderAws
    An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
    Description string
    A description for the provider. Cannot exceed 256 characters.
    Disabled bool
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    DisplayName string
    A display name for the provider. Cannot exceed 32 characters.
    Oidc WorkloadIdentityPoolProviderOidc
    An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    Saml WorkloadIdentityPoolProviderSaml
    An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
    X509 WorkloadIdentityPoolProviderX509
    An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
    WorkloadIdentityPoolId string
    The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
    WorkloadIdentityPoolProviderId string
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    AttributeCondition string
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    AttributeMapping map[string]string
    Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
    • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
    • If no attribute mapping is defined, the following default mapping applies:
    {
    "google.subject":"assertion.arn",
    "attribute.aws_role":
    "assertion.arn.contains('assumed-role')"
    " ? assertion.arn.extract('{account_arn}assumed-role/')"
    "   + 'assumed-role/'"
    "   + assertion.arn.extract('assumed-role/{role_name}/')"
    " : assertion.arn",
    }
    
    • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
    • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
    {"google.subject": "assertion.sub"}
    
    Aws WorkloadIdentityPoolProviderAwsArgs
    An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
    Description string
    A description for the provider. Cannot exceed 256 characters.
    Disabled bool
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    DisplayName string
    A display name for the provider. Cannot exceed 32 characters.
    Oidc WorkloadIdentityPoolProviderOidcArgs
    An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    Saml WorkloadIdentityPoolProviderSamlArgs
    An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
    X509 WorkloadIdentityPoolProviderX509Args
    An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
    workloadIdentityPoolId String
    The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
    workloadIdentityPoolProviderId String
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    attributeCondition String
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    attributeMapping Map<String,String>
    Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
    • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
    • If no attribute mapping is defined, the following default mapping applies:
    {
    "google.subject":"assertion.arn",
    "attribute.aws_role":
    "assertion.arn.contains('assumed-role')"
    " ? assertion.arn.extract('{account_arn}assumed-role/')"
    "   + 'assumed-role/'"
    "   + assertion.arn.extract('assumed-role/{role_name}/')"
    " : assertion.arn",
    }
    
    • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
    • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
    {"google.subject": "assertion.sub"}
    
    aws WorkloadIdentityPoolProviderAws
    An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
    description String
    A description for the provider. Cannot exceed 256 characters.
    disabled Boolean
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    displayName String
    A display name for the provider. Cannot exceed 32 characters.
    oidc WorkloadIdentityPoolProviderOidc
    An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    saml WorkloadIdentityPoolProviderSaml
    An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
    x509 WorkloadIdentityPoolProviderX509
    An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
    workloadIdentityPoolId string
    The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
    workloadIdentityPoolProviderId string
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    attributeCondition string
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    attributeMapping {[key: string]: string}
    Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
    • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
    • If no attribute mapping is defined, the following default mapping applies:
    {
    "google.subject":"assertion.arn",
    "attribute.aws_role":
    "assertion.arn.contains('assumed-role')"
    " ? assertion.arn.extract('{account_arn}assumed-role/')"
    "   + 'assumed-role/'"
    "   + assertion.arn.extract('assumed-role/{role_name}/')"
    " : assertion.arn",
    }
    
    • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
    • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
    {"google.subject": "assertion.sub"}
    
    aws WorkloadIdentityPoolProviderAws
    An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
    description string
    A description for the provider. Cannot exceed 256 characters.
    disabled boolean
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    displayName string
    A display name for the provider. Cannot exceed 32 characters.
    oidc WorkloadIdentityPoolProviderOidc
    An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
    project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    saml WorkloadIdentityPoolProviderSaml
    An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
    x509 WorkloadIdentityPoolProviderX509
    An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
    workload_identity_pool_id str
    The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
    workload_identity_pool_provider_id str
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    attribute_condition str
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    attribute_mapping Mapping[str, str]
    Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
    • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
    • If no attribute mapping is defined, the following default mapping applies:
    {
    "google.subject":"assertion.arn",
    "attribute.aws_role":
    "assertion.arn.contains('assumed-role')"
    " ? assertion.arn.extract('{account_arn}assumed-role/')"
    "   + 'assumed-role/'"
    "   + assertion.arn.extract('assumed-role/{role_name}/')"
    " : assertion.arn",
    }
    
    • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
    • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
    {"google.subject": "assertion.sub"}
    
    aws WorkloadIdentityPoolProviderAwsArgs
    An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
    description str
    A description for the provider. Cannot exceed 256 characters.
    disabled bool
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    display_name str
    A display name for the provider. Cannot exceed 32 characters.
    oidc WorkloadIdentityPoolProviderOidcArgs
    An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
    project str
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    saml WorkloadIdentityPoolProviderSamlArgs
    An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
    x509 WorkloadIdentityPoolProviderX509Args
    An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
    workloadIdentityPoolId String
    The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
    workloadIdentityPoolProviderId String
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    attributeCondition String
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    attributeMapping Map<String>
    Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
    • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
    • If no attribute mapping is defined, the following default mapping applies:
    {
    "google.subject":"assertion.arn",
    "attribute.aws_role":
    "assertion.arn.contains('assumed-role')"
    " ? assertion.arn.extract('{account_arn}assumed-role/')"
    "   + 'assumed-role/'"
    "   + assertion.arn.extract('assumed-role/{role_name}/')"
    " : assertion.arn",
    }
    
    • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
    • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
    {"google.subject": "assertion.sub"}
    
    aws Property Map
    An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
    description String
    A description for the provider. Cannot exceed 256 characters.
    disabled Boolean
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    displayName String
    A display name for the provider. Cannot exceed 32 characters.
    oidc Property Map
    An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    saml Property Map
    An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
    x509 Property Map
    An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the WorkloadIdentityPoolProvider resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
    State string
    The state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active, and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
    State string
    The state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active, and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
    state String
    The state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active, and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
    id string
    The provider-assigned unique ID for this managed resource.
    name string
    The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
    state string
    The state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active, and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
    id str
    The provider-assigned unique ID for this managed resource.
    name str
    The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
    state str
    The state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active, and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
    state String
    The state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active, and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.

    Look up Existing WorkloadIdentityPoolProvider Resource

    Get an existing WorkloadIdentityPoolProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: WorkloadIdentityPoolProviderState, opts?: CustomResourceOptions): WorkloadIdentityPoolProvider
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            attribute_condition: Optional[str] = None,
            attribute_mapping: Optional[Mapping[str, str]] = None,
            aws: Optional[WorkloadIdentityPoolProviderAwsArgs] = None,
            description: Optional[str] = None,
            disabled: Optional[bool] = None,
            display_name: Optional[str] = None,
            name: Optional[str] = None,
            oidc: Optional[WorkloadIdentityPoolProviderOidcArgs] = None,
            project: Optional[str] = None,
            saml: Optional[WorkloadIdentityPoolProviderSamlArgs] = None,
            state: Optional[str] = None,
            workload_identity_pool_id: Optional[str] = None,
            workload_identity_pool_provider_id: Optional[str] = None,
            x509: Optional[WorkloadIdentityPoolProviderX509Args] = None) -> WorkloadIdentityPoolProvider
    func GetWorkloadIdentityPoolProvider(ctx *Context, name string, id IDInput, state *WorkloadIdentityPoolProviderState, opts ...ResourceOption) (*WorkloadIdentityPoolProvider, error)
    public static WorkloadIdentityPoolProvider Get(string name, Input<string> id, WorkloadIdentityPoolProviderState? state, CustomResourceOptions? opts = null)
    public static WorkloadIdentityPoolProvider get(String name, Output<String> id, WorkloadIdentityPoolProviderState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AttributeCondition string
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    AttributeMapping Dictionary<string, string>
    Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
    • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
    • If no attribute mapping is defined, the following default mapping applies:
    {
    "google.subject":"assertion.arn",
    "attribute.aws_role":
    "assertion.arn.contains('assumed-role')"
    " ? assertion.arn.extract('{account_arn}assumed-role/')"
    "   + 'assumed-role/'"
    "   + assertion.arn.extract('assumed-role/{role_name}/')"
    " : assertion.arn",
    }
    
    • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
    • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
    {"google.subject": "assertion.sub"}
    
    Aws WorkloadIdentityPoolProviderAws
    An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
    Description string
    A description for the provider. Cannot exceed 256 characters.
    Disabled bool
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    DisplayName string
    A display name for the provider. Cannot exceed 32 characters.
    Name string
    The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
    Oidc WorkloadIdentityPoolProviderOidc
    An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    Saml WorkloadIdentityPoolProviderSaml
    An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
    State string
    The state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active, and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
    WorkloadIdentityPoolId string
    The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
    WorkloadIdentityPoolProviderId string
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    X509 WorkloadIdentityPoolProviderX509
    An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
    AttributeCondition string
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    AttributeMapping map[string]string
    Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
    • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
    • If no attribute mapping is defined, the following default mapping applies:
    {
    "google.subject":"assertion.arn",
    "attribute.aws_role":
    "assertion.arn.contains('assumed-role')"
    " ? assertion.arn.extract('{account_arn}assumed-role/')"
    "   + 'assumed-role/'"
    "   + assertion.arn.extract('assumed-role/{role_name}/')"
    " : assertion.arn",
    }
    
    • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
    • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
    {"google.subject": "assertion.sub"}
    
    Aws WorkloadIdentityPoolProviderAwsArgs
    An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
    Description string
    A description for the provider. Cannot exceed 256 characters.
    Disabled bool
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    DisplayName string
    A display name for the provider. Cannot exceed 32 characters.
    Name string
    The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
    Oidc WorkloadIdentityPoolProviderOidcArgs
    An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    Saml WorkloadIdentityPoolProviderSamlArgs
    An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
    State string
    The state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active, and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
    WorkloadIdentityPoolId string
    The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
    WorkloadIdentityPoolProviderId string
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    X509 WorkloadIdentityPoolProviderX509Args
    An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
    attributeCondition String
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    attributeMapping Map<String,String>
    Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
    • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
    • If no attribute mapping is defined, the following default mapping applies:
    {
    "google.subject":"assertion.arn",
    "attribute.aws_role":
    "assertion.arn.contains('assumed-role')"
    " ? assertion.arn.extract('{account_arn}assumed-role/')"
    "   + 'assumed-role/'"
    "   + assertion.arn.extract('assumed-role/{role_name}/')"
    " : assertion.arn",
    }
    
    • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
    • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
    {"google.subject": "assertion.sub"}
    
    aws WorkloadIdentityPoolProviderAws
    An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
    description String
    A description for the provider. Cannot exceed 256 characters.
    disabled Boolean
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    displayName String
    A display name for the provider. Cannot exceed 32 characters.
    name String
    The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
    oidc WorkloadIdentityPoolProviderOidc
    An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    saml WorkloadIdentityPoolProviderSaml
    An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
    state String
    The state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active, and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
    workloadIdentityPoolId String
    The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
    workloadIdentityPoolProviderId String
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    x509 WorkloadIdentityPoolProviderX509
    An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
    attributeCondition string
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    attributeMapping {[key: string]: string}
    Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
    • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
    • If no attribute mapping is defined, the following default mapping applies:
    {
    "google.subject":"assertion.arn",
    "attribute.aws_role":
    "assertion.arn.contains('assumed-role')"
    " ? assertion.arn.extract('{account_arn}assumed-role/')"
    "   + 'assumed-role/'"
    "   + assertion.arn.extract('assumed-role/{role_name}/')"
    " : assertion.arn",
    }
    
    • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
    • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
    {"google.subject": "assertion.sub"}
    
    aws WorkloadIdentityPoolProviderAws
    An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
    description string
    A description for the provider. Cannot exceed 256 characters.
    disabled boolean
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    displayName string
    A display name for the provider. Cannot exceed 32 characters.
    name string
    The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
    oidc WorkloadIdentityPoolProviderOidc
    An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
    project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    saml WorkloadIdentityPoolProviderSaml
    An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
    state string
    The state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active, and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
    workloadIdentityPoolId string
    The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
    workloadIdentityPoolProviderId string
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    x509 WorkloadIdentityPoolProviderX509
    An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
    attribute_condition str
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    attribute_mapping Mapping[str, str]
    Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
    • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
    • If no attribute mapping is defined, the following default mapping applies:
    {
    "google.subject":"assertion.arn",
    "attribute.aws_role":
    "assertion.arn.contains('assumed-role')"
    " ? assertion.arn.extract('{account_arn}assumed-role/')"
    "   + 'assumed-role/'"
    "   + assertion.arn.extract('assumed-role/{role_name}/')"
    " : assertion.arn",
    }
    
    • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
    • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
    {"google.subject": "assertion.sub"}
    
    aws WorkloadIdentityPoolProviderAwsArgs
    An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
    description str
    A description for the provider. Cannot exceed 256 characters.
    disabled bool
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    display_name str
    A display name for the provider. Cannot exceed 32 characters.
    name str
    The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
    oidc WorkloadIdentityPoolProviderOidcArgs
    An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
    project str
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    saml WorkloadIdentityPoolProviderSamlArgs
    An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
    state str
    The state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active, and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
    workload_identity_pool_id str
    The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
    workload_identity_pool_provider_id str
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    x509 WorkloadIdentityPoolProviderX509Args
    An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
    attributeCondition String
    A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
    attributeMapping Map<String>
    Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

    • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
    • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
    • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
    • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
    • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
    • If no attribute mapping is defined, the following default mapping applies:
    {
    "google.subject":"assertion.arn",
    "attribute.aws_role":
    "assertion.arn.contains('assumed-role')"
    " ? assertion.arn.extract('{account_arn}assumed-role/')"
    "   + 'assumed-role/'"
    "   + assertion.arn.extract('assumed-role/{role_name}/')"
    " : assertion.arn",
    }
    
    • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
    • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
    {"google.subject": "assertion.sub"}
    
    aws Property Map
    An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
    description String
    A description for the provider. Cannot exceed 256 characters.
    disabled Boolean
    Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
    displayName String
    A display name for the provider. Cannot exceed 32 characters.
    name String
    The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
    oidc Property Map
    An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    saml Property Map
    An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
    state String
    The state of the provider.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The provider is active, and may be used to validate authentication credentials.
    • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
    workloadIdentityPoolId String
    The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
    workloadIdentityPoolProviderId String
    The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    x509 Property Map
    An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.

    Supporting Types

    WorkloadIdentityPoolProviderAws, WorkloadIdentityPoolProviderAwsArgs

    AccountId string
    The AWS account ID.
    AccountId string
    The AWS account ID.
    accountId String
    The AWS account ID.
    accountId string
    The AWS account ID.
    account_id str
    The AWS account ID.
    accountId String
    The AWS account ID.

    WorkloadIdentityPoolProviderOidc, WorkloadIdentityPoolProviderOidcArgs

    IssuerUri string
    The OIDC issuer URL.
    AllowedAudiences List<string>
    Acceptable values for the aud field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

    //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
    https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
    
    JwksJson string
    OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

    {
    "keys": [
    {
    "kty": "RSA/EC",
    "alg": "<algorithm>",
    "use": "sig",
    "kid": "<key-id>",
    "n": "",
    "e": "",
    "x": "",
    "y": "",
    "crv": ""
    }
    ]
    }
    
    IssuerUri string
    The OIDC issuer URL.
    AllowedAudiences []string
    Acceptable values for the aud field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

    //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
    https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
    
    JwksJson string
    OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

    {
    "keys": [
    {
    "kty": "RSA/EC",
    "alg": "<algorithm>",
    "use": "sig",
    "kid": "<key-id>",
    "n": "",
    "e": "",
    "x": "",
    "y": "",
    "crv": ""
    }
    ]
    }
    
    issuerUri String
    The OIDC issuer URL.
    allowedAudiences List<String>
    Acceptable values for the aud field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

    //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
    https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
    
    jwksJson String
    OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

    {
    "keys": [
    {
    "kty": "RSA/EC",
    "alg": "<algorithm>",
    "use": "sig",
    "kid": "<key-id>",
    "n": "",
    "e": "",
    "x": "",
    "y": "",
    "crv": ""
    }
    ]
    }
    
    issuerUri string
    The OIDC issuer URL.
    allowedAudiences string[]
    Acceptable values for the aud field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

    //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
    https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
    
    jwksJson string
    OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

    {
    "keys": [
    {
    "kty": "RSA/EC",
    "alg": "<algorithm>",
    "use": "sig",
    "kid": "<key-id>",
    "n": "",
    "e": "",
    "x": "",
    "y": "",
    "crv": ""
    }
    ]
    }
    
    issuer_uri str
    The OIDC issuer URL.
    allowed_audiences Sequence[str]
    Acceptable values for the aud field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

    //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
    https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
    
    jwks_json str
    OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

    {
    "keys": [
    {
    "kty": "RSA/EC",
    "alg": "<algorithm>",
    "use": "sig",
    "kid": "<key-id>",
    "n": "",
    "e": "",
    "x": "",
    "y": "",
    "crv": ""
    }
    ]
    }
    
    issuerUri String
    The OIDC issuer URL.
    allowedAudiences List<String>
    Acceptable values for the aud field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

    //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
    https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
    
    jwksJson String
    OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

    {
    "keys": [
    {
    "kty": "RSA/EC",
    "alg": "<algorithm>",
    "use": "sig",
    "kid": "<key-id>",
    "n": "",
    "e": "",
    "x": "",
    "y": "",
    "crv": ""
    }
    ]
    }
    

    WorkloadIdentityPoolProviderSaml, WorkloadIdentityPoolProviderSamlArgs

    IdpMetadataXml string

    SAML Identity provider configuration metadata xml doc.

    The x509 block supports:

    IdpMetadataXml string

    SAML Identity provider configuration metadata xml doc.

    The x509 block supports:

    idpMetadataXml String

    SAML Identity provider configuration metadata xml doc.

    The x509 block supports:

    idpMetadataXml string

    SAML Identity provider configuration metadata xml doc.

    The x509 block supports:

    idp_metadata_xml str

    SAML Identity provider configuration metadata xml doc.

    The x509 block supports:

    idpMetadataXml String

    SAML Identity provider configuration metadata xml doc.

    The x509 block supports:

    WorkloadIdentityPoolProviderX509, WorkloadIdentityPoolProviderX509Args

    TrustStore WorkloadIdentityPoolProviderX509TrustStore
    A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
    TrustStore WorkloadIdentityPoolProviderX509TrustStore
    A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
    trustStore WorkloadIdentityPoolProviderX509TrustStore
    A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
    trustStore WorkloadIdentityPoolProviderX509TrustStore
    A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
    trust_store WorkloadIdentityPoolProviderX509TrustStore
    A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
    trustStore Property Map
    A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.

    WorkloadIdentityPoolProviderX509TrustStore, WorkloadIdentityPoolProviderX509TrustStoreArgs

    TrustAnchors List<WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor>
    List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
    IntermediateCas List<WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa>
    Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.
    TrustAnchors []WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor
    List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
    IntermediateCas []WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa
    Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.
    trustAnchors List<WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor>
    List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
    intermediateCas List<WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa>
    Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.
    trustAnchors WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor[]
    List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
    intermediateCas WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa[]
    Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.
    trust_anchors Sequence[WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor]
    List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
    intermediate_cas Sequence[WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa]
    Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.
    trustAnchors List<Property Map>
    List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
    intermediateCas List<Property Map>
    Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.

    WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa, WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs

    PemCertificate string
    PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
    PemCertificate string
    PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
    pemCertificate String
    PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
    pemCertificate string
    PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
    pem_certificate str
    PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
    pemCertificate String
    PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).

    WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor, WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs

    PemCertificate string
    PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
    PemCertificate string
    PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
    pemCertificate String
    PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
    pemCertificate string
    PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
    pem_certificate str
    PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
    pemCertificate String
    PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).

    Import

    WorkloadIdentityPoolProvider can be imported using any of these accepted formats:

    • projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}

    • {{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}

    • {{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}

    When using the pulumi import command, WorkloadIdentityPoolProvider can be imported using one of the formats above. For example:

    $ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}
    
    $ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
    
    $ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi