1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. iam
  5. WorkloadIdentityPoolProvider
Google Cloud v8.23.0 published on Monday, Mar 24, 2025 by Pulumi

gcp.iam.WorkloadIdentityPoolProvider

Explore with Pulumi AI

A configuration for an external identity provider.

To get more information about WorkloadIdentityPoolProvider, see:

Example Usage

Iam Workload Identity Pool Provider Aws Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
    workloadIdentityPoolId: pool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "example-prvdr",
    aws: {
        accountId: "999999999999",
    },
});
Copy
import pulumi
import pulumi_gcp as gcp

pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    aws={
        "account_id": "999999999999",
    })
Copy
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			Aws: &iam.WorkloadIdentityPoolProviderAwsArgs{
				AccountId: pulumi.String("999999999999"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
    {
        WorkloadIdentityPoolId = "example-pool",
    });

    var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
    {
        WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
        WorkloadIdentityPoolProviderId = "example-prvdr",
        Aws = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderAwsArgs
        {
            AccountId = "999999999999",
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderAwsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .build());

        var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
            .workloadIdentityPoolId(pool.workloadIdentityPoolId())
            .workloadIdentityPoolProviderId("example-prvdr")
            .aws(WorkloadIdentityPoolProviderAwsArgs.builder()
                .accountId("999999999999")
                .build())
            .build());

    }
}
Copy
resources:
  pool:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
  example:
    type: gcp:iam:WorkloadIdentityPoolProvider
    properties:
      workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
      workloadIdentityPoolProviderId: example-prvdr
      aws:
        accountId: '999999999999'
Copy

Iam Workload Identity Pool Provider Aws Full

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
    workloadIdentityPoolId: pool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "example-prvdr",
    displayName: "Name of provider",
    description: "AWS identity pool provider for automated test",
    disabled: true,
    attributeCondition: "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"",
    attributeMapping: {
        "google.subject": "assertion.arn",
        "attribute.aws_account": "assertion.account",
        "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
    },
    aws: {
        accountId: "999999999999",
    },
});
Copy
import pulumi
import pulumi_gcp as gcp

pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    display_name="Name of provider",
    description="AWS identity pool provider for automated test",
    disabled=True,
    attribute_condition="attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"",
    attribute_mapping={
        "google.subject": "assertion.arn",
        "attribute.aws_account": "assertion.account",
        "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
    },
    aws={
        "account_id": "999999999999",
    })
Copy
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			DisplayName:                    pulumi.String("Name of provider"),
			Description:                    pulumi.String("AWS identity pool provider for automated test"),
			Disabled:                       pulumi.Bool(true),
			AttributeCondition:             pulumi.String("attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\""),
			AttributeMapping: pulumi.StringMap{
				"google.subject":        pulumi.String("assertion.arn"),
				"attribute.aws_account": pulumi.String("assertion.account"),
				"attribute.environment": pulumi.String("assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\""),
			},
			Aws: &iam.WorkloadIdentityPoolProviderAwsArgs{
				AccountId: pulumi.String("999999999999"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
    {
        WorkloadIdentityPoolId = "example-pool",
    });

    var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
    {
        WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
        WorkloadIdentityPoolProviderId = "example-prvdr",
        DisplayName = "Name of provider",
        Description = "AWS identity pool provider for automated test",
        Disabled = true,
        AttributeCondition = "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"",
        AttributeMapping = 
        {
            { "google.subject", "assertion.arn" },
            { "attribute.aws_account", "assertion.account" },
            { "attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"" },
        },
        Aws = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderAwsArgs
        {
            AccountId = "999999999999",
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderAwsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .build());

        var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
            .workloadIdentityPoolId(pool.workloadIdentityPoolId())
            .workloadIdentityPoolProviderId("example-prvdr")
            .displayName("Name of provider")
            .description("AWS identity pool provider for automated test")
            .disabled(true)
            .attributeCondition("attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"")
            .attributeMapping(Map.ofEntries(
                Map.entry("google.subject", "assertion.arn"),
                Map.entry("attribute.aws_account", "assertion.account"),
                Map.entry("attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"")
            ))
            .aws(WorkloadIdentityPoolProviderAwsArgs.builder()
                .accountId("999999999999")
                .build())
            .build());

    }
}
Copy
resources:
  pool:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
  example:
    type: gcp:iam:WorkloadIdentityPoolProvider
    properties:
      workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
      workloadIdentityPoolProviderId: example-prvdr
      displayName: Name of provider
      description: AWS identity pool provider for automated test
      disabled: true
      attributeCondition: attribute.aws_role=="arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole"
      attributeMapping:
        google.subject: assertion.arn
        attribute.aws_account: assertion.account
        attribute.environment: 'assertion.arn.contains(":instance-profile/Production") ? "prod" : "test"'
      aws:
        accountId: '999999999999'
Copy

Iam Workload Identity Pool Provider Github Actions

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
    workloadIdentityPoolId: pool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "example-prvdr",
    displayName: "Name of provider",
    description: "GitHub Actions identity pool provider for automated test",
    disabled: true,
    attributeCondition: `    assertion.repository_owner_id == "123456789" &&
    attribute.repository == "gh-org/gh-repo" &&
    assertion.ref == "refs/heads/main" &&
    assertion.ref_type == "branch"
`,
    attributeMapping: {
        "google.subject": "assertion.sub",
        "attribute.actor": "assertion.actor",
        "attribute.aud": "assertion.aud",
        "attribute.repository": "assertion.repository",
    },
    oidc: {
        issuerUri: "https://token.actions.githubusercontent.com",
    },
});
Copy
import pulumi
import pulumi_gcp as gcp

pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    display_name="Name of provider",
    description="GitHub Actions identity pool provider for automated test",
    disabled=True,
    attribute_condition="""    assertion.repository_owner_id == "123456789" &&
    attribute.repository == "gh-org/gh-repo" &&
    assertion.ref == "refs/heads/main" &&
    assertion.ref_type == "branch"
""",
    attribute_mapping={
        "google.subject": "assertion.sub",
        "attribute.actor": "assertion.actor",
        "attribute.aud": "assertion.aud",
        "attribute.repository": "assertion.repository",
    },
    oidc={
        "issuer_uri": "https://token.actions.githubusercontent.com",
    })
Copy
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			DisplayName:                    pulumi.String("Name of provider"),
			Description:                    pulumi.String("GitHub Actions identity pool provider for automated test"),
			Disabled:                       pulumi.Bool(true),
			AttributeCondition:             pulumi.String("    assertion.repository_owner_id == \"123456789\" &&\n    attribute.repository == \"gh-org/gh-repo\" &&\n    assertion.ref == \"refs/heads/main\" &&\n    assertion.ref_type == \"branch\"\n"),
			AttributeMapping: pulumi.StringMap{
				"google.subject":       pulumi.String("assertion.sub"),
				"attribute.actor":      pulumi.String("assertion.actor"),
				"attribute.aud":        pulumi.String("assertion.aud"),
				"attribute.repository": pulumi.String("assertion.repository"),
			},
			Oidc: &iam.WorkloadIdentityPoolProviderOidcArgs{
				IssuerUri: pulumi.String("https://token.actions.githubusercontent.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
    {
        WorkloadIdentityPoolId = "example-pool",
    });

    var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
    {
        WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
        WorkloadIdentityPoolProviderId = "example-prvdr",
        DisplayName = "Name of provider",
        Description = "GitHub Actions identity pool provider for automated test",
        Disabled = true,
        AttributeCondition = @"    assertion.repository_owner_id == ""123456789"" &&
    attribute.repository == ""gh-org/gh-repo"" &&
    assertion.ref == ""refs/heads/main"" &&
    assertion.ref_type == ""branch""
",
        AttributeMapping = 
        {
            { "google.subject", "assertion.sub" },
            { "attribute.actor", "assertion.actor" },
            { "attribute.aud", "assertion.aud" },
            { "attribute.repository", "assertion.repository" },
        },
        Oidc = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
        {
            IssuerUri = "https://token.actions.githubusercontent.com",
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .build());

        var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
            .workloadIdentityPoolId(pool.workloadIdentityPoolId())
            .workloadIdentityPoolProviderId("example-prvdr")
            .displayName("Name of provider")
            .description("GitHub Actions identity pool provider for automated test")
            .disabled(true)
            .attributeCondition("""
    assertion.repository_owner_id == "123456789" &&
    attribute.repository == "gh-org/gh-repo" &&
    assertion.ref == "refs/heads/main" &&
    assertion.ref_type == "branch"
            """)
            .attributeMapping(Map.ofEntries(
                Map.entry("google.subject", "assertion.sub"),
                Map.entry("attribute.actor", "assertion.actor"),
                Map.entry("attribute.aud", "assertion.aud"),
                Map.entry("attribute.repository", "assertion.repository")
            ))
            .oidc(WorkloadIdentityPoolProviderOidcArgs.builder()
                .issuerUri("https://token.actions.githubusercontent.com")
                .build())
            .build());

    }
}
Copy
resources:
  pool:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
  example:
    type: gcp:iam:WorkloadIdentityPoolProvider
    properties:
      workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
      workloadIdentityPoolProviderId: example-prvdr
      displayName: Name of provider
      description: GitHub Actions identity pool provider for automated test
      disabled: true
      attributeCondition: |2
            assertion.repository_owner_id == "123456789" &&
            attribute.repository == "gh-org/gh-repo" &&
            assertion.ref == "refs/heads/main" &&
            assertion.ref_type == "branch"
      attributeMapping:
        google.subject: assertion.sub
        attribute.actor: assertion.actor
        attribute.aud: assertion.aud
        attribute.repository: assertion.repository
      oidc:
        issuerUri: https://token.actions.githubusercontent.com
Copy

Iam Workload Identity Pool Provider Oidc Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
    workloadIdentityPoolId: pool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "example-prvdr",
    attributeMapping: {
        "google.subject": "assertion.sub",
    },
    oidc: {
        issuerUri: "https://sts.windows.net/azure-tenant-id",
    },
});
Copy
import pulumi
import pulumi_gcp as gcp

pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    attribute_mapping={
        "google.subject": "assertion.sub",
    },
    oidc={
        "issuer_uri": "https://sts.windows.net/azure-tenant-id",
    })
Copy
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			AttributeMapping: pulumi.StringMap{
				"google.subject": pulumi.String("assertion.sub"),
			},
			Oidc: &iam.WorkloadIdentityPoolProviderOidcArgs{
				IssuerUri: pulumi.String("https://sts.windows.net/azure-tenant-id"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
    {
        WorkloadIdentityPoolId = "example-pool",
    });

    var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
    {
        WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
        WorkloadIdentityPoolProviderId = "example-prvdr",
        AttributeMapping = 
        {
            { "google.subject", "assertion.sub" },
        },
        Oidc = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
        {
            IssuerUri = "https://sts.windows.net/azure-tenant-id",
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .build());

        var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
            .workloadIdentityPoolId(pool.workloadIdentityPoolId())
            .workloadIdentityPoolProviderId("example-prvdr")
            .attributeMapping(Map.of("google.subject", "assertion.sub"))
            .oidc(WorkloadIdentityPoolProviderOidcArgs.builder()
                .issuerUri("https://sts.windows.net/azure-tenant-id")
                .build())
            .build());

    }
}
Copy
resources:
  pool:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
  example:
    type: gcp:iam:WorkloadIdentityPoolProvider
    properties:
      workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
      workloadIdentityPoolProviderId: example-prvdr
      attributeMapping:
        google.subject: assertion.sub
      oidc:
        issuerUri: https://sts.windows.net/azure-tenant-id
Copy

Iam Workload Identity Pool Provider Oidc Full

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
    workloadIdentityPoolId: pool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "example-prvdr",
    displayName: "Name of provider",
    description: "OIDC identity pool provider for automated test",
    disabled: true,
    attributeCondition: "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
    attributeMapping: {
        "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
        "attribute.tid": "assertion.tid",
        "attribute.managed_identity_name": `      {
        "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
        "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
      }[assertion.oid]
`,
    },
    oidc: {
        allowedAudiences: [
            "https://example.com/gcp-oidc-federation",
            "example.com/gcp-oidc-federation",
        ],
        issuerUri: "https://sts.windows.net/azure-tenant-id",
    },
});
Copy
import pulumi
import pulumi_gcp as gcp

pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    display_name="Name of provider",
    description="OIDC identity pool provider for automated test",
    disabled=True,
    attribute_condition="\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
    attribute_mapping={
        "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
        "attribute.tid": "assertion.tid",
        "attribute.managed_identity_name": """      {
        "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
        "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
      }[assertion.oid]
""",
    },
    oidc={
        "allowed_audiences": [
            "https://example.com/gcp-oidc-federation",
            "example.com/gcp-oidc-federation",
        ],
        "issuer_uri": "https://sts.windows.net/azure-tenant-id",
    })
Copy
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			DisplayName:                    pulumi.String("Name of provider"),
			Description:                    pulumi.String("OIDC identity pool provider for automated test"),
			Disabled:                       pulumi.Bool(true),
			AttributeCondition:             pulumi.String("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"),
			AttributeMapping: pulumi.StringMap{
				"google.subject":                  pulumi.String("\"azure::\" + assertion.tid + \"::\" + assertion.sub"),
				"attribute.tid":                   pulumi.String("assertion.tid"),
				"attribute.managed_identity_name": pulumi.String("      {\n        \"8bb39bdb-1cc5-4447-b7db-a19e920eb111\":\"workload1\",\n        \"55d36609-9bcf-48e0-a366-a3cf19027d2a\":\"workload2\"\n      }[assertion.oid]\n"),
			},
			Oidc: &iam.WorkloadIdentityPoolProviderOidcArgs{
				AllowedAudiences: pulumi.StringArray{
					pulumi.String("https://example.com/gcp-oidc-federation"),
					pulumi.String("example.com/gcp-oidc-federation"),
				},
				IssuerUri: pulumi.String("https://sts.windows.net/azure-tenant-id"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
    {
        WorkloadIdentityPoolId = "example-pool",
    });

    var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
    {
        WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
        WorkloadIdentityPoolProviderId = "example-prvdr",
        DisplayName = "Name of provider",
        Description = "OIDC identity pool provider for automated test",
        Disabled = true,
        AttributeCondition = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
        AttributeMapping = 
        {
            { "google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub" },
            { "attribute.tid", "assertion.tid" },
            { "attribute.managed_identity_name", @"      {
        ""8bb39bdb-1cc5-4447-b7db-a19e920eb111"":""workload1"",
        ""55d36609-9bcf-48e0-a366-a3cf19027d2a"":""workload2""
      }[assertion.oid]
" },
        },
        Oidc = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
        {
            AllowedAudiences = new[]
            {
                "https://example.com/gcp-oidc-federation",
                "example.com/gcp-oidc-federation",
            },
            IssuerUri = "https://sts.windows.net/azure-tenant-id",
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .build());

        var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
            .workloadIdentityPoolId(pool.workloadIdentityPoolId())
            .workloadIdentityPoolProviderId("example-prvdr")
            .displayName("Name of provider")
            .description("OIDC identity pool provider for automated test")
            .disabled(true)
            .attributeCondition("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups")
            .attributeMapping(Map.ofEntries(
                Map.entry("google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub"),
                Map.entry("attribute.tid", "assertion.tid"),
                Map.entry("attribute.managed_identity_name", """
      {
        "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
        "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
      }[assertion.oid]
                """)
            ))
            .oidc(WorkloadIdentityPoolProviderOidcArgs.builder()
                .allowedAudiences(                
                    "https://example.com/gcp-oidc-federation",
                    "example.com/gcp-oidc-federation")
                .issuerUri("https://sts.windows.net/azure-tenant-id")
                .build())
            .build());

    }
}
Copy
resources:
  pool:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
  example:
    type: gcp:iam:WorkloadIdentityPoolProvider
    properties:
      workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
      workloadIdentityPoolProviderId: example-prvdr
      displayName: Name of provider
      description: OIDC identity pool provider for automated test
      disabled: true
      attributeCondition: '"e968c2ef-047c-498d-8d79-16ca1b61e77e" in assertion.groups'
      attributeMapping:
        google.subject: '"azure::" + assertion.tid + "::" + assertion.sub'
        attribute.tid: assertion.tid
        attribute.managed_identity_name: |2
                {
                  "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
                  "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
                }[assertion.oid]
      oidc:
        allowedAudiences:
          - https://example.com/gcp-oidc-federation
          - example.com/gcp-oidc-federation
        issuerUri: https://sts.windows.net/azure-tenant-id
Copy

Iam Workload Identity Pool Provider Saml Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";

const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
    workloadIdentityPoolId: pool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "example-prvdr",
    attributeMapping: {
        "google.subject": "assertion.arn",
        "attribute.aws_account": "assertion.account",
        "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
    },
    saml: {
        idpMetadataXml: std.file({
            input: "test-fixtures/metadata.xml",
        }).then(invoke => invoke.result),
    },
});
Copy
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std

pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    attribute_mapping={
        "google.subject": "assertion.arn",
        "attribute.aws_account": "assertion.account",
        "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
    },
    saml={
        "idp_metadata_xml": std.file(input="test-fixtures/metadata.xml").result,
    })
Copy
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		})
		if err != nil {
			return err
		}
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "test-fixtures/metadata.xml",
		}, nil)
		if err != nil {
			return err
		}
		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			AttributeMapping: pulumi.StringMap{
				"google.subject":        pulumi.String("assertion.arn"),
				"attribute.aws_account": pulumi.String("assertion.account"),
				"attribute.environment": pulumi.String("assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\""),
			},
			Saml: &iam.WorkloadIdentityPoolProviderSamlArgs{
				IdpMetadataXml: pulumi.String(invokeFile.Result),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;

return await Deployment.RunAsync(() => 
{
    var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
    {
        WorkloadIdentityPoolId = "example-pool",
    });

    var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
    {
        WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
        WorkloadIdentityPoolProviderId = "example-prvdr",
        AttributeMapping = 
        {
            { "google.subject", "assertion.arn" },
            { "attribute.aws_account", "assertion.account" },
            { "attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"" },
        },
        Saml = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderSamlArgs
        {
            IdpMetadataXml = Std.File.Invoke(new()
            {
                Input = "test-fixtures/metadata.xml",
            }).Apply(invoke => invoke.Result),
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderSamlArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .build());

        var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
            .workloadIdentityPoolId(pool.workloadIdentityPoolId())
            .workloadIdentityPoolProviderId("example-prvdr")
            .attributeMapping(Map.ofEntries(
                Map.entry("google.subject", "assertion.arn"),
                Map.entry("attribute.aws_account", "assertion.account"),
                Map.entry("attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"")
            ))
            .saml(WorkloadIdentityPoolProviderSamlArgs.builder()
                .idpMetadataXml(StdFunctions.file(FileArgs.builder()
                    .input("test-fixtures/metadata.xml")
                    .build()).result())
                .build())
            .build());

    }
}
Copy
resources:
  pool:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
  example:
    type: gcp:iam:WorkloadIdentityPoolProvider
    properties:
      workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
      workloadIdentityPoolProviderId: example-prvdr
      attributeMapping:
        google.subject: assertion.arn
        attribute.aws_account: assertion.account
        attribute.environment: 'assertion.arn.contains(":instance-profile/Production") ? "prod" : "test"'
      saml:
        idpMetadataXml:
          fn::invoke:
            function: std:file
            arguments:
              input: test-fixtures/metadata.xml
            return: result
Copy

Iam Workload Identity Pool Provider Saml Full

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";

const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
    workloadIdentityPoolId: pool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "example-prvdr",
    displayName: "Name of provider",
    description: "SAML 2.0 identity pool provider for automated test",
    disabled: true,
    attributeMapping: {
        "google.subject": "assertion.arn",
        "attribute.aws_account": "assertion.account",
        "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
    },
    saml: {
        idpMetadataXml: std.file({
            input: "test-fixtures/metadata.xml",
        }).then(invoke => invoke.result),
    },
});
Copy
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std

pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    display_name="Name of provider",
    description="SAML 2.0 identity pool provider for automated test",
    disabled=True,
    attribute_mapping={
        "google.subject": "assertion.arn",
        "attribute.aws_account": "assertion.account",
        "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
    },
    saml={
        "idp_metadata_xml": std.file(input="test-fixtures/metadata.xml").result,
    })
Copy
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		})
		if err != nil {
			return err
		}
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "test-fixtures/metadata.xml",
		}, nil)
		if err != nil {
			return err
		}
		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			DisplayName:                    pulumi.String("Name of provider"),
			Description:                    pulumi.String("SAML 2.0 identity pool provider for automated test"),
			Disabled:                       pulumi.Bool(true),
			AttributeMapping: pulumi.StringMap{
				"google.subject":        pulumi.String("assertion.arn"),
				"attribute.aws_account": pulumi.String("assertion.account"),
				"attribute.environment": pulumi.String("assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\""),
			},
			Saml: &iam.WorkloadIdentityPoolProviderSamlArgs{
				IdpMetadataXml: pulumi.String(invokeFile.Result),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;

return await Deployment.RunAsync(() => 
{
    var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
    {
        WorkloadIdentityPoolId = "example-pool",
    });

    var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
    {
        WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
        WorkloadIdentityPoolProviderId = "example-prvdr",
        DisplayName = "Name of provider",
        Description = "SAML 2.0 identity pool provider for automated test",
        Disabled = true,
        AttributeMapping = 
        {
            { "google.subject", "assertion.arn" },
            { "attribute.aws_account", "assertion.account" },
            { "attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"" },
        },
        Saml = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderSamlArgs
        {
            IdpMetadataXml = Std.File.Invoke(new()
            {
                Input = "test-fixtures/metadata.xml",
            }).Apply(invoke => invoke.Result),
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderSamlArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .build());

        var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
            .workloadIdentityPoolId(pool.workloadIdentityPoolId())
            .workloadIdentityPoolProviderId("example-prvdr")
            .displayName("Name of provider")
            .description("SAML 2.0 identity pool provider for automated test")
            .disabled(true)
            .attributeMapping(Map.ofEntries(
                Map.entry("google.subject", "assertion.arn"),
                Map.entry("attribute.aws_account", "assertion.account"),
                Map.entry("attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"")
            ))
            .saml(WorkloadIdentityPoolProviderSamlArgs.builder()
                .idpMetadataXml(StdFunctions.file(FileArgs.builder()
                    .input("test-fixtures/metadata.xml")
                    .build()).result())
                .build())
            .build());

    }
}
Copy
resources:
  pool:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
  example:
    type: gcp:iam:WorkloadIdentityPoolProvider
    properties:
      workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
      workloadIdentityPoolProviderId: example-prvdr
      displayName: Name of provider
      description: SAML 2.0 identity pool provider for automated test
      disabled: true
      attributeMapping:
        google.subject: assertion.arn
        attribute.aws_account: assertion.account
        attribute.environment: 'assertion.arn.contains(":instance-profile/Production") ? "prod" : "test"'
      saml:
        idpMetadataXml:
          fn::invoke:
            function: std:file
            arguments:
              input: test-fixtures/metadata.xml
            return: result
Copy

Iam Workload Identity Pool Provider Oidc Upload Key

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
    workloadIdentityPoolId: pool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "example-prvdr",
    displayName: "Name of provider",
    description: "OIDC identity pool provider for automated test",
    disabled: true,
    attributeCondition: "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
    attributeMapping: {
        "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
        "attribute.tid": "assertion.tid",
        "attribute.managed_identity_name": `      {
        "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
        "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
      }[assertion.oid]
`,
    },
    oidc: {
        allowedAudiences: [
            "https://example.com/gcp-oidc-federation",
            "example.com/gcp-oidc-federation",
        ],
        issuerUri: "https://sts.windows.net/azure-tenant-id",
        jwksJson: "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}",
    },
});
Copy
import pulumi
import pulumi_gcp as gcp

pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    display_name="Name of provider",
    description="OIDC identity pool provider for automated test",
    disabled=True,
    attribute_condition="\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
    attribute_mapping={
        "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
        "attribute.tid": "assertion.tid",
        "attribute.managed_identity_name": """      {
        "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
        "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
      }[assertion.oid]
""",
    },
    oidc={
        "allowed_audiences": [
            "https://example.com/gcp-oidc-federation",
            "example.com/gcp-oidc-federation",
        ],
        "issuer_uri": "https://sts.windows.net/azure-tenant-id",
        "jwks_json": "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}",
    })
Copy
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			DisplayName:                    pulumi.String("Name of provider"),
			Description:                    pulumi.String("OIDC identity pool provider for automated test"),
			Disabled:                       pulumi.Bool(true),
			AttributeCondition:             pulumi.String("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"),
			AttributeMapping: pulumi.StringMap{
				"google.subject":                  pulumi.String("\"azure::\" + assertion.tid + \"::\" + assertion.sub"),
				"attribute.tid":                   pulumi.String("assertion.tid"),
				"attribute.managed_identity_name": pulumi.String("      {\n        \"8bb39bdb-1cc5-4447-b7db-a19e920eb111\":\"workload1\",\n        \"55d36609-9bcf-48e0-a366-a3cf19027d2a\":\"workload2\"\n      }[assertion.oid]\n"),
			},
			Oidc: &iam.WorkloadIdentityPoolProviderOidcArgs{
				AllowedAudiences: pulumi.StringArray{
					pulumi.String("https://example.com/gcp-oidc-federation"),
					pulumi.String("example.com/gcp-oidc-federation"),
				},
				IssuerUri: pulumi.String("https://sts.windows.net/azure-tenant-id"),
				JwksJson:  pulumi.String("{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
    {
        WorkloadIdentityPoolId = "example-pool",
    });

    var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
    {
        WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
        WorkloadIdentityPoolProviderId = "example-prvdr",
        DisplayName = "Name of provider",
        Description = "OIDC identity pool provider for automated test",
        Disabled = true,
        AttributeCondition = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
        AttributeMapping = 
        {
            { "google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub" },
            { "attribute.tid", "assertion.tid" },
            { "attribute.managed_identity_name", @"      {
        ""8bb39bdb-1cc5-4447-b7db-a19e920eb111"":""workload1"",
        ""55d36609-9bcf-48e0-a366-a3cf19027d2a"":""workload2""
      }[assertion.oid]
" },
        },
        Oidc = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
        {
            AllowedAudiences = new[]
            {
                "https://example.com/gcp-oidc-federation",
                "example.com/gcp-oidc-federation",
            },
            IssuerUri = "https://sts.windows.net/azure-tenant-id",
            JwksJson = "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}",
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .build());

        var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
            .workloadIdentityPoolId(pool.workloadIdentityPoolId())
            .workloadIdentityPoolProviderId("example-prvdr")
            .displayName("Name of provider")
            .description("OIDC identity pool provider for automated test")
            .disabled(true)
            .attributeCondition("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups")
            .attributeMapping(Map.ofEntries(
                Map.entry("google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub"),
                Map.entry("attribute.tid", "assertion.tid"),
                Map.entry("attribute.managed_identity_name", """
      {
        "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
        "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
      }[assertion.oid]
                """)
            ))
            .oidc(WorkloadIdentityPoolProviderOidcArgs.builder()
                .allowedAudiences(                
                    "https://example.com/gcp-oidc-federation",
                    "example.com/gcp-oidc-federation")
                .issuerUri("https://sts.windows.net/azure-tenant-id")
                .jwksJson("{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}")
                .build())
            .build());

    }
}
Copy
resources:
  pool:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
  example:
    type: gcp:iam:WorkloadIdentityPoolProvider
    properties:
      workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
      workloadIdentityPoolProviderId: example-prvdr
      displayName: Name of provider
      description: OIDC identity pool provider for automated test
      disabled: true
      attributeCondition: '"e968c2ef-047c-498d-8d79-16ca1b61e77e" in assertion.groups'
      attributeMapping:
        google.subject: '"azure::" + assertion.tid + "::" + assertion.sub'
        attribute.tid: assertion.tid
        attribute.managed_identity_name: |2
                {
                  "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
                  "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
                }[assertion.oid]
      oidc:
        allowedAudiences:
          - https://example.com/gcp-oidc-federation
          - example.com/gcp-oidc-federation
        issuerUri: https://sts.windows.net/azure-tenant-id
        jwksJson: '{"keys":[{"kty":"RSA","alg":"RS256","kid":"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA","use":"sig","e":"AQAB","n":"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw"}]}'
Copy

Iam Workload Identity Pool Provider X509 Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";

const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
    workloadIdentityPoolId: pool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "example-prvdr",
    attributeMapping: {
        "google.subject": "assertion.subject.dn.cn",
    },
    x509: {
        trustStore: {
            trustAnchors: [{
                pemCertificate: std.file({
                    input: "test-fixtures/trust_anchor.pem",
                }).then(invoke => invoke.result),
            }],
        },
    },
});
Copy
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std

pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    attribute_mapping={
        "google.subject": "assertion.subject.dn.cn",
    },
    x509={
        "trust_store": {
            "trust_anchors": [{
                "pem_certificate": std.file(input="test-fixtures/trust_anchor.pem").result,
            }],
        },
    })
Copy
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		})
		if err != nil {
			return err
		}
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "test-fixtures/trust_anchor.pem",
		}, nil)
		if err != nil {
			return err
		}
		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			AttributeMapping: pulumi.StringMap{
				"google.subject": pulumi.String("assertion.subject.dn.cn"),
			},
			X509: &iam.WorkloadIdentityPoolProviderX509Args{
				TrustStore: &iam.WorkloadIdentityPoolProviderX509TrustStoreArgs{
					TrustAnchors: iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArray{
						&iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs{
							PemCertificate: pulumi.String(invokeFile.Result),
						},
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;

return await Deployment.RunAsync(() => 
{
    var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
    {
        WorkloadIdentityPoolId = "example-pool",
    });

    var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
    {
        WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
        WorkloadIdentityPoolProviderId = "example-prvdr",
        AttributeMapping = 
        {
            { "google.subject", "assertion.subject.dn.cn" },
        },
        X509 = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509Args
        {
            TrustStore = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreArgs
            {
                TrustAnchors = new[]
                {
                    new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs
                    {
                        PemCertificate = Std.File.Invoke(new()
                        {
                            Input = "test-fixtures/trust_anchor.pem",
                        }).Apply(invoke => invoke.Result),
                    },
                },
            },
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderX509Args;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderX509TrustStoreArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .build());

        var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
            .workloadIdentityPoolId(pool.workloadIdentityPoolId())
            .workloadIdentityPoolProviderId("example-prvdr")
            .attributeMapping(Map.of("google.subject", "assertion.subject.dn.cn"))
            .x509(WorkloadIdentityPoolProviderX509Args.builder()
                .trustStore(WorkloadIdentityPoolProviderX509TrustStoreArgs.builder()
                    .trustAnchors(WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs.builder()
                        .pemCertificate(StdFunctions.file(FileArgs.builder()
                            .input("test-fixtures/trust_anchor.pem")
                            .build()).result())
                        .build())
                    .build())
                .build())
            .build());

    }
}
Copy
resources:
  pool:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
  example:
    type: gcp:iam:WorkloadIdentityPoolProvider
    properties:
      workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
      workloadIdentityPoolProviderId: example-prvdr
      attributeMapping:
        google.subject: assertion.subject.dn.cn
      x509:
        trustStore:
          trustAnchors:
            - pemCertificate:
                fn::invoke:
                  function: std:file
                  arguments:
                    input: test-fixtures/trust_anchor.pem
                  return: result
Copy

Iam Workload Identity Pool Provider X509 Full

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";

const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
    workloadIdentityPoolId: pool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "example-prvdr",
    displayName: "Name of provider",
    description: "X.509 identity pool provider for automated test",
    disabled: true,
    attributeMapping: {
        "google.subject": "assertion.subject.dn.cn",
    },
    x509: {
        trustStore: {
            trustAnchors: [{
                pemCertificate: std.file({
                    input: "test-fixtures/trust_anchor.pem",
                }).then(invoke => invoke.result),
            }],
            intermediateCas: [{
                pemCertificate: std.file({
                    input: "test-fixtures/intermediate_ca.pem",
                }).then(invoke => invoke.result),
            }],
        },
    },
});
Copy
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std

pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
example = gcp.iam.WorkloadIdentityPoolProvider("example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    display_name="Name of provider",
    description="X.509 identity pool provider for automated test",
    disabled=True,
    attribute_mapping={
        "google.subject": "assertion.subject.dn.cn",
    },
    x509={
        "trust_store": {
            "trust_anchors": [{
                "pem_certificate": std.file(input="test-fixtures/trust_anchor.pem").result,
            }],
            "intermediate_cas": [{
                "pem_certificate": std.file(input="test-fixtures/intermediate_ca.pem").result,
            }],
        },
    })
Copy
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		})
		if err != nil {
			return err
		}
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "test-fixtures/trust_anchor.pem",
		}, nil)
		if err != nil {
			return err
		}
		invokeFile1, err := std.File(ctx, &std.FileArgs{
			Input: "test-fixtures/intermediate_ca.pem",
		}, nil)
		if err != nil {
			return err
		}
		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			DisplayName:                    pulumi.String("Name of provider"),
			Description:                    pulumi.String("X.509 identity pool provider for automated test"),
			Disabled:                       pulumi.Bool(true),
			AttributeMapping: pulumi.StringMap{
				"google.subject": pulumi.String("assertion.subject.dn.cn"),
			},
			X509: &iam.WorkloadIdentityPoolProviderX509Args{
				TrustStore: &iam.WorkloadIdentityPoolProviderX509TrustStoreArgs{
					TrustAnchors: iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArray{
						&iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs{
							PemCertificate: pulumi.String(invokeFile.Result),
						},
					},
					IntermediateCas: iam.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArray{
						&iam.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs{
							PemCertificate: pulumi.String(invokeFile1.Result),
						},
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;

return await Deployment.RunAsync(() => 
{
    var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
    {
        WorkloadIdentityPoolId = "example-pool",
    });

    var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
    {
        WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
        WorkloadIdentityPoolProviderId = "example-prvdr",
        DisplayName = "Name of provider",
        Description = "X.509 identity pool provider for automated test",
        Disabled = true,
        AttributeMapping = 
        {
            { "google.subject", "assertion.subject.dn.cn" },
        },
        X509 = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509Args
        {
            TrustStore = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreArgs
            {
                TrustAnchors = new[]
                {
                    new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs
                    {
                        PemCertificate = Std.File.Invoke(new()
                        {
                            Input = "test-fixtures/trust_anchor.pem",
                        }).Apply(invoke => invoke.Result),
                    },
                },
                IntermediateCas = new[]
                {
                    new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs
                    {
                        PemCertificate = Std.File.Invoke(new()
                        {
                            Input = "test-fixtures/intermediate_ca.pem",
                        }).Apply(invoke => invoke.Result),
                    },
                },
            },
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderX509Args;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderX509TrustStoreArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .build());

        var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
            .workloadIdentityPoolId(pool.workloadIdentityPoolId())
            .workloadIdentityPoolProviderId("example-prvdr")
            .displayName("Name of provider")
            .description("X.509 identity pool provider for automated test")
            .disabled(true)
            .attributeMapping(Map.of("google.subject", "assertion.subject.dn.cn"))
            .x509(WorkloadIdentityPoolProviderX509Args.builder()
                .trustStore(WorkloadIdentityPoolProviderX509TrustStoreArgs.builder()
                    .trustAnchors(WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs.builder()
                        .pemCertificate(StdFunctions.file(FileArgs.builder()
                            .input("test-fixtures/trust_anchor.pem")
                            .build()).result())
                        .build())
                    .intermediateCas(WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs.builder()
                        .pemCertificate(StdFunctions.file(FileArgs.builder()
                            .input("test-fixtures/intermediate_ca.pem")
                            .build()).result())
                        .build())
                    .build())
                .build())
            .build());

    }
}
Copy
resources:
  pool:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
  example:
    type: gcp:iam:WorkloadIdentityPoolProvider
    properties:
      workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
      workloadIdentityPoolProviderId: example-prvdr
      displayName: Name of provider
      description: X.509 identity pool provider for automated test
      disabled: true
      attributeMapping:
        google.subject: assertion.subject.dn.cn
      x509:
        trustStore:
          trustAnchors:
            - pemCertificate:
                fn::invoke:
                  function: std:file
                  arguments:
                    input: test-fixtures/trust_anchor.pem
                  return: result
          intermediateCas:
            - pemCertificate:
                fn::invoke:
                  function: std:file
                  arguments:
                    input: test-fixtures/intermediate_ca.pem
                  return: result
Copy

Create WorkloadIdentityPoolProvider Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new WorkloadIdentityPoolProvider(name: string, args: WorkloadIdentityPoolProviderArgs, opts?: CustomResourceOptions);
@overload
def WorkloadIdentityPoolProvider(resource_name: str,
                                 args: WorkloadIdentityPoolProviderArgs,
                                 opts: Optional[ResourceOptions] = None)

@overload
def WorkloadIdentityPoolProvider(resource_name: str,
                                 opts: Optional[ResourceOptions] = None,
                                 workload_identity_pool_id: Optional[str] = None,
                                 workload_identity_pool_provider_id: Optional[str] = None,
                                 attribute_condition: Optional[str] = None,
                                 attribute_mapping: Optional[Mapping[str, str]] = None,
                                 aws: Optional[WorkloadIdentityPoolProviderAwsArgs] = None,
                                 description: Optional[str] = None,
                                 disabled: Optional[bool] = None,
                                 display_name: Optional[str] = None,
                                 oidc: Optional[WorkloadIdentityPoolProviderOidcArgs] = None,
                                 project: Optional[str] = None,
                                 saml: Optional[WorkloadIdentityPoolProviderSamlArgs] = None,
                                 x509: Optional[WorkloadIdentityPoolProviderX509Args] = None)
func NewWorkloadIdentityPoolProvider(ctx *Context, name string, args WorkloadIdentityPoolProviderArgs, opts ...ResourceOption) (*WorkloadIdentityPoolProvider, error)
public WorkloadIdentityPoolProvider(string name, WorkloadIdentityPoolProviderArgs args, CustomResourceOptions? opts = null)
public WorkloadIdentityPoolProvider(String name, WorkloadIdentityPoolProviderArgs args)
public WorkloadIdentityPoolProvider(String name, WorkloadIdentityPoolProviderArgs args, CustomResourceOptions options)
type: gcp:iam:WorkloadIdentityPoolProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. WorkloadIdentityPoolProviderArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. WorkloadIdentityPoolProviderArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. WorkloadIdentityPoolProviderArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. WorkloadIdentityPoolProviderArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. WorkloadIdentityPoolProviderArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var workloadIdentityPoolProviderResource = new Gcp.Iam.WorkloadIdentityPoolProvider("workloadIdentityPoolProviderResource", new()
{
    WorkloadIdentityPoolId = "string",
    WorkloadIdentityPoolProviderId = "string",
    AttributeCondition = "string",
    AttributeMapping = 
    {
        { "string", "string" },
    },
    Aws = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderAwsArgs
    {
        AccountId = "string",
    },
    Description = "string",
    Disabled = false,
    DisplayName = "string",
    Oidc = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
    {
        IssuerUri = "string",
        AllowedAudiences = new[]
        {
            "string",
        },
        JwksJson = "string",
    },
    Project = "string",
    Saml = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderSamlArgs
    {
        IdpMetadataXml = "string",
    },
    X509 = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509Args
    {
        TrustStore = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreArgs
        {
            TrustAnchors = new[]
            {
                new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs
                {
                    PemCertificate = "string",
                },
            },
            IntermediateCas = new[]
            {
                new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs
                {
                    PemCertificate = "string",
                },
            },
        },
    },
});
Copy
example, err := iam.NewWorkloadIdentityPoolProvider(ctx, "workloadIdentityPoolProviderResource", &iam.WorkloadIdentityPoolProviderArgs{
	WorkloadIdentityPoolId:         pulumi.String("string"),
	WorkloadIdentityPoolProviderId: pulumi.String("string"),
	AttributeCondition:             pulumi.String("string"),
	AttributeMapping: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	Aws: &iam.WorkloadIdentityPoolProviderAwsArgs{
		AccountId: pulumi.String("string"),
	},
	Description: pulumi.String("string"),
	Disabled:    pulumi.Bool(false),
	DisplayName: pulumi.String("string"),
	Oidc: &iam.WorkloadIdentityPoolProviderOidcArgs{
		IssuerUri: pulumi.String("string"),
		AllowedAudiences: pulumi.StringArray{
			pulumi.String("string"),
		},
		JwksJson: pulumi.String("string"),
	},
	Project: pulumi.String("string"),
	Saml: &iam.WorkloadIdentityPoolProviderSamlArgs{
		IdpMetadataXml: pulumi.String("string"),
	},
	X509: &iam.WorkloadIdentityPoolProviderX509Args{
		TrustStore: &iam.WorkloadIdentityPoolProviderX509TrustStoreArgs{
			TrustAnchors: iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArray{
				&iam.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs{
					PemCertificate: pulumi.String("string"),
				},
			},
			IntermediateCas: iam.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArray{
				&iam.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs{
					PemCertificate: pulumi.String("string"),
				},
			},
		},
	},
})
Copy
var workloadIdentityPoolProviderResource = new WorkloadIdentityPoolProvider("workloadIdentityPoolProviderResource", WorkloadIdentityPoolProviderArgs.builder()
    .workloadIdentityPoolId("string")
    .workloadIdentityPoolProviderId("string")
    .attributeCondition("string")
    .attributeMapping(Map.of("string", "string"))
    .aws(WorkloadIdentityPoolProviderAwsArgs.builder()
        .accountId("string")
        .build())
    .description("string")
    .disabled(false)
    .displayName("string")
    .oidc(WorkloadIdentityPoolProviderOidcArgs.builder()
        .issuerUri("string")
        .allowedAudiences("string")
        .jwksJson("string")
        .build())
    .project("string")
    .saml(WorkloadIdentityPoolProviderSamlArgs.builder()
        .idpMetadataXml("string")
        .build())
    .x509(WorkloadIdentityPoolProviderX509Args.builder()
        .trustStore(WorkloadIdentityPoolProviderX509TrustStoreArgs.builder()
            .trustAnchors(WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs.builder()
                .pemCertificate("string")
                .build())
            .intermediateCas(WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs.builder()
                .pemCertificate("string")
                .build())
            .build())
        .build())
    .build());
Copy
workload_identity_pool_provider_resource = gcp.iam.WorkloadIdentityPoolProvider("workloadIdentityPoolProviderResource",
    workload_identity_pool_id="string",
    workload_identity_pool_provider_id="string",
    attribute_condition="string",
    attribute_mapping={
        "string": "string",
    },
    aws={
        "account_id": "string",
    },
    description="string",
    disabled=False,
    display_name="string",
    oidc={
        "issuer_uri": "string",
        "allowed_audiences": ["string"],
        "jwks_json": "string",
    },
    project="string",
    saml={
        "idp_metadata_xml": "string",
    },
    x509={
        "trust_store": {
            "trust_anchors": [{
                "pem_certificate": "string",
            }],
            "intermediate_cas": [{
                "pem_certificate": "string",
            }],
        },
    })
Copy
const workloadIdentityPoolProviderResource = new gcp.iam.WorkloadIdentityPoolProvider("workloadIdentityPoolProviderResource", {
    workloadIdentityPoolId: "string",
    workloadIdentityPoolProviderId: "string",
    attributeCondition: "string",
    attributeMapping: {
        string: "string",
    },
    aws: {
        accountId: "string",
    },
    description: "string",
    disabled: false,
    displayName: "string",
    oidc: {
        issuerUri: "string",
        allowedAudiences: ["string"],
        jwksJson: "string",
    },
    project: "string",
    saml: {
        idpMetadataXml: "string",
    },
    x509: {
        trustStore: {
            trustAnchors: [{
                pemCertificate: "string",
            }],
            intermediateCas: [{
                pemCertificate: "string",
            }],
        },
    },
});
Copy
type: gcp:iam:WorkloadIdentityPoolProvider
properties:
    attributeCondition: string
    attributeMapping:
        string: string
    aws:
        accountId: string
    description: string
    disabled: false
    displayName: string
    oidc:
        allowedAudiences:
            - string
        issuerUri: string
        jwksJson: string
    project: string
    saml:
        idpMetadataXml: string
    workloadIdentityPoolId: string
    workloadIdentityPoolProviderId: string
    x509:
        trustStore:
            intermediateCas:
                - pemCertificate: string
            trustAnchors:
                - pemCertificate: string
Copy

WorkloadIdentityPoolProvider Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The WorkloadIdentityPoolProvider resource accepts the following input properties:

WorkloadIdentityPoolId
This property is required.
Changes to this property will trigger replacement.
string
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
WorkloadIdentityPoolProviderId
This property is required.
Changes to this property will trigger replacement.
string
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


AttributeCondition string
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
AttributeMapping Dictionary<string, string>
Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
{
"google.subject":"assertion.arn",
"attribute.aws_role":
"assertion.arn.contains('assumed-role')"
" ? assertion.arn.extract('{account_arn}assumed-role/')"
"   + 'assumed-role/'"
"   + assertion.arn.extract('assumed-role/{role_name}/')"
" : assertion.arn",
}
  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
{"google.subject": "assertion.sub"}
Aws WorkloadIdentityPoolProviderAws
An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
Description string
A description for the provider. Cannot exceed 256 characters.
Disabled bool
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
DisplayName string
A display name for the provider. Cannot exceed 32 characters.
Oidc WorkloadIdentityPoolProviderOidc
An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
Project Changes to this property will trigger replacement. string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
Saml WorkloadIdentityPoolProviderSaml
An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
X509 WorkloadIdentityPoolProviderX509
An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
WorkloadIdentityPoolId
This property is required.
Changes to this property will trigger replacement.
string
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
WorkloadIdentityPoolProviderId
This property is required.
Changes to this property will trigger replacement.
string
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


AttributeCondition string
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
AttributeMapping map[string]string
Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
{
"google.subject":"assertion.arn",
"attribute.aws_role":
"assertion.arn.contains('assumed-role')"
" ? assertion.arn.extract('{account_arn}assumed-role/')"
"   + 'assumed-role/'"
"   + assertion.arn.extract('assumed-role/{role_name}/')"
" : assertion.arn",
}
  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
{"google.subject": "assertion.sub"}
Aws WorkloadIdentityPoolProviderAwsArgs
An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
Description string
A description for the provider. Cannot exceed 256 characters.
Disabled bool
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
DisplayName string
A display name for the provider. Cannot exceed 32 characters.
Oidc WorkloadIdentityPoolProviderOidcArgs
An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
Project Changes to this property will trigger replacement. string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
Saml WorkloadIdentityPoolProviderSamlArgs
An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
X509 WorkloadIdentityPoolProviderX509Args
An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
workloadIdentityPoolId
This property is required.
Changes to this property will trigger replacement.
String
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
workloadIdentityPoolProviderId
This property is required.
Changes to this property will trigger replacement.
String
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


attributeCondition String
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
attributeMapping Map<String,String>
Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
{
"google.subject":"assertion.arn",
"attribute.aws_role":
"assertion.arn.contains('assumed-role')"
" ? assertion.arn.extract('{account_arn}assumed-role/')"
"   + 'assumed-role/'"
"   + assertion.arn.extract('assumed-role/{role_name}/')"
" : assertion.arn",
}
  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
{"google.subject": "assertion.sub"}
aws WorkloadIdentityPoolProviderAws
An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
description String
A description for the provider. Cannot exceed 256 characters.
disabled Boolean
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
displayName String
A display name for the provider. Cannot exceed 32 characters.
oidc WorkloadIdentityPoolProviderOidc
An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
project Changes to this property will trigger replacement. String
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
saml WorkloadIdentityPoolProviderSaml
An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
x509 WorkloadIdentityPoolProviderX509
An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
workloadIdentityPoolId
This property is required.
Changes to this property will trigger replacement.
string
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
workloadIdentityPoolProviderId
This property is required.
Changes to this property will trigger replacement.
string
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


attributeCondition string
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
attributeMapping {[key: string]: string}
Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
{
"google.subject":"assertion.arn",
"attribute.aws_role":
"assertion.arn.contains('assumed-role')"
" ? assertion.arn.extract('{account_arn}assumed-role/')"
"   + 'assumed-role/'"
"   + assertion.arn.extract('assumed-role/{role_name}/')"
" : assertion.arn",
}
  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
{"google.subject": "assertion.sub"}
aws WorkloadIdentityPoolProviderAws
An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
description string
A description for the provider. Cannot exceed 256 characters.
disabled boolean
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
displayName string
A display name for the provider. Cannot exceed 32 characters.
oidc WorkloadIdentityPoolProviderOidc
An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
project Changes to this property will trigger replacement. string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
saml WorkloadIdentityPoolProviderSaml
An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
x509 WorkloadIdentityPoolProviderX509
An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
workload_identity_pool_id
This property is required.
Changes to this property will trigger replacement.
str
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
workload_identity_pool_provider_id
This property is required.
Changes to this property will trigger replacement.
str
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


attribute_condition str
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
attribute_mapping Mapping[str, str]
Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
{
"google.subject":"assertion.arn",
"attribute.aws_role":
"assertion.arn.contains('assumed-role')"
" ? assertion.arn.extract('{account_arn}assumed-role/')"
"   + 'assumed-role/'"
"   + assertion.arn.extract('assumed-role/{role_name}/')"
" : assertion.arn",
}
  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
{"google.subject": "assertion.sub"}
aws WorkloadIdentityPoolProviderAwsArgs
An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
description str
A description for the provider. Cannot exceed 256 characters.
disabled bool
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
display_name str
A display name for the provider. Cannot exceed 32 characters.
oidc WorkloadIdentityPoolProviderOidcArgs
An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
project Changes to this property will trigger replacement. str
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
saml WorkloadIdentityPoolProviderSamlArgs
An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
x509 WorkloadIdentityPoolProviderX509Args
An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
workloadIdentityPoolId
This property is required.
Changes to this property will trigger replacement.
String
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
workloadIdentityPoolProviderId
This property is required.
Changes to this property will trigger replacement.
String
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


attributeCondition String
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
attributeMapping Map<String>
Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
{
"google.subject":"assertion.arn",
"attribute.aws_role":
"assertion.arn.contains('assumed-role')"
" ? assertion.arn.extract('{account_arn}assumed-role/')"
"   + 'assumed-role/'"
"   + assertion.arn.extract('assumed-role/{role_name}/')"
" : assertion.arn",
}
  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
{"google.subject": "assertion.sub"}
aws Property Map
An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
description String
A description for the provider. Cannot exceed 256 characters.
disabled Boolean
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
displayName String
A display name for the provider. Cannot exceed 32 characters.
oidc Property Map
An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
project Changes to this property will trigger replacement. String
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
saml Property Map
An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
x509 Property Map
An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.

Outputs

All input properties are implicitly available as output properties. Additionally, the WorkloadIdentityPoolProvider resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Name string
The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
State string
The state of the provider.

  • STATE_UNSPECIFIED: State unspecified.
  • ACTIVE: The provider is active, and may be used to validate authentication credentials.
  • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
Id string
The provider-assigned unique ID for this managed resource.
Name string
The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
State string
The state of the provider.

  • STATE_UNSPECIFIED: State unspecified.
  • ACTIVE: The provider is active, and may be used to validate authentication credentials.
  • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
id String
The provider-assigned unique ID for this managed resource.
name String
The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
state String
The state of the provider.

  • STATE_UNSPECIFIED: State unspecified.
  • ACTIVE: The provider is active, and may be used to validate authentication credentials.
  • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
id string
The provider-assigned unique ID for this managed resource.
name string
The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
state string
The state of the provider.

  • STATE_UNSPECIFIED: State unspecified.
  • ACTIVE: The provider is active, and may be used to validate authentication credentials.
  • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
id str
The provider-assigned unique ID for this managed resource.
name str
The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
state str
The state of the provider.

  • STATE_UNSPECIFIED: State unspecified.
  • ACTIVE: The provider is active, and may be used to validate authentication credentials.
  • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
id String
The provider-assigned unique ID for this managed resource.
name String
The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
state String
The state of the provider.

  • STATE_UNSPECIFIED: State unspecified.
  • ACTIVE: The provider is active, and may be used to validate authentication credentials.
  • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.

Look up Existing WorkloadIdentityPoolProvider Resource

Get an existing WorkloadIdentityPoolProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: WorkloadIdentityPoolProviderState, opts?: CustomResourceOptions): WorkloadIdentityPoolProvider
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        attribute_condition: Optional[str] = None,
        attribute_mapping: Optional[Mapping[str, str]] = None,
        aws: Optional[WorkloadIdentityPoolProviderAwsArgs] = None,
        description: Optional[str] = None,
        disabled: Optional[bool] = None,
        display_name: Optional[str] = None,
        name: Optional[str] = None,
        oidc: Optional[WorkloadIdentityPoolProviderOidcArgs] = None,
        project: Optional[str] = None,
        saml: Optional[WorkloadIdentityPoolProviderSamlArgs] = None,
        state: Optional[str] = None,
        workload_identity_pool_id: Optional[str] = None,
        workload_identity_pool_provider_id: Optional[str] = None,
        x509: Optional[WorkloadIdentityPoolProviderX509Args] = None) -> WorkloadIdentityPoolProvider
func GetWorkloadIdentityPoolProvider(ctx *Context, name string, id IDInput, state *WorkloadIdentityPoolProviderState, opts ...ResourceOption) (*WorkloadIdentityPoolProvider, error)
public static WorkloadIdentityPoolProvider Get(string name, Input<string> id, WorkloadIdentityPoolProviderState? state, CustomResourceOptions? opts = null)
public static WorkloadIdentityPoolProvider get(String name, Output<String> id, WorkloadIdentityPoolProviderState state, CustomResourceOptions options)
resources:  _:    type: gcp:iam:WorkloadIdentityPoolProvider    get:      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AttributeCondition string
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
AttributeMapping Dictionary<string, string>
Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
{
"google.subject":"assertion.arn",
"attribute.aws_role":
"assertion.arn.contains('assumed-role')"
" ? assertion.arn.extract('{account_arn}assumed-role/')"
"   + 'assumed-role/'"
"   + assertion.arn.extract('assumed-role/{role_name}/')"
" : assertion.arn",
}
  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
{"google.subject": "assertion.sub"}
Aws WorkloadIdentityPoolProviderAws
An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
Description string
A description for the provider. Cannot exceed 256 characters.
Disabled bool
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
DisplayName string
A display name for the provider. Cannot exceed 32 characters.
Name string
The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
Oidc WorkloadIdentityPoolProviderOidc
An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
Project Changes to this property will trigger replacement. string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
Saml WorkloadIdentityPoolProviderSaml
An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
State string
The state of the provider.

  • STATE_UNSPECIFIED: State unspecified.
  • ACTIVE: The provider is active, and may be used to validate authentication credentials.
  • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
WorkloadIdentityPoolId Changes to this property will trigger replacement. string
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
WorkloadIdentityPoolProviderId Changes to this property will trigger replacement. string
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


X509 WorkloadIdentityPoolProviderX509
An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
AttributeCondition string
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
AttributeMapping map[string]string
Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
{
"google.subject":"assertion.arn",
"attribute.aws_role":
"assertion.arn.contains('assumed-role')"
" ? assertion.arn.extract('{account_arn}assumed-role/')"
"   + 'assumed-role/'"
"   + assertion.arn.extract('assumed-role/{role_name}/')"
" : assertion.arn",
}
  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
{"google.subject": "assertion.sub"}
Aws WorkloadIdentityPoolProviderAwsArgs
An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
Description string
A description for the provider. Cannot exceed 256 characters.
Disabled bool
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
DisplayName string
A display name for the provider. Cannot exceed 32 characters.
Name string
The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
Oidc WorkloadIdentityPoolProviderOidcArgs
An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
Project Changes to this property will trigger replacement. string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
Saml WorkloadIdentityPoolProviderSamlArgs
An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
State string
The state of the provider.

  • STATE_UNSPECIFIED: State unspecified.
  • ACTIVE: The provider is active, and may be used to validate authentication credentials.
  • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
WorkloadIdentityPoolId Changes to this property will trigger replacement. string
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
WorkloadIdentityPoolProviderId Changes to this property will trigger replacement. string
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


X509 WorkloadIdentityPoolProviderX509Args
An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
attributeCondition String
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
attributeMapping Map<String,String>
Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
{
"google.subject":"assertion.arn",
"attribute.aws_role":
"assertion.arn.contains('assumed-role')"
" ? assertion.arn.extract('{account_arn}assumed-role/')"
"   + 'assumed-role/'"
"   + assertion.arn.extract('assumed-role/{role_name}/')"
" : assertion.arn",
}
  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
{"google.subject": "assertion.sub"}
aws WorkloadIdentityPoolProviderAws
An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
description String
A description for the provider. Cannot exceed 256 characters.
disabled Boolean
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
displayName String
A display name for the provider. Cannot exceed 32 characters.
name String
The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
oidc WorkloadIdentityPoolProviderOidc
An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
project Changes to this property will trigger replacement. String
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
saml WorkloadIdentityPoolProviderSaml
An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
state String
The state of the provider.

  • STATE_UNSPECIFIED: State unspecified.
  • ACTIVE: The provider is active, and may be used to validate authentication credentials.
  • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
workloadIdentityPoolId Changes to this property will trigger replacement. String
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
workloadIdentityPoolProviderId Changes to this property will trigger replacement. String
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


x509 WorkloadIdentityPoolProviderX509
An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
attributeCondition string
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
attributeMapping {[key: string]: string}
Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
{
"google.subject":"assertion.arn",
"attribute.aws_role":
"assertion.arn.contains('assumed-role')"
" ? assertion.arn.extract('{account_arn}assumed-role/')"
"   + 'assumed-role/'"
"   + assertion.arn.extract('assumed-role/{role_name}/')"
" : assertion.arn",
}
  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
{"google.subject": "assertion.sub"}
aws WorkloadIdentityPoolProviderAws
An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
description string
A description for the provider. Cannot exceed 256 characters.
disabled boolean
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
displayName string
A display name for the provider. Cannot exceed 32 characters.
name string
The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
oidc WorkloadIdentityPoolProviderOidc
An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
project Changes to this property will trigger replacement. string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
saml WorkloadIdentityPoolProviderSaml
An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
state string
The state of the provider.

  • STATE_UNSPECIFIED: State unspecified.
  • ACTIVE: The provider is active, and may be used to validate authentication credentials.
  • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
workloadIdentityPoolId Changes to this property will trigger replacement. string
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
workloadIdentityPoolProviderId Changes to this property will trigger replacement. string
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


x509 WorkloadIdentityPoolProviderX509
An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
attribute_condition str
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
attribute_mapping Mapping[str, str]
Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
{
"google.subject":"assertion.arn",
"attribute.aws_role":
"assertion.arn.contains('assumed-role')"
" ? assertion.arn.extract('{account_arn}assumed-role/')"
"   + 'assumed-role/'"
"   + assertion.arn.extract('assumed-role/{role_name}/')"
" : assertion.arn",
}
  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
{"google.subject": "assertion.sub"}
aws WorkloadIdentityPoolProviderAwsArgs
An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
description str
A description for the provider. Cannot exceed 256 characters.
disabled bool
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
display_name str
A display name for the provider. Cannot exceed 32 characters.
name str
The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
oidc WorkloadIdentityPoolProviderOidcArgs
An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
project Changes to this property will trigger replacement. str
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
saml WorkloadIdentityPoolProviderSamlArgs
An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
state str
The state of the provider.

  • STATE_UNSPECIFIED: State unspecified.
  • ACTIVE: The provider is active, and may be used to validate authentication credentials.
  • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
workload_identity_pool_id Changes to this property will trigger replacement. str
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
workload_identity_pool_provider_id Changes to this property will trigger replacement. str
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


x509 WorkloadIdentityPoolProviderX509Args
An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.
attributeCondition String
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
attributeMapping Map<String>
Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
{
"google.subject":"assertion.arn",
"attribute.aws_role":
"assertion.arn.contains('assumed-role')"
" ? assertion.arn.extract('{account_arn}assumed-role/')"
"   + 'assumed-role/'"
"   + assertion.arn.extract('assumed-role/{role_name}/')"
" : assertion.arn",
}
  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
{"google.subject": "assertion.sub"}
aws Property Map
An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is documented below.
description String
A description for the provider. Cannot exceed 256 characters.
disabled Boolean
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
displayName String
A display name for the provider. Cannot exceed 32 characters.
name String
The resource name of the provider as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}.
oidc Property Map
An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is documented below.
project Changes to this property will trigger replacement. String
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
saml Property Map
An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is documented below.
state String
The state of the provider.

  • STATE_UNSPECIFIED: State unspecified.
  • ACTIVE: The provider is active, and may be used to validate authentication credentials.
  • DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
workloadIdentityPoolId Changes to this property will trigger replacement. String
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
workloadIdentityPoolProviderId Changes to this property will trigger replacement. String
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


x509 Property Map
An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is documented below.

Supporting Types

WorkloadIdentityPoolProviderAws
, WorkloadIdentityPoolProviderAwsArgs

AccountId This property is required. string
The AWS account ID.
AccountId This property is required. string
The AWS account ID.
accountId This property is required. String
The AWS account ID.
accountId This property is required. string
The AWS account ID.
account_id This property is required. str
The AWS account ID.
accountId This property is required. String
The AWS account ID.

WorkloadIdentityPoolProviderOidc
, WorkloadIdentityPoolProviderOidcArgs

IssuerUri This property is required. string
The OIDC issuer URL.
AllowedAudiences List<string>
Acceptable values for the aud field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

//iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
JwksJson string
OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

{
"keys": [
{
"kty": "RSA/EC",
"alg": "<algorithm>",
"use": "sig",
"kid": "<key-id>",
"n": "",
"e": "",
"x": "",
"y": "",
"crv": ""
}
]
}
IssuerUri This property is required. string
The OIDC issuer URL.
AllowedAudiences []string
Acceptable values for the aud field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

//iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
JwksJson string
OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

{
"keys": [
{
"kty": "RSA/EC",
"alg": "<algorithm>",
"use": "sig",
"kid": "<key-id>",
"n": "",
"e": "",
"x": "",
"y": "",
"crv": ""
}
]
}
issuerUri This property is required. String
The OIDC issuer URL.
allowedAudiences List<String>
Acceptable values for the aud field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

//iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
jwksJson String
OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

{
"keys": [
{
"kty": "RSA/EC",
"alg": "<algorithm>",
"use": "sig",
"kid": "<key-id>",
"n": "",
"e": "",
"x": "",
"y": "",
"crv": ""
}
]
}
issuerUri This property is required. string
The OIDC issuer URL.
allowedAudiences string[]
Acceptable values for the aud field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

//iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
jwksJson string
OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

{
"keys": [
{
"kty": "RSA/EC",
"alg": "<algorithm>",
"use": "sig",
"kid": "<key-id>",
"n": "",
"e": "",
"x": "",
"y": "",
"crv": ""
}
]
}
issuer_uri This property is required. str
The OIDC issuer URL.
allowed_audiences Sequence[str]
Acceptable values for the aud field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

//iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
jwks_json str
OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

{
"keys": [
{
"kty": "RSA/EC",
"alg": "<algorithm>",
"use": "sig",
"kid": "<key-id>",
"n": "",
"e": "",
"x": "",
"y": "",
"crv": ""
}
]
}
issuerUri This property is required. String
The OIDC issuer URL.
allowedAudiences List<String>
Acceptable values for the aud field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

//iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
jwksJson String
OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

{
"keys": [
{
"kty": "RSA/EC",
"alg": "<algorithm>",
"use": "sig",
"kid": "<key-id>",
"n": "",
"e": "",
"x": "",
"y": "",
"crv": ""
}
]
}

WorkloadIdentityPoolProviderSaml
, WorkloadIdentityPoolProviderSamlArgs

IdpMetadataXml This property is required. string

SAML Identity provider configuration metadata xml doc.

The x509 block supports:

IdpMetadataXml This property is required. string

SAML Identity provider configuration metadata xml doc.

The x509 block supports:

idpMetadataXml This property is required. String

SAML Identity provider configuration metadata xml doc.

The x509 block supports:

idpMetadataXml This property is required. string

SAML Identity provider configuration metadata xml doc.

The x509 block supports:

idp_metadata_xml This property is required. str

SAML Identity provider configuration metadata xml doc.

The x509 block supports:

idpMetadataXml This property is required. String

SAML Identity provider configuration metadata xml doc.

The x509 block supports:

WorkloadIdentityPoolProviderX509
, WorkloadIdentityPoolProviderX509Args

TrustStore This property is required. WorkloadIdentityPoolProviderX509TrustStore
A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
TrustStore This property is required. WorkloadIdentityPoolProviderX509TrustStore
A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
trustStore This property is required. WorkloadIdentityPoolProviderX509TrustStore
A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
trustStore This property is required. WorkloadIdentityPoolProviderX509TrustStore
A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
trust_store This property is required. WorkloadIdentityPoolProviderX509TrustStore
A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
trustStore This property is required. Property Map
A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.

WorkloadIdentityPoolProviderX509TrustStore
, WorkloadIdentityPoolProviderX509TrustStoreArgs

TrustAnchors This property is required. List<WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor>
List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
IntermediateCas List<WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa>
Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.
TrustAnchors This property is required. []WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor
List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
IntermediateCas []WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa
Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.
trustAnchors This property is required. List<WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor>
List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
intermediateCas List<WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa>
Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.
trustAnchors This property is required. WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor[]
List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
intermediateCas WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa[]
Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.
trust_anchors This property is required. Sequence[WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor]
List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
intermediate_cas Sequence[WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa]
Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.
trustAnchors This property is required. List<Property Map>
List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
intermediateCas List<Property Map>
Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is documented below.

WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa
, WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs

PemCertificate string
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
PemCertificate string
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
pemCertificate String
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
pemCertificate string
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
pem_certificate str
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
pemCertificate String
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).

WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor
, WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs

PemCertificate string
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
PemCertificate string
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
pemCertificate String
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
pemCertificate string
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
pem_certificate str
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
pemCertificate String
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).

Import

WorkloadIdentityPoolProvider can be imported using any of these accepted formats:

  • projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}

  • {{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}

  • {{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}

When using the pulumi import command, WorkloadIdentityPoolProvider can be imported using one of the formats above. For example:

$ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}
Copy
$ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
Copy
$ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
Copy

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
Google Cloud (GCP) Classic pulumi/pulumi-gcp
License
Apache-2.0
Notes
This Pulumi package is based on the google-beta Terraform Provider.