Google Cloud Classic v7.20.0, Apr 24 24

Google Cloud Classic v7.20.0 published on Wednesday, Apr 24, 2024 by Pulumi

gcp.iam.WorkforcePoolProvider

Explore with Pulumi AI

Google Cloud Classic v7.20.0 published on Wednesday, Apr 24, 2024 by Pulumi

pulumi/pulumi-gcp

Example Usage

Iam Workforce Pool Provider Saml Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const pool = new gcp.iam.WorkforcePool("pool", {
    workforcePoolId: "example-pool",
    parent: "organizations/123456789",
    location: "global",
});
const example = new gcp.iam.WorkforcePoolProvider("example", {
    workforcePoolId: pool.workforcePoolId,
    location: pool.location,
    providerId: "example-prvdr",
    attributeMapping: {
        "google.subject": "assertion.sub",
    },
    saml: {
        idpMetadataXml: "<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
    },
});

import pulumi
import pulumi_gcp as gcp

pool = gcp.iam.WorkforcePool("pool",
    workforce_pool_id="example-pool",
    parent="organizations/123456789",
    location="global")
example = gcp.iam.WorkforcePoolProvider("example",
    workforce_pool_id=pool.workforce_pool_id,
    location=pool.location,
    provider_id="example-prvdr",
    attribute_mapping={
        "google.subject": "assertion.sub",
    },
    saml=gcp.iam.WorkforcePoolProviderSamlArgs(
        idp_metadata_xml="<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
    ))

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkforcePool(ctx, "pool", &iam.WorkforcePoolArgs{
			WorkforcePoolId: pulumi.String("example-pool"),
			Parent:          pulumi.String("organizations/123456789"),
			Location:        pulumi.String("global"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewWorkforcePoolProvider(ctx, "example", &iam.WorkforcePoolProviderArgs{
			WorkforcePoolId: pool.WorkforcePoolId,
			Location:        pool.Location,
			ProviderId:      pulumi.String("example-prvdr"),
			AttributeMapping: pulumi.StringMap{
				"google.subject": pulumi.String("assertion.sub"),
			},
			Saml: &iam.WorkforcePoolProviderSamlArgs{
				IdpMetadataXml: pulumi.String("<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var pool = new Gcp.Iam.WorkforcePool("pool", new()
    {
        WorkforcePoolId = "example-pool",
        Parent = "organizations/123456789",
        Location = "global",
    });

    var example = new Gcp.Iam.WorkforcePoolProvider("example", new()
    {
        WorkforcePoolId = pool.WorkforcePoolId,
        Location = pool.Location,
        ProviderId = "example-prvdr",
        AttributeMapping = 
        {
            { "google.subject", "assertion.sub" },
        },
        Saml = new Gcp.Iam.Inputs.WorkforcePoolProviderSamlArgs
        {
            IdpMetadataXml = "<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkforcePool;
import com.pulumi.gcp.iam.WorkforcePoolArgs;
import com.pulumi.gcp.iam.WorkforcePoolProvider;
import com.pulumi.gcp.iam.WorkforcePoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderSamlArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pool = new WorkforcePool("pool", WorkforcePoolArgs.builder()        
            .workforcePoolId("example-pool")
            .parent("organizations/123456789")
            .location("global")
            .build());

        var example = new WorkforcePoolProvider("example", WorkforcePoolProviderArgs.builder()        
            .workforcePoolId(pool.workforcePoolId())
            .location(pool.location())
            .providerId("example-prvdr")
            .attributeMapping(Map.of("google.subject", "assertion.sub"))
            .saml(WorkforcePoolProviderSamlArgs.builder()
                .idpMetadataXml("<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>")
                .build())
            .build());

    }
}

resources:
  pool:
    type: gcp:iam:WorkforcePool
    properties:
      workforcePoolId: example-pool
      parent: organizations/123456789
      location: global
  example:
    type: gcp:iam:WorkforcePoolProvider
    properties:
      workforcePoolId: ${pool.workforcePoolId}
      location: ${pool.location}
      providerId: example-prvdr
      attributeMapping:
        google.subject: assertion.sub
      saml:
        idpMetadataXml: <?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://test.com"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test.com/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>

Iam Workforce Pool Provider Saml Full

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const pool = new gcp.iam.WorkforcePool("pool", {
    workforcePoolId: "example-pool",
    parent: "organizations/123456789",
    location: "global",
});
const example = new gcp.iam.WorkforcePoolProvider("example", {
    workforcePoolId: pool.workforcePoolId,
    location: pool.location,
    providerId: "example-prvdr",
    attributeMapping: {
        "google.subject": "assertion.sub",
    },
    saml: {
        idpMetadataXml: "<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
    },
    displayName: "Display name",
    description: "A sample SAML workforce pool provider.",
    disabled: false,
    attributeCondition: "true",
});

import pulumi
import pulumi_gcp as gcp

pool = gcp.iam.WorkforcePool("pool",
    workforce_pool_id="example-pool",
    parent="organizations/123456789",
    location="global")
example = gcp.iam.WorkforcePoolProvider("example",
    workforce_pool_id=pool.workforce_pool_id,
    location=pool.location,
    provider_id="example-prvdr",
    attribute_mapping={
        "google.subject": "assertion.sub",
    },
    saml=gcp.iam.WorkforcePoolProviderSamlArgs(
        idp_metadata_xml="<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
    ),
    display_name="Display name",
    description="A sample SAML workforce pool provider.",
    disabled=False,
    attribute_condition="true")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkforcePool(ctx, "pool", &iam.WorkforcePoolArgs{
			WorkforcePoolId: pulumi.String("example-pool"),
			Parent:          pulumi.String("organizations/123456789"),
			Location:        pulumi.String("global"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewWorkforcePoolProvider(ctx, "example", &iam.WorkforcePoolProviderArgs{
			WorkforcePoolId: pool.WorkforcePoolId,
			Location:        pool.Location,
			ProviderId:      pulumi.String("example-prvdr"),
			AttributeMapping: pulumi.StringMap{
				"google.subject": pulumi.String("assertion.sub"),
			},
			Saml: &iam.WorkforcePoolProviderSamlArgs{
				IdpMetadataXml: pulumi.String("<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>"),
			},
			DisplayName:        pulumi.String("Display name"),
			Description:        pulumi.String("A sample SAML workforce pool provider."),
			Disabled:           pulumi.Bool(false),
			AttributeCondition: pulumi.String("true"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var pool = new Gcp.Iam.WorkforcePool("pool", new()
    {
        WorkforcePoolId = "example-pool",
        Parent = "organizations/123456789",
        Location = "global",
    });

    var example = new Gcp.Iam.WorkforcePoolProvider("example", new()
    {
        WorkforcePoolId = pool.WorkforcePoolId,
        Location = pool.Location,
        ProviderId = "example-prvdr",
        AttributeMapping = 
        {
            { "google.subject", "assertion.sub" },
        },
        Saml = new Gcp.Iam.Inputs.WorkforcePoolProviderSamlArgs
        {
            IdpMetadataXml = "<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
        },
        DisplayName = "Display name",
        Description = "A sample SAML workforce pool provider.",
        Disabled = false,
        AttributeCondition = "true",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkforcePool;
import com.pulumi.gcp.iam.WorkforcePoolArgs;
import com.pulumi.gcp.iam.WorkforcePoolProvider;
import com.pulumi.gcp.iam.WorkforcePoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderSamlArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pool = new WorkforcePool("pool", WorkforcePoolArgs.builder()        
            .workforcePoolId("example-pool")
            .parent("organizations/123456789")
            .location("global")
            .build());

        var example = new WorkforcePoolProvider("example", WorkforcePoolProviderArgs.builder()        
            .workforcePoolId(pool.workforcePoolId())
            .location(pool.location())
            .providerId("example-prvdr")
            .attributeMapping(Map.of("google.subject", "assertion.sub"))
            .saml(WorkforcePoolProviderSamlArgs.builder()
                .idpMetadataXml("<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>")
                .build())
            .displayName("Display name")
            .description("A sample SAML workforce pool provider.")
            .disabled(false)
            .attributeCondition("true")
            .build());

    }
}

resources:
  pool:
    type: gcp:iam:WorkforcePool
    properties:
      workforcePoolId: example-pool
      parent: organizations/123456789
      location: global
  example:
    type: gcp:iam:WorkforcePoolProvider
    properties:
      workforcePoolId: ${pool.workforcePoolId}
      location: ${pool.location}
      providerId: example-prvdr
      attributeMapping:
        google.subject: assertion.sub
      saml:
        idpMetadataXml: <?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://test.com"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test.com/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>
      displayName: Display name
      description: A sample SAML workforce pool provider.
      disabled: false
      attributeCondition: 'true'

Iam Workforce Pool Provider Oidc Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const pool = new gcp.iam.WorkforcePool("pool", {
    workforcePoolId: "example-pool",
    parent: "organizations/123456789",
    location: "global",
});
const example = new gcp.iam.WorkforcePoolProvider("example", {
    workforcePoolId: pool.workforcePoolId,
    location: pool.location,
    providerId: "example-prvdr",
    attributeMapping: {
        "google.subject": "assertion.sub",
    },
    oidc: {
        issuerUri: "https://accounts.thirdparty.com",
        clientId: "client-id",
        clientSecret: {
            value: {
                plainText: "client-secret",
            },
        },
        webSsoConfig: {
            responseType: "CODE",
            assertionClaimsBehavior: "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
        },
    },
});

import pulumi
import pulumi_gcp as gcp

pool = gcp.iam.WorkforcePool("pool",
    workforce_pool_id="example-pool",
    parent="organizations/123456789",
    location="global")
example = gcp.iam.WorkforcePoolProvider("example",
    workforce_pool_id=pool.workforce_pool_id,
    location=pool.location,
    provider_id="example-prvdr",
    attribute_mapping={
        "google.subject": "assertion.sub",
    },
    oidc=gcp.iam.WorkforcePoolProviderOidcArgs(
        issuer_uri="https://accounts.thirdparty.com",
        client_id="client-id",
        client_secret=gcp.iam.WorkforcePoolProviderOidcClientSecretArgs(
            value=gcp.iam.WorkforcePoolProviderOidcClientSecretValueArgs(
                plain_text="client-secret",
            ),
        ),
        web_sso_config=gcp.iam.WorkforcePoolProviderOidcWebSsoConfigArgs(
            response_type="CODE",
            assertion_claims_behavior="MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
        ),
    ))

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkforcePool(ctx, "pool", &iam.WorkforcePoolArgs{
			WorkforcePoolId: pulumi.String("example-pool"),
			Parent:          pulumi.String("organizations/123456789"),
			Location:        pulumi.String("global"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewWorkforcePoolProvider(ctx, "example", &iam.WorkforcePoolProviderArgs{
			WorkforcePoolId: pool.WorkforcePoolId,
			Location:        pool.Location,
			ProviderId:      pulumi.String("example-prvdr"),
			AttributeMapping: pulumi.StringMap{
				"google.subject": pulumi.String("assertion.sub"),
			},
			Oidc: &iam.WorkforcePoolProviderOidcArgs{
				IssuerUri: pulumi.String("https://accounts.thirdparty.com"),
				ClientId:  pulumi.String("client-id"),
				ClientSecret: &iam.WorkforcePoolProviderOidcClientSecretArgs{
					Value: &iam.WorkforcePoolProviderOidcClientSecretValueArgs{
						PlainText: pulumi.String("client-secret"),
					},
				},
				WebSsoConfig: &iam.WorkforcePoolProviderOidcWebSsoConfigArgs{
					ResponseType:            pulumi.String("CODE"),
					AssertionClaimsBehavior: pulumi.String("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var pool = new Gcp.Iam.WorkforcePool("pool", new()
    {
        WorkforcePoolId = "example-pool",
        Parent = "organizations/123456789",
        Location = "global",
    });

    var example = new Gcp.Iam.WorkforcePoolProvider("example", new()
    {
        WorkforcePoolId = pool.WorkforcePoolId,
        Location = pool.Location,
        ProviderId = "example-prvdr",
        AttributeMapping = 
        {
            { "google.subject", "assertion.sub" },
        },
        Oidc = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcArgs
        {
            IssuerUri = "https://accounts.thirdparty.com",
            ClientId = "client-id",
            ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretArgs
            {
                Value = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretValueArgs
                {
                    PlainText = "client-secret",
                },
            },
            WebSsoConfig = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcWebSsoConfigArgs
            {
                ResponseType = "CODE",
                AssertionClaimsBehavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkforcePool;
import com.pulumi.gcp.iam.WorkforcePoolArgs;
import com.pulumi.gcp.iam.WorkforcePoolProvider;
import com.pulumi.gcp.iam.WorkforcePoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretValueArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcWebSsoConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pool = new WorkforcePool("pool", WorkforcePoolArgs.builder()        
            .workforcePoolId("example-pool")
            .parent("organizations/123456789")
            .location("global")
            .build());

        var example = new WorkforcePoolProvider("example", WorkforcePoolProviderArgs.builder()        
            .workforcePoolId(pool.workforcePoolId())
            .location(pool.location())
            .providerId("example-prvdr")
            .attributeMapping(Map.of("google.subject", "assertion.sub"))
            .oidc(WorkforcePoolProviderOidcArgs.builder()
                .issuerUri("https://accounts.thirdparty.com")
                .clientId("client-id")
                .clientSecret(WorkforcePoolProviderOidcClientSecretArgs.builder()
                    .value(WorkforcePoolProviderOidcClientSecretValueArgs.builder()
                        .plainText("client-secret")
                        .build())
                    .build())
                .webSsoConfig(WorkforcePoolProviderOidcWebSsoConfigArgs.builder()
                    .responseType("CODE")
                    .assertionClaimsBehavior("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS")
                    .build())
                .build())
            .build());

    }
}

resources:
  pool:
    type: gcp:iam:WorkforcePool
    properties:
      workforcePoolId: example-pool
      parent: organizations/123456789
      location: global
  example:
    type: gcp:iam:WorkforcePoolProvider
    properties:
      workforcePoolId: ${pool.workforcePoolId}
      location: ${pool.location}
      providerId: example-prvdr
      attributeMapping:
        google.subject: assertion.sub
      oidc:
        issuerUri: https://accounts.thirdparty.com
        clientId: client-id
        clientSecret:
          value:
            plainText: client-secret
        webSsoConfig:
          responseType: CODE
          assertionClaimsBehavior: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS

Iam Workforce Pool Provider Oidc Full

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const pool = new gcp.iam.WorkforcePool("pool", {
    workforcePoolId: "example-pool",
    parent: "organizations/123456789",
    location: "global",
});
const example = new gcp.iam.WorkforcePoolProvider("example", {
    workforcePoolId: pool.workforcePoolId,
    location: pool.location,
    providerId: "example-prvdr",
    attributeMapping: {
        "google.subject": "assertion.sub",
    },
    oidc: {
        issuerUri: "https://accounts.thirdparty.com",
        clientId: "client-id",
        clientSecret: {
            value: {
                plainText: "client-secret",
            },
        },
        webSsoConfig: {
            responseType: "CODE",
            assertionClaimsBehavior: "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
            additionalScopes: [
                "groups",
                "roles",
            ],
        },
    },
    displayName: "Display name",
    description: "A sample OIDC workforce pool provider.",
    disabled: false,
    attributeCondition: "true",
});

import pulumi
import pulumi_gcp as gcp

pool = gcp.iam.WorkforcePool("pool",
    workforce_pool_id="example-pool",
    parent="organizations/123456789",
    location="global")
example = gcp.iam.WorkforcePoolProvider("example",
    workforce_pool_id=pool.workforce_pool_id,
    location=pool.location,
    provider_id="example-prvdr",
    attribute_mapping={
        "google.subject": "assertion.sub",
    },
    oidc=gcp.iam.WorkforcePoolProviderOidcArgs(
        issuer_uri="https://accounts.thirdparty.com",
        client_id="client-id",
        client_secret=gcp.iam.WorkforcePoolProviderOidcClientSecretArgs(
            value=gcp.iam.WorkforcePoolProviderOidcClientSecretValueArgs(
                plain_text="client-secret",
            ),
        ),
        web_sso_config=gcp.iam.WorkforcePoolProviderOidcWebSsoConfigArgs(
            response_type="CODE",
            assertion_claims_behavior="MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
            additional_scopes=[
                "groups",
                "roles",
            ],
        ),
    ),
    display_name="Display name",
    description="A sample OIDC workforce pool provider.",
    disabled=False,
    attribute_condition="true")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkforcePool(ctx, "pool", &iam.WorkforcePoolArgs{
			WorkforcePoolId: pulumi.String("example-pool"),
			Parent:          pulumi.String("organizations/123456789"),
			Location:        pulumi.String("global"),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewWorkforcePoolProvider(ctx, "example", &iam.WorkforcePoolProviderArgs{
			WorkforcePoolId: pool.WorkforcePoolId,
			Location:        pool.Location,
			ProviderId:      pulumi.String("example-prvdr"),
			AttributeMapping: pulumi.StringMap{
				"google.subject": pulumi.String("assertion.sub"),
			},
			Oidc: &iam.WorkforcePoolProviderOidcArgs{
				IssuerUri: pulumi.String("https://accounts.thirdparty.com"),
				ClientId:  pulumi.String("client-id"),
				ClientSecret: &iam.WorkforcePoolProviderOidcClientSecretArgs{
					Value: &iam.WorkforcePoolProviderOidcClientSecretValueArgs{
						PlainText: pulumi.String("client-secret"),
					},
				},
				WebSsoConfig: &iam.WorkforcePoolProviderOidcWebSsoConfigArgs{
					ResponseType:            pulumi.String("CODE"),
					AssertionClaimsBehavior: pulumi.String("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"),
					AdditionalScopes: pulumi.StringArray{
						pulumi.String("groups"),
						pulumi.String("roles"),
					},
				},
			},
			DisplayName:        pulumi.String("Display name"),
			Description:        pulumi.String("A sample OIDC workforce pool provider."),
			Disabled:           pulumi.Bool(false),
			AttributeCondition: pulumi.String("true"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var pool = new Gcp.Iam.WorkforcePool("pool", new()
    {
        WorkforcePoolId = "example-pool",
        Parent = "organizations/123456789",
        Location = "global",
    });

    var example = new Gcp.Iam.WorkforcePoolProvider("example", new()
    {
        WorkforcePoolId = pool.WorkforcePoolId,
        Location = pool.Location,
        ProviderId = "example-prvdr",
        AttributeMapping = 
        {
            { "google.subject", "assertion.sub" },
        },
        Oidc = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcArgs
        {
            IssuerUri = "https://accounts.thirdparty.com",
            ClientId = "client-id",
            ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretArgs
            {
                Value = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretValueArgs
                {
                    PlainText = "client-secret",
                },
            },
            WebSsoConfig = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcWebSsoConfigArgs
            {
                ResponseType = "CODE",
                AssertionClaimsBehavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
                AdditionalScopes = new[]
                {
                    "groups",
                    "roles",
                },
            },
        },
        DisplayName = "Display name",
        Description = "A sample OIDC workforce pool provider.",
        Disabled = false,
        AttributeCondition = "true",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkforcePool;
import com.pulumi.gcp.iam.WorkforcePoolArgs;
import com.pulumi.gcp.iam.WorkforcePoolProvider;
import com.pulumi.gcp.iam.WorkforcePoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretValueArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcWebSsoConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pool = new WorkforcePool("pool", WorkforcePoolArgs.builder()        
            .workforcePoolId("example-pool")
            .parent("organizations/123456789")
            .location("global")
            .build());

        var example = new WorkforcePoolProvider("example", WorkforcePoolProviderArgs.builder()        
            .workforcePoolId(pool.workforcePoolId())
            .location(pool.location())
            .providerId("example-prvdr")
            .attributeMapping(Map.of("google.subject", "assertion.sub"))
            .oidc(WorkforcePoolProviderOidcArgs.builder()
                .issuerUri("https://accounts.thirdparty.com")
                .clientId("client-id")
                .clientSecret(WorkforcePoolProviderOidcClientSecretArgs.builder()
                    .value(WorkforcePoolProviderOidcClientSecretValueArgs.builder()
                        .plainText("client-secret")
                        .build())
                    .build())
                .webSsoConfig(WorkforcePoolProviderOidcWebSsoConfigArgs.builder()
                    .responseType("CODE")
                    .assertionClaimsBehavior("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS")
                    .additionalScopes(                    
                        "groups",
                        "roles")
                    .build())
                .build())
            .displayName("Display name")
            .description("A sample OIDC workforce pool provider.")
            .disabled(false)
            .attributeCondition("true")
            .build());

    }
}

resources:
  pool:
    type: gcp:iam:WorkforcePool
    properties:
      workforcePoolId: example-pool
      parent: organizations/123456789
      location: global
  example:
    type: gcp:iam:WorkforcePoolProvider
    properties:
      workforcePoolId: ${pool.workforcePoolId}
      location: ${pool.location}
      providerId: example-prvdr
      attributeMapping:
        google.subject: assertion.sub
      oidc:
        issuerUri: https://accounts.thirdparty.com
        clientId: client-id
        clientSecret:
          value:
            plainText: client-secret
        webSsoConfig:
          responseType: CODE
          assertionClaimsBehavior: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS
          additionalScopes:
            - groups
            - roles
      displayName: Display name
      description: A sample OIDC workforce pool provider.
      disabled: false
      attributeCondition: 'true'

Create WorkforcePoolProvider Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new WorkforcePoolProvider(name: string, args: WorkforcePoolProviderArgs, opts?: CustomResourceOptions);

@overload
def WorkforcePoolProvider(resource_name: str,
                          args: WorkforcePoolProviderArgs,
                          opts: Optional[ResourceOptions] = None)

@overload
def WorkforcePoolProvider(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          location: Optional[str] = None,
                          provider_id: Optional[str] = None,
                          workforce_pool_id: Optional[str] = None,
                          attribute_condition: Optional[str] = None,
                          attribute_mapping: Optional[Mapping[str, str]] = None,
                          description: Optional[str] = None,
                          disabled: Optional[bool] = None,
                          display_name: Optional[str] = None,
                          oidc: Optional[WorkforcePoolProviderOidcArgs] = None,
                          saml: Optional[WorkforcePoolProviderSamlArgs] = None)

func NewWorkforcePoolProvider(ctx *Context, name string, args WorkforcePoolProviderArgs, opts ...ResourceOption) (*WorkforcePoolProvider, error)

public WorkforcePoolProvider(string name, WorkforcePoolProviderArgs args, CustomResourceOptions? opts = null)

public WorkforcePoolProvider(String name, WorkforcePoolProviderArgs args)
public WorkforcePoolProvider(String name, WorkforcePoolProviderArgs args, CustomResourceOptions options)

type: gcp:iam:WorkforcePoolProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args WorkforcePoolProviderArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args WorkforcePoolProviderArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args WorkforcePoolProviderArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args WorkforcePoolProviderArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args WorkforcePoolProviderArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Example

The following reference example uses placeholder values for all input properties.

var workforcePoolProviderResource = new Gcp.Iam.WorkforcePoolProvider("workforcePoolProviderResource", new()
{
    Location = "string",
    ProviderId = "string",
    WorkforcePoolId = "string",
    AttributeCondition = "string",
    AttributeMapping = 
    {
        { "string", "string" },
    },
    Description = "string",
    Disabled = false,
    DisplayName = "string",
    Oidc = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcArgs
    {
        ClientId = "string",
        IssuerUri = "string",
        ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretArgs
        {
            Value = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretValueArgs
            {
                PlainText = "string",
                Thumbprint = "string",
            },
        },
        JwksJson = "string",
        WebSsoConfig = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcWebSsoConfigArgs
        {
            AssertionClaimsBehavior = "string",
            ResponseType = "string",
            AdditionalScopes = new[]
            {
                "string",
            },
        },
    },
    Saml = new Gcp.Iam.Inputs.WorkforcePoolProviderSamlArgs
    {
        IdpMetadataXml = "string",
    },
});

example, err := iam.NewWorkforcePoolProvider(ctx, "workforcePoolProviderResource", &iam.WorkforcePoolProviderArgs{
	Location:           pulumi.String("string"),
	ProviderId:         pulumi.String("string"),
	WorkforcePoolId:    pulumi.String("string"),
	AttributeCondition: pulumi.String("string"),
	AttributeMapping: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	Description: pulumi.String("string"),
	Disabled:    pulumi.Bool(false),
	DisplayName: pulumi.String("string"),
	Oidc: &iam.WorkforcePoolProviderOidcArgs{
		ClientId:  pulumi.String("string"),
		IssuerUri: pulumi.String("string"),
		ClientSecret: &iam.WorkforcePoolProviderOidcClientSecretArgs{
			Value: &iam.WorkforcePoolProviderOidcClientSecretValueArgs{
				PlainText:  pulumi.String("string"),
				Thumbprint: pulumi.String("string"),
			},
		},
		JwksJson: pulumi.String("string"),
		WebSsoConfig: &iam.WorkforcePoolProviderOidcWebSsoConfigArgs{
			AssertionClaimsBehavior: pulumi.String("string"),
			ResponseType:            pulumi.String("string"),
			AdditionalScopes: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	Saml: &iam.WorkforcePoolProviderSamlArgs{
		IdpMetadataXml: pulumi.String("string"),
	},
})

var workforcePoolProviderResource = new WorkforcePoolProvider("workforcePoolProviderResource", WorkforcePoolProviderArgs.builder()        
    .location("string")
    .providerId("string")
    .workforcePoolId("string")
    .attributeCondition("string")
    .attributeMapping(Map.of("string", "string"))
    .description("string")
    .disabled(false)
    .displayName("string")
    .oidc(WorkforcePoolProviderOidcArgs.builder()
        .clientId("string")
        .issuerUri("string")
        .clientSecret(WorkforcePoolProviderOidcClientSecretArgs.builder()
            .value(WorkforcePoolProviderOidcClientSecretValueArgs.builder()
                .plainText("string")
                .thumbprint("string")
                .build())
            .build())
        .jwksJson("string")
        .webSsoConfig(WorkforcePoolProviderOidcWebSsoConfigArgs.builder()
            .assertionClaimsBehavior("string")
            .responseType("string")
            .additionalScopes("string")
            .build())
        .build())
    .saml(WorkforcePoolProviderSamlArgs.builder()
        .idpMetadataXml("string")
        .build())
    .build());

workforce_pool_provider_resource = gcp.iam.WorkforcePoolProvider("workforcePoolProviderResource",
    location="string",
    provider_id="string",
    workforce_pool_id="string",
    attribute_condition="string",
    attribute_mapping={
        "string": "string",
    },
    description="string",
    disabled=False,
    display_name="string",
    oidc=gcp.iam.WorkforcePoolProviderOidcArgs(
        client_id="string",
        issuer_uri="string",
        client_secret=gcp.iam.WorkforcePoolProviderOidcClientSecretArgs(
            value=gcp.iam.WorkforcePoolProviderOidcClientSecretValueArgs(
                plain_text="string",
                thumbprint="string",
            ),
        ),
        jwks_json="string",
        web_sso_config=gcp.iam.WorkforcePoolProviderOidcWebSsoConfigArgs(
            assertion_claims_behavior="string",
            response_type="string",
            additional_scopes=["string"],
        ),
    ),
    saml=gcp.iam.WorkforcePoolProviderSamlArgs(
        idp_metadata_xml="string",
    ))

const workforcePoolProviderResource = new gcp.iam.WorkforcePoolProvider("workforcePoolProviderResource", {
    location: "string",
    providerId: "string",
    workforcePoolId: "string",
    attributeCondition: "string",
    attributeMapping: {
        string: "string",
    },
    description: "string",
    disabled: false,
    displayName: "string",
    oidc: {
        clientId: "string",
        issuerUri: "string",
        clientSecret: {
            value: {
                plainText: "string",
                thumbprint: "string",
            },
        },
        jwksJson: "string",
        webSsoConfig: {
            assertionClaimsBehavior: "string",
            responseType: "string",
            additionalScopes: ["string"],
        },
    },
    saml: {
        idpMetadataXml: "string",
    },
});

type: gcp:iam:WorkforcePoolProvider
properties:
    attributeCondition: string
    attributeMapping:
        string: string
    description: string
    disabled: false
    displayName: string
    location: string
    oidc:
        clientId: string
        clientSecret:
            value:
                plainText: string
                thumbprint: string
        issuerUri: string
        jwksJson: string
        webSsoConfig:
            additionalScopes:
                - string
            assertionClaimsBehavior: string
            responseType: string
    providerId: string
    saml:
        idpMetadataXml: string
    workforcePoolId: string

WorkforcePoolProvider Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The WorkforcePoolProvider resource accepts the following input properties:

Location string

The location for the resource.

ProviderId string

The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.

WorkforcePoolId string

The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified.

AttributeCondition string

A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:

AttributeMapping Dictionary<string, string>

Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:

{"google.subject": "assertion.sub"}

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Description string

A user-specified description of the provider. Cannot exceed 256 characters.

Disabled bool

Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.

DisplayName string

A user-specified display name for the provider. Cannot exceed 32 characters.

Oidc WorkforcePoolProviderOidc

Represents an OpenId Connect 1.0 identity provider. Structure is documented below.

Saml WorkforcePoolProviderSaml

Represents a SAML identity provider. Structure is documented below.

Location string

The location for the resource.

ProviderId string

WorkforcePoolId string

AttributeCondition string

AttributeMapping map[string]string

google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:

{"google.subject": "assertion.sub"}

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Description string

A user-specified description of the provider. Cannot exceed 256 characters.

Disabled bool

Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.

DisplayName string

A user-specified display name for the provider. Cannot exceed 32 characters.

Oidc WorkforcePoolProviderOidcArgs

Represents an OpenId Connect 1.0 identity provider. Structure is documented below.

Saml WorkforcePoolProviderSamlArgs

Represents a SAML identity provider. Structure is documented below.

location String

The location for the resource.

providerId String

workforcePoolId String

attributeCondition String

attributeMapping Map<String,String>

google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:

{"google.subject": "assertion.sub"}

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

description String

A user-specified description of the provider. Cannot exceed 256 characters.

disabled Boolean

Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.

displayName String

A user-specified display name for the provider. Cannot exceed 32 characters.

oidc WorkforcePoolProviderOidc

Represents an OpenId Connect 1.0 identity provider. Structure is documented below.

saml WorkforcePoolProviderSaml

Represents a SAML identity provider. Structure is documented below.

location string

The location for the resource.

providerId string

workforcePoolId string

attributeCondition string

attributeMapping {[key: string]: string}

google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:

{"google.subject": "assertion.sub"}

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

description string

A user-specified description of the provider. Cannot exceed 256 characters.

disabled boolean

Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.

displayName string

A user-specified display name for the provider. Cannot exceed 32 characters.

oidc WorkforcePoolProviderOidc

Represents an OpenId Connect 1.0 identity provider. Structure is documented below.

saml WorkforcePoolProviderSaml

Represents a SAML identity provider. Structure is documented below.

location str

The location for the resource.

provider_id str

workforce_pool_id str

attribute_condition str

attribute_mapping Mapping[str, str]

google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:

{"google.subject": "assertion.sub"}

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

description str

A user-specified description of the provider. Cannot exceed 256 characters.

disabled bool

Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.

display_name str

A user-specified display name for the provider. Cannot exceed 32 characters.

oidc WorkforcePoolProviderOidcArgs

Represents an OpenId Connect 1.0 identity provider. Structure is documented below.

saml WorkforcePoolProviderSamlArgs

Represents a SAML identity provider. Structure is documented below.

location String

The location for the resource.

providerId String

workforcePoolId String

attributeCondition String

attributeMapping Map<String>

google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:

{"google.subject": "assertion.sub"}

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

description String

A user-specified description of the provider. Cannot exceed 256 characters.

disabled Boolean

Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.

displayName String

A user-specified display name for the provider. Cannot exceed 32 characters.

oidc Property Map

Represents an OpenId Connect 1.0 identity provider. Structure is documented below.

saml Property Map

Represents a SAML identity provider. Structure is documented below.

Outputs

All input properties are implicitly available as output properties. Additionally, the WorkforcePoolProvider resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Name string

Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}

State string

The current state of the provider.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The provider is active and may be used to validate authentication credentials.
DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.

Id string

The provider-assigned unique ID for this managed resource.

Name string

Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}

State string

The current state of the provider.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The provider is active and may be used to validate authentication credentials.
DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.

id String

The provider-assigned unique ID for this managed resource.

name String

Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}

state String

The current state of the provider.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The provider is active and may be used to validate authentication credentials.
DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.

id string

The provider-assigned unique ID for this managed resource.

name string

Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}

state string

The current state of the provider.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The provider is active and may be used to validate authentication credentials.
DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.

id str

The provider-assigned unique ID for this managed resource.

name str

Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}

state str

The current state of the provider.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The provider is active and may be used to validate authentication credentials.
DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.

id String

The provider-assigned unique ID for this managed resource.

name String

Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}

state String

The current state of the provider.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The provider is active and may be used to validate authentication credentials.
DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.

Look up Existing WorkforcePoolProvider Resource

Get an existing WorkforcePoolProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: WorkforcePoolProviderState, opts?: CustomResourceOptions): WorkforcePoolProvider

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        attribute_condition: Optional[str] = None,
        attribute_mapping: Optional[Mapping[str, str]] = None,
        description: Optional[str] = None,
        disabled: Optional[bool] = None,
        display_name: Optional[str] = None,
        location: Optional[str] = None,
        name: Optional[str] = None,
        oidc: Optional[WorkforcePoolProviderOidcArgs] = None,
        provider_id: Optional[str] = None,
        saml: Optional[WorkforcePoolProviderSamlArgs] = None,
        state: Optional[str] = None,
        workforce_pool_id: Optional[str] = None) -> WorkforcePoolProvider

func GetWorkforcePoolProvider(ctx *Context, name string, id IDInput, state *WorkforcePoolProviderState, opts ...ResourceOption) (*WorkforcePoolProvider, error)

public static WorkforcePoolProvider Get(string name, Input<string> id, WorkforcePoolProviderState? state, CustomResourceOptions? opts = null)

public static WorkforcePoolProvider get(String name, Output<String> id, WorkforcePoolProviderState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AttributeCondition string

AttributeMapping Dictionary<string, string>

google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:

{"google.subject": "assertion.sub"}

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Description string

A user-specified description of the provider. Cannot exceed 256 characters.

Disabled bool

Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.

DisplayName string

A user-specified display name for the provider. Cannot exceed 32 characters.

Location string

The location for the resource.

Name string

Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}

Oidc WorkforcePoolProviderOidc

Represents an OpenId Connect 1.0 identity provider. Structure is documented below.

ProviderId string

Saml WorkforcePoolProviderSaml

Represents a SAML identity provider. Structure is documented below.

State string

The current state of the provider.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The provider is active and may be used to validate authentication credentials.
DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.

WorkforcePoolId string

AttributeCondition string

AttributeMapping map[string]string

google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:

{"google.subject": "assertion.sub"}

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Description string

A user-specified description of the provider. Cannot exceed 256 characters.

Disabled bool

Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.

DisplayName string

A user-specified display name for the provider. Cannot exceed 32 characters.

Location string

The location for the resource.

Name string

Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}

Oidc WorkforcePoolProviderOidcArgs

Represents an OpenId Connect 1.0 identity provider. Structure is documented below.

ProviderId string

Saml WorkforcePoolProviderSamlArgs

Represents a SAML identity provider. Structure is documented below.

State string

The current state of the provider.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The provider is active and may be used to validate authentication credentials.
DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.

WorkforcePoolId string

attributeCondition String

attributeMapping Map<String,String>

google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:

{"google.subject": "assertion.sub"}

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

description String

A user-specified description of the provider. Cannot exceed 256 characters.

disabled Boolean

Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.

displayName String

A user-specified display name for the provider. Cannot exceed 32 characters.

location String

The location for the resource.

name String

Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}

oidc WorkforcePoolProviderOidc

Represents an OpenId Connect 1.0 identity provider. Structure is documented below.

providerId String

saml WorkforcePoolProviderSaml

Represents a SAML identity provider. Structure is documented below.

state String

The current state of the provider.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The provider is active and may be used to validate authentication credentials.
DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.

workforcePoolId String

attributeCondition string

attributeMapping {[key: string]: string}

google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:

{"google.subject": "assertion.sub"}

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

description string

A user-specified description of the provider. Cannot exceed 256 characters.

disabled boolean

Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.

displayName string

A user-specified display name for the provider. Cannot exceed 32 characters.

location string

The location for the resource.

name string

Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}

oidc WorkforcePoolProviderOidc

Represents an OpenId Connect 1.0 identity provider. Structure is documented below.

providerId string

saml WorkforcePoolProviderSaml

Represents a SAML identity provider. Structure is documented below.

state string

The current state of the provider.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The provider is active and may be used to validate authentication credentials.
DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.

workforcePoolId string

attribute_condition str

attribute_mapping Mapping[str, str]

google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:

{"google.subject": "assertion.sub"}

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

description str

A user-specified description of the provider. Cannot exceed 256 characters.

disabled bool

Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.

display_name str

A user-specified display name for the provider. Cannot exceed 32 characters.

location str

The location for the resource.

name str

Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}

oidc WorkforcePoolProviderOidcArgs

Represents an OpenId Connect 1.0 identity provider. Structure is documented below.

provider_id str

saml WorkforcePoolProviderSamlArgs

Represents a SAML identity provider. Structure is documented below.

state str

The current state of the provider.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The provider is active and may be used to validate authentication credentials.
DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.

workforce_pool_id str

attributeCondition String

attributeMapping Map<String>

google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.
google.groups: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.
google.display_name: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, google.subject will be displayed instead. This attribute cannot be referenced in IAM bindings.
google.profile_photo: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:
google.subject: principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token:

{"google.subject": "assertion.sub"}

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

description String

A user-specified description of the provider. Cannot exceed 256 characters.

disabled Boolean

Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.

displayName String

A user-specified display name for the provider. Cannot exceed 32 characters.

location String

The location for the resource.

name String

Output only. The resource name of the provider. Format: locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}

oidc Property Map

Represents an OpenId Connect 1.0 identity provider. Structure is documented below.

providerId String

saml Property Map

Represents a SAML identity provider. Structure is documented below.

state String

The current state of the provider.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The provider is active and may be used to validate authentication credentials.
DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.

workforcePoolId String

Supporting Types

WorkforcePoolProviderOidc, WorkforcePoolProviderOidcArgs

ClientId string

The client ID. Must match the audience claim of the JWT issued by the identity provider.

IssuerUri string

The OIDC issuer URI. Must be a valid URI using the 'https' scheme.

ClientSecret WorkforcePoolProviderOidcClientSecret

The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.

JwksJson string

OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the jwks_uri from the discovery document fetched from the .well-known path for the issuer_uri. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:

{
"keys": [
{
"kty": "RSA/EC",
"alg": "<algorithm>",
"use": "sig",
"kid": "<key-id>",
"n": "",
"e": "",
"x": "",
"y": "",
"crv": ""
}
]
}

WebSsoConfig WorkforcePoolProviderOidcWebSsoConfig

Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.

ClientId string

The client ID. Must match the audience claim of the JWT issued by the identity provider.

IssuerUri string

The OIDC issuer URI. Must be a valid URI using the 'https' scheme.

ClientSecret WorkforcePoolProviderOidcClientSecret

The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.

JwksJson string

{
"keys": [
{
"kty": "RSA/EC",
"alg": "<algorithm>",
"use": "sig",
"kid": "<key-id>",
"n": "",
"e": "",
"x": "",
"y": "",
"crv": ""
}
]
}

WebSsoConfig WorkforcePoolProviderOidcWebSsoConfig

Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.

clientId String

The client ID. Must match the audience claim of the JWT issued by the identity provider.

issuerUri String

The OIDC issuer URI. Must be a valid URI using the 'https' scheme.

clientSecret WorkforcePoolProviderOidcClientSecret

The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.

jwksJson String

{
"keys": [
{
"kty": "RSA/EC",
"alg": "<algorithm>",
"use": "sig",
"kid": "<key-id>",
"n": "",
"e": "",
"x": "",
"y": "",
"crv": ""
}
]
}

webSsoConfig WorkforcePoolProviderOidcWebSsoConfig

Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.

clientId string

The client ID. Must match the audience claim of the JWT issued by the identity provider.

issuerUri string

The OIDC issuer URI. Must be a valid URI using the 'https' scheme.

clientSecret WorkforcePoolProviderOidcClientSecret

The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.

jwksJson string

{
"keys": [
{
"kty": "RSA/EC",
"alg": "<algorithm>",
"use": "sig",
"kid": "<key-id>",
"n": "",
"e": "",
"x": "",
"y": "",
"crv": ""
}
]
}

webSsoConfig WorkforcePoolProviderOidcWebSsoConfig

Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.

client_id str

The client ID. Must match the audience claim of the JWT issued by the identity provider.

issuer_uri str

The OIDC issuer URI. Must be a valid URI using the 'https' scheme.

client_secret WorkforcePoolProviderOidcClientSecret

The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.

jwks_json str

{
"keys": [
{
"kty": "RSA/EC",
"alg": "<algorithm>",
"use": "sig",
"kid": "<key-id>",
"n": "",
"e": "",
"x": "",
"y": "",
"crv": ""
}
]
}

web_sso_config WorkforcePoolProviderOidcWebSsoConfig

Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.

clientId String

The client ID. Must match the audience claim of the JWT issued by the identity provider.

issuerUri String

The OIDC issuer URI. Must be a valid URI using the 'https' scheme.

clientSecret Property Map

The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.

jwksJson String

{
"keys": [
{
"kty": "RSA/EC",
"alg": "<algorithm>",
"use": "sig",
"kid": "<key-id>",
"n": "",
"e": "",
"x": "",
"y": "",
"crv": ""
}
]
}

webSsoConfig Property Map

Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.

WorkforcePoolProviderOidcClientSecret, WorkforcePoolProviderOidcClientSecretArgs

Value WorkforcePoolProviderOidcClientSecretValue: The value of the client secret. Structure is documented below.

Value WorkforcePoolProviderOidcClientSecretValue: The value of the client secret. Structure is documented below.

value WorkforcePoolProviderOidcClientSecretValue: The value of the client secret. Structure is documented below.

value WorkforcePoolProviderOidcClientSecretValue: The value of the client secret. Structure is documented below.

value WorkforcePoolProviderOidcClientSecretValue: The value of the client secret. Structure is documented below.

value Property Map: The value of the client secret. Structure is documented below.

WorkforcePoolProviderOidcClientSecretValue, WorkforcePoolProviderOidcClientSecretValueArgs

PlainText string: The plain text of the client secret value. Note: This property is sensitive and will not be displayed in the plan.
Thumbprint string: (Output) A thumbprint to represent the current client secret value.

PlainText string: The plain text of the client secret value. Note: This property is sensitive and will not be displayed in the plan.
Thumbprint string: (Output) A thumbprint to represent the current client secret value.

plainText String: The plain text of the client secret value. Note: This property is sensitive and will not be displayed in the plan.
thumbprint String: (Output) A thumbprint to represent the current client secret value.

plainText string: The plain text of the client secret value. Note: This property is sensitive and will not be displayed in the plan.
thumbprint string: (Output) A thumbprint to represent the current client secret value.

plain_text str: The plain text of the client secret value. Note: This property is sensitive and will not be displayed in the plan.
thumbprint str: (Output) A thumbprint to represent the current client secret value.

plainText String: The plain text of the client secret value. Note: This property is sensitive and will not be displayed in the plan.
thumbprint String: (Output) A thumbprint to represent the current client secret value.

WorkforcePoolProviderOidcWebSsoConfig, WorkforcePoolProviderOidcWebSsoConfigArgs

AssertionClaimsBehavior string

The behavior for how OIDC Claims are included in the assertion object used for attribute mapping and attribute condition.

MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims. Possible values are: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS, ONLY_ID_TOKEN_CLAIMS.

ResponseType string

The Response Type to request for in the OIDC Authorization Request for web sign-in. The CODE Response Type is recommended to avoid the Implicit Flow, for security reasons.

CODE: The response_type=code selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret.
ID_TOKEN: The response_type=id_token selection uses the Implicit Flow for web sign-in. Possible values are: CODE, ID_TOKEN.

AdditionalScopes List<string>

Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the openid, profile and email scopes that are supported by the identity provider are requested. Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.

AssertionClaimsBehavior string

The behavior for how OIDC Claims are included in the assertion object used for attribute mapping and attribute condition.

MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims. Possible values are: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS, ONLY_ID_TOKEN_CLAIMS.

ResponseType string

The Response Type to request for in the OIDC Authorization Request for web sign-in. The CODE Response Type is recommended to avoid the Implicit Flow, for security reasons.

CODE: The response_type=code selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret.
ID_TOKEN: The response_type=id_token selection uses the Implicit Flow for web sign-in. Possible values are: CODE, ID_TOKEN.

AdditionalScopes []string

assertionClaimsBehavior String

The behavior for how OIDC Claims are included in the assertion object used for attribute mapping and attribute condition.

MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims. Possible values are: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS, ONLY_ID_TOKEN_CLAIMS.

responseType String

The Response Type to request for in the OIDC Authorization Request for web sign-in. The CODE Response Type is recommended to avoid the Implicit Flow, for security reasons.

CODE: The response_type=code selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret.
ID_TOKEN: The response_type=id_token selection uses the Implicit Flow for web sign-in. Possible values are: CODE, ID_TOKEN.

additionalScopes List<String>

assertionClaimsBehavior string

The behavior for how OIDC Claims are included in the assertion object used for attribute mapping and attribute condition.

MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims. Possible values are: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS, ONLY_ID_TOKEN_CLAIMS.

responseType string

The Response Type to request for in the OIDC Authorization Request for web sign-in. The CODE Response Type is recommended to avoid the Implicit Flow, for security reasons.

CODE: The response_type=code selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret.
ID_TOKEN: The response_type=id_token selection uses the Implicit Flow for web sign-in. Possible values are: CODE, ID_TOKEN.

additionalScopes string[]

assertion_claims_behavior str

The behavior for how OIDC Claims are included in the assertion object used for attribute mapping and attribute condition.

MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims. Possible values are: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS, ONLY_ID_TOKEN_CLAIMS.

response_type str

The Response Type to request for in the OIDC Authorization Request for web sign-in. The CODE Response Type is recommended to avoid the Implicit Flow, for security reasons.

CODE: The response_type=code selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret.
ID_TOKEN: The response_type=id_token selection uses the Implicit Flow for web sign-in. Possible values are: CODE, ID_TOKEN.

additional_scopes Sequence[str]

assertionClaimsBehavior String

The behavior for how OIDC Claims are included in the assertion object used for attribute mapping and attribute condition.

MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims. Possible values are: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS, ONLY_ID_TOKEN_CLAIMS.

responseType String

The Response Type to request for in the OIDC Authorization Request for web sign-in. The CODE Response Type is recommended to avoid the Implicit Flow, for security reasons.

CODE: The response_type=code selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret.
ID_TOKEN: The response_type=id_token selection uses the Implicit Flow for web sign-in. Possible values are: CODE, ID_TOKEN.

additionalScopes List<String>

WorkforcePoolProviderSaml, WorkforcePoolProviderSamlArgs

IdpMetadataXml string

SAML Identity provider configuration metadata xml doc. The xml document should comply with SAML 2.0 specification. The max size of the acceptable xml document will be bounded to 128k characters. The metadata xml document should satisfy the following constraints:

Must contain an Identity Provider Entity ID.
Must contain at least one non-expired signing key certificate.
For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.

IdpMetadataXml string

Must contain an Identity Provider Entity ID.
Must contain at least one non-expired signing key certificate.
For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.

idpMetadataXml String

Must contain an Identity Provider Entity ID.
Must contain at least one non-expired signing key certificate.
For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.

idpMetadataXml string

Must contain an Identity Provider Entity ID.
Must contain at least one non-expired signing key certificate.
For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.

idp_metadata_xml str

Must contain an Identity Provider Entity ID.
Must contain at least one non-expired signing key certificate.
For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.

idpMetadataXml String

Must contain an Identity Provider Entity ID.
Must contain at least one non-expired signing key certificate.
For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.

Import

WorkforcePoolProvider can be imported using any of these accepted formats:

locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}
{{location}}/{{workforce_pool_id}}/{{provider_id}}

When using the pulumi import command, WorkforcePoolProvider can be imported using one of the formats above. For example:

$ pulumi import gcp:iam/workforcePoolProvider:WorkforcePoolProvider default locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}

$ pulumi import gcp:iam/workforcePoolProvider:WorkforcePoolProvider default {{location}}/{{workforce_pool_id}}/{{provider_id}}

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Google Cloud (GCP) Classic pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.

Google Cloud Classic v7.20.0 published on Wednesday, Apr 24, 2024 by Pulumi

pulumi/pulumi-gcp

gcp.iam.WorkforcePoolProvider

On this page

On this page

Example Usage

Iam Workforce Pool Provider Saml Basic

Iam Workforce Pool Provider Saml Full

Iam Workforce Pool Provider Oidc Basic

Iam Workforce Pool Provider Oidc Full

Create WorkforcePoolProvider Resource

Constructor syntax

Parameters

Example

WorkforcePoolProvider Resource Properties

Inputs

Outputs

Look up Existing WorkforcePoolProvider Resource

Supporting Types

WorkforcePoolProviderOidc, WorkforcePoolProviderOidcArgs

WorkforcePoolProviderOidcClientSecret, WorkforcePoolProviderOidcClientSecretArgs

WorkforcePoolProviderOidcClientSecretValue, WorkforcePoolProviderOidcClientSecretValueArgs

WorkforcePoolProviderOidcWebSsoConfig, WorkforcePoolProviderOidcWebSsoConfigArgs

WorkforcePoolProviderSaml, WorkforcePoolProviderSamlArgs

Import

Package Details

On this page

On this page