WorkloadIdentityPoolProvider

A configuration for an external identity provider.

To get more information about WorkloadIdentityPoolProvider, see:

Example Usage

Iam Workload Identity Pool Provider Aws Basic

using Pulumi;
using Gcp = Pulumi.Gcp;

/// <summary>
/// "Aws Basic" sample: one Workload Identity Pool and one AWS provider attached to it.
/// Both resources are created through the google-beta provider; <c>google_beta</c> is a
/// placeholder for a provider instance declared elsewhere in the program.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var poolOptions = new CustomResourceOptions { Provider = google_beta };
        var poolArgs = new Gcp.Iam.WorkloadIdentityPoolArgs
        {
            // Final component of the pool resource name (4-32 chars, [a-z0-9-], no "gcp-" prefix).
            WorkloadIdentityPoolId = "example-pool",
        };
        var pool = new Gcp.Iam.WorkloadIdentityPool("pool", poolArgs, poolOptions);

        // Placeholder AWS account; replace with the account whose principals may federate.
        var awsSettings = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderAwsArgs
        {
            AccountId = "999999999999",
        };
        var providerArgs = new Gcp.Iam.WorkloadIdentityPoolProviderArgs
        {
            WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
            WorkloadIdentityPoolProviderId = "example-prvdr",
            // No AttributeCondition: every credential this provider accepts is allowed to
            // federate, so IAM bindings on the pool must be scoped on the mapped subject/attributes.
            Aws = awsSettings,
        };
        var providerOptions = new CustomResourceOptions { Provider = google_beta };
        var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", providerArgs, providerOptions);
    }
}
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v5/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main is the "Aws Basic" sample: one Workload Identity Pool and one AWS
// provider attached to it, both created through the google-beta provider.
// google_beta is a placeholder for a provider instance declared elsewhere.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Every resource in this sample goes through the google-beta provider.
		viaBeta := pulumi.Provider(google_beta)

		poolArgs := &iam.WorkloadIdentityPoolArgs{
			// Final component of the pool resource name (4-32 chars, [a-z0-9-], no "gcp-" prefix).
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		}
		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", poolArgs, viaBeta)
		if err != nil {
			return err
		}

		providerArgs := &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			// No AttributeCondition: every credential this provider accepts is allowed to
			// federate, so IAM bindings on the pool must be scoped on the mapped subject/attributes.
			Aws: &iam.WorkloadIdentityPoolProviderAwsArgs{
				// Placeholder AWS account; replace with the account whose principals may federate.
				AccountId: pulumi.String("999999999999"),
			},
		}
		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", providerArgs, viaBeta)
		return err
	})
}
import pulumi
import pulumi_gcp as gcp

# "Aws Basic" sample: one Workload Identity Pool and one AWS provider attached to
# it, both created through the google-beta provider. `google_beta` is a placeholder
# for a provider instance declared elsewhere in the program.
pool = gcp.iam.WorkloadIdentityPool(
    "pool",
    # Final component of the pool resource name (4-32 chars, [a-z0-9-], no "gcp-" prefix).
    workload_identity_pool_id="example-pool",
    opts=pulumi.ResourceOptions(provider=google_beta),
)

# Placeholder AWS account; replace with the account whose principals may federate.
aws_settings = gcp.iam.WorkloadIdentityPoolProviderAwsArgs(account_id="999999999999")

# No attribute_condition: every credential this provider accepts is allowed to
# federate, so IAM bindings on the pool must be scoped on the mapped subject/attributes.
example = gcp.iam.WorkloadIdentityPoolProvider(
    "example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    aws=aws_settings,
    opts=pulumi.ResourceOptions(provider=google_beta),
)
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// "Aws Basic" sample: one Workload Identity Pool and one AWS provider attached to
// it, both created through the google-beta provider. `google_beta` is a placeholder
// for a provider instance declared elsewhere in the program.
const pool = new gcp.iam.WorkloadIdentityPool(
    "pool",
    {
        // Final component of the pool resource name (4-32 chars, [a-z0-9-], no "gcp-" prefix).
        workloadIdentityPoolId: "example-pool",
    },
    { provider: google_beta },
);

// Placeholder AWS account; replace with the account whose principals may federate.
const awsSettings = { accountId: "999999999999" };

// No attributeCondition: every credential this provider accepts is allowed to
// federate, so IAM bindings on the pool must be scoped on the mapped subject/attributes.
const example = new gcp.iam.WorkloadIdentityPoolProvider(
    "example",
    {
        workloadIdentityPoolId: pool.workloadIdentityPoolId,
        workloadIdentityPoolProviderId: "example-prvdr",
        aws: awsSettings,
    },
    { provider: google_beta },
);

Iam Workload Identity Pool Provider Aws Full

using Pulumi;
using Gcp = Pulumi.Gcp;

/// <summary>
/// "Aws Full" sample: a Workload Identity Pool plus an AWS provider that also sets a
/// display name, description, the disabled flag, an attribute condition and a custom
/// attribute mapping. All resources go through the google-beta provider;
/// <c>google_beta</c> is a placeholder for a provider instance declared elsewhere.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var poolOptions = new CustomResourceOptions { Provider = google_beta };
        var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new Gcp.Iam.WorkloadIdentityPoolArgs
        {
            // Final component of the pool resource name (4-32 chars, [a-z0-9-], no "gcp-" prefix).
            WorkloadIdentityPoolId = "example-pool",
        }, poolOptions);

        // Only credentials whose mapped attribute.aws_role equals this single assumed-role ARN
        // may federate; the expression must evaluate to a boolean.
        // NOTE(review): attribute.aws_role is not defined in the custom mapping below; confirm
        // it is still populated for AWS providers once custom mappings are set.
        var onlyLambdaRole =
            "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"";

        var providerArgs = new Gcp.Iam.WorkloadIdentityPoolProviderArgs
        {
            WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
            WorkloadIdentityPoolProviderId = "example-prvdr",
            DisplayName = "Name of provider",
            Description = "AWS identity pool provider for automated test",
            // A disabled provider cannot exchange tokens, but tokens it already issued keep their access.
            Disabled = true,
            AttributeCondition = onlyLambdaRole,
            AttributeMapping =
            {
                // Custom mappings are in use, so google.subject must be mapped explicitly.
                { "google.subject", "assertion.arn" },
                { "attribute.aws_account", "assertion.account" },
                // Substring match: any ARN containing this fragment is labelled "prod".
                { "attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"" },
            },
            // Placeholder AWS account; replace with the account whose principals may federate.
            Aws = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderAwsArgs
            {
                AccountId = "999999999999",
            },
        };
        var providerOptions = new CustomResourceOptions { Provider = google_beta };
        var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", providerArgs, providerOptions);
    }
}
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v5/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main is the "Aws Full" sample: a Workload Identity Pool plus an AWS provider
// that also sets a display name, description, the disabled flag, an attribute
// condition and a custom attribute mapping. Everything is created through the
// google-beta provider; google_beta is a placeholder for a provider instance
// declared elsewhere.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		viaBeta := pulumi.Provider(google_beta)

		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			// Final component of the pool resource name (4-32 chars, [a-z0-9-], no "gcp-" prefix).
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		}, viaBeta)
		if err != nil {
			return err
		}

		// Only credentials whose mapped attribute.aws_role equals this single assumed-role
		// ARN may federate; the expression must evaluate to a boolean.
		// NOTE(review): attribute.aws_role is not defined in the custom mapping below;
		// confirm it is still populated for AWS providers once custom mappings are set.
		onlyLambdaRole := "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\""

		mapping := pulumi.StringMap{
			// Custom mappings are in use, so google.subject must be mapped explicitly.
			"google.subject":        pulumi.String("assertion.arn"),
			"attribute.aws_account": pulumi.String("assertion.account"),
			// Substring match: any ARN containing this fragment is labelled "prod".
			"attribute.environment": pulumi.String("assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\""),
		}

		providerArgs := &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			DisplayName:                    pulumi.String("Name of provider"),
			Description:                    pulumi.String("AWS identity pool provider for automated test"),
			// A disabled provider cannot exchange tokens, but tokens it already issued keep their access.
			Disabled:           pulumi.Bool(true),
			AttributeCondition: pulumi.String(onlyLambdaRole),
			AttributeMapping:   mapping,
			// Placeholder AWS account; replace with the account whose principals may federate.
			Aws: &iam.WorkloadIdentityPoolProviderAwsArgs{
				AccountId: pulumi.String("999999999999"),
			},
		}
		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", providerArgs, viaBeta)
		return err
	})
}
import pulumi
import pulumi_gcp as gcp

# "Aws Full" sample: a Workload Identity Pool plus an AWS provider that also sets a
# display name, description, the disabled flag, an attribute condition and a custom
# attribute mapping. `google_beta` is a placeholder for a provider instance declared
# elsewhere in the program.
pool = gcp.iam.WorkloadIdentityPool(
    "pool",
    # Final component of the pool resource name (4-32 chars, [a-z0-9-], no "gcp-" prefix).
    workload_identity_pool_id="example-pool",
    opts=pulumi.ResourceOptions(provider=google_beta),
)

# Only credentials whose mapped attribute.aws_role equals this single assumed-role ARN
# may federate; the expression must evaluate to a boolean.
# NOTE(review): attribute.aws_role is not defined in the custom mapping below; confirm
# it is still populated for AWS providers once custom mappings are set.
only_lambda_role = "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\""

attribute_mapping = {
    # Custom mappings are in use, so google.subject must be mapped explicitly.
    "google.subject": "assertion.arn",
    "attribute.aws_account": "assertion.account",
    # Substring match: any ARN containing this fragment is labelled "prod".
    "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
}

# Placeholder AWS account; replace with the account whose principals may federate.
aws_settings = gcp.iam.WorkloadIdentityPoolProviderAwsArgs(account_id="999999999999")

example = gcp.iam.WorkloadIdentityPoolProvider(
    "example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    display_name="Name of provider",
    description="AWS identity pool provider for automated test",
    # A disabled provider cannot exchange tokens, but tokens it already issued keep their access.
    disabled=True,
    attribute_condition=only_lambda_role,
    attribute_mapping=attribute_mapping,
    aws=aws_settings,
    opts=pulumi.ResourceOptions(provider=google_beta),
)
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// "Aws Full" sample: a Workload Identity Pool plus an AWS provider that also sets a
// display name, description, the disabled flag, an attribute condition and a custom
// attribute mapping. `google_beta` is a placeholder for a provider instance declared
// elsewhere in the program.
const pool = new gcp.iam.WorkloadIdentityPool(
    "pool",
    {
        // Final component of the pool resource name (4-32 chars, [a-z0-9-], no "gcp-" prefix).
        workloadIdentityPoolId: "example-pool",
    },
    { provider: google_beta },
);

// Only credentials whose mapped attribute.aws_role equals this single assumed-role ARN
// may federate; the expression must evaluate to a boolean.
// NOTE(review): attribute.aws_role is not defined in the custom mapping below; confirm
// it is still populated for AWS providers once custom mappings are set.
const onlyLambdaRole =
    "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"";

const attributeMapping = {
    // Custom mappings are in use, so google.subject must be mapped explicitly.
    "google.subject": "assertion.arn",
    "attribute.aws_account": "assertion.account",
    // Substring match: any ARN containing this fragment is labelled "prod".
    "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
};

// Placeholder AWS account; replace with the account whose principals may federate.
const awsSettings = { accountId: "999999999999" };

const example = new gcp.iam.WorkloadIdentityPoolProvider(
    "example",
    {
        workloadIdentityPoolId: pool.workloadIdentityPoolId,
        workloadIdentityPoolProviderId: "example-prvdr",
        displayName: "Name of provider",
        description: "AWS identity pool provider for automated test",
        // A disabled provider cannot exchange tokens, but tokens it already issued keep their access.
        disabled: true,
        attributeCondition: onlyLambdaRole,
        attributeMapping: attributeMapping,
        aws: awsSettings,
    },
    { provider: google_beta },
);

Iam Workload Identity Pool Provider Oidc Basic

using Pulumi;
using Gcp = Pulumi.Gcp;

/// <summary>
/// "Oidc Basic" sample: a Workload Identity Pool plus an OIDC provider with the minimum
/// mapping an OIDC provider needs (google.subject). All resources go through the
/// google-beta provider; <c>google_beta</c> is a placeholder for a provider instance
/// declared elsewhere.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var poolOptions = new CustomResourceOptions { Provider = google_beta };
        var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new Gcp.Iam.WorkloadIdentityPoolArgs
        {
            // Final component of the pool resource name (4-32 chars, [a-z0-9-], no "gcp-" prefix).
            WorkloadIdentityPoolId = "example-pool",
        }, poolOptions);

        var oidcSettings = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
        {
            // Azure AD STS issuer with a placeholder tenant id; replace before use.
            // NOTE(review): presumably must match the iss claim of incoming tokens - confirm.
            IssuerUri = "https://sts.windows.net/azure-tenant-id",
        };
        var providerArgs = new Gcp.Iam.WorkloadIdentityPoolProviderArgs
        {
            WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
            WorkloadIdentityPoolProviderId = "example-prvdr",
            // OIDC providers must define custom mappings, and they must include google.subject.
            // No AttributeCondition is set, so every valid token from this issuer may federate.
            AttributeMapping =
            {
                { "google.subject", "assertion.sub" },
            },
            Oidc = oidcSettings,
        };
        var providerOptions = new CustomResourceOptions { Provider = google_beta };
        var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", providerArgs, providerOptions);
    }
}
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v5/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main is the "Oidc Basic" sample: a Workload Identity Pool plus an OIDC
// provider with the minimum mapping an OIDC provider needs (google.subject).
// Everything is created through the google-beta provider; google_beta is a
// placeholder for a provider instance declared elsewhere.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		viaBeta := pulumi.Provider(google_beta)

		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			// Final component of the pool resource name (4-32 chars, [a-z0-9-], no "gcp-" prefix).
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		}, viaBeta)
		if err != nil {
			return err
		}

		oidcSettings := &iam.WorkloadIdentityPoolProviderOidcArgs{
			// Azure AD STS issuer with a placeholder tenant id; replace before use.
			// NOTE(review): presumably must match the iss claim of incoming tokens - confirm.
			IssuerUri: pulumi.String("https://sts.windows.net/azure-tenant-id"),
		}
		providerArgs := &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			// OIDC providers must define custom mappings, and they must include google.subject.
			// No AttributeCondition is set, so every valid token from this issuer may federate.
			AttributeMapping: pulumi.StringMap{
				"google.subject": pulumi.String("assertion.sub"),
			},
			Oidc: oidcSettings,
		}
		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", providerArgs, viaBeta)
		return err
	})
}
import pulumi
import pulumi_gcp as gcp

# "Oidc Basic" sample: a Workload Identity Pool plus an OIDC provider with the
# minimum mapping an OIDC provider needs (google.subject). `google_beta` is a
# placeholder for a provider instance declared elsewhere in the program.
pool = gcp.iam.WorkloadIdentityPool(
    "pool",
    # Final component of the pool resource name (4-32 chars, [a-z0-9-], no "gcp-" prefix).
    workload_identity_pool_id="example-pool",
    opts=pulumi.ResourceOptions(provider=google_beta),
)

oidc_settings = gcp.iam.WorkloadIdentityPoolProviderOidcArgs(
    # Azure AD STS issuer with a placeholder tenant id; replace before use.
    # NOTE(review): presumably must match the iss claim of incoming tokens - confirm.
    issuer_uri="https://sts.windows.net/azure-tenant-id",
)

# OIDC providers must define custom mappings, and they must include google.subject.
# No attribute_condition is set, so every valid token from this issuer may federate.
example = gcp.iam.WorkloadIdentityPoolProvider(
    "example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    attribute_mapping={"google.subject": "assertion.sub"},
    oidc=oidc_settings,
    opts=pulumi.ResourceOptions(provider=google_beta),
)
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// "Oidc Basic" sample: a Workload Identity Pool plus an OIDC provider with the
// minimum mapping an OIDC provider needs (google.subject). `google_beta` is a
// placeholder for a provider instance declared elsewhere in the program.
const pool = new gcp.iam.WorkloadIdentityPool(
    "pool",
    {
        // Final component of the pool resource name (4-32 chars, [a-z0-9-], no "gcp-" prefix).
        workloadIdentityPoolId: "example-pool",
    },
    { provider: google_beta },
);

const oidcSettings = {
    // Azure AD STS issuer with a placeholder tenant id; replace before use.
    // NOTE(review): presumably must match the iss claim of incoming tokens - confirm.
    issuerUri: "https://sts.windows.net/azure-tenant-id",
};

// OIDC providers must define custom mappings, and they must include google.subject.
// No attributeCondition is set, so every valid token from this issuer may federate.
const example = new gcp.iam.WorkloadIdentityPoolProvider(
    "example",
    {
        workloadIdentityPoolId: pool.workloadIdentityPoolId,
        workloadIdentityPoolProviderId: "example-prvdr",
        attributeMapping: { "google.subject": "assertion.sub" },
        oidc: oidcSettings,
    },
    { provider: google_beta },
);

Iam Workload Identity Pool Provider Oidc Full

using Pulumi;
using Gcp = Pulumi.Gcp;

/// <summary>
/// "Oidc Full" sample: a Workload Identity Pool plus an OIDC provider that also sets a
/// display name, description, the disabled flag, a group-based attribute condition,
/// a custom attribute mapping and allowed audiences. All resources go through the
/// google-beta provider; <c>google_beta</c> is a placeholder for a provider instance
/// declared elsewhere.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var poolOptions = new CustomResourceOptions { Provider = google_beta };
        var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new Gcp.Iam.WorkloadIdentityPoolArgs
        {
            // Final component of the pool resource name (4-32 chars, [a-z0-9-], no "gcp-" prefix).
            WorkloadIdentityPoolId = "example-pool",
        }, poolOptions);

        // Only tokens whose groups claim contains this (placeholder) group id may federate.
        var onlyGroupMembers = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups";

        // CEL map literal keyed by object id, indexed by the token's oid claim.
        // NOTE(review): an oid that is not a key of the map makes the expression fail to
        // evaluate - confirm how the token exchange treats that before relying on it.
        var managedIdentityNameExpr = @"      {
        ""8bb39bdb-1cc5-4447-b7db-a19e920eb111"":""workload1"",
        ""55d36609-9bcf-48e0-a366-a3cf19027d2a"":""workload2""
      }[assertion.oid]
";

        var oidcSettings = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
        {
            // NOTE(review): presumably the aud values accepted on incoming tokens - confirm.
            AllowedAudiences =
            {
                "https://example.com/gcp-oidc-federation",
                "example.com/gcp-oidc-federation",
            },
            // Azure AD STS issuer with a placeholder tenant id; replace before use.
            IssuerUri = "https://sts.windows.net/azure-tenant-id",
        };

        var providerArgs = new Gcp.Iam.WorkloadIdentityPoolProviderArgs
        {
            WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
            WorkloadIdentityPoolProviderId = "example-prvdr",
            DisplayName = "Name of provider",
            Description = "OIDC identity pool provider for automated test",
            // A disabled provider cannot exchange tokens, but tokens it already issued keep their access.
            Disabled = true,
            AttributeCondition = onlyGroupMembers,
            AttributeMapping =
            {
                // Subject is qualified with the tenant id, presumably so equal sub values from
                // different tenants map to distinct subjects - confirm against the provider docs.
                { "google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub" },
                { "attribute.tid", "assertion.tid" },
                { "attribute.managed_identity_name", managedIdentityNameExpr },
            },
            Oidc = oidcSettings,
        };
        var providerOptions = new CustomResourceOptions { Provider = google_beta };
        var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", providerArgs, providerOptions);
    }
}
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v5/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main is the "Oidc Full" sample: a Workload Identity Pool plus an OIDC
// provider that also sets a display name, description, the disabled flag, a
// group-based attribute condition, a custom attribute mapping and allowed
// audiences. Everything is created through the google-beta provider;
// google_beta is a placeholder for a provider instance declared elsewhere.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		viaBeta := pulumi.Provider(google_beta)

		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			// Final component of the pool resource name (4-32 chars, [a-z0-9-], no "gcp-" prefix).
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		}, viaBeta)
		if err != nil {
			return err
		}

		// Only tokens whose groups claim contains this (placeholder) group id may federate.
		onlyGroupMembers := "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"

		// CEL map literal keyed by object id, then indexed by the token's oid claim.
		// NOTE(review): an oid that is not a key of the map makes the expression fail to
		// evaluate - confirm how the token exchange treats that before relying on it.
		managedIdentityNameExpr := fmt.Sprintf("%s[assertion.oid]\n", `      {
        "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
        "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
      }`)

		mapping := pulumi.StringMap{
			// Subject is qualified with the tenant id, presumably so equal sub values from
			// different tenants map to distinct subjects - confirm against the provider docs.
			"google.subject":                  pulumi.String("\"azure::\" + assertion.tid + \"::\" + assertion.sub"),
			"attribute.tid":                   pulumi.String("assertion.tid"),
			"attribute.managed_identity_name": pulumi.String(managedIdentityNameExpr),
		}

		oidcSettings := &iam.WorkloadIdentityPoolProviderOidcArgs{
			// NOTE(review): presumably the aud values accepted on incoming tokens - confirm.
			AllowedAudiences: pulumi.StringArray{
				pulumi.String("https://example.com/gcp-oidc-federation"),
				pulumi.String("example.com/gcp-oidc-federation"),
			},
			// Azure AD STS issuer with a placeholder tenant id; replace before use.
			IssuerUri: pulumi.String("https://sts.windows.net/azure-tenant-id"),
		}

		providerArgs := &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			DisplayName:                    pulumi.String("Name of provider"),
			Description:                    pulumi.String("OIDC identity pool provider for automated test"),
			// A disabled provider cannot exchange tokens, but tokens it already issued keep their access.
			Disabled:           pulumi.Bool(true),
			AttributeCondition: pulumi.String(onlyGroupMembers),
			AttributeMapping:   mapping,
			Oidc:               oidcSettings,
		}
		_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", providerArgs, viaBeta)
		return err
	})
}
import pulumi
import pulumi_gcp as gcp

# "Oidc Full" sample: a Workload Identity Pool plus an OIDC provider that also sets a
# display name, description, the disabled flag, a group-based attribute condition, a
# custom attribute mapping and allowed audiences. `google_beta` is a placeholder for a
# provider instance declared elsewhere in the program.
pool = gcp.iam.WorkloadIdentityPool(
    "pool",
    # Final component of the pool resource name (4-32 chars, [a-z0-9-], no "gcp-" prefix).
    workload_identity_pool_id="example-pool",
    opts=pulumi.ResourceOptions(provider=google_beta),
)

# Only tokens whose groups claim contains this (placeholder) group id may federate.
only_group_members = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"

# CEL map literal keyed by object id, indexed by the token's oid claim.
# NOTE(review): an oid that is not a key of the map makes the expression fail to
# evaluate - confirm how the token exchange treats that before relying on it.
managed_identity_name_expr = """      {
        "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
        "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
      }[assertion.oid]
"""

attribute_mapping = {
    # Subject is qualified with the tenant id, presumably so equal sub values from
    # different tenants map to distinct subjects - confirm against the provider docs.
    "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
    "attribute.tid": "assertion.tid",
    "attribute.managed_identity_name": managed_identity_name_expr,
}

oidc_settings = gcp.iam.WorkloadIdentityPoolProviderOidcArgs(
    # NOTE(review): presumably the aud values accepted on incoming tokens - confirm.
    allowed_audiences=[
        "https://example.com/gcp-oidc-federation",
        "example.com/gcp-oidc-federation",
    ],
    # Azure AD STS issuer with a placeholder tenant id; replace before use.
    issuer_uri="https://sts.windows.net/azure-tenant-id",
)

example = gcp.iam.WorkloadIdentityPoolProvider(
    "example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    display_name="Name of provider",
    description="OIDC identity pool provider for automated test",
    # A disabled provider cannot exchange tokens, but tokens it already issued keep their access.
    disabled=True,
    attribute_condition=only_group_members,
    attribute_mapping=attribute_mapping,
    oidc=oidc_settings,
    opts=pulumi.ResourceOptions(provider=google_beta),
)
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// "Oidc Full" sample: a Workload Identity Pool plus an OIDC provider that also sets a
// display name, description, the disabled flag, a group-based attribute condition, a
// custom attribute mapping and allowed audiences. `google_beta` is a placeholder for a
// provider instance declared elsewhere in the program.
const pool = new gcp.iam.WorkloadIdentityPool(
    "pool",
    {
        // Final component of the pool resource name (4-32 chars, [a-z0-9-], no "gcp-" prefix).
        workloadIdentityPoolId: "example-pool",
    },
    { provider: google_beta },
);

// Only tokens whose groups claim contains this (placeholder) group id may federate.
const onlyGroupMembers = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups";

// CEL map literal keyed by object id, indexed by the token's oid claim.
// NOTE(review): an oid that is not a key of the map makes the expression fail to
// evaluate - confirm how the token exchange treats that before relying on it.
const managedIdentityNameExpr = `      {
        "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
        "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
      }[assertion.oid]
`;

const attributeMapping = {
    // Subject is qualified with the tenant id, presumably so equal sub values from
    // different tenants map to distinct subjects - confirm against the provider docs.
    "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
    "attribute.tid": "assertion.tid",
    "attribute.managed_identity_name": managedIdentityNameExpr,
};

const oidcSettings = {
    // NOTE(review): presumably the aud values accepted on incoming tokens - confirm.
    allowedAudiences: [
        "https://example.com/gcp-oidc-federation",
        "example.com/gcp-oidc-federation",
    ],
    // Azure AD STS issuer with a placeholder tenant id; replace before use.
    issuerUri: "https://sts.windows.net/azure-tenant-id",
};

const example = new gcp.iam.WorkloadIdentityPoolProvider(
    "example",
    {
        workloadIdentityPoolId: pool.workloadIdentityPoolId,
        workloadIdentityPoolProviderId: "example-prvdr",
        displayName: "Name of provider",
        description: "OIDC identity pool provider for automated test",
        // A disabled provider cannot exchange tokens, but tokens it already issued keep their access.
        disabled: true,
        attributeCondition: onlyGroupMembers,
        attributeMapping: attributeMapping,
        oidc: oidcSettings,
    },
    { provider: google_beta },
);

Create a WorkloadIdentityPoolProvider Resource

new WorkloadIdentityPoolProvider(name: string, args: WorkloadIdentityPoolProviderArgs, opts?: CustomResourceOptions);
@overload
def WorkloadIdentityPoolProvider(resource_name: str,
                                 opts: Optional[ResourceOptions] = None,
                                 attribute_condition: Optional[str] = None,
                                 attribute_mapping: Optional[Mapping[str, str]] = None,
                                 aws: Optional[WorkloadIdentityPoolProviderAwsArgs] = None,
                                 description: Optional[str] = None,
                                 disabled: Optional[bool] = None,
                                 display_name: Optional[str] = None,
                                 oidc: Optional[WorkloadIdentityPoolProviderOidcArgs] = None,
                                 project: Optional[str] = None,
                                 workload_identity_pool_id: Optional[str] = None,
                                 workload_identity_pool_provider_id: Optional[str] = None)
@overload
def WorkloadIdentityPoolProvider(resource_name: str,
                                 args: WorkloadIdentityPoolProviderArgs,
                                 opts: Optional[ResourceOptions] = None)
func NewWorkloadIdentityPoolProvider(ctx *Context, name string, args WorkloadIdentityPoolProviderArgs, opts ...ResourceOption) (*WorkloadIdentityPoolProvider, error)
public WorkloadIdentityPoolProvider(string name, WorkloadIdentityPoolProviderArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args WorkloadIdentityPoolProviderArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args WorkloadIdentityPoolProviderArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args WorkloadIdentityPoolProviderArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args WorkloadIdentityPoolProviderArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

WorkloadIdentityPoolProvider Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The WorkloadIdentityPoolProvider resource accepts the following input properties:

WorkloadIdentityPoolId string
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
WorkloadIdentityPoolProviderId string
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
AttributeCondition string

A Common Expression Language expression, in plain text, that restricts which otherwise-valid authentication credentials issued by the provider are accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expression:

  • assertion: JSON representing the authentication credential issued by the provider.
  • google: The Google attributes mapped from the assertion in the attribute_mappings.
  • attribute: The custom attributes mapped from the assertion in the attribute_mappings. The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials are accepted. The following example shows how to allow only credentials with a mapped google.groups value of admins:
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

// NOTE(review): the generator emitted an empty program here; the attribute-condition
// example announced above (allow only a mapped google.groups value of admins) was not
// rendered, so this stub shows nothing.
class MyStack : Stack { public MyStack() { }

}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// NOTE(review): the generator emitted an empty program here; the attribute-condition
// example announced above (allow only a mapped google.groups value of admins) was not
// rendered, so this stub shows nothing.
func main() { pulumi.Run(func(ctx *pulumi.Context) error { return nil }) }

AttributeMapping Dictionary<string, string>

Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

// NOTE(review): the generator emitted an empty program here; the default AWS attribute
// mapping announced above was not rendered, so this stub shows nothing.
class MyStack : Stack { public MyStack() { }

}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// NOTE(review): the generator emitted an empty program here; the default AWS attribute
// mapping announced above was not rendered, so this stub shows nothing.
func main() { pulumi.Run(func(ctx *pulumi.Context) error { return nil }) }

  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

// NOTE(review): the generator emitted an empty program here; the OIDC example announced
// above (mapping the sub claim to google.subject) was not rendered, so this stub shows nothing.
class MyStack : Stack { public MyStack() { }

}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// NOTE(review): the generator emitted an empty program here; the OIDC example announced
// above (mapping the sub claim to google.subject) was not rendered, so this stub shows nothing.
func main() { pulumi.Run(func(ctx *pulumi.Context) error { return nil }) }

Aws WorkloadIdentityPoolProviderAwsArgs
An Amazon Web Services identity provider. Not compatible with the property oidc. Structure is documented below.
Description string
A description for the provider. Cannot exceed 256 characters.
Disabled bool
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
DisplayName string
A display name for the provider. Cannot exceed 32 characters.
Oidc WorkloadIdentityPoolProviderOidcArgs
An OpenId Connect 1.0 identity provider. Not compatible with the property aws. Structure is documented below.
Project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
WorkloadIdentityPoolId string
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
WorkloadIdentityPoolProviderId string
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
AttributeCondition string

A Common Expression Language expression, in plain text, that restricts which otherwise-valid authentication credentials issued by the provider are accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expression:

  • assertion: JSON representing the authentication credential issued by the provider.
  • google: The Google attributes mapped from the assertion in the attribute_mappings.
  • attribute: The custom attributes mapped from the assertion in the attribute_mappings. The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials are accepted. The following example shows how to allow only credentials with a mapped google.groups value of admins:
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

// NOTE(review): the generator emitted an empty program here; the attribute-condition
// example announced above (allow only a mapped google.groups value of admins) was not
// rendered, so this stub shows nothing.
class MyStack : Stack { public MyStack() { }

}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// NOTE(review): the generator emitted an empty program here; the attribute-condition
// example announced above (allow only a mapped google.groups value of admins) was not
// rendered, so this stub shows nothing.
func main() { pulumi.Run(func(ctx *pulumi.Context) error { return nil }) }

AttributeMapping map[string]string

Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

// NOTE(review): the generator emitted an empty program here; the default AWS attribute
// mapping announced above was not rendered, so this stub shows nothing.
class MyStack : Stack { public MyStack() { }

}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// NOTE(review): the generator emitted an empty program here; the default AWS attribute
// mapping announced above was not rendered, so this stub shows nothing.
func main() { pulumi.Run(func(ctx *pulumi.Context) error { return nil }) }

  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

// NOTE(review): the generator emitted an empty program here; the OIDC example announced
// above (mapping the sub claim to google.subject) was not rendered, so this stub shows nothing.
class MyStack : Stack { public MyStack() { }

}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// NOTE(review): the generator emitted an empty program here; the OIDC example announced
// above (mapping the sub claim to google.subject) was not rendered, so this stub shows nothing.
func main() { pulumi.Run(func(ctx *pulumi.Context) error { return nil }) }

Aws WorkloadIdentityPoolProviderAws
An Amazon Web Services identity provider. Not compatible with the property oidc. Structure is documented below.
Description string
A description for the provider. Cannot exceed 256 characters.
Disabled bool
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
DisplayName string
A display name for the provider. Cannot exceed 32 characters.
Oidc WorkloadIdentityPoolProviderOidc
An OpenId Connect 1.0 identity provider. Not compatible with the property aws. Structure is documented below.
Project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
workloadIdentityPoolId string
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
workloadIdentityPoolProviderId string
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
attributeCondition string

A Common Expression Language expression, in plain text, that restricts which otherwise-valid authentication credentials issued by the provider are accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expression:

  • assertion: JSON representing the authentication credential issued by the provider.
  • google: The Google attributes mapped from the assertion in the attribute_mappings.
  • attribute: The custom attributes mapped from the assertion in the attribute_mappings. The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials are accepted. The following example shows how to allow only credentials with a mapped google.groups value of admins:
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

/// <summary>
/// Pulumi stack for this example. Its constructor declares no resources.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the program entry point. It runs a Pulumi program whose body
// declares no resources and returns nil immediately.
func main() {
	program := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(program)
}

attributeMapping {[key: string]: string}

Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.

You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:

  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}

Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB.

For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

/// <summary>
/// Pulumi stack for this example. Its constructor declares no resources.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the program entry point. It runs a Pulumi program whose body
// declares no resources and returns nil immediately.
func main() {
	program := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(program)
}

  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute.

For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

/// <summary>
/// Pulumi stack for this example. Its constructor declares no resources.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the program entry point. It runs a Pulumi program whose body
// declares no resources and returns nil immediately.
func main() {
	program := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(program)
}

aws WorkloadIdentityPoolProviderAwsArgs
An Amazon Web Services identity provider. Not compatible with the property oidc. Structure is documented below.
description string
A description for the provider. Cannot exceed 256 characters.
disabled boolean
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
displayName string
A display name for the provider. Cannot exceed 32 characters.
oidc WorkloadIdentityPoolProviderOidcArgs
An OpenId Connect 1.0 identity provider. Not compatible with the property aws. Structure is documented below.
project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
workload_identity_pool_id str
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
workload_identity_pool_provider_id str
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
attribute_condition str

A Common Expression Language expression, in plain text, that restricts which otherwise valid authentication credentials issued by the provider are accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:

  • assertion: JSON representing the authentication credential issued by the provider.
  • google: The Google attributes mapped from the assertion in the attribute_mappings.
  • attribute: The custom attributes mapped from the assertion in the attribute_mappings.

The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials are accepted. The following example shows how to only allow credentials with a mapped google.groups value of admins:
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

/// <summary>
/// Pulumi stack for this example. Its constructor declares no resources.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the program entry point. It runs a Pulumi program whose body
// declares no resources and returns nil immediately.
func main() {
	program := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(program)
}

attribute_mapping Mapping[str, str]

Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.

You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:

  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}

Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB.

For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

/// <summary>
/// Pulumi stack for this example. Its constructor declares no resources.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the program entry point. It runs a Pulumi program whose body
// declares no resources and returns nil immediately.
func main() {
	program := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(program)
}

  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute.

For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

/// <summary>
/// Pulumi stack for this example. Its constructor declares no resources.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the program entry point. It runs a Pulumi program whose body
// declares no resources and returns nil immediately.
func main() {
	program := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(program)
}

aws WorkloadIdentityPoolProviderAwsArgs
An Amazon Web Services identity provider. Not compatible with the property oidc. Structure is documented below.
description str
A description for the provider. Cannot exceed 256 characters.
disabled bool
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
display_name str
A display name for the provider. Cannot exceed 32 characters.
oidc WorkloadIdentityPoolProviderOidcArgs
An OpenId Connect 1.0 identity provider. Not compatible with the property aws. Structure is documented below.
project str
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Outputs

All input properties are implicitly available as output properties. Additionally, the WorkloadIdentityPoolProvider resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Name string
The resource name of the provider as ‘projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}’.
State string
The state of the provider. * STATE_UNSPECIFIED: State unspecified. * ACTIVE: The provider is active, and may be used to validate authentication credentials. * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
Id string
The provider-assigned unique ID for this managed resource.
Name string
The resource name of the provider as ‘projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}’.
State string
The state of the provider. * STATE_UNSPECIFIED: State unspecified. * ACTIVE: The provider is active, and may be used to validate authentication credentials. * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
id string
The provider-assigned unique ID for this managed resource.
name string
The resource name of the provider as ‘projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}’.
state string
The state of the provider. * STATE_UNSPECIFIED: State unspecified. * ACTIVE: The provider is active, and may be used to validate authentication credentials. * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
id str
The provider-assigned unique ID for this managed resource.
name str
The resource name of the provider as ‘projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}’.
state str
The state of the provider. * STATE_UNSPECIFIED: State unspecified. * ACTIVE: The provider is active, and may be used to validate authentication credentials. * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.

Look up an Existing WorkloadIdentityPoolProvider Resource

Get an existing WorkloadIdentityPoolProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: WorkloadIdentityPoolProviderState, opts?: CustomResourceOptions): WorkloadIdentityPoolProvider
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        attribute_condition: Optional[str] = None,
        attribute_mapping: Optional[Mapping[str, str]] = None,
        aws: Optional[WorkloadIdentityPoolProviderAwsArgs] = None,
        description: Optional[str] = None,
        disabled: Optional[bool] = None,
        display_name: Optional[str] = None,
        name: Optional[str] = None,
        oidc: Optional[WorkloadIdentityPoolProviderOidcArgs] = None,
        project: Optional[str] = None,
        state: Optional[str] = None,
        workload_identity_pool_id: Optional[str] = None,
        workload_identity_pool_provider_id: Optional[str] = None) -> WorkloadIdentityPoolProvider
func GetWorkloadIdentityPoolProvider(ctx *Context, name string, id IDInput, state *WorkloadIdentityPoolProviderState, opts ...ResourceOption) (*WorkloadIdentityPoolProvider, error)
public static WorkloadIdentityPoolProvider Get(string name, Input<string> id, WorkloadIdentityPoolProviderState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

AttributeCondition string

A Common Expression Language expression, in plain text, that restricts which otherwise valid authentication credentials issued by the provider are accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:

  • assertion: JSON representing the authentication credential issued by the provider.
  • google: The Google attributes mapped from the assertion in the attribute_mappings.
  • attribute: The custom attributes mapped from the assertion in the attribute_mappings.

The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials are accepted. The following example shows how to only allow credentials with a mapped google.groups value of admins:
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

/// <summary>
/// Pulumi stack for this example. Its constructor declares no resources.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the program entry point. It runs a Pulumi program whose body
// declares no resources and returns nil immediately.
func main() {
	program := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(program)
}

AttributeMapping Dictionary<string, string>

Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.

You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:

  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}

Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB.

For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

/// <summary>
/// Pulumi stack for this example. Its constructor declares no resources.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the program entry point. It runs a Pulumi program whose body
// declares no resources and returns nil immediately.
func main() {
	program := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(program)
}

  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute.

For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

/// <summary>
/// Pulumi stack for this example. Its constructor declares no resources.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the program entry point. It runs a Pulumi program whose body
// declares no resources and returns nil immediately.
func main() {
	program := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(program)
}

Aws WorkloadIdentityPoolProviderAwsArgs
An Amazon Web Services identity provider. Not compatible with the property oidc. Structure is documented below.
Description string
A description for the provider. Cannot exceed 256 characters.
Disabled bool
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
DisplayName string
A display name for the provider. Cannot exceed 32 characters.
Name string
The resource name of the provider as ‘projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}’.
Oidc WorkloadIdentityPoolProviderOidcArgs
An OpenId Connect 1.0 identity provider. Not compatible with the property aws. Structure is documented below.
Project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
State string
The state of the provider. * STATE_UNSPECIFIED: State unspecified. * ACTIVE: The provider is active, and may be used to validate authentication credentials. * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
WorkloadIdentityPoolId string
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
WorkloadIdentityPoolProviderId string
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
AttributeCondition string

A Common Expression Language expression, in plain text, that restricts which otherwise valid authentication credentials issued by the provider are accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:

  • assertion: JSON representing the authentication credential issued by the provider.
  • google: The Google attributes mapped from the assertion in the attribute_mappings.
  • attribute: The custom attributes mapped from the assertion in the attribute_mappings.

The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials are accepted. The following example shows how to only allow credentials with a mapped google.groups value of admins:
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

/// <summary>
/// Pulumi stack for this example. Its constructor declares no resources.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the program entry point. It runs a Pulumi program whose body
// declares no resources and returns nil immediately.
func main() {
	program := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(program)
}

AttributeMapping map[string]string

Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.

You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:

  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}

Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB.

For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

/// <summary>
/// Pulumi stack for this example. Its constructor declares no resources.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the program entry point. It runs a Pulumi program whose body
// declares no resources and returns nil immediately.
func main() {
	program := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(program)
}

  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute.

For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

/// <summary>
/// Pulumi stack for this example. Its constructor declares no resources.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the program entry point. It runs a Pulumi program whose body
// declares no resources and returns nil immediately.
func main() {
	program := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(program)
}

Aws WorkloadIdentityPoolProviderAws
An Amazon Web Services identity provider. Not compatible with the property oidc. Structure is documented below.
Description string
A description for the provider. Cannot exceed 256 characters.
Disabled bool
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
DisplayName string
A display name for the provider. Cannot exceed 32 characters.
Name string
The resource name of the provider as ‘projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}’.
Oidc WorkloadIdentityPoolProviderOidc
An OpenId Connect 1.0 identity provider. Not compatible with the property aws. Structure is documented below.
Project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
State string
The state of the provider. * STATE_UNSPECIFIED: State unspecified. * ACTIVE: The provider is active, and may be used to validate authentication credentials. * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
WorkloadIdentityPoolId string
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
WorkloadIdentityPoolProviderId string
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
attributeCondition string

A Common Expression Language expression, in plain text, that restricts which otherwise valid authentication credentials issued by the provider are accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:

  • assertion: JSON representing the authentication credential issued by the provider.
  • google: The Google attributes mapped from the assertion in the attribute_mappings.
  • attribute: The custom attributes mapped from the assertion in the attribute_mappings.

The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials are accepted. The following example shows how to only allow credentials with a mapped google.groups value of admins:
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

/// <summary>
/// Pulumi stack for this example. Its constructor declares no resources.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the program entry point. It runs a Pulumi program whose body
// declares no resources and returns nil immediately.
func main() {
	program := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(program)
}

attributeMapping {[key: string]: string}

Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group.

You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:

  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}

Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB.

For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

/// <summary>
/// Pulumi stack for this example. Its constructor declares no resources.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the program entry point. It runs a Pulumi program whose body
// declares no resources and returns nil immediately.
func main() {
	program := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(program)
}

  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute.

For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

/// <summary>
/// Pulumi stack for this example. Its constructor declares no resources.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the entry point of this (empty) Pulumi program.
func main() {
	pulumi.Run(run)
}

// run is the program body handed to pulumi.Run; it declares no
// resources and reports success by returning nil.
func run(ctx *pulumi.Context) error {
	return nil
}

aws WorkloadIdentityPoolProviderAwsArgs
An Amazon Web Services identity provider. Not compatible with the property oidc. Structure is documented below.
description string
A description for the provider. Cannot exceed 256 characters.
disabled boolean
Whether the provider is disabled. A disabled provider cannot be used to exchange tokens; however, tokens that were already issued continue to grant access.
displayName string
A display name for the provider. Cannot exceed 32 characters.
name string
The resource name of the provider as ‘projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}’.
oidc WorkloadIdentityPoolProviderOidcArgs
An OpenId Connect 1.0 identity provider. Not compatible with the property aws. Structure is documented below.
project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
state string
The state of the provider. * STATE_UNSPECIFIED: State unspecified. * ACTIVE: The provider is active, and may be used to validate authentication credentials. * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
workloadIdentityPoolId string
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
workloadIdentityPoolProviderId string
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
attribute_condition str

A Common Expression Language expression, in plain text, that restricts which otherwise valid authentication credentials issued by the provider are accepted. The expression must evaluate to a boolean indicating whether to allow the federation. The following keywords may be referenced in the expression:

  • assertion: JSON representing the authentication credential issued by the provider.
  • google: The Google attributes mapped from the assertion in the attribute_mappings.
  • attribute: The custom attributes mapped from the assertion in the attribute_mappings. The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials are accepted. The following example shows how to allow only credentials with a mapped google.groups value of admins:
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

// MyStack is an empty Pulumi stack: its constructor declares no resources.
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the entry point of this (empty) Pulumi program.
func main() {
	pulumi.Run(run)
}

// run is the program body handed to pulumi.Run; it declares no
// resources and reports success by returning nil.
func run(ctx *pulumi.Context) error {
	return nil
}

attribute_mapping Mapping[str, str]

Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters.
  • google.groups: Groups the external identity belongs to. You can grant groups access to resources using an IAM principalSet binding; access applies to all members of the group. You can also provide custom attributes by specifying attribute.{custom_attribute}, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
  • google.subject: principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
  • google.groups: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
  • attribute.{custom_attribute}: principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value} Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the assertion keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply:
  • If no attribute mapping is defined, the following default mapping applies:
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

// MyStack is an empty Pulumi stack: its constructor declares no resources.
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the entry point of this (empty) Pulumi program.
func main() {
	pulumi.Run(run)
}

// run is the program body handed to pulumi.Run; it declares no
// resources and reports success by returning nil.
func run(ctx *pulumi.Context) error {
	return nil
}

  • If any custom attribute mappings are defined, they must include a mapping to the google.subject attribute. For OIDC providers, the following rules apply:
  • Custom attribute mappings must be defined, and must include a mapping to the google.subject attribute. For example, the following maps the sub claim of the incoming credential to the subject attribute on a Google token.
import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

// MyStack is an empty Pulumi stack: its constructor declares no resources.
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the entry point of this (empty) Pulumi program.
func main() {
	pulumi.Run(run)
}

// run is the program body handed to pulumi.Run; it declares no
// resources and reports success by returning nil.
func run(ctx *pulumi.Context) error {
	return nil
}

aws WorkloadIdentityPoolProviderAwsArgs
An Amazon Web Services identity provider. Not compatible with the property oidc. Structure is documented below.
description str
A description for the provider. Cannot exceed 256 characters.
disabled bool
Whether the provider is disabled. A disabled provider cannot be used to exchange tokens; however, tokens that were already issued continue to grant access.
display_name str
A display name for the provider. Cannot exceed 32 characters.
name str
The resource name of the provider as ‘projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}’.
oidc WorkloadIdentityPoolProviderOidcArgs
An OpenId Connect 1.0 identity provider. Not compatible with the property aws. Structure is documented below.
project str
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
state str
The state of the provider. * STATE_UNSPECIFIED: State unspecified. * ACTIVE: The provider is active, and may be used to validate authentication credentials. * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
workload_identity_pool_id str
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
workload_identity_pool_provider_id str
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.

Supporting Types

WorkloadIdentityPoolProviderAws

AccountId string
The AWS account ID.
AccountId string
The AWS account ID.
accountId string
The AWS account ID.
account_id str
The AWS account ID.

WorkloadIdentityPoolProviderOidc

IssuerUri string
The OIDC issuer URL.
AllowedAudiences List<string>

Acceptable values for the aud field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

// MyStack is an empty Pulumi stack: its constructor declares no resources.
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the entry point of this (empty) Pulumi program.
func main() {
	pulumi.Run(run)
}

// run is the program body handed to pulumi.Run; it declares no
// resources and reports success by returning nil.
func run(ctx *pulumi.Context) error {
	return nil
}

IssuerUri string
The OIDC issuer URL.
AllowedAudiences []string

Acceptable values for the aud field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

// MyStack is an empty Pulumi stack: its constructor declares no resources.
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the entry point of this (empty) Pulumi program.
func main() {
	pulumi.Run(run)
}

// run is the program body handed to pulumi.Run; it declares no
// resources and reports success by returning nil.
func run(ctx *pulumi.Context) error {
	return nil
}

issuerUri string
The OIDC issuer URL.
allowedAudiences string[]

Acceptable values for the aud field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

// MyStack is an empty Pulumi stack: its constructor declares no resources.
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the entry point of this (empty) Pulumi program.
func main() {
	pulumi.Run(run)
}

// run is the program body handed to pulumi.Run; it declares no
// resources and reports success by returning nil.
func run(ctx *pulumi.Context) error {
	return nil
}

issuer_uri str
The OIDC issuer URL.
allowed_audiences Sequence[str]

Acceptable values for the aud field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

// MyStack is an empty Pulumi stack: its constructor declares no resources.
class MyStack : Stack
{
    public MyStack()
    {
    }
}

package main

import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" )

// main is the entry point of this (empty) Pulumi program.
func main() {
	pulumi.Run(run)
}

// run is the program body handed to pulumi.Run; it declares no
// resources and reports success by returning nil.
func run(ctx *pulumi.Context) error {
	return nil
}

Import

WorkloadIdentityPoolProvider can be imported using any of the following accepted formats:

 $ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}
 $ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
 $ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}

Package Details

Repository
https://github.com/pulumi/pulumi-gcp
License
Apache-2.0
Notes
This Pulumi package is based on the google-beta Terraform Provider.