gcp.iam.WorkloadIdentityPool

Google Cloud v9.21.0, Apr 24 26

Viewing docs for Google Cloud v9.21.0
published on Friday, Apr 24, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-gcp

Viewing docs for Google Cloud v9.21.0
published on Friday, Apr 24, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-gcp

Example Usage

Iam Workload Identity Pool Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const example = new gcp.iam.WorkloadIdentityPool("example", {workloadIdentityPoolId: "example-pool"});

import pulumi
import pulumi_gcp as gcp

example = gcp.iam.WorkloadIdentityPool("example", workload_identity_pool_id="example-pool")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iam.NewWorkloadIdentityPool(ctx, "example", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var example = new Gcp.Iam.WorkloadIdentityPool("example", new()
    {
        WorkloadIdentityPoolId = "example-pool",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new WorkloadIdentityPool("example", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .build());

    }
}

resources:
  example:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool

Iam Workload Identity Pool Full Federation Only Mode

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const example = new gcp.iam.WorkloadIdentityPool("example", {
    workloadIdentityPoolId: "example-pool",
    displayName: "Name of the pool",
    description: "Identity pool operates in FEDERATION_ONLY mode",
    disabled: true,
    mode: "FEDERATION_ONLY",
});

import pulumi
import pulumi_gcp as gcp

example = gcp.iam.WorkloadIdentityPool("example",
    workload_identity_pool_id="example-pool",
    display_name="Name of the pool",
    description="Identity pool operates in FEDERATION_ONLY mode",
    disabled=True,
    mode="FEDERATION_ONLY")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iam.NewWorkloadIdentityPool(ctx, "example", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
			DisplayName:            pulumi.String("Name of the pool"),
			Description:            pulumi.String("Identity pool operates in FEDERATION_ONLY mode"),
			Disabled:               pulumi.Bool(true),
			Mode:                   pulumi.String("FEDERATION_ONLY"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var example = new Gcp.Iam.WorkloadIdentityPool("example", new()
    {
        WorkloadIdentityPoolId = "example-pool",
        DisplayName = "Name of the pool",
        Description = "Identity pool operates in FEDERATION_ONLY mode",
        Disabled = true,
        Mode = "FEDERATION_ONLY",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new WorkloadIdentityPool("example", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .displayName("Name of the pool")
            .description("Identity pool operates in FEDERATION_ONLY mode")
            .disabled(true)
            .mode("FEDERATION_ONLY")
            .build());

    }
}

resources:
  example:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
      displayName: Name of the pool
      description: Identity pool operates in FEDERATION_ONLY mode
      disabled: true
      mode: FEDERATION_ONLY

Iam Workload Identity Pool Full Trust Domain Mode

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";

const example = new gcp.iam.WorkloadIdentityPool("example", {
    workloadIdentityPoolId: "example-pool",
    displayName: "Name of the pool",
    description: "Identity pool operates in TRUST_DOMAIN mode",
    disabled: true,
    mode: "TRUST_DOMAIN",
    inlineCertificateIssuanceConfig: {
        caPools: {
            "us-central1": "projects/project-bar/locations/us-central1/caPools/ca-pool-bar",
            "asia-east2": "projects/project-foo/locations/asia-east2/caPools/ca-pool-foo",
        },
        lifetime: "86400s",
        rotationWindowPercentage: 50,
        keyAlgorithm: "ECDSA_P256",
    },
    inlineTrustConfig: {
        additionalTrustBundles: [
            {
                trustDomain: "example.com",
                trustDefaultSharedCa: false,
                trustAnchors: [
                    {
                        pemCertificate: std.file({
                            input: "test-fixtures/trust_anchor_1.pem",
                        }).then(invoke => invoke.result),
                    },
                    {
                        pemCertificate: std.file({
                            input: "test-fixtures/trust_anchor_2.pem",
                        }).then(invoke => invoke.result),
                    },
                ],
            },
            {
                trustDomain: "example.net",
                trustDefaultSharedCa: false,
                trustAnchors: [
                    {
                        pemCertificate: std.file({
                            input: "test-fixtures/trust_anchor_3.pem",
                        }).then(invoke => invoke.result),
                    },
                    {
                        pemCertificate: std.file({
                            input: "test-fixtures/trust_anchor_4.pem",
                        }).then(invoke => invoke.result),
                    },
                ],
            },
        ],
    },
    attestationRules: [{
        googleCloudResource: "//run.googleapis.com/projects/1111111111111/type/Service/*",
    }],
});

import pulumi
import pulumi_gcp as gcp
import pulumi_std as std

example = gcp.iam.WorkloadIdentityPool("example",
    workload_identity_pool_id="example-pool",
    display_name="Name of the pool",
    description="Identity pool operates in TRUST_DOMAIN mode",
    disabled=True,
    mode="TRUST_DOMAIN",
    inline_certificate_issuance_config={
        "ca_pools": {
            "us-central1": "projects/project-bar/locations/us-central1/caPools/ca-pool-bar",
            "asia-east2": "projects/project-foo/locations/asia-east2/caPools/ca-pool-foo",
        },
        "lifetime": "86400s",
        "rotation_window_percentage": 50,
        "key_algorithm": "ECDSA_P256",
    },
    inline_trust_config={
        "additional_trust_bundles": [
            {
                "trust_domain": "example.com",
                "trust_default_shared_ca": False,
                "trust_anchors": [
                    {
                        "pem_certificate": std.file(input="test-fixtures/trust_anchor_1.pem").result,
                    },
                    {
                        "pem_certificate": std.file(input="test-fixtures/trust_anchor_2.pem").result,
                    },
                ],
            },
            {
                "trust_domain": "example.net",
                "trust_default_shared_ca": False,
                "trust_anchors": [
                    {
                        "pem_certificate": std.file(input="test-fixtures/trust_anchor_3.pem").result,
                    },
                    {
                        "pem_certificate": std.file(input="test-fixtures/trust_anchor_4.pem").result,
                    },
                ],
            },
        ],
    },
    attestation_rules=[{
        "google_cloud_resource": "//run.googleapis.com/projects/1111111111111/type/Service/*",
    }])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iam"
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "test-fixtures/trust_anchor_1.pem",
		}, nil)
		if err != nil {
			return err
		}
		invokeFile1, err := std.File(ctx, &std.FileArgs{
			Input: "test-fixtures/trust_anchor_2.pem",
		}, nil)
		if err != nil {
			return err
		}
		invokeFile2, err := std.File(ctx, &std.FileArgs{
			Input: "test-fixtures/trust_anchor_3.pem",
		}, nil)
		if err != nil {
			return err
		}
		invokeFile3, err := std.File(ctx, &std.FileArgs{
			Input: "test-fixtures/trust_anchor_4.pem",
		}, nil)
		if err != nil {
			return err
		}
		_, err = iam.NewWorkloadIdentityPool(ctx, "example", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
			DisplayName:            pulumi.String("Name of the pool"),
			Description:            pulumi.String("Identity pool operates in TRUST_DOMAIN mode"),
			Disabled:               pulumi.Bool(true),
			Mode:                   pulumi.String("TRUST_DOMAIN"),
			InlineCertificateIssuanceConfig: &iam.WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs{
				CaPools: pulumi.StringMap{
					"us-central1": pulumi.String("projects/project-bar/locations/us-central1/caPools/ca-pool-bar"),
					"asia-east2":  pulumi.String("projects/project-foo/locations/asia-east2/caPools/ca-pool-foo"),
				},
				Lifetime:                 pulumi.String("86400s"),
				RotationWindowPercentage: pulumi.Int(50),
				KeyAlgorithm:             pulumi.String("ECDSA_P256"),
			},
			InlineTrustConfig: &iam.WorkloadIdentityPoolInlineTrustConfigArgs{
				AdditionalTrustBundles: iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArray{
					&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs{
						TrustDomain:          pulumi.String("example.com"),
						TrustDefaultSharedCa: pulumi.Bool(false),
						TrustAnchors: iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArray{
							&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs{
								PemCertificate: pulumi.String(invokeFile.Result),
							},
							&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs{
								PemCertificate: pulumi.String(invokeFile1.Result),
							},
						},
					},
					&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs{
						TrustDomain:          pulumi.String("example.net"),
						TrustDefaultSharedCa: pulumi.Bool(false),
						TrustAnchors: iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArray{
							&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs{
								PemCertificate: pulumi.String(invokeFile2.Result),
							},
							&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs{
								PemCertificate: pulumi.String(invokeFile3.Result),
							},
						},
					},
				},
			},
			AttestationRules: iam.WorkloadIdentityPoolAttestationRuleArray{
				&iam.WorkloadIdentityPoolAttestationRuleArgs{
					GoogleCloudResource: pulumi.String("//run.googleapis.com/projects/1111111111111/type/Service/*"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;

return await Deployment.RunAsync(() => 
{
    var example = new Gcp.Iam.WorkloadIdentityPool("example", new()
    {
        WorkloadIdentityPoolId = "example-pool",
        DisplayName = "Name of the pool",
        Description = "Identity pool operates in TRUST_DOMAIN mode",
        Disabled = true,
        Mode = "TRUST_DOMAIN",
        InlineCertificateIssuanceConfig = new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs
        {
            CaPools = 
            {
                { "us-central1", "projects/project-bar/locations/us-central1/caPools/ca-pool-bar" },
                { "asia-east2", "projects/project-foo/locations/asia-east2/caPools/ca-pool-foo" },
            },
            Lifetime = "86400s",
            RotationWindowPercentage = 50,
            KeyAlgorithm = "ECDSA_P256",
        },
        InlineTrustConfig = new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigArgs
        {
            AdditionalTrustBundles = new[]
            {
                new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs
                {
                    TrustDomain = "example.com",
                    TrustDefaultSharedCa = false,
                    TrustAnchors = new[]
                    {
                        new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs
                        {
                            PemCertificate = Std.Index.File.Invoke(new()
                            {
                                Input = "test-fixtures/trust_anchor_1.pem",
                            }).Apply(invoke => invoke.Result),
                        },
                        new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs
                        {
                            PemCertificate = Std.Index.File.Invoke(new()
                            {
                                Input = "test-fixtures/trust_anchor_2.pem",
                            }).Apply(invoke => invoke.Result),
                        },
                    },
                },
                new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs
                {
                    TrustDomain = "example.net",
                    TrustDefaultSharedCa = false,
                    TrustAnchors = new[]
                    {
                        new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs
                        {
                            PemCertificate = Std.Index.File.Invoke(new()
                            {
                                Input = "test-fixtures/trust_anchor_3.pem",
                            }).Apply(invoke => invoke.Result),
                        },
                        new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs
                        {
                            PemCertificate = Std.Index.File.Invoke(new()
                            {
                                Input = "test-fixtures/trust_anchor_4.pem",
                            }).Apply(invoke => invoke.Result),
                        },
                    },
                },
            },
        },
        AttestationRules = new[]
        {
            new Gcp.Iam.Inputs.WorkloadIdentityPoolAttestationRuleArgs
            {
                GoogleCloudResource = "//run.googleapis.com/projects/1111111111111/type/Service/*",
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolInlineTrustConfigArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolAttestationRuleArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new WorkloadIdentityPool("example", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .displayName("Name of the pool")
            .description("Identity pool operates in TRUST_DOMAIN mode")
            .disabled(true)
            .mode("TRUST_DOMAIN")
            .inlineCertificateIssuanceConfig(WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs.builder()
                .caPools(Map.ofEntries(
                    Map.entry("us-central1", "projects/project-bar/locations/us-central1/caPools/ca-pool-bar"),
                    Map.entry("asia-east2", "projects/project-foo/locations/asia-east2/caPools/ca-pool-foo")
                ))
                .lifetime("86400s")
                .rotationWindowPercentage(50)
                .keyAlgorithm("ECDSA_P256")
                .build())
            .inlineTrustConfig(WorkloadIdentityPoolInlineTrustConfigArgs.builder()
                .additionalTrustBundles(                
                    WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs.builder()
                        .trustDomain("example.com")
                        .trustDefaultSharedCa(false)
                        .trustAnchors(                        
                            WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs.builder()
                                .pemCertificate(StdFunctions.file(FileArgs.builder()
                                    .input("test-fixtures/trust_anchor_1.pem")
                                    .build()).result())
                                .build(),
                            WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs.builder()
                                .pemCertificate(StdFunctions.file(FileArgs.builder()
                                    .input("test-fixtures/trust_anchor_2.pem")
                                    .build()).result())
                                .build())
                        .build(),
                    WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs.builder()
                        .trustDomain("example.net")
                        .trustDefaultSharedCa(false)
                        .trustAnchors(                        
                            WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs.builder()
                                .pemCertificate(StdFunctions.file(FileArgs.builder()
                                    .input("test-fixtures/trust_anchor_3.pem")
                                    .build()).result())
                                .build(),
                            WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs.builder()
                                .pemCertificate(StdFunctions.file(FileArgs.builder()
                                    .input("test-fixtures/trust_anchor_4.pem")
                                    .build()).result())
                                .build())
                        .build())
                .build())
            .attestationRules(WorkloadIdentityPoolAttestationRuleArgs.builder()
                .googleCloudResource("//run.googleapis.com/projects/1111111111111/type/Service/*")
                .build())
            .build());

    }
}

resources:
  example:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
      displayName: Name of the pool
      description: Identity pool operates in TRUST_DOMAIN mode
      disabled: true
      mode: TRUST_DOMAIN
      inlineCertificateIssuanceConfig:
        caPools:
          us-central1: projects/project-bar/locations/us-central1/caPools/ca-pool-bar
          asia-east2: projects/project-foo/locations/asia-east2/caPools/ca-pool-foo
        lifetime: 86400s
        rotationWindowPercentage: 50
        keyAlgorithm: ECDSA_P256
      inlineTrustConfig:
        additionalTrustBundles:
          - trustDomain: example.com
            trustDefaultSharedCa: false
            trustAnchors:
              - pemCertificate:
                  fn::invoke:
                    function: std:file
                    arguments:
                      input: test-fixtures/trust_anchor_1.pem
                    return: result
              - pemCertificate:
                  fn::invoke:
                    function: std:file
                    arguments:
                      input: test-fixtures/trust_anchor_2.pem
                    return: result
          - trustDomain: example.net
            trustDefaultSharedCa: false
            trustAnchors:
              - pemCertificate:
                  fn::invoke:
                    function: std:file
                    arguments:
                      input: test-fixtures/trust_anchor_3.pem
                    return: result
              - pemCertificate:
                  fn::invoke:
                    function: std:file
                    arguments:
                      input: test-fixtures/trust_anchor_4.pem
                    return: result
      attestationRules:
        - googleCloudResource: //run.googleapis.com/projects/1111111111111/type/Service/*

Iam Workload Identity Pool Full Trust Domain Mode With Default Shared Ca

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";

const example = new gcp.iam.WorkloadIdentityPool("example", {
    workloadIdentityPoolId: "example-pool",
    displayName: "Name of the pool",
    description: "Identity pool operates in TRUST_DOMAIN mode",
    disabled: true,
    mode: "TRUST_DOMAIN",
    inlineCertificateIssuanceConfig: {
        useDefaultSharedCa: true,
        lifetime: "86400s",
        rotationWindowPercentage: 50,
        keyAlgorithm: "ECDSA_P256",
    },
    inlineTrustConfig: {
        additionalTrustBundles: [
            {
                trustDomain: "example.com",
                trustDefaultSharedCa: true,
                trustAnchors: [
                    {
                        pemCertificate: std.file({
                            input: "test-fixtures/trust_anchor_1.pem",
                        }).then(invoke => invoke.result),
                    },
                    {
                        pemCertificate: std.file({
                            input: "test-fixtures/trust_anchor_2.pem",
                        }).then(invoke => invoke.result),
                    },
                ],
            },
            {
                trustDomain: "example.net",
                trustDefaultSharedCa: true,
                trustAnchors: [
                    {
                        pemCertificate: std.file({
                            input: "test-fixtures/trust_anchor_3.pem",
                        }).then(invoke => invoke.result),
                    },
                    {
                        pemCertificate: std.file({
                            input: "test-fixtures/trust_anchor_4.pem",
                        }).then(invoke => invoke.result),
                    },
                ],
            },
        ],
    },
});

import pulumi
import pulumi_gcp as gcp
import pulumi_std as std

example = gcp.iam.WorkloadIdentityPool("example",
    workload_identity_pool_id="example-pool",
    display_name="Name of the pool",
    description="Identity pool operates in TRUST_DOMAIN mode",
    disabled=True,
    mode="TRUST_DOMAIN",
    inline_certificate_issuance_config={
        "use_default_shared_ca": True,
        "lifetime": "86400s",
        "rotation_window_percentage": 50,
        "key_algorithm": "ECDSA_P256",
    },
    inline_trust_config={
        "additional_trust_bundles": [
            {
                "trust_domain": "example.com",
                "trust_default_shared_ca": True,
                "trust_anchors": [
                    {
                        "pem_certificate": std.file(input="test-fixtures/trust_anchor_1.pem").result,
                    },
                    {
                        "pem_certificate": std.file(input="test-fixtures/trust_anchor_2.pem").result,
                    },
                ],
            },
            {
                "trust_domain": "example.net",
                "trust_default_shared_ca": True,
                "trust_anchors": [
                    {
                        "pem_certificate": std.file(input="test-fixtures/trust_anchor_3.pem").result,
                    },
                    {
                        "pem_certificate": std.file(input="test-fixtures/trust_anchor_4.pem").result,
                    },
                ],
            },
        ],
    })

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iam"
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "test-fixtures/trust_anchor_1.pem",
		}, nil)
		if err != nil {
			return err
		}
		invokeFile1, err := std.File(ctx, &std.FileArgs{
			Input: "test-fixtures/trust_anchor_2.pem",
		}, nil)
		if err != nil {
			return err
		}
		invokeFile2, err := std.File(ctx, &std.FileArgs{
			Input: "test-fixtures/trust_anchor_3.pem",
		}, nil)
		if err != nil {
			return err
		}
		invokeFile3, err := std.File(ctx, &std.FileArgs{
			Input: "test-fixtures/trust_anchor_4.pem",
		}, nil)
		if err != nil {
			return err
		}
		_, err = iam.NewWorkloadIdentityPool(ctx, "example", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
			DisplayName:            pulumi.String("Name of the pool"),
			Description:            pulumi.String("Identity pool operates in TRUST_DOMAIN mode"),
			Disabled:               pulumi.Bool(true),
			Mode:                   pulumi.String("TRUST_DOMAIN"),
			InlineCertificateIssuanceConfig: &iam.WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs{
				UseDefaultSharedCa:       pulumi.Bool(true),
				Lifetime:                 pulumi.String("86400s"),
				RotationWindowPercentage: pulumi.Int(50),
				KeyAlgorithm:             pulumi.String("ECDSA_P256"),
			},
			InlineTrustConfig: &iam.WorkloadIdentityPoolInlineTrustConfigArgs{
				AdditionalTrustBundles: iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArray{
					&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs{
						TrustDomain:          pulumi.String("example.com"),
						TrustDefaultSharedCa: pulumi.Bool(true),
						TrustAnchors: iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArray{
							&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs{
								PemCertificate: pulumi.String(invokeFile.Result),
							},
							&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs{
								PemCertificate: pulumi.String(invokeFile1.Result),
							},
						},
					},
					&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs{
						TrustDomain:          pulumi.String("example.net"),
						TrustDefaultSharedCa: pulumi.Bool(true),
						TrustAnchors: iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArray{
							&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs{
								PemCertificate: pulumi.String(invokeFile2.Result),
							},
							&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs{
								PemCertificate: pulumi.String(invokeFile3.Result),
							},
						},
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;

return await Deployment.RunAsync(() => 
{
    var example = new Gcp.Iam.WorkloadIdentityPool("example", new()
    {
        WorkloadIdentityPoolId = "example-pool",
        DisplayName = "Name of the pool",
        Description = "Identity pool operates in TRUST_DOMAIN mode",
        Disabled = true,
        Mode = "TRUST_DOMAIN",
        InlineCertificateIssuanceConfig = new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs
        {
            UseDefaultSharedCa = true,
            Lifetime = "86400s",
            RotationWindowPercentage = 50,
            KeyAlgorithm = "ECDSA_P256",
        },
        InlineTrustConfig = new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigArgs
        {
            AdditionalTrustBundles = new[]
            {
                new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs
                {
                    TrustDomain = "example.com",
                    TrustDefaultSharedCa = true,
                    TrustAnchors = new[]
                    {
                        new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs
                        {
                            PemCertificate = Std.Index.File.Invoke(new()
                            {
                                Input = "test-fixtures/trust_anchor_1.pem",
                            }).Apply(invoke => invoke.Result),
                        },
                        new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs
                        {
                            PemCertificate = Std.Index.File.Invoke(new()
                            {
                                Input = "test-fixtures/trust_anchor_2.pem",
                            }).Apply(invoke => invoke.Result),
                        },
                    },
                },
                new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs
                {
                    TrustDomain = "example.net",
                    TrustDefaultSharedCa = true,
                    TrustAnchors = new[]
                    {
                        new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs
                        {
                            PemCertificate = Std.Index.File.Invoke(new()
                            {
                                Input = "test-fixtures/trust_anchor_3.pem",
                            }).Apply(invoke => invoke.Result),
                        },
                        new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs
                        {
                            PemCertificate = Std.Index.File.Invoke(new()
                            {
                                Input = "test-fixtures/trust_anchor_4.pem",
                            }).Apply(invoke => invoke.Result),
                        },
                    },
                },
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolInlineTrustConfigArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new WorkloadIdentityPool("example", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .displayName("Name of the pool")
            .description("Identity pool operates in TRUST_DOMAIN mode")
            .disabled(true)
            .mode("TRUST_DOMAIN")
            .inlineCertificateIssuanceConfig(WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs.builder()
                .useDefaultSharedCa(true)
                .lifetime("86400s")
                .rotationWindowPercentage(50)
                .keyAlgorithm("ECDSA_P256")
                .build())
            .inlineTrustConfig(WorkloadIdentityPoolInlineTrustConfigArgs.builder()
                .additionalTrustBundles(                
                    WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs.builder()
                        .trustDomain("example.com")
                        .trustDefaultSharedCa(true)
                        .trustAnchors(                        
                            WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs.builder()
                                .pemCertificate(StdFunctions.file(FileArgs.builder()
                                    .input("test-fixtures/trust_anchor_1.pem")
                                    .build()).result())
                                .build(),
                            WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs.builder()
                                .pemCertificate(StdFunctions.file(FileArgs.builder()
                                    .input("test-fixtures/trust_anchor_2.pem")
                                    .build()).result())
                                .build())
                        .build(),
                    WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs.builder()
                        .trustDomain("example.net")
                        .trustDefaultSharedCa(true)
                        .trustAnchors(                        
                            WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs.builder()
                                .pemCertificate(StdFunctions.file(FileArgs.builder()
                                    .input("test-fixtures/trust_anchor_3.pem")
                                    .build()).result())
                                .build(),
                            WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs.builder()
                                .pemCertificate(StdFunctions.file(FileArgs.builder()
                                    .input("test-fixtures/trust_anchor_4.pem")
                                    .build()).result())
                                .build())
                        .build())
                .build())
            .build());

    }
}

resources:
  example:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
      displayName: Name of the pool
      description: Identity pool operates in TRUST_DOMAIN mode
      disabled: true
      mode: TRUST_DOMAIN
      inlineCertificateIssuanceConfig:
        useDefaultSharedCa: true
        lifetime: 86400s
        rotationWindowPercentage: 50
        keyAlgorithm: ECDSA_P256
      inlineTrustConfig:
        additionalTrustBundles:
          - trustDomain: example.com
            trustDefaultSharedCa: true
            trustAnchors:
              - pemCertificate:
                  fn::invoke:
                    function: std:file
                    arguments:
                      input: test-fixtures/trust_anchor_1.pem
                    return: result
              - pemCertificate:
                  fn::invoke:
                    function: std:file
                    arguments:
                      input: test-fixtures/trust_anchor_2.pem
                    return: result
          - trustDomain: example.net
            trustDefaultSharedCa: true
            trustAnchors:
              - pemCertificate:
                  fn::invoke:
                    function: std:file
                    arguments:
                      input: test-fixtures/trust_anchor_3.pem
                    return: result
              - pemCertificate:
                  fn::invoke:
                    function: std:file
                    arguments:
                      input: test-fixtures/trust_anchor_4.pem
                    return: result

Create WorkloadIdentityPool Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new WorkloadIdentityPool(name: string, args: WorkloadIdentityPoolArgs, opts?: CustomResourceOptions);

@overload
def WorkloadIdentityPool(resource_name: str,
                         args: WorkloadIdentityPoolArgs,
                         opts: Optional[ResourceOptions] = None)

@overload
def WorkloadIdentityPool(resource_name: str,
                         opts: Optional[ResourceOptions] = None,
                         workload_identity_pool_id: Optional[str] = None,
                         attestation_rules: Optional[Sequence[WorkloadIdentityPoolAttestationRuleArgs]] = None,
                         description: Optional[str] = None,
                         disabled: Optional[bool] = None,
                         display_name: Optional[str] = None,
                         inline_certificate_issuance_config: Optional[WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs] = None,
                         inline_trust_config: Optional[WorkloadIdentityPoolInlineTrustConfigArgs] = None,
                         mode: Optional[str] = None,
                         project: Optional[str] = None)

func NewWorkloadIdentityPool(ctx *Context, name string, args WorkloadIdentityPoolArgs, opts ...ResourceOption) (*WorkloadIdentityPool, error)

public WorkloadIdentityPool(string name, WorkloadIdentityPoolArgs args, CustomResourceOptions? opts = null)

public WorkloadIdentityPool(String name, WorkloadIdentityPoolArgs args)
public WorkloadIdentityPool(String name, WorkloadIdentityPoolArgs args, CustomResourceOptions options)

type: gcp:iam:WorkloadIdentityPool
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args WorkloadIdentityPoolArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args WorkloadIdentityPoolArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args WorkloadIdentityPoolArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args WorkloadIdentityPoolArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args WorkloadIdentityPoolArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

WorkloadIdentityPool Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The WorkloadIdentityPool resource accepts the following input properties:

WorkloadIdentityPoolId string

The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.

AttestationRules List<WorkloadIdentityPoolAttestationRule>

Defines which workloads can receive an identity within a pool. When an AttestationRule is defined under a managed identity, matching workloads may receive that identity. A maximum of 50 AttestationRules can be set. Structure is documented below.

Description string

A description of the pool. Cannot exceed 256 characters.

Disabled bool

Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

DisplayName string

A display name for the pool. Cannot exceed 32 characters.

InlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfig

Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.

InlineTrustConfig WorkloadIdentityPoolInlineTrustConfig

Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.

Mode string

The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools.
SYSTEM_TRUST_DOMAIN: Pools are managed by Google Cloud services. Neither gcp.iam.WorkloadIdentityPoolNamespaces nor gcp.iam.WorkloadIdentityPoolProviders can be created within SYSTEM_TRUST_DOMAIN mode pools. All identities within a SYSTEM_TRUST_DOMAIN mode pool are in one of the following formats:
spiffe://<trust-domain>/ns/<kubernetes-namespace>/sa/<kubernetes-service-account>
spiffe://<trust-domain>/resources/<resource-scope>/<resource-name> Possible values are: FEDERATION_ONLY, TRUST_DOMAIN, SYSTEM_TRUST_DOMAIN.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

WorkloadIdentityPoolId string

AttestationRules []WorkloadIdentityPoolAttestationRuleArgs

Description string

A description of the pool. Cannot exceed 256 characters.

Disabled bool

Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

DisplayName string

A display name for the pool. Cannot exceed 32 characters.

InlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs

InlineTrustConfig WorkloadIdentityPoolInlineTrustConfigArgs

Mode string

The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools.
SYSTEM_TRUST_DOMAIN: Pools are managed by Google Cloud services. Neither gcp.iam.WorkloadIdentityPoolNamespaces nor gcp.iam.WorkloadIdentityPoolProviders can be created within SYSTEM_TRUST_DOMAIN mode pools. All identities within a SYSTEM_TRUST_DOMAIN mode pool are in one of the following formats:
spiffe://<trust-domain>/ns/<kubernetes-namespace>/sa/<kubernetes-service-account>
spiffe://<trust-domain>/resources/<resource-scope>/<resource-name> Possible values are: FEDERATION_ONLY, TRUST_DOMAIN, SYSTEM_TRUST_DOMAIN.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

workloadIdentityPoolId String

attestationRules List<WorkloadIdentityPoolAttestationRule>

description String

A description of the pool. Cannot exceed 256 characters.

disabled Boolean

Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

displayName String

A display name for the pool. Cannot exceed 32 characters.

inlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfig

inlineTrustConfig WorkloadIdentityPoolInlineTrustConfig

mode String

The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools.
SYSTEM_TRUST_DOMAIN: Pools are managed by Google Cloud services. Neither gcp.iam.WorkloadIdentityPoolNamespaces nor gcp.iam.WorkloadIdentityPoolProviders can be created within SYSTEM_TRUST_DOMAIN mode pools. All identities within a SYSTEM_TRUST_DOMAIN mode pool are in one of the following formats:
spiffe://<trust-domain>/ns/<kubernetes-namespace>/sa/<kubernetes-service-account>
spiffe://<trust-domain>/resources/<resource-scope>/<resource-name> Possible values are: FEDERATION_ONLY, TRUST_DOMAIN, SYSTEM_TRUST_DOMAIN.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

workloadIdentityPoolId string

attestationRules WorkloadIdentityPoolAttestationRule[]

description string

A description of the pool. Cannot exceed 256 characters.

disabled boolean

Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

displayName string

A display name for the pool. Cannot exceed 32 characters.

inlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfig

inlineTrustConfig WorkloadIdentityPoolInlineTrustConfig

mode string

The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools.
SYSTEM_TRUST_DOMAIN: Pools are managed by Google Cloud services. Neither gcp.iam.WorkloadIdentityPoolNamespaces nor gcp.iam.WorkloadIdentityPoolProviders can be created within SYSTEM_TRUST_DOMAIN mode pools. All identities within a SYSTEM_TRUST_DOMAIN mode pool are in one of the following formats:
spiffe://<trust-domain>/ns/<kubernetes-namespace>/sa/<kubernetes-service-account>
spiffe://<trust-domain>/resources/<resource-scope>/<resource-name> Possible values are: FEDERATION_ONLY, TRUST_DOMAIN, SYSTEM_TRUST_DOMAIN.

project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

workload_identity_pool_id str

attestation_rules Sequence[WorkloadIdentityPoolAttestationRuleArgs]

description str

A description of the pool. Cannot exceed 256 characters.

disabled bool

Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

display_name str

A display name for the pool. Cannot exceed 32 characters.

inline_certificate_issuance_config WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs

inline_trust_config WorkloadIdentityPoolInlineTrustConfigArgs

mode str

The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools.
SYSTEM_TRUST_DOMAIN: Pools are managed by Google Cloud services. Neither gcp.iam.WorkloadIdentityPoolNamespaces nor gcp.iam.WorkloadIdentityPoolProviders can be created within SYSTEM_TRUST_DOMAIN mode pools. All identities within a SYSTEM_TRUST_DOMAIN mode pool are in one of the following formats:
spiffe://<trust-domain>/ns/<kubernetes-namespace>/sa/<kubernetes-service-account>
spiffe://<trust-domain>/resources/<resource-scope>/<resource-name> Possible values are: FEDERATION_ONLY, TRUST_DOMAIN, SYSTEM_TRUST_DOMAIN.

project str

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

workloadIdentityPoolId String

attestationRules List<Property Map>

description String

A description of the pool. Cannot exceed 256 characters.

disabled Boolean

Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

displayName String

A display name for the pool. Cannot exceed 32 characters.

inlineCertificateIssuanceConfig Property Map

inlineTrustConfig Property Map

mode String

The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools.
SYSTEM_TRUST_DOMAIN: Pools are managed by Google Cloud services. Neither gcp.iam.WorkloadIdentityPoolNamespaces nor gcp.iam.WorkloadIdentityPoolProviders can be created within SYSTEM_TRUST_DOMAIN mode pools. All identities within a SYSTEM_TRUST_DOMAIN mode pool are in one of the following formats:
spiffe://<trust-domain>/ns/<kubernetes-namespace>/sa/<kubernetes-service-account>
spiffe://<trust-domain>/resources/<resource-scope>/<resource-name> Possible values are: FEDERATION_ONLY, TRUST_DOMAIN, SYSTEM_TRUST_DOMAIN.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Outputs

All input properties are implicitly available as output properties. Additionally, the WorkloadIdentityPool resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Name string

The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.

State string

The state of the pool.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The pool is active, and may be used in Google Cloud policies.
DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

Id string

The provider-assigned unique ID for this managed resource.

Name string

The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.

State string

The state of the pool.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The pool is active, and may be used in Google Cloud policies.
DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

id String

The provider-assigned unique ID for this managed resource.

name String

The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.

state String

The state of the pool.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The pool is active, and may be used in Google Cloud policies.
DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

id string

The provider-assigned unique ID for this managed resource.

name string

The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.

state string

The state of the pool.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The pool is active, and may be used in Google Cloud policies.
DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

id str

The provider-assigned unique ID for this managed resource.

name str

The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.

state str

The state of the pool.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The pool is active, and may be used in Google Cloud policies.
DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

id String

The provider-assigned unique ID for this managed resource.

name String

The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.

state String

The state of the pool.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The pool is active, and may be used in Google Cloud policies.
DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

Look up Existing WorkloadIdentityPool Resource

Get an existing WorkloadIdentityPool resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: WorkloadIdentityPoolState, opts?: CustomResourceOptions): WorkloadIdentityPool

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        attestation_rules: Optional[Sequence[WorkloadIdentityPoolAttestationRuleArgs]] = None,
        description: Optional[str] = None,
        disabled: Optional[bool] = None,
        display_name: Optional[str] = None,
        inline_certificate_issuance_config: Optional[WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs] = None,
        inline_trust_config: Optional[WorkloadIdentityPoolInlineTrustConfigArgs] = None,
        mode: Optional[str] = None,
        name: Optional[str] = None,
        project: Optional[str] = None,
        state: Optional[str] = None,
        workload_identity_pool_id: Optional[str] = None) -> WorkloadIdentityPool

func GetWorkloadIdentityPool(ctx *Context, name string, id IDInput, state *WorkloadIdentityPoolState, opts ...ResourceOption) (*WorkloadIdentityPool, error)

public static WorkloadIdentityPool Get(string name, Input<string> id, WorkloadIdentityPoolState? state, CustomResourceOptions? opts = null)

public static WorkloadIdentityPool get(String name, Output<String> id, WorkloadIdentityPoolState state, CustomResourceOptions options)

resources:  _:    type: gcp:iam:WorkloadIdentityPool    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AttestationRules List<WorkloadIdentityPoolAttestationRule>

Description string

A description of the pool. Cannot exceed 256 characters.

Disabled bool

Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

DisplayName string

A display name for the pool. Cannot exceed 32 characters.

InlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfig

InlineTrustConfig WorkloadIdentityPoolInlineTrustConfig

Mode string

The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools.
SYSTEM_TRUST_DOMAIN: Pools are managed by Google Cloud services. Neither gcp.iam.WorkloadIdentityPoolNamespaces nor gcp.iam.WorkloadIdentityPoolProviders can be created within SYSTEM_TRUST_DOMAIN mode pools. All identities within a SYSTEM_TRUST_DOMAIN mode pool are in one of the following formats:
spiffe://<trust-domain>/ns/<kubernetes-namespace>/sa/<kubernetes-service-account>
spiffe://<trust-domain>/resources/<resource-scope>/<resource-name> Possible values are: FEDERATION_ONLY, TRUST_DOMAIN, SYSTEM_TRUST_DOMAIN.

Name string

The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

State string

The state of the pool.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The pool is active, and may be used in Google Cloud policies.
DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

WorkloadIdentityPoolId string

AttestationRules []WorkloadIdentityPoolAttestationRuleArgs

Description string

A description of the pool. Cannot exceed 256 characters.

Disabled bool

Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

DisplayName string

A display name for the pool. Cannot exceed 32 characters.

InlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs

InlineTrustConfig WorkloadIdentityPoolInlineTrustConfigArgs

Mode string

The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools.
SYSTEM_TRUST_DOMAIN: Pools are managed by Google Cloud services. Neither gcp.iam.WorkloadIdentityPoolNamespaces nor gcp.iam.WorkloadIdentityPoolProviders can be created within SYSTEM_TRUST_DOMAIN mode pools. All identities within a SYSTEM_TRUST_DOMAIN mode pool are in one of the following formats:
spiffe://<trust-domain>/ns/<kubernetes-namespace>/sa/<kubernetes-service-account>
spiffe://<trust-domain>/resources/<resource-scope>/<resource-name> Possible values are: FEDERATION_ONLY, TRUST_DOMAIN, SYSTEM_TRUST_DOMAIN.

Name string

The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

State string

The state of the pool.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The pool is active, and may be used in Google Cloud policies.
DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

WorkloadIdentityPoolId string

attestationRules List<WorkloadIdentityPoolAttestationRule>

description String

A description of the pool. Cannot exceed 256 characters.

disabled Boolean

Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

displayName String

A display name for the pool. Cannot exceed 32 characters.

inlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfig

inlineTrustConfig WorkloadIdentityPoolInlineTrustConfig

mode String

The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools.
SYSTEM_TRUST_DOMAIN: Pools are managed by Google Cloud services. Neither gcp.iam.WorkloadIdentityPoolNamespaces nor gcp.iam.WorkloadIdentityPoolProviders can be created within SYSTEM_TRUST_DOMAIN mode pools. All identities within a SYSTEM_TRUST_DOMAIN mode pool are in one of the following formats:
spiffe://<trust-domain>/ns/<kubernetes-namespace>/sa/<kubernetes-service-account>
spiffe://<trust-domain>/resources/<resource-scope>/<resource-name> Possible values are: FEDERATION_ONLY, TRUST_DOMAIN, SYSTEM_TRUST_DOMAIN.

name String

The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

state String

The state of the pool.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The pool is active, and may be used in Google Cloud policies.
DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

workloadIdentityPoolId String

attestationRules WorkloadIdentityPoolAttestationRule[]

description string

A description of the pool. Cannot exceed 256 characters.

disabled boolean

Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

displayName string

A display name for the pool. Cannot exceed 32 characters.

inlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfig

inlineTrustConfig WorkloadIdentityPoolInlineTrustConfig

mode string

The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools.
SYSTEM_TRUST_DOMAIN: Pools are managed by Google Cloud services. Neither gcp.iam.WorkloadIdentityPoolNamespaces nor gcp.iam.WorkloadIdentityPoolProviders can be created within SYSTEM_TRUST_DOMAIN mode pools. All identities within a SYSTEM_TRUST_DOMAIN mode pool are in one of the following formats:
spiffe://<trust-domain>/ns/<kubernetes-namespace>/sa/<kubernetes-service-account>
spiffe://<trust-domain>/resources/<resource-scope>/<resource-name> Possible values are: FEDERATION_ONLY, TRUST_DOMAIN, SYSTEM_TRUST_DOMAIN.

name string

The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.

project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

state string

The state of the pool.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The pool is active, and may be used in Google Cloud policies.
DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

workloadIdentityPoolId string

attestation_rules Sequence[WorkloadIdentityPoolAttestationRuleArgs]

description str

A description of the pool. Cannot exceed 256 characters.

disabled bool

Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

display_name str

A display name for the pool. Cannot exceed 32 characters.

inline_certificate_issuance_config WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs

inline_trust_config WorkloadIdentityPoolInlineTrustConfigArgs

mode str

The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools.
SYSTEM_TRUST_DOMAIN: Pools are managed by Google Cloud services. Neither gcp.iam.WorkloadIdentityPoolNamespaces nor gcp.iam.WorkloadIdentityPoolProviders can be created within SYSTEM_TRUST_DOMAIN mode pools. All identities within a SYSTEM_TRUST_DOMAIN mode pool are in one of the following formats:
spiffe://<trust-domain>/ns/<kubernetes-namespace>/sa/<kubernetes-service-account>
spiffe://<trust-domain>/resources/<resource-scope>/<resource-name> Possible values are: FEDERATION_ONLY, TRUST_DOMAIN, SYSTEM_TRUST_DOMAIN.

name str

The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.

project str

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

state str

The state of the pool.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The pool is active, and may be used in Google Cloud policies.
DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

workload_identity_pool_id str

attestationRules List<Property Map>

description String

A description of the pool. Cannot exceed 256 characters.

disabled Boolean

Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

displayName String

A display name for the pool. Cannot exceed 32 characters.

inlineCertificateIssuanceConfig Property Map

inlineTrustConfig Property Map

mode String

The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools.
SYSTEM_TRUST_DOMAIN: Pools are managed by Google Cloud services. Neither gcp.iam.WorkloadIdentityPoolNamespaces nor gcp.iam.WorkloadIdentityPoolProviders can be created within SYSTEM_TRUST_DOMAIN mode pools. All identities within a SYSTEM_TRUST_DOMAIN mode pool are in one of the following formats:
spiffe://<trust-domain>/ns/<kubernetes-namespace>/sa/<kubernetes-service-account>
spiffe://<trust-domain>/resources/<resource-scope>/<resource-name> Possible values are: FEDERATION_ONLY, TRUST_DOMAIN, SYSTEM_TRUST_DOMAIN.

name String

The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

state String

The state of the pool.

STATE_UNSPECIFIED: State unspecified.
ACTIVE: The pool is active, and may be used in Google Cloud policies.
DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

workloadIdentityPoolId String

Supporting Types

WorkloadIdentityPoolAttestationRule, WorkloadIdentityPoolAttestationRuleArgs

GoogleCloudResource string: A single workload operating on Google Cloud. For example: //run.googleapis.com/projects/123/type/Service/*.

GoogleCloudResource string: A single workload operating on Google Cloud. For example: //run.googleapis.com/projects/123/type/Service/*.

googleCloudResource String: A single workload operating on Google Cloud. For example: //run.googleapis.com/projects/123/type/Service/*.

googleCloudResource string: A single workload operating on Google Cloud. For example: //run.googleapis.com/projects/123/type/Service/*.

google_cloud_resource str: A single workload operating on Google Cloud. For example: //run.googleapis.com/projects/123/type/Service/*.

googleCloudResource String: A single workload operating on Google Cloud. For example: //run.googleapis.com/projects/123/type/Service/*.

WorkloadIdentityPoolInlineCertificateIssuanceConfig, WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs

CaPools Dictionary<string, string>

A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
Value format: A valid CA pool resource path format like: projects/{project}/locations/{location}/caPools/{ca_pool}
Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).

KeyAlgorithm string

Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.

RSA_2048: Specifies RSA with a 2048-bit modulus.
RSA_3072: Specifies RSA with a 3072-bit modulus.
RSA_4096: Specifies RSA with a 4096-bit modulus.
ECDSA_P256: Specifies ECDSA with curve P256.
ECDSA_P384: Specifies ECDSA with curve P384. Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.

Lifetime string

Lifetime of the workload certificates issued by the CA pool in seconds. Must be between 86400s (24 hours) to 2592000s (30 days), ends in the suffix "s" (indicating seconds) and is preceded by the number of seconds. If unspecified, this will be defaulted to 86400s (24 hours).

RotationWindowPercentage int

Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between 50 - 80. If unspecified, this will be defaulted to 50.

UseDefaultSharedCa bool

If set to true, the trust domain will utilize the GCP-provisioned default CA. A default CA in the same region as the workload will be selected to issue the certificate. Enabling this will clear any existing caPools configuration to provision the certificates.

CaPools map[string]string

A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
Value format: A valid CA pool resource path format like: projects/{project}/locations/{location}/caPools/{ca_pool}
Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).

KeyAlgorithm string

Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.

RSA_2048: Specifies RSA with a 2048-bit modulus.
RSA_3072: Specifies RSA with a 3072-bit modulus.
RSA_4096: Specifies RSA with a 4096-bit modulus.
ECDSA_P256: Specifies ECDSA with curve P256.
ECDSA_P384: Specifies ECDSA with curve P384. Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.

Lifetime string

RotationWindowPercentage int

Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between 50 - 80. If unspecified, this will be defaulted to 50.

UseDefaultSharedCa bool

caPools Map<String,String>

A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
Value format: A valid CA pool resource path format like: projects/{project}/locations/{location}/caPools/{ca_pool}
Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).

keyAlgorithm String

Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.

RSA_2048: Specifies RSA with a 2048-bit modulus.
RSA_3072: Specifies RSA with a 3072-bit modulus.
RSA_4096: Specifies RSA with a 4096-bit modulus.
ECDSA_P256: Specifies ECDSA with curve P256.
ECDSA_P384: Specifies ECDSA with curve P384. Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.

lifetime String

rotationWindowPercentage Integer

Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between 50 - 80. If unspecified, this will be defaulted to 50.

useDefaultSharedCa Boolean

caPools {[key: string]: string}

A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
Value format: A valid CA pool resource path format like: projects/{project}/locations/{location}/caPools/{ca_pool}
Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).

keyAlgorithm string

Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.

RSA_2048: Specifies RSA with a 2048-bit modulus.
RSA_3072: Specifies RSA with a 3072-bit modulus.
RSA_4096: Specifies RSA with a 4096-bit modulus.
ECDSA_P256: Specifies ECDSA with curve P256.
ECDSA_P384: Specifies ECDSA with curve P384. Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.

lifetime string

rotationWindowPercentage number

Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between 50 - 80. If unspecified, this will be defaulted to 50.

useDefaultSharedCa boolean

ca_pools Mapping[str, str]

A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
Value format: A valid CA pool resource path format like: projects/{project}/locations/{location}/caPools/{ca_pool}
Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).

key_algorithm str

Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.

RSA_2048: Specifies RSA with a 2048-bit modulus.
RSA_3072: Specifies RSA with a 3072-bit modulus.
RSA_4096: Specifies RSA with a 4096-bit modulus.
ECDSA_P256: Specifies ECDSA with curve P256.
ECDSA_P384: Specifies ECDSA with curve P384. Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.

lifetime str

rotation_window_percentage int

Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between 50 - 80. If unspecified, this will be defaulted to 50.

use_default_shared_ca bool

caPools Map<String>

A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
Value format: A valid CA pool resource path format like: projects/{project}/locations/{location}/caPools/{ca_pool}
Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).

keyAlgorithm String

Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.

RSA_2048: Specifies RSA with a 2048-bit modulus.
RSA_3072: Specifies RSA with a 3072-bit modulus.
RSA_4096: Specifies RSA with a 4096-bit modulus.
ECDSA_P256: Specifies ECDSA with curve P256.
ECDSA_P384: Specifies ECDSA with curve P384. Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.

lifetime String

rotationWindowPercentage Number

Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between 50 - 80. If unspecified, this will be defaulted to 50.

useDefaultSharedCa Boolean

WorkloadIdentityPoolInlineTrustConfig, WorkloadIdentityPoolInlineTrustConfigArgs

AdditionalTrustBundles List<WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle>: Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and don't need to be specified here. If however, this WorkloadIdentityPool's trust domain contains any trust anchors in the additionalTrustBundles map, those trust anchors will be appended to the Trust Bundle automatically derived from your InlineCertificateIssuanceConfig's caPools. Structure is documented below.

AdditionalTrustBundles []WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle: Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and don't need to be specified here. If however, this WorkloadIdentityPool's trust domain contains any trust anchors in the additionalTrustBundles map, those trust anchors will be appended to the Trust Bundle automatically derived from your InlineCertificateIssuanceConfig's caPools. Structure is documented below.

additionalTrustBundles List<WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle>: Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and don't need to be specified here. If however, this WorkloadIdentityPool's trust domain contains any trust anchors in the additionalTrustBundles map, those trust anchors will be appended to the Trust Bundle automatically derived from your InlineCertificateIssuanceConfig's caPools. Structure is documented below.

additionalTrustBundles WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle[]: Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and don't need to be specified here. If however, this WorkloadIdentityPool's trust domain contains any trust anchors in the additionalTrustBundles map, those trust anchors will be appended to the Trust Bundle automatically derived from your InlineCertificateIssuanceConfig's caPools. Structure is documented below.

additional_trust_bundles Sequence[WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle]: Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and don't need to be specified here. If however, this WorkloadIdentityPool's trust domain contains any trust anchors in the additionalTrustBundles map, those trust anchors will be appended to the Trust Bundle automatically derived from your InlineCertificateIssuanceConfig's caPools. Structure is documented below.

additionalTrustBundles List<Property Map>: Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and don't need to be specified here. If however, this WorkloadIdentityPool's trust domain contains any trust anchors in the additionalTrustBundles map, those trust anchors will be appended to the Trust Bundle automatically derived from your InlineCertificateIssuanceConfig's caPools. Structure is documented below.

WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle, WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs

TrustAnchors List<WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor>: List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
TrustDomain string: The identifier for this object. Format specified above.
TrustDefaultSharedCa bool: If set to True, the trust bundle will include the private ca managed identity regional root public certificates.
Note trustDefaultSharedCa is only supported for managed identity trust domain resource.

TrustAnchors []WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor: List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
TrustDomain string: The identifier for this object. Format specified above.
TrustDefaultSharedCa bool: If set to True, the trust bundle will include the private ca managed identity regional root public certificates.
Note trustDefaultSharedCa is only supported for managed identity trust domain resource.

trustAnchors List<WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor>: List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
trustDomain String: The identifier for this object. Format specified above.
trustDefaultSharedCa Boolean: If set to True, the trust bundle will include the private ca managed identity regional root public certificates.
Note trustDefaultSharedCa is only supported for managed identity trust domain resource.

trustAnchors WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor[]: List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
trustDomain string: The identifier for this object. Format specified above.
trustDefaultSharedCa boolean: If set to True, the trust bundle will include the private ca managed identity regional root public certificates.
Note trustDefaultSharedCa is only supported for managed identity trust domain resource.

trust_anchors Sequence[WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor]: List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
trust_domain str: The identifier for this object. Format specified above.
trust_default_shared_ca bool: If set to True, the trust bundle will include the private ca managed identity regional root public certificates.
Note trustDefaultSharedCa is only supported for managed identity trust domain resource.

trustAnchors List<Property Map>: List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
trustDomain String: The identifier for this object. Format specified above.
trustDefaultSharedCa Boolean: If set to True, the trust bundle will include the private ca managed identity regional root public certificates.
Note trustDefaultSharedCa is only supported for managed identity trust domain resource.

WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor, WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs

PemCertificate string: PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).

PemCertificate string: PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).

pemCertificate String: PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).

pemCertificate string: PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).

pem_certificate str: PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).

pemCertificate String: PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).

Import

WorkloadIdentityPool can be imported using any of these accepted formats:

projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}
{{project}}/{{workload_identity_pool_id}}
{{workload_identity_pool_id}}

When using the pulumi import command, WorkloadIdentityPool can be imported using one of the formats above. For example:

$ pulumi import gcp:iam/workloadIdentityPool:WorkloadIdentityPool default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}
$ pulumi import gcp:iam/workloadIdentityPool:WorkloadIdentityPool default {{project}}/{{workload_identity_pool_id}}
$ pulumi import gcp:iam/workloadIdentityPool:WorkloadIdentityPool default {{workload_identity_pool_id}}

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Google Cloud (GCP) Classic pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.

Viewing docs for Google Cloud v9.21.0
published on Friday, Apr 24, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-gcp

gcp.iam.WorkloadIdentityPool

On this page

On this page

Example Usage

Iam Workload Identity Pool Basic

Iam Workload Identity Pool Full Federation Only Mode

Iam Workload Identity Pool Full Trust Domain Mode

Iam Workload Identity Pool Full Trust Domain Mode With Default Shared Ca

Create WorkloadIdentityPool Resource

Constructor syntax

Parameters

WorkloadIdentityPool Resource Properties

Inputs

Outputs

Look up Existing WorkloadIdentityPool Resource

Supporting Types

WorkloadIdentityPoolAttestationRule, WorkloadIdentityPoolAttestationRuleArgs

WorkloadIdentityPoolInlineCertificateIssuanceConfig, WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs

WorkloadIdentityPoolInlineTrustConfig, WorkloadIdentityPoolInlineTrustConfigArgs

WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle, WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs

WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor, WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs

Import

Package Details

On this page

On this page