Workload Identity Pool Provider
A configuration for an external identity provider. To get more information about WorkloadIdentityPoolProvider, see:
Example Usage
Iam Workload Identity Pool Provider Aws Basic
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderAwsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that provisions a Workload Identity Pool together with an
 * AWS-backed provider for it (the "Aws Basic" variant: account trust only).
 */
public class App {
    /** Program entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resources of this stack.
     *
     * @param ctx the Pulumi context supplied by the runtime (not read here)
     */
    public static void stack(Context ctx) {
        var poolArgs = WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .build();
        var identityPool = new WorkloadIdentityPool("pool", poolArgs);

        // Trust is scoped to a single AWS account. No attributeCondition is set,
        // so acceptance is not narrowed further by a CEL condition (the "Aws Full"
        // example shows how to restrict to a specific assumed role).
        var awsArgs = WorkloadIdentityPoolProviderAwsArgs.builder()
                .accountId("999999999999")
                .build();
        var providerArgs = WorkloadIdentityPoolProviderArgs.builder()
                .workloadIdentityPoolId(identityPool.workloadIdentityPoolId())
                .workloadIdentityPoolProviderId("example-prvdr")
                .aws(awsArgs)
                .build();
        var provider = new WorkloadIdentityPoolProvider("example", providerArgs);
    }
}
Iam Workload Identity Pool Provider Aws Full
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderAwsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that provisions a Workload Identity Pool together with a
 * fully configured AWS-backed provider (the "Aws Full" variant: display name,
 * description, disabled flag, CEL attribute condition and attribute mapping).
 */
public class App {
    /** Program entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resources of this stack.
     *
     * @param ctx the Pulumi context supplied by the runtime (not read here)
     */
    public static void stack(Context ctx) {
        var poolArgs = WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .build();
        var identityPool = new WorkloadIdentityPool("pool", poolArgs);

        // CEL condition: only credentials whose mapped aws_role equals this exact
        // assumed-role ARN are accepted; everything else from the account is rejected.
        var roleCondition =
                "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"";

        // Mapping from AWS assertion fields to Google Cloud attributes. The
        // environment attribute is derived from the ARN at federation time.
        var mapping = Map.of(
                "google.subject", "assertion.arn",
                "attribute.aws_account", "assertion.account",
                "attribute.environment",
                "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"");

        var awsArgs = WorkloadIdentityPoolProviderAwsArgs.builder()
                .accountId("999999999999")
                .build();

        // The provider is created in the disabled state (disabled(true)).
        var providerArgs = WorkloadIdentityPoolProviderArgs.builder()
                .workloadIdentityPoolId(identityPool.workloadIdentityPoolId())
                .workloadIdentityPoolProviderId("example-prvdr")
                .displayName("Name of provider")
                .description("AWS identity pool provider for automated test")
                .disabled(true)
                .attributeCondition(roleCondition)
                .attributeMapping(mapping)
                .aws(awsArgs)
                .build();
        var provider = new WorkloadIdentityPoolProvider("example", providerArgs);
    }
}
Iam Workload Identity Pool Provider Oidc Basic
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that provisions a Workload Identity Pool together with a
 * minimal OIDC provider (the "Oidc Basic" variant: issuer URI and subject
 * mapping only).
 */
public class App {
    /** Program entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resources of this stack.
     *
     * @param ctx the Pulumi context supplied by the runtime (not read here)
     */
    public static void stack(Context ctx) {
        var poolArgs = WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .build();
        var identityPool = new WorkloadIdentityPool("pool", poolArgs);

        // Only the issuer is configured; neither allowedAudiences nor an
        // attributeCondition is set here (see the "Oidc Full" example for both).
        var oidcArgs = WorkloadIdentityPoolProviderOidcArgs.builder()
                .issuerUri("https://sts.windows.net/azure-tenant-id")
                .build();

        // The token's "sub" claim becomes the Google Cloud subject.
        var providerArgs = WorkloadIdentityPoolProviderArgs.builder()
                .workloadIdentityPoolId(identityPool.workloadIdentityPoolId())
                .workloadIdentityPoolProviderId("example-prvdr")
                .attributeMapping(Map.of("google.subject", "assertion.sub"))
                .oidc(oidcArgs)
                .build();
        var provider = new WorkloadIdentityPoolProvider("example", providerArgs);
    }
}
Iam Workload Identity Pool Provider Oidc Full
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that provisions a Workload Identity Pool together with a
 * fully configured OIDC provider (the "Oidc Full" variant: display name,
 * description, disabled flag, group-based CEL condition, attribute mapping
 * and explicit allowed audiences).
 */
public class App {
    /** Program entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resources of this stack.
     *
     * @param ctx the Pulumi context supplied by the runtime (not read here)
     */
    public static void stack(Context ctx) {
        var poolArgs = WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .build();
        var identityPool = new WorkloadIdentityPool("pool", poolArgs);

        // CEL condition: the token's groups claim must contain this group id.
        var groupCondition = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups";

        // Subject is namespaced by tenant id so that equal "sub" values from
        // different tenants do not collide. The managed-identity name is looked
        // up from the token's oid claim via an inline CEL map literal.
        var managedIdentityLookup = """
                {
                "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
                "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
                }[assertion.oid]
                """;
        var mapping = Map.of(
                "google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
                "attribute.tid", "assertion.tid",
                "attribute.managed_identity_name", managedIdentityLookup);

        // Explicit audience pinning: tokens must carry one of these "aud" values.
        var oidcArgs = WorkloadIdentityPoolProviderOidcArgs.builder()
                .allowedAudiences(
                        "https://example.com/gcp-oidc-federation",
                        "example.com/gcp-oidc-federation")
                .issuerUri("https://sts.windows.net/azure-tenant-id")
                .build();

        // The provider is created in the disabled state (disabled(true)).
        var providerArgs = WorkloadIdentityPoolProviderArgs.builder()
                .workloadIdentityPoolId(identityPool.workloadIdentityPoolId())
                .workloadIdentityPoolProviderId("example-prvdr")
                .displayName("Name of provider")
                .description("OIDC identity pool provider for automated test")
                .disabled(true)
                .attributeCondition(groupCondition)
                .attributeMapping(mapping)
                .oidc(oidcArgs)
                .build();
        var provider = new WorkloadIdentityPoolProvider("example", providerArgs);
    }
}
Iam Workload Identity Pool Provider Oidc Upload Key
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that provisions a Workload Identity Pool together with an
 * OIDC provider whose issuer signing keys are supplied inline as a JWKS
 * document (the "Oidc Upload Key" variant).
 */
public class App {
    /** Program entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resources of this stack.
     *
     * @param ctx the Pulumi context supplied by the runtime (not read here)
     */
    public static void stack(Context ctx) {
        var poolArgs = WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .build();
        var identityPool = new WorkloadIdentityPool("pool", poolArgs);

        // CEL condition: the token's groups claim must contain this group id.
        var groupCondition = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups";

        // Subject is namespaced by tenant id so that equal "sub" values from
        // different tenants do not collide. The managed-identity name is looked
        // up from the token's oid claim via an inline CEL map literal.
        var managedIdentityLookup = """
                {
                "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
                "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
                }[assertion.oid]
                """;
        var mapping = Map.of(
                "google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
                "attribute.tid", "assertion.tid",
                "attribute.managed_identity_name", managedIdentityLookup);

        // Inline JWKS (one RSA/RS256 public signing key, identified by "kid").
        // This is public-key material, not a secret. NOTE(review): with the key set
        // pinned here, a key rotation at the issuer presumably requires updating
        // this value as well — confirm against provider behaviour.
        var signingKeys =
                "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}";

        // Explicit audience pinning: tokens must carry one of these "aud" values.
        var oidcArgs = WorkloadIdentityPoolProviderOidcArgs.builder()
                .allowedAudiences(
                        "https://example.com/gcp-oidc-federation",
                        "example.com/gcp-oidc-federation")
                .issuerUri("https://sts.windows.net/azure-tenant-id")
                .jwksJson(signingKeys)
                .build();

        // The provider is created in the disabled state (disabled(true)).
        var providerArgs = WorkloadIdentityPoolProviderArgs.builder()
                .workloadIdentityPoolId(identityPool.workloadIdentityPoolId())
                .workloadIdentityPoolProviderId("example-prvdr")
                .displayName("Name of provider")
                .description("OIDC identity pool provider for automated test")
                .disabled(true)
                .attributeCondition(groupCondition)
                .attributeMapping(mapping)
                .oidc(oidcArgs)
                .build();
        var provider = new WorkloadIdentityPoolProvider("example", providerArgs);
    }
}
Import
WorkloadIdentityPoolProvider can be imported using any of these accepted formats:
$ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}
$ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
$ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
Properties
A Common Expression Language expression, in plain text, that specifies which otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as `subject` and `segment`. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:
An Amazon Web Services identity provider. Not compatible with the property oidc. Structure is documented below.
A description for the provider. Cannot exceed 256 characters.
A display name for the provider. Cannot exceed 32 characters.
An OpenId Connect 1.0 identity provider. Not compatible with the property aws. Structure is documented below.
The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters a-z0-9-. The prefix `gcp-` is reserved for use by Google, and may not be specified.
The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters a-z0-9-. The prefix `gcp-` is reserved for use by Google, and may not be specified.