WorkloadIdentityPoolProviderArgs

/**
 * Arguments for a `WorkloadIdentityPoolProvider`: the configuration of one external
 * identity provider that a workload identity pool trusts.
 *
 * Every property is an optional [Output]. The examples on this page always set
 * [workloadIdentityPoolId] and [workloadIdentityPoolProviderId] plus exactly one of
 * [aws], [oidc] or [saml].
 *
 * @property attributeCondition Expression that narrows which external identities are
 *   accepted; the "Full" examples pin a single AWS assumed-role ARN or require an OIDC
 *   group id. The "Basic" examples omit it — review whether that is acceptable before
 *   copying them.
 * @property attributeMapping Map from Google attribute names (`google.subject`,
 *   `attribute.*`) to expressions over the external assertion (`assertion.sub`,
 *   `assertion.arn`, ...). `google.subject` presumably becomes the federated principal —
 *   confirm against the GCP documentation.
 * @property aws AWS settings; the examples only set `accountId`.
 * @property description Free-text description of the provider.
 * @property disabled When true the provider is created in a disabled state.
 * @property displayName Human-readable name of the provider.
 * @property oidc OIDC settings (`issuerUri`, optional `allowedAudiences`).
 * @property project Owning project; not set by any example on this page, so it
 *   presumably falls back to the provider default — confirm.
 * @property saml SAML settings (`idpMetadataXml`, the IdP metadata document).
 * @property workloadIdentityPoolId Id of the pool this provider belongs to.
 * @property workloadIdentityPoolProviderId Id of the provider within that pool.
 */
data class WorkloadIdentityPoolProviderArgs(
    val attributeCondition: Output<String>? = null,
    val attributeMapping: Output<Map<String, String>>? = null,
    val aws: Output<WorkloadIdentityPoolProviderAwsArgs>? = null,
    val description: Output<String>? = null,
    val disabled: Output<Boolean>? = null,
    val displayName: Output<String>? = null,
    val oidc: Output<WorkloadIdentityPoolProviderOidcArgs>? = null,
    val project: Output<String>? = null,
    val saml: Output<WorkloadIdentityPoolProviderSamlArgs>? = null,
    val workloadIdentityPoolId: Output<String>? = null,
    val workloadIdentityPoolProviderId: Output<String>? = null,
) : ConvertibleToJava<WorkloadIdentityPoolProviderArgs>

A configuration for an external identity provider. To get more information about WorkloadIdentityPoolProvider, see:

Example Usage

Iam Workload Identity Pool Provider Aws Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
// Provider arguments kept separate so the trust settings are easy to review.
const exampleArgs: gcp.iam.WorkloadIdentityPoolProviderArgs = {
    workloadIdentityPoolId: pool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "example-prvdr",
    // Placeholder account id from the docs; replace with the AWS account to trust.
    // NOTE(review): no attributeCondition is set here, unlike the "Full" example.
    aws: {accountId: "999999999999"},
};
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", exampleArgs);
import pulumi
import pulumi_gcp as gcp
pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
# Typed args instead of a plain dict; placeholder account id from the docs.
aws_settings = gcp.iam.WorkloadIdentityPoolProviderAwsArgs(account_id="999999999999")
# NOTE(review): no attribute_condition is set here, unlike the "Full" example.
example = gcp.iam.WorkloadIdentityPoolProvider(
    "example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    aws=aws_settings,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new Gcp.Iam.WorkloadIdentityPoolArgs
    {
        WorkloadIdentityPoolId = "example-pool",
    });
    // Placeholder account id from the docs; replace with the AWS account to trust.
    var awsSettings = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderAwsArgs
    {
        AccountId = "999999999999",
    };
    // NOTE(review): no AttributeCondition is set here, unlike the "Full" example.
    var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new Gcp.Iam.WorkloadIdentityPoolProviderArgs
    {
        WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
        WorkloadIdentityPoolProviderId = "example-prvdr",
        Aws = awsSettings,
    });
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main creates a workload identity pool and one AWS provider inside it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		})
		if err != nil {
			return err
		}
		// Placeholder account id from the docs; replace with the AWS account to trust.
		awsSettings := &iam.WorkloadIdentityPoolProviderAwsArgs{
			AccountId: pulumi.String("999999999999"),
		}
		// NOTE(review): no AttributeCondition is set here, unlike the "Full" example.
		if _, err := iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			Aws:                            awsSettings,
		}); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderAwsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Creates a workload identity pool and one AWS provider inside it. */
    public static void stack(Context ctx) {
        var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .build());
        // Placeholder account id from the docs; replace with the AWS account to trust.
        var awsSettings = WorkloadIdentityPoolProviderAwsArgs.builder()
            .accountId("999999999999")
            .build();
        // NOTE(review): no attributeCondition is set here, unlike the "Full" example.
        var providerArgs = WorkloadIdentityPoolProviderArgs.builder()
            .workloadIdentityPoolId(pool.workloadIdentityPoolId())
            .workloadIdentityPoolProviderId("example-prvdr")
            .aws(awsSettings)
            .build();
        var example = new WorkloadIdentityPoolProvider("example", providerArgs);
    }
}
resources:
pool:
type: gcp:iam:WorkloadIdentityPool
properties:
workloadIdentityPoolId: example-pool
example:
type: gcp:iam:WorkloadIdentityPoolProvider
properties:
workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
workloadIdentityPoolProviderId: example-prvdr
aws:
accountId: '999999999999'

Iam Workload Identity Pool Provider Aws Full

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
// Assertion fields exposed to GCP; `google.subject` presumably becomes the
// federated principal — confirm against the GCP documentation.
const attributeMapping: Record<string, string> = {
    "google.subject": "assertion.arn",
    "attribute.aws_account": "assertion.account",
    "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
};
const exampleArgs: gcp.iam.WorkloadIdentityPoolProviderArgs = {
    workloadIdentityPoolId: pool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "example-prvdr",
    displayName: "Name of provider",
    description: "AWS identity pool provider for automated test",
    // The example creates the provider in a disabled state.
    disabled: true,
    // Only this assumed-role ARN is accepted; the role name and account are placeholders.
    attributeCondition: "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"",
    attributeMapping,
    aws: {accountId: "999999999999"},
};
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", exampleArgs);
import pulumi
import pulumi_gcp as gcp
pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
# Assertion fields exposed to GCP; "google.subject" presumably becomes the
# federated principal -- confirm against the GCP documentation.
attribute_mapping = {
    "google.subject": "assertion.arn",
    "attribute.aws_account": "assertion.account",
    "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
}
example = gcp.iam.WorkloadIdentityPoolProvider(
    "example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    display_name="Name of provider",
    description="AWS identity pool provider for automated test",
    # The example creates the provider in a disabled state.
    disabled=True,
    # Only this assumed-role ARN is accepted; role name and account are placeholders.
    attribute_condition="attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"",
    attribute_mapping=attribute_mapping,
    aws=gcp.iam.WorkloadIdentityPoolProviderAwsArgs(account_id="999999999999"),
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new Gcp.Iam.WorkloadIdentityPoolArgs
    {
        WorkloadIdentityPoolId = "example-pool",
    });
    var awsSettings = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderAwsArgs
    {
        AccountId = "999999999999",
    };
    var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new Gcp.Iam.WorkloadIdentityPoolProviderArgs
    {
        WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
        WorkloadIdentityPoolProviderId = "example-prvdr",
        DisplayName = "Name of provider",
        Description = "AWS identity pool provider for automated test",
        // The example creates the provider in a disabled state.
        Disabled = true,
        // Only this assumed-role ARN is accepted; role name and account are placeholders.
        AttributeCondition = "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"",
        // "google.subject" presumably becomes the federated principal -- confirm.
        AttributeMapping =
        {
            { "google.subject", "assertion.arn" },
            { "attribute.aws_account", "assertion.account" },
            { "attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"" },
        },
        Aws = awsSettings,
    });
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main creates a workload identity pool and a fully configured AWS provider.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		})
		if err != nil {
			return err
		}
		// Assertion fields exposed to GCP; "google.subject" presumably becomes the
		// federated principal — confirm against the GCP documentation.
		mapping := pulumi.StringMap{
			"google.subject":        pulumi.String("assertion.arn"),
			"attribute.aws_account": pulumi.String("assertion.account"),
			"attribute.environment": pulumi.String("assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\""),
		}
		awsSettings := &iam.WorkloadIdentityPoolProviderAwsArgs{
			AccountId: pulumi.String("999999999999"),
		}
		if _, err := iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			DisplayName:                    pulumi.String("Name of provider"),
			Description:                    pulumi.String("AWS identity pool provider for automated test"),
			// The example creates the provider in a disabled state.
			Disabled: pulumi.Bool(true),
			// Only this assumed-role ARN is accepted; role name and account are placeholders.
			AttributeCondition: pulumi.String("attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\""),
			AttributeMapping:   mapping,
			Aws:                awsSettings,
		}); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderAwsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Creates a workload identity pool and a fully configured AWS provider. */
    public static void stack(Context ctx) {
        var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .build());
        // Assertion fields exposed to GCP; "google.subject" presumably becomes the
        // federated principal — confirm against the GCP documentation.
        var mapping = Map.ofEntries(
            Map.entry("google.subject", "assertion.arn"),
            Map.entry("attribute.aws_account", "assertion.account"),
            Map.entry("attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"")
        );
        var awsSettings = WorkloadIdentityPoolProviderAwsArgs.builder()
            .accountId("999999999999")
            .build();
        var providerArgs = WorkloadIdentityPoolProviderArgs.builder()
            .workloadIdentityPoolId(pool.workloadIdentityPoolId())
            .workloadIdentityPoolProviderId("example-prvdr")
            .displayName("Name of provider")
            .description("AWS identity pool provider for automated test")
            // The example creates the provider in a disabled state.
            .disabled(true)
            // Only this assumed-role ARN is accepted; role name and account are placeholders.
            .attributeCondition("attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"")
            .attributeMapping(mapping)
            .aws(awsSettings)
            .build();
        var example = new WorkloadIdentityPoolProvider("example", providerArgs);
    }
}
resources:
pool:
type: gcp:iam:WorkloadIdentityPool
properties:
workloadIdentityPoolId: example-pool
example:
type: gcp:iam:WorkloadIdentityPoolProvider
properties:
workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
workloadIdentityPoolProviderId: example-prvdr
displayName: Name of provider
description: AWS identity pool provider for automated test
disabled: true
attributeCondition: attribute.aws_role=="arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole"
attributeMapping:
google.subject: assertion.arn
attribute.aws_account: assertion.account
attribute.environment: 'assertion.arn.contains(":instance-profile/Production") ? "prod" : "test"'
aws:
accountId: '999999999999'

Iam Workload Identity Pool Provider Oidc Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const exampleArgs: gcp.iam.WorkloadIdentityPoolProviderArgs = {
    workloadIdentityPoolId: pool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "example-prvdr",
    // `google.subject` presumably becomes the federated principal — confirm.
    // NOTE(review): no attributeCondition is set here, unlike the "Full" example.
    attributeMapping: {"google.subject": "assertion.sub"},
    // Placeholder issuer; replace with the real tenant's issuer URI.
    oidc: {issuerUri: "https://sts.windows.net/azure-tenant-id"},
};
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", exampleArgs);
import pulumi
import pulumi_gcp as gcp
pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
# Placeholder issuer; replace with the real tenant's issuer URI.
oidc_settings = gcp.iam.WorkloadIdentityPoolProviderOidcArgs(
    issuer_uri="https://sts.windows.net/azure-tenant-id",
)
# NOTE(review): no attribute_condition is set here, unlike the "Full" example.
example = gcp.iam.WorkloadIdentityPoolProvider(
    "example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    # "google.subject" presumably becomes the federated principal -- confirm.
    attribute_mapping={"google.subject": "assertion.sub"},
    oidc=oidc_settings,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new Gcp.Iam.WorkloadIdentityPoolArgs
    {
        WorkloadIdentityPoolId = "example-pool",
    });
    // Placeholder issuer; replace with the real tenant's issuer URI.
    var oidcSettings = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
    {
        IssuerUri = "https://sts.windows.net/azure-tenant-id",
    };
    // NOTE(review): no AttributeCondition is set here, unlike the "Full" example.
    var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new Gcp.Iam.WorkloadIdentityPoolProviderArgs
    {
        WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
        WorkloadIdentityPoolProviderId = "example-prvdr",
        // "google.subject" presumably becomes the federated principal -- confirm.
        AttributeMapping =
        {
            { "google.subject", "assertion.sub" },
        },
        Oidc = oidcSettings,
    });
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main creates a workload identity pool and a minimal OIDC provider inside it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		})
		if err != nil {
			return err
		}
		// Placeholder issuer; replace with the real tenant's issuer URI.
		oidcSettings := &iam.WorkloadIdentityPoolProviderOidcArgs{
			IssuerUri: pulumi.String("https://sts.windows.net/azure-tenant-id"),
		}
		// NOTE(review): no AttributeCondition is set here, unlike the "Full" example.
		if _, err := iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			// "google.subject" presumably becomes the federated principal — confirm.
			AttributeMapping: pulumi.StringMap{
				"google.subject": pulumi.String("assertion.sub"),
			},
			Oidc: oidcSettings,
		}); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Creates a workload identity pool and a minimal OIDC provider inside it. */
    public static void stack(Context ctx) {
        var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .build());
        // Placeholder issuer; replace with the real tenant's issuer URI.
        var oidcSettings = WorkloadIdentityPoolProviderOidcArgs.builder()
            .issuerUri("https://sts.windows.net/azure-tenant-id")
            .build();
        // NOTE(review): no attributeCondition is set here, unlike the "Full" example.
        var providerArgs = WorkloadIdentityPoolProviderArgs.builder()
            .workloadIdentityPoolId(pool.workloadIdentityPoolId())
            .workloadIdentityPoolProviderId("example-prvdr")
            // "google.subject" presumably becomes the federated principal — confirm.
            .attributeMapping(Map.of("google.subject", "assertion.sub"))
            .oidc(oidcSettings)
            .build();
        var example = new WorkloadIdentityPoolProvider("example", providerArgs);
    }
}
resources:
pool:
type: gcp:iam:WorkloadIdentityPool
properties:
workloadIdentityPoolId: example-pool
example:
type: gcp:iam:WorkloadIdentityPoolProvider
properties:
workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
workloadIdentityPoolProviderId: example-prvdr
attributeMapping:
google.subject: assertion.sub
oidc:
issuerUri: https://sts.windows.net/azure-tenant-id

Iam Workload Identity Pool Provider Oidc Full

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
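const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
const exampleArgs: gcp.iam.WorkloadIdentityPoolProviderArgs = {
    workloadIdentityPoolId: pool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "example-prvdr",
    displayName: "Name of provider",
    description: "OIDC identity pool provider for automated test",
    // The example creates the provider in a disabled state.
    disabled: true,
    // Only tokens whose `groups` claim contains this (placeholder) group id are accepted.
    attributeCondition: "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
    attributeMapping: {
        // `google.subject` presumably becomes the federated principal — confirm.
        "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
        "attribute.tid": "assertion.tid",
        // Fixed: the rendered docs carried the HTML entity `&#46;` instead of the
        // `.` in `assertion.oid`, which is not valid inside the expression.
        "attribute.managed_identity_name": ` {
"8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
"55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
}[assertion.oid]
`,
    },
    oidc: {
        // Tokens must carry one of these audiences — presumably matched against
        // the `aud` claim; confirm the exact rule in the GCP documentation.
        allowedAudiences: [
            "https://example.com/gcp-oidc-federation",
            "example.com/gcp-oidc-federation",
        ],
        issuerUri: "https://sts.windows.net/azure-tenant-id",
    },
};
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", exampleArgs);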
import pulumi
import pulumi_gcp as gcp
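pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
# Tokens must carry one of these audiences -- presumably matched against the
# "aud" claim; confirm the exact rule in the GCP documentation.
oidc_settings = gcp.iam.WorkloadIdentityPoolProviderOidcArgs(
    allowed_audiences=[
        "https://example.com/gcp-oidc-federation",
        "example.com/gcp-oidc-federation",
    ],
    issuer_uri="https://sts.windows.net/azure-tenant-id",
)
example = gcp.iam.WorkloadIdentityPoolProvider(
    "example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    display_name="Name of provider",
    description="OIDC identity pool provider for automated test",
    # The example creates the provider in a disabled state.
    disabled=True,
    # Only tokens whose "groups" claim contains this (placeholder) group id are accepted.
    attribute_condition="\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
    attribute_mapping={
        # "google.subject" presumably becomes the federated principal -- confirm.
        "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
        "attribute.tid": "assertion.tid",
        # Fixed: the rendered docs carried the HTML entity "&#46;" instead of the
        # "." in "assertion.oid", which is not valid inside the expression.
        "attribute.managed_identity_name": """ {
"8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
"55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
}[assertion.oid]
""",
    },
    oidc=oidc_settings,
)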
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
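return await Deployment.RunAsync(() =>
{
    var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new Gcp.Iam.WorkloadIdentityPoolArgs
    {
        WorkloadIdentityPoolId = "example-pool",
    });
    var oidcSettings = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
    {
        // Tokens must carry one of these audiences -- presumably matched against
        // the "aud" claim; confirm the exact rule in the GCP documentation.
        AllowedAudiences = new[]
        {
            "https://example.com/gcp-oidc-federation",
            "example.com/gcp-oidc-federation",
        },
        IssuerUri = "https://sts.windows.net/azure-tenant-id",
    };
    var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new Gcp.Iam.WorkloadIdentityPoolProviderArgs
    {
        WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
        WorkloadIdentityPoolProviderId = "example-prvdr",
        DisplayName = "Name of provider",
        Description = "OIDC identity pool provider for automated test",
        // The example creates the provider in a disabled state.
        Disabled = true,
        // Only tokens whose "groups" claim contains this (placeholder) group id are accepted.
        AttributeCondition = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
        AttributeMapping =
        {
            // "google.subject" presumably becomes the federated principal -- confirm.
            { "google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub" },
            { "attribute.tid", "assertion.tid" },
            // Fixed: the rendered docs carried the HTML entity "&#46;" instead of the
            // "." in "assertion.oid", which is not valid inside the expression.
            { "attribute.managed_identity_name", @" {
""8bb39bdb-1cc5-4447-b7db-a19e920eb111"":""workload1"",
""55d36609-9bcf-48e0-a366-a3cf19027d2a"":""workload2""
}[assertion.oid]
" },
        },
        Oidc = oidcSettings,
    });
});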
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
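// main creates a workload identity pool and a fully configured OIDC provider.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		})
		if err != nil {
			return err
		}
		mapping := pulumi.StringMap{
			// "google.subject" presumably becomes the federated principal — confirm.
			"google.subject": pulumi.String("\"azure::\" + assertion.tid + \"::\" + assertion.sub"),
			"attribute.tid":  pulumi.String("assertion.tid"),
			// Fixed: the rendered docs carried the HTML entity "&#46;" instead of the
			// "." in "assertion.oid", which is not valid inside the expression.
			"attribute.managed_identity_name": pulumi.String(" {\n \"8bb39bdb-1cc5-4447-b7db-a19e920eb111\":\"workload1\",\n \"55d36609-9bcf-48e0-a366-a3cf19027d2a\":\"workload2\"\n }[assertion.oid]\n"),
		}
		oidcSettings := &iam.WorkloadIdentityPoolProviderOidcArgs{
			// Tokens must carry one of these audiences — presumably matched against
			// the "aud" claim; confirm the exact rule in the GCP documentation.
			AllowedAudiences: pulumi.StringArray{
				pulumi.String("https://example.com/gcp-oidc-federation"),
				pulumi.String("example.com/gcp-oidc-federation"),
			},
			IssuerUri: pulumi.String("https://sts.windows.net/azure-tenant-id"),
		}
		if _, err := iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			DisplayName:                    pulumi.String("Name of provider"),
			Description:                    pulumi.String("OIDC identity pool provider for automated test"),
			// The example creates the provider in a disabled state.
			Disabled: pulumi.Bool(true),
			// Only tokens whose "groups" claim contains this (placeholder) group id are accepted.
			AttributeCondition: pulumi.String("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"),
			AttributeMapping:   mapping,
			Oidc:               oidcSettings,
		}); err != nil {
			return err
		}
		return nil
	})
}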
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
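public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Creates a workload identity pool and a fully configured OIDC provider. */
    public static void stack(Context ctx) {
        var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .build());
        // Fixed: the rendered docs carried the HTML entity "&#46;" instead of the
        // "." in "assertion.oid", which is not valid inside the expression.
        var mapping = Map.ofEntries(
            // "google.subject" presumably becomes the federated principal — confirm.
            Map.entry("google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub"),
            Map.entry("attribute.tid", "assertion.tid"),
            Map.entry("attribute.managed_identity_name", """
                {
                "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
                "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
                }[assertion.oid]
                """)
        );
        var oidcSettings = WorkloadIdentityPoolProviderOidcArgs.builder()
            // Tokens must carry one of these audiences — presumably matched against
            // the "aud" claim; confirm the exact rule in the GCP documentation.
            .allowedAudiences(
                "https://example.com/gcp-oidc-federation",
                "example.com/gcp-oidc-federation")
            .issuerUri("https://sts.windows.net/azure-tenant-id")
            .build();
        var providerArgs = WorkloadIdentityPoolProviderArgs.builder()
            .workloadIdentityPoolId(pool.workloadIdentityPoolId())
            .workloadIdentityPoolProviderId("example-prvdr")
            .displayName("Name of provider")
            .description("OIDC identity pool provider for automated test")
            // The example creates the provider in a disabled state.
            .disabled(true)
            // Only tokens whose "groups" claim contains this (placeholder) group id are accepted.
            .attributeCondition("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups")
            .attributeMapping(mapping)
            .oidc(oidcSettings)
            .build();
        var example = new WorkloadIdentityPoolProvider("example", providerArgs);
    }
}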
resources:
pool:
type: gcp:iam:WorkloadIdentityPool
properties:
workloadIdentityPoolId: example-pool
example:
type: gcp:iam:WorkloadIdentityPoolProvider
properties:
workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
workloadIdentityPoolProviderId: example-prvdr
displayName: Name of provider
description: OIDC identity pool provider for automated test
disabled: true
attributeCondition: '"e968c2ef-047c-498d-8d79-16ca1b61e77e" in assertion.groups'
attributeMapping:
google.subject: '"azure::" + assertion.tid + "::" + assertion.sub'
attribute.tid: assertion.tid
attribute.managed_identity_name: |2
{
"8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
"55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
}[assertion.oid]
oidc:
allowedAudiences:
- https://example.com/gcp-oidc-federation
- example.com/gcp-oidc-federation
issuerUri: https://sts.windows.net/azure-tenant-id

Iam Workload Identity Pool Provider Saml Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
// The IdP metadata document is read from a local fixture at deploy time.
// NOTE(review): it presumably carries the IdP signing certificate, so keep the
// source path under change control rather than a scratch location.
const idpMetadataXml = std.file({
    input: "test-fixtures/metadata.xml",
}).then(invoke => invoke.result);
const exampleArgs: gcp.iam.WorkloadIdentityPoolProviderArgs = {
    workloadIdentityPoolId: pool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "example-prvdr",
    // NOTE(review): this mapping reads AWS-style fields (arn, account) from a SAML
    // assertion — confirm they exist in your IdP's assertion. No attributeCondition
    // is set, unlike the AWS/OIDC "Full" examples.
    attributeMapping: {
        "google.subject": "assertion.arn",
        "attribute.aws_account": "assertion.account",
        "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
    },
    saml: {idpMetadataXml},
};
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", exampleArgs);
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
# The IdP metadata document is read from a local fixture at deploy time.
# NOTE(review): it presumably carries the IdP signing certificate, so keep the
# source path under change control rather than a scratch location.
idp_metadata_xml = std.file(input="test-fixtures/metadata.xml").result
# NOTE(review): this mapping reads AWS-style fields (arn, account) from a SAML
# assertion -- confirm they exist in your IdP's assertion. No attribute_condition
# is set, unlike the AWS/OIDC "Full" examples.
attribute_mapping = {
    "google.subject": "assertion.arn",
    "attribute.aws_account": "assertion.account",
    "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
}
example = gcp.iam.WorkloadIdentityPoolProvider(
    "example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    attribute_mapping=attribute_mapping,
    saml=gcp.iam.WorkloadIdentityPoolProviderSamlArgs(idp_metadata_xml=idp_metadata_xml),
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
    var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new Gcp.Iam.WorkloadIdentityPoolArgs
    {
        WorkloadIdentityPoolId = "example-pool",
    });
    // The IdP metadata document is read from a local fixture at deploy time.
    // NOTE(review): it presumably carries the IdP signing certificate, so keep the
    // source path under change control rather than a scratch location.
    var idpMetadataXml = Std.File.Invoke(new()
    {
        Input = "test-fixtures/metadata.xml",
    }).Apply(invoke => invoke.Result);
    var samlSettings = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderSamlArgs
    {
        IdpMetadataXml = idpMetadataXml,
    };
    var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new Gcp.Iam.WorkloadIdentityPoolProviderArgs
    {
        WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
        WorkloadIdentityPoolProviderId = "example-prvdr",
        // NOTE(review): this mapping reads AWS-style fields (arn, account) from a SAML
        // assertion -- confirm they exist in your IdP's assertion. No AttributeCondition
        // is set, unlike the AWS/OIDC "Full" examples.
        AttributeMapping =
        {
            { "google.subject", "assertion.arn" },
            { "attribute.aws_account", "assertion.account" },
            { "attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"" },
        },
        Saml = samlSettings,
    });
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main creates a workload identity pool and a minimal SAML provider inside it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		})
		if err != nil {
			return err
		}
		// The IdP metadata document is read from a local fixture at deploy time.
		// NOTE(review): it presumably carries the IdP signing certificate, so keep
		// the source path under change control rather than a scratch location.
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "test-fixtures/metadata.xml",
		}, nil)
		if err != nil {
			return err
		}
		samlSettings := &iam.WorkloadIdentityPoolProviderSamlArgs{
			IdpMetadataXml: pulumi.String(invokeFile.Result),
		}
		// NOTE(review): this mapping reads AWS-style fields (arn, account) from a SAML
		// assertion — confirm they exist in your IdP's assertion. No AttributeCondition
		// is set, unlike the AWS/OIDC "Full" examples.
		mapping := pulumi.StringMap{
			"google.subject":        pulumi.String("assertion.arn"),
			"attribute.aws_account": pulumi.String("assertion.account"),
			"attribute.environment": pulumi.String("assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\""),
		}
		if _, err := iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			AttributeMapping:               mapping,
			Saml:                           samlSettings,
		}); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderSamlArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
/** Creates a workload identity pool and a minimal SAML provider inside it. */
public static void stack(Context ctx) {
var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
.workloadIdentityPoolId("example-pool")
.build());
var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
.workloadIdentityPoolId(pool.workloadIdentityPoolId())
.workloadIdentityPoolProviderId("example-prvdr")
// NOTE(review): this mapping reads AWS-style fields (arn, account) from a SAML
// assertion — confirm they exist in your IdP's assertion. No attributeCondition
// is set, unlike the AWS/OIDC "Full" examples.
.attributeMapping(Map.ofEntries(
Map.entry("google.subject", "assertion.arn"),
Map.entry("attribute.aws_account", "assertion.account"),
Map.entry("attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"")
))
// The IdP metadata document is read from a local fixture at deploy time.
// NOTE(review): it presumably carries the IdP signing certificate, so keep the
// source path under change control rather than a scratch location.
// NOTE(review): StdFunctions and FileArgs are not imported above — this listing
// presumably will not compile as shown; add the pulumi-std imports before use.
.saml(WorkloadIdentityPoolProviderSamlArgs.builder()
.idpMetadataXml(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/metadata.xml")
.build()).result())
.build())
.build());
}
}
resources:
pool:
type: gcp:iam:WorkloadIdentityPool
properties:
workloadIdentityPoolId: example-pool
example:
type: gcp:iam:WorkloadIdentityPoolProvider
properties:
workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
workloadIdentityPoolProviderId: example-prvdr
attributeMapping:
google.subject: assertion.arn
attribute.aws_account: assertion.account
attribute.environment: 'assertion.arn.contains(":instance-profile/Production") ? "prod" : "test"'
saml:
idpMetadataXml:
fn::invoke:
Function: std:file
Arguments:
input: test-fixtures/metadata.xml
Return: result

Iam Workload Identity Pool Provider Saml Full

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
// The IdP metadata document is read from a local fixture at deploy time.
// NOTE(review): it presumably carries the IdP signing certificate, so keep the
// source path under change control rather than a scratch location.
const idpMetadataXml = std.file({
    input: "test-fixtures/metadata.xml",
}).then(invoke => invoke.result);
const exampleArgs: gcp.iam.WorkloadIdentityPoolProviderArgs = {
    workloadIdentityPoolId: pool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "example-prvdr",
    displayName: "Name of provider",
    description: "SAML 2.0 identity pool provider for automated test",
    // The example creates the provider in a disabled state.
    disabled: true,
    // NOTE(review): this mapping reads AWS-style fields (arn, account) from a SAML
    // assertion — confirm they exist in your IdP's assertion. No attributeCondition
    // is set, unlike the AWS/OIDC "Full" examples.
    attributeMapping: {
        "google.subject": "assertion.arn",
        "attribute.aws_account": "assertion.account",
        "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
    },
    saml: {idpMetadataXml},
};
const example = new gcp.iam.WorkloadIdentityPoolProvider("example", exampleArgs);
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
# The IdP metadata document is read from a local fixture at deploy time.
# NOTE(review): it presumably carries the IdP signing certificate, so keep the
# source path under change control rather than a scratch location.
idp_metadata_xml = std.file(input="test-fixtures/metadata.xml").result
# NOTE(review): this mapping reads AWS-style fields (arn, account) from a SAML
# assertion -- confirm they exist in your IdP's assertion. No attribute_condition
# is set, unlike the AWS/OIDC "Full" examples.
attribute_mapping = {
    "google.subject": "assertion.arn",
    "attribute.aws_account": "assertion.account",
    "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
}
example = gcp.iam.WorkloadIdentityPoolProvider(
    "example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    display_name="Name of provider",
    description="SAML 2.0 identity pool provider for automated test",
    # The example creates the provider in a disabled state.
    disabled=True,
    attribute_mapping=attribute_mapping,
    saml=gcp.iam.WorkloadIdentityPoolProviderSamlArgs(idp_metadata_xml=idp_metadata_xml),
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
    var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new Gcp.Iam.WorkloadIdentityPoolArgs
    {
        WorkloadIdentityPoolId = "example-pool",
    });
    // The IdP metadata document is read from a local fixture at deploy time.
    // NOTE(review): it presumably carries the IdP signing certificate, so keep the
    // source path under change control rather than a scratch location.
    var idpMetadataXml = Std.File.Invoke(new()
    {
        Input = "test-fixtures/metadata.xml",
    }).Apply(invoke => invoke.Result);
    var samlSettings = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderSamlArgs
    {
        IdpMetadataXml = idpMetadataXml,
    };
    var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new Gcp.Iam.WorkloadIdentityPoolProviderArgs
    {
        WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
        WorkloadIdentityPoolProviderId = "example-prvdr",
        DisplayName = "Name of provider",
        Description = "SAML 2.0 identity pool provider for automated test",
        // The example creates the provider in a disabled state.
        Disabled = true,
        // NOTE(review): this mapping reads AWS-style fields (arn, account) from a SAML
        // assertion -- confirm they exist in your IdP's assertion. No AttributeCondition
        // is set, unlike the AWS/OIDC "Full" examples.
        AttributeMapping =
        {
            { "google.subject", "assertion.arn" },
            { "attribute.aws_account", "assertion.account" },
            { "attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"" },
        },
        Saml = samlSettings,
    });
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main creates a workload identity pool and a fully configured SAML provider.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		})
		if err != nil {
			return err
		}
		// The IdP metadata document is read from a local fixture at deploy time.
		// NOTE(review): it presumably carries the IdP signing certificate, so keep
		// the source path under change control rather than a scratch location.
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "test-fixtures/metadata.xml",
		}, nil)
		if err != nil {
			return err
		}
		samlSettings := &iam.WorkloadIdentityPoolProviderSamlArgs{
			IdpMetadataXml: pulumi.String(invokeFile.Result),
		}
		// NOTE(review): this mapping reads AWS-style fields (arn, account) from a SAML
		// assertion — confirm they exist in your IdP's assertion. No AttributeCondition
		// is set, unlike the AWS/OIDC "Full" examples.
		mapping := pulumi.StringMap{
			"google.subject":        pulumi.String("assertion.arn"),
			"attribute.aws_account": pulumi.String("assertion.account"),
			"attribute.environment": pulumi.String("assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\""),
		}
		if _, err := iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
			WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
			DisplayName:                    pulumi.String("Name of provider"),
			Description:                    pulumi.String("SAML 2.0 identity pool provider for automated test"),
			// The example creates the provider in a disabled state.
			Disabled:         pulumi.Bool(true),
			AttributeMapping: mapping,
			Saml:             samlSettings,
		}); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderSamlArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
/** Creates a workload identity pool and a fully configured SAML provider. */
public static void stack(Context ctx) {
var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
.workloadIdentityPoolId("example-pool")
.build());
var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
.workloadIdentityPoolId(pool.workloadIdentityPoolId())
.workloadIdentityPoolProviderId("example-prvdr")
.displayName("Name of provider")
.description("SAML 2.0 identity pool provider for automated test")
// The example creates the provider in a disabled state.
.disabled(true)
// NOTE(review): this mapping reads AWS-style fields (arn, account) from a SAML
// assertion — confirm they exist in your IdP's assertion. No attributeCondition
// is set, unlike the AWS/OIDC "Full" examples.
.attributeMapping(Map.ofEntries(
Map.entry("google.subject", "assertion.arn"),
Map.entry("attribute.aws_account", "assertion.account"),
Map.entry("attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"")
))
// The IdP metadata document is read from a local fixture at deploy time.
// NOTE(review): it presumably carries the IdP signing certificate, so keep the
// source path under change control rather than a scratch location.
// NOTE(review): StdFunctions and FileArgs are not imported above — this listing
// presumably will not compile as shown; add the pulumi-std imports before use.
.saml(WorkloadIdentityPoolProviderSamlArgs.builder()
.idpMetadataXml(StdFunctions.file(FileArgs.builder()
.input("test-fixtures/metadata.xml")
.build()).result())
.build())
.build());
}
}
# Workload identity pool plus a SAML 2.0 provider inside it. The provider is
# created disabled (a disabled provider cannot be used to exchange tokens).
# The IdP metadata XML is read from a local fixture through std:file.
resources:
  pool:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
  example:
    type: gcp:iam:WorkloadIdentityPoolProvider
    properties:
      workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
      workloadIdentityPoolProviderId: example-prvdr
      displayName: Name of provider
      description: SAML 2.0 identity pool provider for automated test
      disabled: true
      # CEL expressions mapping assertion attributes to Google Cloud
      # attributes; attribute.environment is derived from the asserted ARN.
      attributeMapping:
        google.subject: assertion.arn
        attribute.aws_account: assertion.account
        attribute.environment: 'assertion.arn.contains(":instance-profile/Production") ? "prod" : "test"'
      saml:
        # The std:file result is fed verbatim into idpMetadataXml.
        idpMetadataXml:
          fn::invoke:
            Function: std:file
            Arguments:
              input: test-fixtures/metadata.xml
            Return: result

Iam Workload Identity Pool Provider Oidc Upload Key

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
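// Workload identity pool plus an OIDC provider inside it. The provider is
// created disabled (a disabled provider cannot be used to exchange tokens).
const pool = new gcp.iam.WorkloadIdentityPool("pool", { workloadIdentityPoolId: "example-pool" });

// CEL expressions mapping OIDC assertion claims to Google Cloud attributes.
// attribute.managed_identity_name indexes a fixed table with the asserted
// oid; the mis-encoded "&#46;" of the original listing is restored to "."
// so the expression reads assertion.oid. Each line of the template literal
// keeps one leading space, matching the other language examples.
const attributeMapping: Record<string, string> = {
    "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
    "attribute.tid": "assertion.tid",
    "attribute.managed_identity_name": ` {
 "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
 "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
 }[assertion.oid]
`,
};

const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
    workloadIdentityPoolId: pool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "example-prvdr",
    displayName: "Name of provider",
    description: "OIDC identity pool provider for automated test",
    disabled: true,
    // Only assertions whose groups claim contains this group ID are accepted.
    attributeCondition: "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
    attributeMapping,
    oidc: {
        allowedAudiences: [
            "https://example.com/gcp-oidc-federation",
            "example.com/gcp-oidc-federation",
        ],
        issuerUri: "https://sts.windows.net/azure-tenant-id",
        // Inline JWKS document; presumably pins the issuer's signing keys in
        // configuration rather than fetching them from the issuer — confirm
        // the key-rotation procedure before relying on this outside tests.
        jwksJson: "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}",
    },
});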
import pulumi
import pulumi_gcp as gcp
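# Workload identity pool plus an OIDC provider inside it. The provider is
# created disabled (a disabled provider cannot be used to exchange tokens).
pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")

# CEL expressions mapping OIDC assertion claims to Google Cloud attributes.
# attribute.managed_identity_name indexes a fixed table with the asserted
# oid; the mis-encoded "&#46;" of the original listing is restored to "."
# so the expression reads assertion.oid. Each line of the triple-quoted
# string keeps one leading space, matching the other language examples.
attribute_mapping: dict[str, str] = {
    "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
    "attribute.tid": "assertion.tid",
    "attribute.managed_identity_name": """ {
 "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
 "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
 }[assertion.oid]
""",
}

example = gcp.iam.WorkloadIdentityPoolProvider(
    "example",
    workload_identity_pool_id=pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="example-prvdr",
    display_name="Name of provider",
    description="OIDC identity pool provider for automated test",
    disabled=True,
    # Only assertions whose groups claim contains this group ID are accepted.
    attribute_condition="\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
    attribute_mapping=attribute_mapping,
    oidc={
        "allowed_audiences": [
            "https://example.com/gcp-oidc-federation",
            "example.com/gcp-oidc-federation",
        ],
        "issuer_uri": "https://sts.windows.net/azure-tenant-id",
        # Inline JWKS document; presumably pins the issuer's signing keys in
        # configuration rather than fetching them from the issuer — confirm
        # the key-rotation procedure before relying on this outside tests.
        "jwks_json": "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}",
    },
)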
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
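// Workload identity pool plus an OIDC provider inside it. The provider is
// created disabled (a disabled provider cannot be used to exchange tokens).
return await Deployment.RunAsync(() =>
{
    var pool = new Gcp.Iam.WorkloadIdentityPool("pool", new()
    {
        WorkloadIdentityPoolId = "example-pool",
    });

    var example = new Gcp.Iam.WorkloadIdentityPoolProvider("example", new()
    {
        WorkloadIdentityPoolId = pool.WorkloadIdentityPoolId,
        WorkloadIdentityPoolProviderId = "example-prvdr",
        DisplayName = "Name of provider",
        Description = "OIDC identity pool provider for automated test",
        Disabled = true,
        // Only assertions whose groups claim contains this group ID are accepted.
        AttributeCondition = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
        // CEL expressions mapping OIDC assertion claims to Google Cloud
        // attributes. attribute.managed_identity_name indexes a fixed table
        // with the asserted oid; the mis-encoded "&#46;" of the original
        // listing is restored to "." so the expression reads assertion.oid.
        // Each line of the verbatim string keeps one leading space, matching
        // the other language examples.
        AttributeMapping =
        {
            { "google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub" },
            { "attribute.tid", "assertion.tid" },
            { "attribute.managed_identity_name", @" {
 ""8bb39bdb-1cc5-4447-b7db-a19e920eb111"":""workload1"",
 ""55d36609-9bcf-48e0-a366-a3cf19027d2a"":""workload2""
 }[assertion.oid]
" },
        },
        Oidc = new Gcp.Iam.Inputs.WorkloadIdentityPoolProviderOidcArgs
        {
            AllowedAudiences = new[]
            {
                "https://example.com/gcp-oidc-federation",
                "example.com/gcp-oidc-federation",
            },
            IssuerUri = "https://sts.windows.net/azure-tenant-id",
            // Inline JWKS document; presumably pins the issuer's signing keys
            // in configuration rather than fetching them from the issuer —
            // confirm the key-rotation procedure before relying on this
            // outside tests.
            JwksJson = "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}",
        },
    });
});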
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
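// main is the Pulumi program entry point. It creates a workload identity
// pool and an OIDC provider inside it.
func main() {
	pulumi.Run(deployOidcProvider)
}

// deployOidcProvider declares the pool and its OIDC provider. Any error is
// handed back to pulumi.Run unchanged, which fails the deployment.
func deployOidcProvider(ctx *pulumi.Context) error {
	// The pool is the parent of the provider; its ID is reused as the
	// provider's WorkloadIdentityPoolId below.
	pool, err := iam.NewWorkloadIdentityPool(ctx, "pool", &iam.WorkloadIdentityPoolArgs{
		WorkloadIdentityPoolId: pulumi.String("example-pool"),
	})
	if err != nil {
		return err
	}

	// CEL expressions mapping OIDC assertion claims to Google Cloud
	// attributes. attribute.managed_identity_name indexes a fixed table with
	// the asserted oid; the mis-encoded "&#46;" of the original listing is
	// restored to "." so the expression reads assertion.oid.
	mapping := pulumi.StringMap{
		"google.subject":                  pulumi.String("\"azure::\" + assertion.tid + \"::\" + assertion.sub"),
		"attribute.tid":                   pulumi.String("assertion.tid"),
		"attribute.managed_identity_name": pulumi.String(" {\n \"8bb39bdb-1cc5-4447-b7db-a19e920eb111\":\"workload1\",\n \"55d36609-9bcf-48e0-a366-a3cf19027d2a\":\"workload2\"\n }[assertion.oid]\n"),
	}

	// The provider is created disabled: a disabled provider cannot be used
	// to exchange tokens.
	_, err = iam.NewWorkloadIdentityPoolProvider(ctx, "example", &iam.WorkloadIdentityPoolProviderArgs{
		WorkloadIdentityPoolId:         pool.WorkloadIdentityPoolId,
		WorkloadIdentityPoolProviderId: pulumi.String("example-prvdr"),
		DisplayName:                    pulumi.String("Name of provider"),
		Description:                    pulumi.String("OIDC identity pool provider for automated test"),
		Disabled:                       pulumi.Bool(true),
		// Only assertions whose groups claim contains this group ID are accepted.
		AttributeCondition: pulumi.String("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"),
		AttributeMapping:   mapping,
		Oidc: &iam.WorkloadIdentityPoolProviderOidcArgs{
			AllowedAudiences: pulumi.StringArray{
				pulumi.String("https://example.com/gcp-oidc-federation"),
				pulumi.String("example.com/gcp-oidc-federation"),
			},
			IssuerUri: pulumi.String("https://sts.windows.net/azure-tenant-id"),
			// Inline JWKS document; presumably pins the issuer's signing keys
			// in configuration rather than fetching them from the issuer —
			// confirm the key-rotation procedure before relying on this
			// outside tests.
			JwksJson: pulumi.String("{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}"),
		},
	})
	return err
}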
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider;
import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
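/**
 * Pulumi program that creates a workload identity pool and an OIDC provider
 * inside it. The provider is created disabled (a disabled provider cannot be
 * used to exchange tokens).
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the pool and its OIDC provider.
     *
     * @param ctx the Pulumi deployment context; resources register themselves,
     *            so it is not used directly here
     */
    public static void stack(Context ctx) {
        var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .build());

        // CEL expressions mapping OIDC assertion claims to Google Cloud
        // attributes. attribute.managed_identity_name indexes a fixed table
        // with the asserted oid; the mis-encoded "&#46;" of the original
        // listing is restored to "." so the expression reads assertion.oid.
        // The text block keeps one leading space per line (the closing
        // delimiter sets the stripped indentation), matching the other
        // language examples.
        var attributeMapping = Map.ofEntries(
            Map.entry("google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub"),
            Map.entry("attribute.tid", "assertion.tid"),
            Map.entry("attribute.managed_identity_name", """
                 {
                 "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
                 "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
                 }[assertion.oid]
                """)
        );

        // Inline JWKS document; presumably pins the issuer's signing keys in
        // configuration rather than fetching them from the issuer — confirm
        // the key-rotation procedure before relying on this outside tests.
        var oidc = WorkloadIdentityPoolProviderOidcArgs.builder()
            .allowedAudiences(
                "https://example.com/gcp-oidc-federation",
                "example.com/gcp-oidc-federation")
            .issuerUri("https://sts.windows.net/azure-tenant-id")
            .jwksJson("{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}")
            .build();

        var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder()
            .workloadIdentityPoolId(pool.workloadIdentityPoolId())
            .workloadIdentityPoolProviderId("example-prvdr")
            .displayName("Name of provider")
            .description("OIDC identity pool provider for automated test")
            .disabled(true)
            // Only assertions whose groups claim contains this group ID are accepted.
            .attributeCondition("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups")
            .attributeMapping(attributeMapping)
            .oidc(oidc)
            .build());
    }
}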
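# Workload identity pool plus an OIDC provider inside it. The provider is
# created disabled (a disabled provider cannot be used to exchange tokens).
resources:
  pool:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
  example:
    type: gcp:iam:WorkloadIdentityPoolProvider
    properties:
      workloadIdentityPoolId: ${pool.workloadIdentityPoolId}
      workloadIdentityPoolProviderId: example-prvdr
      displayName: Name of provider
      description: OIDC identity pool provider for automated test
      disabled: true
      # Only assertions whose groups claim contains this group ID are accepted.
      attributeCondition: '"e968c2ef-047c-498d-8d79-16ca1b61e77e" in assertion.groups'
      # CEL expressions mapping OIDC assertion claims to Google Cloud
      # attributes. attribute.managed_identity_name indexes a fixed table
      # with the asserted oid; the mis-encoded "&#46;" of the original
      # listing is restored to "." so the expression reads assertion.oid.
      # The `|2` indentation indicator keeps the one extra leading space on
      # each line, matching the other language examples.
      attributeMapping:
        google.subject: '"azure::" + assertion.tid + "::" + assertion.sub'
        attribute.tid: assertion.tid
        attribute.managed_identity_name: |2
           {
           "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
           "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
           }[assertion.oid]
      oidc:
        allowedAudiences:
          - https://example.com/gcp-oidc-federation
          - example.com/gcp-oidc-federation
        issuerUri: https://sts.windows.net/azure-tenant-id
        # Inline JWKS document; presumably pins the issuer's signing keys in
        # configuration rather than fetching them from the issuer — confirm
        # the key-rotation procedure before relying on this outside tests.
        jwksJson: '{"keys":[{"kty":"RSA","alg":"RS256","kid":"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA","use":"sig","e":"AQAB","n":"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw"}]}'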

Import

WorkloadIdentityPoolProvider can be imported using any of these accepted formats:

  • projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}

  • {{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}

  • {{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}

When using the pulumi import command, WorkloadIdentityPoolProvider can be imported using one of the formats above. For example:

$ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}
$ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
$ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}

Constructors

constructor(attributeCondition: Output<String>? = null, attributeMapping: Output<Map<String, String>>? = null, aws: Output<WorkloadIdentityPoolProviderAwsArgs>? = null, description: Output<String>? = null, disabled: Output<Boolean>? = null, displayName: Output<String>? = null, oidc: Output<WorkloadIdentityPoolProviderOidcArgs>? = null, project: Output<String>? = null, saml: Output<WorkloadIdentityPoolProviderSamlArgs>? = null, workloadIdentityPoolId: Output<String>? = null, workloadIdentityPoolProviderId: Output<String>? = null)

Properties

val attributeCondition: Output<String>? = null

A Common Expression Language (CEL) expression, in plain text, that restricts which otherwise valid authentication credentials issued by the provider are accepted. The expression must evaluate to a boolean indicating whether to allow the federation. The following keywords may be referenced in the expression:

val attributeMapping: Output<Map<String, String>>? = null

Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as subject and segment. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:


An Amazon Web Services identity provider. Not compatible with the oidc or saml properties. Structure is documented below.

val description: Output<String>? = null

A description for the provider. Cannot exceed 256 characters.

val disabled: Output<Boolean>? = null

Whether the provider is disabled. A disabled provider cannot be used to exchange tokens; however, tokens that were already issued continue to grant access.

val displayName: Output<String>? = null

A display name for the provider. Cannot exceed 32 characters.


An OpenID Connect 1.0 identity provider. Not compatible with the aws or saml properties. Structure is documented below.

val project: Output<String>? = null

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.


A SAML 2.0 identity provider. Not compatible with the oidc or aws properties. Structure is documented below.

val workloadIdentityPoolId: Output<String>? = null

The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters long and may contain only the characters a-z, 0-9 and -. The prefix gcp- is reserved for use by Google and may not be specified.


The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters long and may contain only the characters a-z, 0-9 and -. The prefix gcp- is reserved for use by Google and may not be specified.

Functions

open override fun toJava(): WorkloadIdentityPoolProviderArgs