gcp.iam.WorkforcePoolProvider
Explore with Pulumi AI
A configuration for an external identity provider.
To get more information about WorkforcePoolProvider, see:
Note: Ask your Google Cloud account team to request access to workforce identity federation for your billing/quota project. The account team notifies you when the project is granted access.
Example Usage
Iam Workforce Pool Provider Saml Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const pool = new gcp.iam.WorkforcePool("pool", {
workforcePoolId: "example-pool",
parent: "organizations/123456789",
location: "global",
});
const example = new gcp.iam.WorkforcePoolProvider("example", {
workforcePoolId: pool.workforcePoolId,
location: pool.location,
providerId: "example-prvdr",
attributeMapping: {
"google.subject": "assertion.sub",
},
saml: {
idpMetadataXml: "<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
},
});
import pulumi
import pulumi_gcp as gcp
pool = gcp.iam.WorkforcePool("pool",
workforce_pool_id="example-pool",
parent="organizations/123456789",
location="global")
example = gcp.iam.WorkforcePoolProvider("example",
workforce_pool_id=pool.workforce_pool_id,
location=pool.location,
provider_id="example-prvdr",
attribute_mapping={
"google.subject": "assertion.sub",
},
saml=gcp.iam.WorkforcePoolProviderSamlArgs(
idp_metadata_xml="<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
))
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := iam.NewWorkforcePool(ctx, "pool", &iam.WorkforcePoolArgs{
WorkforcePoolId: pulumi.String("example-pool"),
Parent: pulumi.String("organizations/123456789"),
Location: pulumi.String("global"),
})
if err != nil {
return err
}
_, err = iam.NewWorkforcePoolProvider(ctx, "example", &iam.WorkforcePoolProviderArgs{
WorkforcePoolId: pool.WorkforcePoolId,
Location: pool.Location,
ProviderId: pulumi.String("example-prvdr"),
AttributeMapping: pulumi.StringMap{
"google.subject": pulumi.String("assertion.sub"),
},
Saml: &iam.WorkforcePoolProviderSamlArgs{
IdpMetadataXml: pulumi.String("<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.Iam.WorkforcePool("pool", new()
{
WorkforcePoolId = "example-pool",
Parent = "organizations/123456789",
Location = "global",
});
var example = new Gcp.Iam.WorkforcePoolProvider("example", new()
{
WorkforcePoolId = pool.WorkforcePoolId,
Location = pool.Location,
ProviderId = "example-prvdr",
AttributeMapping =
{
{ "google.subject", "assertion.sub" },
},
Saml = new Gcp.Iam.Inputs.WorkforcePoolProviderSamlArgs
{
IdpMetadataXml = "<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkforcePool;
import com.pulumi.gcp.iam.WorkforcePoolArgs;
import com.pulumi.gcp.iam.WorkforcePoolProvider;
import com.pulumi.gcp.iam.WorkforcePoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderSamlArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new WorkforcePool("pool", WorkforcePoolArgs.builder()
.workforcePoolId("example-pool")
.parent("organizations/123456789")
.location("global")
.build());
var example = new WorkforcePoolProvider("example", WorkforcePoolProviderArgs.builder()
.workforcePoolId(pool.workforcePoolId())
.location(pool.location())
.providerId("example-prvdr")
.attributeMapping(Map.of("google.subject", "assertion.sub"))
.saml(WorkforcePoolProviderSamlArgs.builder()
.idpMetadataXml("<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>")
.build())
.build());
}
}
resources:
pool:
type: gcp:iam:WorkforcePool
properties:
workforcePoolId: example-pool
parent: organizations/123456789
location: global
example:
type: gcp:iam:WorkforcePoolProvider
properties:
workforcePoolId: ${pool.workforcePoolId}
location: ${pool.location}
providerId: example-prvdr
attributeMapping:
google.subject: assertion.sub
saml:
idpMetadataXml: <?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://test.com"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test.com/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>
Iam Workforce Pool Provider Saml Full
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const pool = new gcp.iam.WorkforcePool("pool", {
workforcePoolId: "example-pool",
parent: "organizations/123456789",
location: "global",
});
const example = new gcp.iam.WorkforcePoolProvider("example", {
workforcePoolId: pool.workforcePoolId,
location: pool.location,
providerId: "example-prvdr",
attributeMapping: {
"google.subject": "assertion.sub",
},
saml: {
idpMetadataXml: "<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
},
displayName: "Display name",
description: "A sample SAML workforce pool provider.",
disabled: false,
attributeCondition: "true",
});
import pulumi
import pulumi_gcp as gcp
pool = gcp.iam.WorkforcePool("pool",
workforce_pool_id="example-pool",
parent="organizations/123456789",
location="global")
example = gcp.iam.WorkforcePoolProvider("example",
workforce_pool_id=pool.workforce_pool_id,
location=pool.location,
provider_id="example-prvdr",
attribute_mapping={
"google.subject": "assertion.sub",
},
saml=gcp.iam.WorkforcePoolProviderSamlArgs(
idp_metadata_xml="<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
),
display_name="Display name",
description="A sample SAML workforce pool provider.",
disabled=False,
attribute_condition="true")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := iam.NewWorkforcePool(ctx, "pool", &iam.WorkforcePoolArgs{
WorkforcePoolId: pulumi.String("example-pool"),
Parent: pulumi.String("organizations/123456789"),
Location: pulumi.String("global"),
})
if err != nil {
return err
}
_, err = iam.NewWorkforcePoolProvider(ctx, "example", &iam.WorkforcePoolProviderArgs{
WorkforcePoolId: pool.WorkforcePoolId,
Location: pool.Location,
ProviderId: pulumi.String("example-prvdr"),
AttributeMapping: pulumi.StringMap{
"google.subject": pulumi.String("assertion.sub"),
},
Saml: &iam.WorkforcePoolProviderSamlArgs{
IdpMetadataXml: pulumi.String("<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>"),
},
DisplayName: pulumi.String("Display name"),
Description: pulumi.String("A sample SAML workforce pool provider."),
Disabled: pulumi.Bool(false),
AttributeCondition: pulumi.String("true"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.Iam.WorkforcePool("pool", new()
{
WorkforcePoolId = "example-pool",
Parent = "organizations/123456789",
Location = "global",
});
var example = new Gcp.Iam.WorkforcePoolProvider("example", new()
{
WorkforcePoolId = pool.WorkforcePoolId,
Location = pool.Location,
ProviderId = "example-prvdr",
AttributeMapping =
{
{ "google.subject", "assertion.sub" },
},
Saml = new Gcp.Iam.Inputs.WorkforcePoolProviderSamlArgs
{
IdpMetadataXml = "<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
},
DisplayName = "Display name",
Description = "A sample SAML workforce pool provider.",
Disabled = false,
AttributeCondition = "true",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkforcePool;
import com.pulumi.gcp.iam.WorkforcePoolArgs;
import com.pulumi.gcp.iam.WorkforcePoolProvider;
import com.pulumi.gcp.iam.WorkforcePoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderSamlArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new WorkforcePool("pool", WorkforcePoolArgs.builder()
.workforcePoolId("example-pool")
.parent("organizations/123456789")
.location("global")
.build());
var example = new WorkforcePoolProvider("example", WorkforcePoolProviderArgs.builder()
.workforcePoolId(pool.workforcePoolId())
.location(pool.location())
.providerId("example-prvdr")
.attributeMapping(Map.of("google.subject", "assertion.sub"))
.saml(WorkforcePoolProviderSamlArgs.builder()
.idpMetadataXml("<?xml version=\"1.0\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://test.com\"><md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"> <md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://test.com/sso\"/></md:IDPSSODescriptor></md:EntityDescriptor>")
.build())
.displayName("Display name")
.description("A sample SAML workforce pool provider.")
.disabled(false)
.attributeCondition("true")
.build());
}
}
resources:
pool:
type: gcp:iam:WorkforcePool
properties:
workforcePoolId: example-pool
parent: organizations/123456789
location: global
example:
type: gcp:iam:WorkforcePoolProvider
properties:
workforcePoolId: ${pool.workforcePoolId}
location: ${pool.location}
providerId: example-prvdr
attributeMapping:
google.subject: assertion.sub
saml:
idpMetadataXml: <?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://test.com"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAX7/5qPhMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00NTg0MjExHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwMjE2MDAxOTEyWhcNMzIwMjE2MDAyMDEyWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDU4NDIxMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrBl7GKz52cRpxF9xCsirnRuMxnhFBaUrsHqAQrLqWmdlpNYZTVg+T9iQ+aq/iE68L+BRZcZniKIvW58wqqS0ltXVvIkXuDSvnvnkkI5yMIVErR20K8jSOKQm1FmK+fgAJ4koshFiu9oLiqu0Ejc0DuL3/XRsb4RuxjktKTb1khgBBtb+7idEk0sFR0RPefAweXImJkDHDm7SxjDwGJUubbqpdTxasPr0W+AHI1VUzsUsTiHAoyb0XDkYqHfDzhj/ZdIEl4zHQ3bEZvlD984ztAnmX2SuFLLKfXeAAGHei8MMixJvwxYkkPeYZ/5h8WgBZPP4heS2CPjwYExt29L8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARjJFz++a9Z5IQGFzsZMrX2EDR5ML4xxUiQkbhld1S1PljOLcYFARDmUC2YYHOueU4ee8Jid9nPGEUebV/4Jok+b+oQh+dWMgiWjSLI7h5q4OYZ3VJtdlVwgMFt2iz+/4yBKMUZ50g3Qgg36vE34us+eKitg759JgCNsibxn0qtJgSPm0sgP2L6yTaLnoEUbXBRxCwynTSkp9ZijZqEzbhN0e2dWv7Rx/nfpohpDP6vEiFImKFHpDSv3M/5de1ytQzPFrZBYt9WlzlYwE1aD9FHCxdd+rWgYMVVoRaRmndpV/Rq3QUuDuFJtaoX11bC7ExkOpg9KstZzA63i3VcfYv</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test.com/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>
displayName: Display name
description: A sample SAML workforce pool provider.
disabled: false
attributeCondition: 'true'
Iam Workforce Pool Provider Oidc Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const pool = new gcp.iam.WorkforcePool("pool", {
workforcePoolId: "example-pool",
parent: "organizations/123456789",
location: "global",
});
const example = new gcp.iam.WorkforcePoolProvider("example", {
workforcePoolId: pool.workforcePoolId,
location: pool.location,
providerId: "example-prvdr",
attributeMapping: {
"google.subject": "assertion.sub",
},
oidc: {
issuerUri: "https://accounts.thirdparty.com",
clientId: "client-id",
clientSecret: {
value: {
plainText: "client-secret",
},
},
webSsoConfig: {
responseType: "CODE",
assertionClaimsBehavior: "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
},
},
});
import pulumi
import pulumi_gcp as gcp
pool = gcp.iam.WorkforcePool("pool",
workforce_pool_id="example-pool",
parent="organizations/123456789",
location="global")
example = gcp.iam.WorkforcePoolProvider("example",
workforce_pool_id=pool.workforce_pool_id,
location=pool.location,
provider_id="example-prvdr",
attribute_mapping={
"google.subject": "assertion.sub",
},
oidc=gcp.iam.WorkforcePoolProviderOidcArgs(
issuer_uri="https://accounts.thirdparty.com",
client_id="client-id",
client_secret=gcp.iam.WorkforcePoolProviderOidcClientSecretArgs(
value=gcp.iam.WorkforcePoolProviderOidcClientSecretValueArgs(
plain_text="client-secret",
),
),
web_sso_config=gcp.iam.WorkforcePoolProviderOidcWebSsoConfigArgs(
response_type="CODE",
assertion_claims_behavior="MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
),
))
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := iam.NewWorkforcePool(ctx, "pool", &iam.WorkforcePoolArgs{
WorkforcePoolId: pulumi.String("example-pool"),
Parent: pulumi.String("organizations/123456789"),
Location: pulumi.String("global"),
})
if err != nil {
return err
}
_, err = iam.NewWorkforcePoolProvider(ctx, "example", &iam.WorkforcePoolProviderArgs{
WorkforcePoolId: pool.WorkforcePoolId,
Location: pool.Location,
ProviderId: pulumi.String("example-prvdr"),
AttributeMapping: pulumi.StringMap{
"google.subject": pulumi.String("assertion.sub"),
},
Oidc: &iam.WorkforcePoolProviderOidcArgs{
IssuerUri: pulumi.String("https://accounts.thirdparty.com"),
ClientId: pulumi.String("client-id"),
ClientSecret: &iam.WorkforcePoolProviderOidcClientSecretArgs{
Value: &iam.WorkforcePoolProviderOidcClientSecretValueArgs{
PlainText: pulumi.String("client-secret"),
},
},
WebSsoConfig: &iam.WorkforcePoolProviderOidcWebSsoConfigArgs{
ResponseType: pulumi.String("CODE"),
AssertionClaimsBehavior: pulumi.String("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.Iam.WorkforcePool("pool", new()
{
WorkforcePoolId = "example-pool",
Parent = "organizations/123456789",
Location = "global",
});
var example = new Gcp.Iam.WorkforcePoolProvider("example", new()
{
WorkforcePoolId = pool.WorkforcePoolId,
Location = pool.Location,
ProviderId = "example-prvdr",
AttributeMapping =
{
{ "google.subject", "assertion.sub" },
},
Oidc = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcArgs
{
IssuerUri = "https://accounts.thirdparty.com",
ClientId = "client-id",
ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretArgs
{
Value = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretValueArgs
{
PlainText = "client-secret",
},
},
WebSsoConfig = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcWebSsoConfigArgs
{
ResponseType = "CODE",
AssertionClaimsBehavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkforcePool;
import com.pulumi.gcp.iam.WorkforcePoolArgs;
import com.pulumi.gcp.iam.WorkforcePoolProvider;
import com.pulumi.gcp.iam.WorkforcePoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretValueArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcWebSsoConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new WorkforcePool("pool", WorkforcePoolArgs.builder()
.workforcePoolId("example-pool")
.parent("organizations/123456789")
.location("global")
.build());
var example = new WorkforcePoolProvider("example", WorkforcePoolProviderArgs.builder()
.workforcePoolId(pool.workforcePoolId())
.location(pool.location())
.providerId("example-prvdr")
.attributeMapping(Map.of("google.subject", "assertion.sub"))
.oidc(WorkforcePoolProviderOidcArgs.builder()
.issuerUri("https://accounts.thirdparty.com")
.clientId("client-id")
.clientSecret(WorkforcePoolProviderOidcClientSecretArgs.builder()
.value(WorkforcePoolProviderOidcClientSecretValueArgs.builder()
.plainText("client-secret")
.build())
.build())
.webSsoConfig(WorkforcePoolProviderOidcWebSsoConfigArgs.builder()
.responseType("CODE")
.assertionClaimsBehavior("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS")
.build())
.build())
.build());
}
}
resources:
pool:
type: gcp:iam:WorkforcePool
properties:
workforcePoolId: example-pool
parent: organizations/123456789
location: global
example:
type: gcp:iam:WorkforcePoolProvider
properties:
workforcePoolId: ${pool.workforcePoolId}
location: ${pool.location}
providerId: example-prvdr
attributeMapping:
google.subject: assertion.sub
oidc:
issuerUri: https://accounts.thirdparty.com
clientId: client-id
clientSecret:
value:
plainText: client-secret
webSsoConfig:
responseType: CODE
assertionClaimsBehavior: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS
Iam Workforce Pool Provider Oidc Full
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const pool = new gcp.iam.WorkforcePool("pool", {
workforcePoolId: "example-pool",
parent: "organizations/123456789",
location: "global",
});
const example = new gcp.iam.WorkforcePoolProvider("example", {
workforcePoolId: pool.workforcePoolId,
location: pool.location,
providerId: "example-prvdr",
attributeMapping: {
"google.subject": "assertion.sub",
},
oidc: {
issuerUri: "https://accounts.thirdparty.com",
clientId: "client-id",
clientSecret: {
value: {
plainText: "client-secret",
},
},
webSsoConfig: {
responseType: "CODE",
assertionClaimsBehavior: "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
additionalScopes: [
"groups",
"roles",
],
},
},
displayName: "Display name",
description: "A sample OIDC workforce pool provider.",
disabled: false,
attributeCondition: "true",
});
import pulumi
import pulumi_gcp as gcp
pool = gcp.iam.WorkforcePool("pool",
workforce_pool_id="example-pool",
parent="organizations/123456789",
location="global")
example = gcp.iam.WorkforcePoolProvider("example",
workforce_pool_id=pool.workforce_pool_id,
location=pool.location,
provider_id="example-prvdr",
attribute_mapping={
"google.subject": "assertion.sub",
},
oidc=gcp.iam.WorkforcePoolProviderOidcArgs(
issuer_uri="https://accounts.thirdparty.com",
client_id="client-id",
client_secret=gcp.iam.WorkforcePoolProviderOidcClientSecretArgs(
value=gcp.iam.WorkforcePoolProviderOidcClientSecretValueArgs(
plain_text="client-secret",
),
),
web_sso_config=gcp.iam.WorkforcePoolProviderOidcWebSsoConfigArgs(
response_type="CODE",
assertion_claims_behavior="MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
additional_scopes=[
"groups",
"roles",
],
),
),
display_name="Display name",
description="A sample OIDC workforce pool provider.",
disabled=False,
attribute_condition="true")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := iam.NewWorkforcePool(ctx, "pool", &iam.WorkforcePoolArgs{
WorkforcePoolId: pulumi.String("example-pool"),
Parent: pulumi.String("organizations/123456789"),
Location: pulumi.String("global"),
})
if err != nil {
return err
}
_, err = iam.NewWorkforcePoolProvider(ctx, "example", &iam.WorkforcePoolProviderArgs{
WorkforcePoolId: pool.WorkforcePoolId,
Location: pool.Location,
ProviderId: pulumi.String("example-prvdr"),
AttributeMapping: pulumi.StringMap{
"google.subject": pulumi.String("assertion.sub"),
},
Oidc: &iam.WorkforcePoolProviderOidcArgs{
IssuerUri: pulumi.String("https://accounts.thirdparty.com"),
ClientId: pulumi.String("client-id"),
ClientSecret: &iam.WorkforcePoolProviderOidcClientSecretArgs{
Value: &iam.WorkforcePoolProviderOidcClientSecretValueArgs{
PlainText: pulumi.String("client-secret"),
},
},
WebSsoConfig: &iam.WorkforcePoolProviderOidcWebSsoConfigArgs{
ResponseType: pulumi.String("CODE"),
AssertionClaimsBehavior: pulumi.String("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"),
AdditionalScopes: pulumi.StringArray{
pulumi.String("groups"),
pulumi.String("roles"),
},
},
},
DisplayName: pulumi.String("Display name"),
Description: pulumi.String("A sample OIDC workforce pool provider."),
Disabled: pulumi.Bool(false),
AttributeCondition: pulumi.String("true"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.Iam.WorkforcePool("pool", new()
{
WorkforcePoolId = "example-pool",
Parent = "organizations/123456789",
Location = "global",
});
var example = new Gcp.Iam.WorkforcePoolProvider("example", new()
{
WorkforcePoolId = pool.WorkforcePoolId,
Location = pool.Location,
ProviderId = "example-prvdr",
AttributeMapping =
{
{ "google.subject", "assertion.sub" },
},
Oidc = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcArgs
{
IssuerUri = "https://accounts.thirdparty.com",
ClientId = "client-id",
ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretArgs
{
Value = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretValueArgs
{
PlainText = "client-secret",
},
},
WebSsoConfig = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcWebSsoConfigArgs
{
ResponseType = "CODE",
AssertionClaimsBehavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
AdditionalScopes = new[]
{
"groups",
"roles",
},
},
},
DisplayName = "Display name",
Description = "A sample OIDC workforce pool provider.",
Disabled = false,
AttributeCondition = "true",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkforcePool;
import com.pulumi.gcp.iam.WorkforcePoolArgs;
import com.pulumi.gcp.iam.WorkforcePoolProvider;
import com.pulumi.gcp.iam.WorkforcePoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretValueArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcWebSsoConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new WorkforcePool("pool", WorkforcePoolArgs.builder()
.workforcePoolId("example-pool")
.parent("organizations/123456789")
.location("global")
.build());
var example = new WorkforcePoolProvider("example", WorkforcePoolProviderArgs.builder()
.workforcePoolId(pool.workforcePoolId())
.location(pool.location())
.providerId("example-prvdr")
.attributeMapping(Map.of("google.subject", "assertion.sub"))
.oidc(WorkforcePoolProviderOidcArgs.builder()
.issuerUri("https://accounts.thirdparty.com")
.clientId("client-id")
.clientSecret(WorkforcePoolProviderOidcClientSecretArgs.builder()
.value(WorkforcePoolProviderOidcClientSecretValueArgs.builder()
.plainText("client-secret")
.build())
.build())
.webSsoConfig(WorkforcePoolProviderOidcWebSsoConfigArgs.builder()
.responseType("CODE")
.assertionClaimsBehavior("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS")
.additionalScopes(
"groups",
"roles")
.build())
.build())
.displayName("Display name")
.description("A sample OIDC workforce pool provider.")
.disabled(false)
.attributeCondition("true")
.build());
}
}
resources:
pool:
type: gcp:iam:WorkforcePool
properties:
workforcePoolId: example-pool
parent: organizations/123456789
location: global
example:
type: gcp:iam:WorkforcePoolProvider
properties:
workforcePoolId: ${pool.workforcePoolId}
location: ${pool.location}
providerId: example-prvdr
attributeMapping:
google.subject: assertion.sub
oidc:
issuerUri: https://accounts.thirdparty.com
clientId: client-id
clientSecret:
value:
plainText: client-secret
webSsoConfig:
responseType: CODE
assertionClaimsBehavior: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS
additionalScopes:
- groups
- roles
displayName: Display name
description: A sample OIDC workforce pool provider.
disabled: false
attributeCondition: 'true'
Iam Workforce Pool Provider Extra Attributes Oauth2 Config Client Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const pool = new gcp.iam.WorkforcePool("pool", {
workforcePoolId: "example-pool",
parent: "organizations/123456789",
location: "global",
});
const example = new gcp.iam.WorkforcePoolProvider("example", {
workforcePoolId: pool.workforcePoolId,
location: pool.location,
providerId: "example-prvdr",
attributeMapping: {
"google.subject": "assertion.sub",
},
oidc: {
issuerUri: "https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/",
clientId: "https://analysis.windows.net/powerbi/connector/GoogleBigQuery",
webSsoConfig: {
responseType: "CODE",
assertionClaimsBehavior: "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
},
clientSecret: {
value: {
plainText: "client-secret",
},
},
},
extraAttributesOauth2Client: {
issuerUri: "https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0",
clientId: "client-id",
clientSecret: {
value: {
plainText: "client-secret",
},
},
attributesType: "AZURE_AD_GROUPS_MAIL",
},
});
import pulumi
import pulumi_gcp as gcp
pool = gcp.iam.WorkforcePool("pool",
workforce_pool_id="example-pool",
parent="organizations/123456789",
location="global")
example = gcp.iam.WorkforcePoolProvider("example",
workforce_pool_id=pool.workforce_pool_id,
location=pool.location,
provider_id="example-prvdr",
attribute_mapping={
"google.subject": "assertion.sub",
},
oidc=gcp.iam.WorkforcePoolProviderOidcArgs(
issuer_uri="https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/",
client_id="https://analysis.windows.net/powerbi/connector/GoogleBigQuery",
web_sso_config=gcp.iam.WorkforcePoolProviderOidcWebSsoConfigArgs(
response_type="CODE",
assertion_claims_behavior="MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
),
client_secret=gcp.iam.WorkforcePoolProviderOidcClientSecretArgs(
value=gcp.iam.WorkforcePoolProviderOidcClientSecretValueArgs(
plain_text="client-secret",
),
),
),
extra_attributes_oauth2_client=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientArgs(
issuer_uri="https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0",
client_id="client-id",
client_secret=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs(
value=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs(
plain_text="client-secret",
),
),
attributes_type="AZURE_AD_GROUPS_MAIL",
))
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := iam.NewWorkforcePool(ctx, "pool", &iam.WorkforcePoolArgs{
WorkforcePoolId: pulumi.String("example-pool"),
Parent: pulumi.String("organizations/123456789"),
Location: pulumi.String("global"),
})
if err != nil {
return err
}
_, err = iam.NewWorkforcePoolProvider(ctx, "example", &iam.WorkforcePoolProviderArgs{
WorkforcePoolId: pool.WorkforcePoolId,
Location: pool.Location,
ProviderId: pulumi.String("example-prvdr"),
AttributeMapping: pulumi.StringMap{
"google.subject": pulumi.String("assertion.sub"),
},
Oidc: &iam.WorkforcePoolProviderOidcArgs{
IssuerUri: pulumi.String("https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/"),
ClientId: pulumi.String("https://analysis.windows.net/powerbi/connector/GoogleBigQuery"),
WebSsoConfig: &iam.WorkforcePoolProviderOidcWebSsoConfigArgs{
ResponseType: pulumi.String("CODE"),
AssertionClaimsBehavior: pulumi.String("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"),
},
ClientSecret: &iam.WorkforcePoolProviderOidcClientSecretArgs{
Value: &iam.WorkforcePoolProviderOidcClientSecretValueArgs{
PlainText: pulumi.String("client-secret"),
},
},
},
ExtraAttributesOauth2Client: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientArgs{
IssuerUri: pulumi.String("https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0"),
ClientId: pulumi.String("client-id"),
ClientSecret: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs{
Value: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs{
PlainText: pulumi.String("client-secret"),
},
},
AttributesType: pulumi.String("AZURE_AD_GROUPS_MAIL"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.Iam.WorkforcePool("pool", new()
{
WorkforcePoolId = "example-pool",
Parent = "organizations/123456789",
Location = "global",
});
var example = new Gcp.Iam.WorkforcePoolProvider("example", new()
{
WorkforcePoolId = pool.WorkforcePoolId,
Location = pool.Location,
ProviderId = "example-prvdr",
AttributeMapping =
{
{ "google.subject", "assertion.sub" },
},
Oidc = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcArgs
{
IssuerUri = "https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/",
ClientId = "https://analysis.windows.net/powerbi/connector/GoogleBigQuery",
WebSsoConfig = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcWebSsoConfigArgs
{
ResponseType = "CODE",
AssertionClaimsBehavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
},
ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretArgs
{
Value = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretValueArgs
{
PlainText = "client-secret",
},
},
},
ExtraAttributesOauth2Client = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientArgs
{
IssuerUri = "https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0",
ClientId = "client-id",
ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs
{
Value = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs
{
PlainText = "client-secret",
},
},
AttributesType = "AZURE_AD_GROUPS_MAIL",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkforcePool;
import com.pulumi.gcp.iam.WorkforcePoolArgs;
import com.pulumi.gcp.iam.WorkforcePoolProvider;
import com.pulumi.gcp.iam.WorkforcePoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcWebSsoConfigArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretValueArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderExtraAttributesOauth2ClientArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new WorkforcePool("pool", WorkforcePoolArgs.builder()
.workforcePoolId("example-pool")
.parent("organizations/123456789")
.location("global")
.build());
var example = new WorkforcePoolProvider("example", WorkforcePoolProviderArgs.builder()
.workforcePoolId(pool.workforcePoolId())
.location(pool.location())
.providerId("example-prvdr")
.attributeMapping(Map.of("google.subject", "assertion.sub"))
.oidc(WorkforcePoolProviderOidcArgs.builder()
.issuerUri("https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/")
.clientId("https://analysis.windows.net/powerbi/connector/GoogleBigQuery")
.webSsoConfig(WorkforcePoolProviderOidcWebSsoConfigArgs.builder()
.responseType("CODE")
.assertionClaimsBehavior("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS")
.build())
.clientSecret(WorkforcePoolProviderOidcClientSecretArgs.builder()
.value(WorkforcePoolProviderOidcClientSecretValueArgs.builder()
.plainText("client-secret")
.build())
.build())
.build())
.extraAttributesOauth2Client(WorkforcePoolProviderExtraAttributesOauth2ClientArgs.builder()
.issuerUri("https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0")
.clientId("client-id")
.clientSecret(WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs.builder()
.value(WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs.builder()
.plainText("client-secret")
.build())
.build())
.attributesType("AZURE_AD_GROUPS_MAIL")
.build())
.build());
}
}
resources:
pool:
type: gcp:iam:WorkforcePool
properties:
workforcePoolId: example-pool
parent: organizations/123456789
location: global
example:
type: gcp:iam:WorkforcePoolProvider
properties:
workforcePoolId: ${pool.workforcePoolId}
location: ${pool.location}
providerId: example-prvdr
attributeMapping:
google.subject: assertion.sub
oidc:
issuerUri: https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/
clientId: https://analysis.windows.net/powerbi/connector/GoogleBigQuery
webSsoConfig:
responseType: CODE
assertionClaimsBehavior: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS
clientSecret:
value:
plainText: client-secret
extraAttributesOauth2Client:
issuerUri: https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0
clientId: client-id
clientSecret:
value:
plainText: client-secret
attributesType: AZURE_AD_GROUPS_MAIL
Iam Workforce Pool Provider Extra Attributes Oauth2 Config Client Full
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const pool = new gcp.iam.WorkforcePool("pool", {
workforcePoolId: "example-pool",
parent: "organizations/123456789",
location: "global",
});
const example = new gcp.iam.WorkforcePoolProvider("example", {
workforcePoolId: pool.workforcePoolId,
location: pool.location,
providerId: "example-prvdr",
attributeMapping: {
"google.subject": "assertion.sub",
},
oidc: {
issuerUri: "https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/",
clientId: "https://analysis.windows.net/powerbi/connector/GoogleBigQuery",
clientSecret: {
value: {
plainText: "client-secret",
},
},
webSsoConfig: {
responseType: "CODE",
assertionClaimsBehavior: "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
},
},
extraAttributesOauth2Client: {
issuerUri: "https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0",
clientId: "client-id",
clientSecret: {
value: {
plainText: "client-secret",
},
},
attributesType: "AZURE_AD_GROUPS_MAIL",
queryParameters: {
filter: "mail:gcp",
},
},
});
import pulumi
import pulumi_gcp as gcp
pool = gcp.iam.WorkforcePool("pool",
workforce_pool_id="example-pool",
parent="organizations/123456789",
location="global")
example = gcp.iam.WorkforcePoolProvider("example",
workforce_pool_id=pool.workforce_pool_id,
location=pool.location,
provider_id="example-prvdr",
attribute_mapping={
"google.subject": "assertion.sub",
},
oidc=gcp.iam.WorkforcePoolProviderOidcArgs(
issuer_uri="https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/",
client_id="https://analysis.windows.net/powerbi/connector/GoogleBigQuery",
client_secret=gcp.iam.WorkforcePoolProviderOidcClientSecretArgs(
value=gcp.iam.WorkforcePoolProviderOidcClientSecretValueArgs(
plain_text="client-secret",
),
),
web_sso_config=gcp.iam.WorkforcePoolProviderOidcWebSsoConfigArgs(
response_type="CODE",
assertion_claims_behavior="MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
),
),
extra_attributes_oauth2_client=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientArgs(
issuer_uri="https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0",
client_id="client-id",
client_secret=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs(
value=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs(
plain_text="client-secret",
),
),
attributes_type="AZURE_AD_GROUPS_MAIL",
query_parameters=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs(
filter="mail:gcp",
),
))
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pool, err := iam.NewWorkforcePool(ctx, "pool", &iam.WorkforcePoolArgs{
WorkforcePoolId: pulumi.String("example-pool"),
Parent: pulumi.String("organizations/123456789"),
Location: pulumi.String("global"),
})
if err != nil {
return err
}
_, err = iam.NewWorkforcePoolProvider(ctx, "example", &iam.WorkforcePoolProviderArgs{
WorkforcePoolId: pool.WorkforcePoolId,
Location: pool.Location,
ProviderId: pulumi.String("example-prvdr"),
AttributeMapping: pulumi.StringMap{
"google.subject": pulumi.String("assertion.sub"),
},
Oidc: &iam.WorkforcePoolProviderOidcArgs{
IssuerUri: pulumi.String("https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/"),
ClientId: pulumi.String("https://analysis.windows.net/powerbi/connector/GoogleBigQuery"),
ClientSecret: &iam.WorkforcePoolProviderOidcClientSecretArgs{
Value: &iam.WorkforcePoolProviderOidcClientSecretValueArgs{
PlainText: pulumi.String("client-secret"),
},
},
WebSsoConfig: &iam.WorkforcePoolProviderOidcWebSsoConfigArgs{
ResponseType: pulumi.String("CODE"),
AssertionClaimsBehavior: pulumi.String("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"),
},
},
ExtraAttributesOauth2Client: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientArgs{
IssuerUri: pulumi.String("https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0"),
ClientId: pulumi.String("client-id"),
ClientSecret: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs{
Value: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs{
PlainText: pulumi.String("client-secret"),
},
},
AttributesType: pulumi.String("AZURE_AD_GROUPS_MAIL"),
QueryParameters: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs{
Filter: pulumi.String("mail:gcp"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var pool = new Gcp.Iam.WorkforcePool("pool", new()
{
WorkforcePoolId = "example-pool",
Parent = "organizations/123456789",
Location = "global",
});
var example = new Gcp.Iam.WorkforcePoolProvider("example", new()
{
WorkforcePoolId = pool.WorkforcePoolId,
Location = pool.Location,
ProviderId = "example-prvdr",
AttributeMapping =
{
{ "google.subject", "assertion.sub" },
},
Oidc = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcArgs
{
IssuerUri = "https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/",
ClientId = "https://analysis.windows.net/powerbi/connector/GoogleBigQuery",
ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretArgs
{
Value = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretValueArgs
{
PlainText = "client-secret",
},
},
WebSsoConfig = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcWebSsoConfigArgs
{
ResponseType = "CODE",
AssertionClaimsBehavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
},
},
ExtraAttributesOauth2Client = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientArgs
{
IssuerUri = "https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0",
ClientId = "client-id",
ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs
{
Value = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs
{
PlainText = "client-secret",
},
},
AttributesType = "AZURE_AD_GROUPS_MAIL",
QueryParameters = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs
{
Filter = "mail:gcp",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkforcePool;
import com.pulumi.gcp.iam.WorkforcePoolArgs;
import com.pulumi.gcp.iam.WorkforcePoolProvider;
import com.pulumi.gcp.iam.WorkforcePoolProviderArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcClientSecretValueArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderOidcWebSsoConfigArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderExtraAttributesOauth2ClientArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs;
import com.pulumi.gcp.iam.inputs.WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pool = new WorkforcePool("pool", WorkforcePoolArgs.builder()
.workforcePoolId("example-pool")
.parent("organizations/123456789")
.location("global")
.build());
var example = new WorkforcePoolProvider("example", WorkforcePoolProviderArgs.builder()
.workforcePoolId(pool.workforcePoolId())
.location(pool.location())
.providerId("example-prvdr")
.attributeMapping(Map.of("google.subject", "assertion.sub"))
.oidc(WorkforcePoolProviderOidcArgs.builder()
.issuerUri("https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/")
.clientId("https://analysis.windows.net/powerbi/connector/GoogleBigQuery")
.clientSecret(WorkforcePoolProviderOidcClientSecretArgs.builder()
.value(WorkforcePoolProviderOidcClientSecretValueArgs.builder()
.plainText("client-secret")
.build())
.build())
.webSsoConfig(WorkforcePoolProviderOidcWebSsoConfigArgs.builder()
.responseType("CODE")
.assertionClaimsBehavior("MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS")
.build())
.build())
.extraAttributesOauth2Client(WorkforcePoolProviderExtraAttributesOauth2ClientArgs.builder()
.issuerUri("https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0")
.clientId("client-id")
.clientSecret(WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs.builder()
.value(WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs.builder()
.plainText("client-secret")
.build())
.build())
.attributesType("AZURE_AD_GROUPS_MAIL")
.queryParameters(WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs.builder()
.filter("mail:gcp")
.build())
.build())
.build());
}
}
resources:
pool:
type: gcp:iam:WorkforcePool
properties:
workforcePoolId: example-pool
parent: organizations/123456789
location: global
example:
type: gcp:iam:WorkforcePoolProvider
properties:
workforcePoolId: ${pool.workforcePoolId}
location: ${pool.location}
providerId: example-prvdr
attributeMapping:
google.subject: assertion.sub
oidc:
issuerUri: https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/
clientId: https://analysis.windows.net/powerbi/connector/GoogleBigQuery
clientSecret:
value:
plainText: client-secret
webSsoConfig:
responseType: CODE
assertionClaimsBehavior: MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS
extraAttributesOauth2Client:
issuerUri: https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0
clientId: client-id
clientSecret:
value:
plainText: client-secret
attributesType: AZURE_AD_GROUPS_MAIL
queryParameters:
filter: mail:gcp
Create WorkforcePoolProvider Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new WorkforcePoolProvider(name: string, args: WorkforcePoolProviderArgs, opts?: CustomResourceOptions);
@overload
def WorkforcePoolProvider(resource_name: str,
args: WorkforcePoolProviderArgs,
opts: Optional[ResourceOptions] = None)
@overload
def WorkforcePoolProvider(resource_name: str,
opts: Optional[ResourceOptions] = None,
location: Optional[str] = None,
provider_id: Optional[str] = None,
workforce_pool_id: Optional[str] = None,
attribute_condition: Optional[str] = None,
attribute_mapping: Optional[Mapping[str, str]] = None,
description: Optional[str] = None,
disabled: Optional[bool] = None,
display_name: Optional[str] = None,
extra_attributes_oauth2_client: Optional[WorkforcePoolProviderExtraAttributesOauth2ClientArgs] = None,
oidc: Optional[WorkforcePoolProviderOidcArgs] = None,
saml: Optional[WorkforcePoolProviderSamlArgs] = None)
func NewWorkforcePoolProvider(ctx *Context, name string, args WorkforcePoolProviderArgs, opts ...ResourceOption) (*WorkforcePoolProvider, error)
public WorkforcePoolProvider(string name, WorkforcePoolProviderArgs args, CustomResourceOptions? opts = null)
public WorkforcePoolProvider(String name, WorkforcePoolProviderArgs args)
public WorkforcePoolProvider(String name, WorkforcePoolProviderArgs args, CustomResourceOptions options)
type: gcp:iam:WorkforcePoolProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args WorkforcePoolProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args WorkforcePoolProviderArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args WorkforcePoolProviderArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args WorkforcePoolProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args WorkforcePoolProviderArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var workforcePoolProviderResource = new Gcp.Iam.WorkforcePoolProvider("workforcePoolProviderResource", new()
{
Location = "string",
ProviderId = "string",
WorkforcePoolId = "string",
AttributeCondition = "string",
AttributeMapping =
{
{ "string", "string" },
},
Description = "string",
Disabled = false,
DisplayName = "string",
ExtraAttributesOauth2Client = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientArgs
{
AttributesType = "string",
ClientId = "string",
ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs
{
Value = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs
{
PlainText = "string",
Thumbprint = "string",
},
},
IssuerUri = "string",
QueryParameters = new Gcp.Iam.Inputs.WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs
{
Filter = "string",
},
},
Oidc = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcArgs
{
ClientId = "string",
IssuerUri = "string",
ClientSecret = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretArgs
{
Value = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcClientSecretValueArgs
{
PlainText = "string",
Thumbprint = "string",
},
},
JwksJson = "string",
WebSsoConfig = new Gcp.Iam.Inputs.WorkforcePoolProviderOidcWebSsoConfigArgs
{
AssertionClaimsBehavior = "string",
ResponseType = "string",
AdditionalScopes = new[]
{
"string",
},
},
},
Saml = new Gcp.Iam.Inputs.WorkforcePoolProviderSamlArgs
{
IdpMetadataXml = "string",
},
});
example, err := iam.NewWorkforcePoolProvider(ctx, "workforcePoolProviderResource", &iam.WorkforcePoolProviderArgs{
Location: pulumi.String("string"),
ProviderId: pulumi.String("string"),
WorkforcePoolId: pulumi.String("string"),
AttributeCondition: pulumi.String("string"),
AttributeMapping: pulumi.StringMap{
"string": pulumi.String("string"),
},
Description: pulumi.String("string"),
Disabled: pulumi.Bool(false),
DisplayName: pulumi.String("string"),
ExtraAttributesOauth2Client: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientArgs{
AttributesType: pulumi.String("string"),
ClientId: pulumi.String("string"),
ClientSecret: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs{
Value: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs{
PlainText: pulumi.String("string"),
Thumbprint: pulumi.String("string"),
},
},
IssuerUri: pulumi.String("string"),
QueryParameters: &iam.WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs{
Filter: pulumi.String("string"),
},
},
Oidc: &iam.WorkforcePoolProviderOidcArgs{
ClientId: pulumi.String("string"),
IssuerUri: pulumi.String("string"),
ClientSecret: &iam.WorkforcePoolProviderOidcClientSecretArgs{
Value: &iam.WorkforcePoolProviderOidcClientSecretValueArgs{
PlainText: pulumi.String("string"),
Thumbprint: pulumi.String("string"),
},
},
JwksJson: pulumi.String("string"),
WebSsoConfig: &iam.WorkforcePoolProviderOidcWebSsoConfigArgs{
AssertionClaimsBehavior: pulumi.String("string"),
ResponseType: pulumi.String("string"),
AdditionalScopes: pulumi.StringArray{
pulumi.String("string"),
},
},
},
Saml: &iam.WorkforcePoolProviderSamlArgs{
IdpMetadataXml: pulumi.String("string"),
},
})
var workforcePoolProviderResource = new WorkforcePoolProvider("workforcePoolProviderResource", WorkforcePoolProviderArgs.builder()
.location("string")
.providerId("string")
.workforcePoolId("string")
.attributeCondition("string")
.attributeMapping(Map.of("string", "string"))
.description("string")
.disabled(false)
.displayName("string")
.extraAttributesOauth2Client(WorkforcePoolProviderExtraAttributesOauth2ClientArgs.builder()
.attributesType("string")
.clientId("string")
.clientSecret(WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs.builder()
.value(WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs.builder()
.plainText("string")
.thumbprint("string")
.build())
.build())
.issuerUri("string")
.queryParameters(WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs.builder()
.filter("string")
.build())
.build())
.oidc(WorkforcePoolProviderOidcArgs.builder()
.clientId("string")
.issuerUri("string")
.clientSecret(WorkforcePoolProviderOidcClientSecretArgs.builder()
.value(WorkforcePoolProviderOidcClientSecretValueArgs.builder()
.plainText("string")
.thumbprint("string")
.build())
.build())
.jwksJson("string")
.webSsoConfig(WorkforcePoolProviderOidcWebSsoConfigArgs.builder()
.assertionClaimsBehavior("string")
.responseType("string")
.additionalScopes("string")
.build())
.build())
.saml(WorkforcePoolProviderSamlArgs.builder()
.idpMetadataXml("string")
.build())
.build());
workforce_pool_provider_resource = gcp.iam.WorkforcePoolProvider("workforcePoolProviderResource",
location="string",
provider_id="string",
workforce_pool_id="string",
attribute_condition="string",
attribute_mapping={
"string": "string",
},
description="string",
disabled=False,
display_name="string",
extra_attributes_oauth2_client=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientArgs(
attributes_type="string",
client_id="string",
client_secret=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs(
value=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs(
plain_text="string",
thumbprint="string",
),
),
issuer_uri="string",
query_parameters=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs(
filter="string",
),
),
oidc=gcp.iam.WorkforcePoolProviderOidcArgs(
client_id="string",
issuer_uri="string",
client_secret=gcp.iam.WorkforcePoolProviderOidcClientSecretArgs(
value=gcp.iam.WorkforcePoolProviderOidcClientSecretValueArgs(
plain_text="string",
thumbprint="string",
),
),
jwks_json="string",
web_sso_config=gcp.iam.WorkforcePoolProviderOidcWebSsoConfigArgs(
assertion_claims_behavior="string",
response_type="string",
additional_scopes=["string"],
),
),
saml=gcp.iam.WorkforcePoolProviderSamlArgs(
idp_metadata_xml="string",
))
const workforcePoolProviderResource = new gcp.iam.WorkforcePoolProvider("workforcePoolProviderResource", {
location: "string",
providerId: "string",
workforcePoolId: "string",
attributeCondition: "string",
attributeMapping: {
string: "string",
},
description: "string",
disabled: false,
displayName: "string",
extraAttributesOauth2Client: {
attributesType: "string",
clientId: "string",
clientSecret: {
value: {
plainText: "string",
thumbprint: "string",
},
},
issuerUri: "string",
queryParameters: {
filter: "string",
},
},
oidc: {
clientId: "string",
issuerUri: "string",
clientSecret: {
value: {
plainText: "string",
thumbprint: "string",
},
},
jwksJson: "string",
webSsoConfig: {
assertionClaimsBehavior: "string",
responseType: "string",
additionalScopes: ["string"],
},
},
saml: {
idpMetadataXml: "string",
},
});
type: gcp:iam:WorkforcePoolProvider
properties:
attributeCondition: string
attributeMapping:
string: string
description: string
disabled: false
displayName: string
extraAttributesOauth2Client:
attributesType: string
clientId: string
clientSecret:
value:
plainText: string
thumbprint: string
issuerUri: string
queryParameters:
filter: string
location: string
oidc:
clientId: string
clientSecret:
value:
plainText: string
thumbprint: string
issuerUri: string
jwksJson: string
webSsoConfig:
additionalScopes:
- string
assertionClaimsBehavior: string
responseType: string
providerId: string
saml:
idpMetadataXml: string
workforcePoolId: string
WorkforcePoolProvider Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The WorkforcePoolProvider resource accepts the following input properties:
- Location string
- The location for the resource.
- Provider
Id string - The ID for the provider, which becomes the final component of the resource name.
This value must be 4-32 characters, and may contain the characters [a-z0-9-].
The prefix
gcp-
is reserved for use by Google, and may not be specified. - Workforce
Pool stringId - The ID to use for the pool, which becomes the final component of the resource name.
The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens.
It must start with a letter, and cannot have a trailing hyphen.
The prefix
gcp-
is reserved for use by Google, and may not be specified. - Attribute
Condition string - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- Attribute
Mapping Dictionary<string, string> Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.google.groups
: Groups the authenticating user belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group.google.display_name
: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set,google.subject
will be displayed instead. This attribute cannot be referenced in IAM bindings.google.profile_photo
: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes thegoogle.subject
attribute. For example, the following maps the sub claim of the incoming credential to thesubject
attribute on a Google token:
{"google.subject": "assertion.sub"}
An object containing a list of
"key": value
pairs. Example:{ "name": "wrench", "mass": "1.3kg", "count": "3" }
.- Description string
- A user-specified description of the provider. Cannot exceed 256 characters.
- Disabled bool
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- Display
Name string - A user-specified display name for the provider. Cannot exceed 32 characters.
- Extra
Attributes WorkforceOauth2Client Pool Provider Extra Attributes Oauth2Client - The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
- Oidc
Workforce
Pool Provider Oidc - Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
- Saml
Workforce
Pool Provider Saml - Represents a SAML identity provider. Structure is documented below.
- Location string
- The location for the resource.
- Provider
Id string - The ID for the provider, which becomes the final component of the resource name.
This value must be 4-32 characters, and may contain the characters [a-z0-9-].
The prefix
gcp-
is reserved for use by Google, and may not be specified. - Workforce
Pool stringId - The ID to use for the pool, which becomes the final component of the resource name.
The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens.
It must start with a letter, and cannot have a trailing hyphen.
The prefix
gcp-
is reserved for use by Google, and may not be specified. - Attribute
Condition string - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- Attribute
Mapping map[string]string Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.google.groups
: Groups the authenticating user belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group.google.display_name
: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set,google.subject
will be displayed instead. This attribute cannot be referenced in IAM bindings.google.profile_photo
: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes thegoogle.subject
attribute. For example, the following maps the sub claim of the incoming credential to thesubject
attribute on a Google token:
{"google.subject": "assertion.sub"}
An object containing a list of
"key": value
pairs. Example:{ "name": "wrench", "mass": "1.3kg", "count": "3" }
.- Description string
- A user-specified description of the provider. Cannot exceed 256 characters.
- Disabled bool
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- Display
Name string - A user-specified display name for the provider. Cannot exceed 32 characters.
- Extra
Attributes WorkforceOauth2Client Pool Provider Extra Attributes Oauth2Client Args - The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
- Oidc
Workforce
Pool Provider Oidc Args - Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
- Saml
Workforce
Pool Provider Saml Args - Represents a SAML identity provider. Structure is documented below.
- location String
- The location for the resource.
- provider
Id String - The ID for the provider, which becomes the final component of the resource name.
This value must be 4-32 characters, and may contain the characters [a-z0-9-].
The prefix
gcp-
is reserved for use by Google, and may not be specified. - workforce
Pool StringId - The ID to use for the pool, which becomes the final component of the resource name.
The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens.
It must start with a letter, and cannot have a trailing hyphen.
The prefix
gcp-
is reserved for use by Google, and may not be specified. - attribute
Condition String - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- attribute
Mapping Map<String,String> Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.google.groups
: Groups the authenticating user belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group.google.display_name
: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set,google.subject
will be displayed instead. This attribute cannot be referenced in IAM bindings.google.profile_photo
: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes thegoogle.subject
attribute. For example, the following maps the sub claim of the incoming credential to thesubject
attribute on a Google token:
{"google.subject": "assertion.sub"}
An object containing a list of
"key": value
pairs. Example:{ "name": "wrench", "mass": "1.3kg", "count": "3" }
.- description String
- A user-specified description of the provider. Cannot exceed 256 characters.
- disabled Boolean
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- display
Name String - A user-specified display name for the provider. Cannot exceed 32 characters.
- extra
Attributes WorkforceOauth2Client Pool Provider Extra Attributes Oauth2Client - The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
- oidc
Workforce
Pool Provider Oidc - Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
- saml
Workforce
Pool Provider Saml - Represents a SAML identity provider. Structure is documented below.
- location string
- The location for the resource.
- provider
Id string - The ID for the provider, which becomes the final component of the resource name.
This value must be 4-32 characters, and may contain the characters [a-z0-9-].
The prefix
gcp-
is reserved for use by Google, and may not be specified. - workforce
Pool stringId - The ID to use for the pool, which becomes the final component of the resource name.
The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens.
It must start with a letter, and cannot have a trailing hyphen.
The prefix
gcp-
is reserved for use by Google, and may not be specified. - attribute
Condition string - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- attribute
Mapping {[key: string]: string} Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.google.groups
: Groups the authenticating user belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group.google.display_name
: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set,google.subject
will be displayed instead. This attribute cannot be referenced in IAM bindings.google.profile_photo
: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes thegoogle.subject
attribute. For example, the following maps the sub claim of the incoming credential to thesubject
attribute on a Google token:
{"google.subject": "assertion.sub"}
An object containing a list of
"key": value
pairs. Example:{ "name": "wrench", "mass": "1.3kg", "count": "3" }
.- description string
- A user-specified description of the provider. Cannot exceed 256 characters.
- disabled boolean
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- display
Name string - A user-specified display name for the provider. Cannot exceed 32 characters.
- extra
Attributes WorkforceOauth2Client Pool Provider Extra Attributes Oauth2Client - The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
- oidc
Workforce
Pool Provider Oidc - Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
- saml
Workforce
Pool Provider Saml - Represents a SAML identity provider. Structure is documented below.
- location str
- The location for the resource.
- provider_
id str - The ID for the provider, which becomes the final component of the resource name.
This value must be 4-32 characters, and may contain the characters [a-z0-9-].
The prefix
gcp-
is reserved for use by Google, and may not be specified. - workforce_
pool_ strid - The ID to use for the pool, which becomes the final component of the resource name.
The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens.
It must start with a letter, and cannot have a trailing hyphen.
The prefix
gcp-
is reserved for use by Google, and may not be specified. - attribute_
condition str - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- attribute_
mapping Mapping[str, str] Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.google.groups
: Groups the authenticating user belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group.google.display_name
: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set,google.subject
will be displayed instead. This attribute cannot be referenced in IAM bindings.google.profile_photo
: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes thegoogle.subject
attribute. For example, the following maps the sub claim of the incoming credential to thesubject
attribute on a Google token:
{"google.subject": "assertion.sub"}
An object containing a list of
"key": value
pairs. Example:{ "name": "wrench", "mass": "1.3kg", "count": "3" }
.- description str
- A user-specified description of the provider. Cannot exceed 256 characters.
- disabled bool
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- display_
name str - A user-specified display name for the provider. Cannot exceed 32 characters.
- extra_
attributes_ Workforceoauth2_ client Pool Provider Extra Attributes Oauth2Client Args - The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
- oidc
Workforce
Pool Provider Oidc Args - Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
- saml
Workforce
Pool Provider Saml Args - Represents a SAML identity provider. Structure is documented below.
- location String
- The location for the resource.
- provider
Id String - The ID for the provider, which becomes the final component of the resource name.
This value must be 4-32 characters, and may contain the characters [a-z0-9-].
The prefix
gcp-
is reserved for use by Google, and may not be specified. - workforce
Pool StringId - The ID to use for the pool, which becomes the final component of the resource name.
The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens.
It must start with a letter, and cannot have a trailing hyphen.
The prefix
gcp-
is reserved for use by Google, and may not be specified. - attribute
Condition String - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- attribute
Mapping Map<String> Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.google.groups
: Groups the authenticating user belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group.google.display_name
: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set,google.subject
will be displayed instead. This attribute cannot be referenced in IAM bindings.google.profile_photo
: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes thegoogle.subject
attribute. For example, the following maps the sub claim of the incoming credential to thesubject
attribute on a Google token:
{"google.subject": "assertion.sub"}
An object containing a list of
"key": value
pairs. Example:{ "name": "wrench", "mass": "1.3kg", "count": "3" }
.- description String
- A user-specified description of the provider. Cannot exceed 256 characters.
- disabled Boolean
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- display
Name String - A user-specified display name for the provider. Cannot exceed 32 characters.
- extra
Attributes Property MapOauth2Client - The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
- oidc Property Map
- Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
- saml Property Map
- Represents a SAML identity provider. Structure is documented below.
Outputs
All input properties are implicitly available as output properties. Additionally, the WorkforcePoolProvider resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- Output only. The resource name of the provider.
Format:
locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
- State string
- The current state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- Output only. The resource name of the provider.
Format:
locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
- State string
- The current state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- Output only. The resource name of the provider.
Format:
locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
- state String
- The current state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
- id string
- The provider-assigned unique ID for this managed resource.
- name string
- Output only. The resource name of the provider.
Format:
locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
- state string
- The current state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
- id str
- The provider-assigned unique ID for this managed resource.
- name str
- Output only. The resource name of the provider.
Format:
locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
- state str
- The current state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- Output only. The resource name of the provider.
Format:
locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
- state String
- The current state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
Look up Existing WorkforcePoolProvider Resource
Get an existing WorkforcePoolProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: WorkforcePoolProviderState, opts?: CustomResourceOptions): WorkforcePoolProvider
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
attribute_condition: Optional[str] = None,
attribute_mapping: Optional[Mapping[str, str]] = None,
description: Optional[str] = None,
disabled: Optional[bool] = None,
display_name: Optional[str] = None,
extra_attributes_oauth2_client: Optional[WorkforcePoolProviderExtraAttributesOauth2ClientArgs] = None,
location: Optional[str] = None,
name: Optional[str] = None,
oidc: Optional[WorkforcePoolProviderOidcArgs] = None,
provider_id: Optional[str] = None,
saml: Optional[WorkforcePoolProviderSamlArgs] = None,
state: Optional[str] = None,
workforce_pool_id: Optional[str] = None) -> WorkforcePoolProvider
func GetWorkforcePoolProvider(ctx *Context, name string, id IDInput, state *WorkforcePoolProviderState, opts ...ResourceOption) (*WorkforcePoolProvider, error)
public static WorkforcePoolProvider Get(string name, Input<string> id, WorkforcePoolProviderState? state, CustomResourceOptions? opts = null)
public static WorkforcePoolProvider get(String name, Output<String> id, WorkforcePoolProviderState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Attribute
Condition string - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- Attribute
Mapping Dictionary<string, string> Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.google.groups
: Groups the authenticating user belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group.google.display_name
: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set,google.subject
will be displayed instead. This attribute cannot be referenced in IAM bindings.google.profile_photo
: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes thegoogle.subject
attribute. For example, the following maps the sub claim of the incoming credential to thesubject
attribute on a Google token:
{"google.subject": "assertion.sub"}
An object containing a list of
"key": value
pairs. Example:{ "name": "wrench", "mass": "1.3kg", "count": "3" }
.- Description string
- A user-specified description of the provider. Cannot exceed 256 characters.
- Disabled bool
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- Display
Name string - A user-specified display name for the provider. Cannot exceed 32 characters.
- Extra
Attributes WorkforceOauth2Client Pool Provider Extra Attributes Oauth2Client - The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
- Location string
- The location for the resource.
- Name string
- Output only. The resource name of the provider.
Format:
locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
- Oidc
Workforce
Pool Provider Oidc - Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
- Provider
Id string - The ID for the provider, which becomes the final component of the resource name.
This value must be 4-32 characters, and may contain the characters [a-z0-9-].
The prefix
gcp-
is reserved for use by Google, and may not be specified. - Saml
Workforce
Pool Provider Saml - Represents a SAML identity provider. Structure is documented below.
- State string
- The current state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
- Workforce
Pool stringId - The ID to use for the pool, which becomes the final component of the resource name.
The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens.
It must start with a letter, and cannot have a trailing hyphen.
The prefix
gcp-
is reserved for use by Google, and may not be specified.
- Attribute
Condition string - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- Attribute
Mapping map[string]string Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.google.groups
: Groups the authenticating user belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group.google.display_name
: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set,google.subject
will be displayed instead. This attribute cannot be referenced in IAM bindings.google.profile_photo
: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes thegoogle.subject
attribute. For example, the following maps the sub claim of the incoming credential to thesubject
attribute on a Google token:
{"google.subject": "assertion.sub"}
An object containing a list of
"key": value
pairs. Example:{ "name": "wrench", "mass": "1.3kg", "count": "3" }
.- Description string
- A user-specified description of the provider. Cannot exceed 256 characters.
- Disabled bool
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- Display
Name string - A user-specified display name for the provider. Cannot exceed 32 characters.
- Extra
Attributes WorkforceOauth2Client Pool Provider Extra Attributes Oauth2Client Args - The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
- Location string
- The location for the resource.
- Name string
- Output only. The resource name of the provider.
Format:
locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
- Oidc
Workforce
Pool Provider Oidc Args - Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
- Provider
Id string - The ID for the provider, which becomes the final component of the resource name.
This value must be 4-32 characters, and may contain the characters [a-z0-9-].
The prefix
gcp-
is reserved for use by Google, and may not be specified. - Saml
Workforce
Pool Provider Saml Args - Represents a SAML identity provider. Structure is documented below.
- State string
- The current state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
- Workforce
Pool stringId - The ID to use for the pool, which becomes the final component of the resource name.
The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens.
It must start with a letter, and cannot have a trailing hyphen.
The prefix
gcp-
is reserved for use by Google, and may not be specified.
- attribute
Condition String - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- attribute
Mapping Map<String,String> Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.google.groups
: Groups the authenticating user belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group.google.display_name
: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set,google.subject
will be displayed instead. This attribute cannot be referenced in IAM bindings.google.profile_photo
: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes thegoogle.subject
attribute. For example, the following maps the sub claim of the incoming credential to thesubject
attribute on a Google token:
{"google.subject": "assertion.sub"}
An object containing a list of
"key": value
pairs. Example:{ "name": "wrench", "mass": "1.3kg", "count": "3" }
.- description String
- A user-specified description of the provider. Cannot exceed 256 characters.
- disabled Boolean
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- display
Name String - A user-specified display name for the provider. Cannot exceed 32 characters.
- extra
Attributes WorkforceOauth2Client Pool Provider Extra Attributes Oauth2Client - The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
- location String
- The location for the resource.
- name String
- Output only. The resource name of the provider.
Format:
locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
- oidc
Workforce
Pool Provider Oidc - Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
- provider
Id String - The ID for the provider, which becomes the final component of the resource name.
This value must be 4-32 characters, and may contain the characters [a-z0-9-].
The prefix
gcp-
is reserved for use by Google, and may not be specified. - saml
Workforce
Pool Provider Saml - Represents a SAML identity provider. Structure is documented below.
- state String
- The current state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
- workforce
Pool StringId - The ID to use for the pool, which becomes the final component of the resource name.
The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens.
It must start with a letter, and cannot have a trailing hyphen.
The prefix
gcp-
is reserved for use by Google, and may not be specified.
- attribute
Condition string - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- attribute
Mapping {[key: string]: string} Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.google.groups
: Groups the authenticating user belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group.google.display_name
: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set,google.subject
will be displayed instead. This attribute cannot be referenced in IAM bindings.google.profile_photo
: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes thegoogle.subject
attribute. For example, the following maps the sub claim of the incoming credential to thesubject
attribute on a Google token:
{"google.subject": "assertion.sub"}
An object containing a list of
"key": value
pairs. Example:{ "name": "wrench", "mass": "1.3kg", "count": "3" }
.- description string
- A user-specified description of the provider. Cannot exceed 256 characters.
- disabled boolean
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- display
Name string - A user-specified display name for the provider. Cannot exceed 32 characters.
- extra
Attributes WorkforceOauth2Client Pool Provider Extra Attributes Oauth2Client - The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
- location string
- The location for the resource.
- name string
- Output only. The resource name of the provider.
Format:
locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
- oidc
Workforce
Pool Provider Oidc - Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
- provider
Id string - The ID for the provider, which becomes the final component of the resource name.
This value must be 4-32 characters, and may contain the characters [a-z0-9-].
The prefix
gcp-
is reserved for use by Google, and may not be specified. - saml
Workforce
Pool Provider Saml - Represents a SAML identity provider. Structure is documented below.
- state string
- The current state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
- workforce
Pool stringId - The ID to use for the pool, which becomes the final component of the resource name.
The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens.
It must start with a letter, and cannot have a trailing hyphen.
The prefix
gcp-
is reserved for use by Google, and may not be specified.
- attribute_
condition str - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- attribute_
mapping Mapping[str, str] Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.google.groups
: Groups the authenticating user belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group.google.display_name
: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set,google.subject
will be displayed instead. This attribute cannot be referenced in IAM bindings.google.profile_photo
: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes thegoogle.subject
attribute. For example, the following maps the sub claim of the incoming credential to thesubject
attribute on a Google token:
{"google.subject": "assertion.sub"}
An object containing a list of
"key": value
pairs. Example:{ "name": "wrench", "mass": "1.3kg", "count": "3" }
.- description str
- A user-specified description of the provider. Cannot exceed 256 characters.
- disabled bool
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- display_
name str - A user-specified display name for the provider. Cannot exceed 32 characters.
- extra_
attributes_ Workforceoauth2_ client Pool Provider Extra Attributes Oauth2Client Args - The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
- location str
- The location for the resource.
- name str
- Output only. The resource name of the provider.
Format:
locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
- oidc
Workforce
Pool Provider Oidc Args - Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
- provider_
id str - The ID for the provider, which becomes the final component of the resource name.
This value must be 4-32 characters, and may contain the characters [a-z0-9-].
The prefix
gcp-
is reserved for use by Google, and may not be specified. - saml
Workforce
Pool Provider Saml Args - Represents a SAML identity provider. Structure is documented below.
- state str
- The current state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
- workforce_
pool_ strid - The ID to use for the pool, which becomes the final component of the resource name.
The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens.
It must start with a letter, and cannot have a trailing hyphen.
The prefix
gcp-
is reserved for use by Google, and may not be specified.
- attribute
Condition String - A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
- attribute
Mapping Map<String> Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as
subject
andsegment
. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:google.subject
: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.google.groups
: Groups the authenticating user belongs to. You can grant groups access to resources using an IAMprincipalSet
binding; access applies to all members of the group.google.display_name
: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set,google.subject
will be displayed instead. This attribute cannot be referenced in IAM bindings.google.profile_photo
: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifyingattribute.{custom_attribute}
, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example:google.subject
:principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}
google.groups
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use theassertion
keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes thegoogle.subject
attribute. For example, the following maps the sub claim of the incoming credential to thesubject
attribute on a Google token:
{"google.subject": "assertion.sub"}
An object containing a list of
"key": value
pairs. Example:{ "name": "wrench", "mass": "1.3kg", "count": "3" }
.- description String
- A user-specified description of the provider. Cannot exceed 256 characters.
- disabled Boolean
- Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
- display
Name String - A user-specified display name for the provider. Cannot exceed 32 characters.
- extra
Attributes Property MapOauth2Client - The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with OIDC protocol. Structure is documented below.
- location String
- The location for the resource.
- name String
- Output only. The resource name of the provider.
Format:
locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}
- oidc Property Map
- Represents an OpenId Connect 1.0 identity provider. Structure is documented below.
- provider
Id String - The ID for the provider, which becomes the final component of the resource name.
This value must be 4-32 characters, and may contain the characters [a-z0-9-].
The prefix
gcp-
is reserved for use by Google, and may not be specified. - saml Property Map
- Represents a SAML identity provider. Structure is documented below.
- state String
- The current state of the provider.
- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The provider is active and may be used to validate authentication credentials.
- DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using providers.undelete.
- workforce
Pool StringId - The ID to use for the pool, which becomes the final component of the resource name.
The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens.
It must start with a letter, and cannot have a trailing hyphen.
The prefix
gcp-
is reserved for use by Google, and may not be specified.
Supporting Types
WorkforcePoolProviderExtraAttributesOauth2Client, WorkforcePoolProviderExtraAttributesOauth2ClientArgs
- Attributes
Type string - Represents the IdP and type of claims that should be fetched.
- AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided in ExtraAttributesOAuth2Client and 'mail' property of the 'microsoft.graph.group' object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on 'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'. Possible values: ["AZURE_AD_GROUPS_MAIL"]
- Client
Id string - The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
- Client
Secret WorkforcePool Provider Extra Attributes Oauth2Client Client Secret - The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
- Issuer
Uri string - The OIDC identity provider's issuer URI. Must be a valid URI using the 'https' scheme. Required to get the OIDC discovery document.
- Query
Parameters WorkforcePool Provider Extra Attributes Oauth2Client Query Parameters - Represents the parameters to control which claims are fetched from an IdP.
- Attributes
Type string - Represents the IdP and type of claims that should be fetched.
- AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided in ExtraAttributesOAuth2Client and 'mail' property of the 'microsoft.graph.group' object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on 'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'. Possible values: ["AZURE_AD_GROUPS_MAIL"]
- Client
Id string - The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
- Client
Secret WorkforcePool Provider Extra Attributes Oauth2Client Client Secret - The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
- Issuer
Uri string - The OIDC identity provider's issuer URI. Must be a valid URI using the 'https' scheme. Required to get the OIDC discovery document.
- Query
Parameters WorkforcePool Provider Extra Attributes Oauth2Client Query Parameters - Represents the parameters to control which claims are fetched from an IdP.
- attributes
Type String - Represents the IdP and type of claims that should be fetched.
- AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided in ExtraAttributesOAuth2Client and 'mail' property of the 'microsoft.graph.group' object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on 'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'. Possible values: ["AZURE_AD_GROUPS_MAIL"]
- client
Id String - The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
- client
Secret WorkforcePool Provider Extra Attributes Oauth2Client Client Secret - The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
- issuer
Uri String - The OIDC identity provider's issuer URI. Must be a valid URI using the 'https' scheme. Required to get the OIDC discovery document.
- query
Parameters WorkforcePool Provider Extra Attributes Oauth2Client Query Parameters - Represents the parameters to control which claims are fetched from an IdP.
- attributes
Type string - Represents the IdP and type of claims that should be fetched.
- AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided in ExtraAttributesOAuth2Client and 'mail' property of the 'microsoft.graph.group' object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on 'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'. Possible values: ["AZURE_AD_GROUPS_MAIL"]
- client
Id string - The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
- client
Secret WorkforcePool Provider Extra Attributes Oauth2Client Client Secret - The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
- issuer
Uri string - The OIDC identity provider's issuer URI. Must be a valid URI using the 'https' scheme. Required to get the OIDC discovery document.
- query
Parameters WorkforcePool Provider Extra Attributes Oauth2Client Query Parameters - Represents the parameters to control which claims are fetched from an IdP.
- attributes_
type str - Represents the IdP and type of claims that should be fetched.
- AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided in ExtraAttributesOAuth2Client and 'mail' property of the 'microsoft.graph.group' object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on 'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'. Possible values: ["AZURE_AD_GROUPS_MAIL"]
- client_
id str - The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
- client_
secret WorkforcePool Provider Extra Attributes Oauth2Client Client Secret - The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
- issuer_
uri str - The OIDC identity provider's issuer URI. Must be a valid URI using the 'https' scheme. Required to get the OIDC discovery document.
- query_
parameters WorkforcePool Provider Extra Attributes Oauth2Client Query Parameters - Represents the parameters to control which claims are fetched from an IdP.
- attributes
Type String - Represents the IdP and type of claims that should be fetched.
- AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided in ExtraAttributesOAuth2Client and 'mail' property of the 'microsoft.graph.group' object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on 'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'. Possible values: ["AZURE_AD_GROUPS_MAIL"]
- client
Id String - The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
- client
Secret Property Map - The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
- issuer
Uri String - The OIDC identity provider's issuer URI. Must be a valid URI using the 'https' scheme. Required to get the OIDC discovery document.
- query
Parameters Property Map - Represents the parameters to control which claims are fetched from an IdP.
WorkforcePoolProviderExtraAttributesOauth2ClientClientSecret, WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs
- Value
Workforce
Pool Provider Extra Attributes Oauth2Client Client Secret Value - The value of the client secret. Structure is documented below.
- Value
Workforce
Pool Provider Extra Attributes Oauth2Client Client Secret Value - The value of the client secret. Structure is documented below.
- value
Workforce
Pool Provider Extra Attributes Oauth2Client Client Secret Value - The value of the client secret. Structure is documented below.
- value
Workforce
Pool Provider Extra Attributes Oauth2Client Client Secret Value - The value of the client secret. Structure is documented below.
- value
Workforce
Pool Provider Extra Attributes Oauth2Client Client Secret Value - The value of the client secret. Structure is documented below.
- value Property Map
- The value of the client secret. Structure is documented below.
WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValue, WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs
- Plain
Text string - The plain text of the client secret value.
- Thumbprint string
- (Output) A thumbprint to represent the current client secret value.
- Plain
Text string - The plain text of the client secret value.
- Thumbprint string
- (Output) A thumbprint to represent the current client secret value.
- plain
Text String - The plain text of the client secret value.
- thumbprint String
- (Output) A thumbprint to represent the current client secret value.
- plain
Text string - The plain text of the client secret value.
- thumbprint string
- (Output) A thumbprint to represent the current client secret value.
- plain_
text str - The plain text of the client secret value.
- thumbprint str
- (Output) A thumbprint to represent the current client secret value.
- plain
Text String - The plain text of the client secret value.
- thumbprint String
- (Output) A thumbprint to represent the current client secret value.
WorkforcePoolProviderExtraAttributesOauth2ClientQueryParameters, WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs
- Filter string
- The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.
- Filter string
- The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.
- filter String
- The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.
- filter string
- The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.
- filter str
- The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.
- filter String
- The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.
WorkforcePoolProviderOidc, WorkforcePoolProviderOidcArgs
- Client
Id string - The client ID. Must match the audience claim of the JWT issued by the identity provider.
- Issuer
Uri string - The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
- Client
Secret WorkforcePool Provider Oidc Client Secret - The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.
- Jwks
Json string - OIDC JWKs in JSON String format. For details on definition of a
JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
use the
jwks_uri
from the discovery document fetched from the .well-known path for theissuer_uri
. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:{ "keys": [ { "kty": "RSA/EC", "alg": "<algorithm>", "use": "sig", "kid": "<key-id>", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
- Web
Sso WorkforceConfig Pool Provider Oidc Web Sso Config - Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.
- Client
Id string - The client ID. Must match the audience claim of the JWT issued by the identity provider.
- Issuer
Uri string - The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
- Client
Secret WorkforcePool Provider Oidc Client Secret - The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.
- Jwks
Json string - OIDC JWKs in JSON String format. For details on definition of a
JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
use the
jwks_uri
from the discovery document fetched from the .well-known path for theissuer_uri
. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:{ "keys": [ { "kty": "RSA/EC", "alg": "<algorithm>", "use": "sig", "kid": "<key-id>", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
- Web
Sso WorkforceConfig Pool Provider Oidc Web Sso Config - Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.
- client
Id String - The client ID. Must match the audience claim of the JWT issued by the identity provider.
- issuer
Uri String - The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
- client
Secret WorkforcePool Provider Oidc Client Secret - The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.
- jwks
Json String - OIDC JWKs in JSON String format. For details on definition of a
JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
use the
jwks_uri
from the discovery document fetched from the .well-known path for theissuer_uri
. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:{ "keys": [ { "kty": "RSA/EC", "alg": "<algorithm>", "use": "sig", "kid": "<key-id>", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
- web
Sso WorkforceConfig Pool Provider Oidc Web Sso Config - Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.
- client
Id string - The client ID. Must match the audience claim of the JWT issued by the identity provider.
- issuer
Uri string - The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
- client
Secret WorkforcePool Provider Oidc Client Secret - The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.
- jwks
Json string - OIDC JWKs in JSON String format. For details on definition of a
JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
use the
jwks_uri
from the discovery document fetched from the .well-known path for theissuer_uri
. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:{ "keys": [ { "kty": "RSA/EC", "alg": "<algorithm>", "use": "sig", "kid": "<key-id>", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
- web
Sso WorkforceConfig Pool Provider Oidc Web Sso Config - Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.
- client_
id str - The client ID. Must match the audience claim of the JWT issued by the identity provider.
- issuer_
uri str - The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
- client_
secret WorkforcePool Provider Oidc Client Secret - The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.
- jwks_
json str - OIDC JWKs in JSON String format. For details on definition of a
JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
use the
jwks_uri
from the discovery document fetched from the .well-known path for theissuer_uri
. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:{ "keys": [ { "kty": "RSA/EC", "alg": "<algorithm>", "use": "sig", "kid": "<key-id>", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
- web_
sso_ Workforceconfig Pool Provider Oidc Web Sso Config - Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.
- client
Id String - The client ID. Must match the audience claim of the JWT issued by the identity provider.
- issuer
Uri String - The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
- client
Secret Property Map - The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is documented below.
- jwks
Json String - OIDC JWKs in JSON String format. For details on definition of a
JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
use the
jwks_uri
from the discovery document fetched from the .well-known path for theissuer_uri
. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields:{ "keys": [ { "kty": "RSA/EC", "alg": "<algorithm>", "use": "sig", "kid": "<key-id>", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
- web
Sso Property MapConfig - Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is documented below.
WorkforcePoolProviderOidcClientSecret, WorkforcePoolProviderOidcClientSecretArgs
- Value
Workforce
Pool Provider Oidc Client Secret Value - The value of the client secret. Structure is documented below.
- Value
Workforce
Pool Provider Oidc Client Secret Value - The value of the client secret. Structure is documented below.
- value
Workforce
Pool Provider Oidc Client Secret Value - The value of the client secret. Structure is documented below.
- value
Workforce
Pool Provider Oidc Client Secret Value - The value of the client secret. Structure is documented below.
- value
Workforce
Pool Provider Oidc Client Secret Value - The value of the client secret. Structure is documented below.
- value Property Map
- The value of the client secret. Structure is documented below.
WorkforcePoolProviderOidcClientSecretValue, WorkforcePoolProviderOidcClientSecretValueArgs
- Plain
Text string - The plain text of the client secret value.
- Thumbprint string
- (Output) A thumbprint to represent the current client secret value.
- Plain
Text string - The plain text of the client secret value.
- Thumbprint string
- (Output) A thumbprint to represent the current client secret value.
- plain
Text String - The plain text of the client secret value.
- thumbprint String
- (Output) A thumbprint to represent the current client secret value.
- plain
Text string - The plain text of the client secret value.
- thumbprint string
- (Output) A thumbprint to represent the current client secret value.
- plain_
text str - The plain text of the client secret value.
- thumbprint str
- (Output) A thumbprint to represent the current client secret value.
- plain
Text String - The plain text of the client secret value.
- thumbprint String
- (Output) A thumbprint to represent the current client secret value.
WorkforcePoolProviderOidcWebSsoConfig, WorkforcePoolProviderOidcWebSsoConfigArgs
- Assertion
Claims stringBehavior - The behavior for how OIDC Claims are included in the
assertion
object used for attribute mapping and attribute condition.- MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
- ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims.
Possible values are:
MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS
,ONLY_ID_TOKEN_CLAIMS
.
- Response
Type string - The Response Type to request for in the OIDC Authorization Request for web sign-in.
The
CODE
Response Type is recommended to avoid the Implicit Flow, for security reasons.- CODE: The
response_type=code
selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret. - ID_TOKEN: The
response_type=id_token
selection uses the Implicit Flow for web sign-in. Possible values are:CODE
,ID_TOKEN
.
- CODE: The
- Additional
Scopes List<string> Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the
openid
,profile
andemail
scopes that are supported by the identity provider are requested. Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.The
extra_attributes_oauth2_client
block supports:
- Assertion
Claims stringBehavior - The behavior for how OIDC Claims are included in the
assertion
object used for attribute mapping and attribute condition.- MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
- ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims.
Possible values are:
MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS
,ONLY_ID_TOKEN_CLAIMS
.
- Response
Type string - The Response Type to request for in the OIDC Authorization Request for web sign-in.
The
CODE
Response Type is recommended to avoid the Implicit Flow, for security reasons.- CODE: The
response_type=code
selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret. - ID_TOKEN: The
response_type=id_token
selection uses the Implicit Flow for web sign-in. Possible values are:CODE
,ID_TOKEN
.
- CODE: The
- Additional
Scopes []string Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the
openid
,profile
andemail
scopes that are supported by the identity provider are requested. Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.The
extra_attributes_oauth2_client
block supports:
- assertion
Claims StringBehavior - The behavior for how OIDC Claims are included in the
assertion
object used for attribute mapping and attribute condition.- MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
- ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims.
Possible values are:
MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS
,ONLY_ID_TOKEN_CLAIMS
.
- response
Type String - The Response Type to request for in the OIDC Authorization Request for web sign-in.
The
CODE
Response Type is recommended to avoid the Implicit Flow, for security reasons.- CODE: The
response_type=code
selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret. - ID_TOKEN: The
response_type=id_token
selection uses the Implicit Flow for web sign-in. Possible values are:CODE
,ID_TOKEN
.
- CODE: The
- additional
Scopes List<String> Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the
openid
,profile
andemail
scopes that are supported by the identity provider are requested. Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.The
extra_attributes_oauth2_client
block supports:
- assertion
Claims stringBehavior - The behavior for how OIDC Claims are included in the
assertion
object used for attribute mapping and attribute condition.- MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
- ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims.
Possible values are:
MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS
,ONLY_ID_TOKEN_CLAIMS
.
- response
Type string - The Response Type to request for in the OIDC Authorization Request for web sign-in.
The
CODE
Response Type is recommended to avoid the Implicit Flow, for security reasons.- CODE: The
response_type=code
selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret. - ID_TOKEN: The
response_type=id_token
selection uses the Implicit Flow for web sign-in. Possible values are:CODE
,ID_TOKEN
.
- CODE: The
- additional
Scopes string[] Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the
openid
,profile
andemail
scopes that are supported by the identity provider are requested. Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.The
extra_attributes_oauth2_client
block supports:
- assertion_
claims_ strbehavior - The behavior for how OIDC Claims are included in the
assertion
object used for attribute mapping and attribute condition.- MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
- ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims.
Possible values are:
MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS
,ONLY_ID_TOKEN_CLAIMS
.
- response_
type str - The Response Type to request for in the OIDC Authorization Request for web sign-in.
The
CODE
Response Type is recommended to avoid the Implicit Flow, for security reasons.- CODE: The
response_type=code
selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret. - ID_TOKEN: The
response_type=id_token
selection uses the Implicit Flow for web sign-in. Possible values are:CODE
,ID_TOKEN
.
- CODE: The
- additional_
scopes Sequence[str] Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the
openid
,profile
andemail
scopes that are supported by the identity provider are requested. Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.The
extra_attributes_oauth2_client
block supports:
- assertion
Claims StringBehavior - The behavior for how OIDC Claims are included in the
assertion
object used for attribute mapping and attribute condition.- MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow.
- ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims.
Possible values are:
MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS
,ONLY_ID_TOKEN_CLAIMS
.
- response
Type String - The Response Type to request for in the OIDC Authorization Request for web sign-in.
The
CODE
Response Type is recommended to avoid the Implicit Flow, for security reasons.- CODE: The
response_type=code
selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret. - ID_TOKEN: The
response_type=id_token
selection uses the Implicit Flow for web sign-in. Possible values are:CODE
,ID_TOKEN
.
- CODE: The
- additional
Scopes List<String> Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the
openid
,profile
andemail
scopes that are supported by the identity provider are requested. Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.The
extra_attributes_oauth2_client
block supports:
WorkforcePoolProviderSaml, WorkforcePoolProviderSamlArgs
- Idp
Metadata stringXml - SAML Identity provider configuration metadata xml doc.
The xml document should comply with SAML 2.0 specification.
The max size of the acceptable xml document will be bounded to 128k characters.
The metadata xml document should satisfy the following constraints:
- Must contain an Identity Provider Entity ID.
- Must contain at least one non-expired signing key certificate.
- For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
- Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
- Idp
Metadata stringXml - SAML Identity provider configuration metadata xml doc.
The xml document should comply with SAML 2.0 specification.
The max size of the acceptable xml document will be bounded to 128k characters.
The metadata xml document should satisfy the following constraints:
- Must contain an Identity Provider Entity ID.
- Must contain at least one non-expired signing key certificate.
- For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
- Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
- idp
Metadata StringXml - SAML Identity provider configuration metadata xml doc.
The xml document should comply with SAML 2.0 specification.
The max size of the acceptable xml document will be bounded to 128k characters.
The metadata xml document should satisfy the following constraints:
- Must contain an Identity Provider Entity ID.
- Must contain at least one non-expired signing key certificate.
- For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
- Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
- idp
Metadata stringXml - SAML Identity provider configuration metadata xml doc.
The xml document should comply with SAML 2.0 specification.
The max size of the acceptable xml document will be bounded to 128k characters.
The metadata xml document should satisfy the following constraints:
- Must contain an Identity Provider Entity ID.
- Must contain at least one non-expired signing key certificate.
- For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
- Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
- idp_
metadata_ strxml - SAML Identity provider configuration metadata xml doc.
The xml document should comply with SAML 2.0 specification.
The max size of the acceptable xml document will be bounded to 128k characters.
The metadata xml document should satisfy the following constraints:
- Must contain an Identity Provider Entity ID.
- Must contain at least one non-expired signing key certificate.
- For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
- Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
- idp
Metadata StringXml - SAML Identity provider configuration metadata xml doc.
The xml document should comply with SAML 2.0 specification.
The max size of the acceptable xml document will be bounded to 128k characters.
The metadata xml document should satisfy the following constraints:
- Must contain an Identity Provider Entity ID.
- Must contain at least one non-expired signing key certificate.
- For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future.
- Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
Import
WorkforcePoolProvider can be imported using any of these accepted formats:
locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}
{{location}}/{{workforce_pool_id}}/{{provider_id}}
When using the pulumi import
command, WorkforcePoolProvider can be imported using one of the formats above. For example:
$ pulumi import gcp:iam/workforcePoolProvider:WorkforcePoolProvider default locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}
$ pulumi import gcp:iam/workforcePoolProvider:WorkforcePoolProvider default {{location}}/{{workforce_pool_id}}/{{provider_id}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-beta
Terraform Provider.