Package com.pulumi.gcp.iam
Class WorkloadIdentityPoolProvider
- java.lang.Object
- com.pulumi.resources.Resource
- com.pulumi.resources.CustomResource
- com.pulumi.gcp.iam.WorkloadIdentityPoolProvider
public class WorkloadIdentityPoolProvider extends com.pulumi.resources.CustomResource
A configuration for an external identity provider. To get more information about WorkloadIdentityPoolProvider, see: * [API documentation](https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.providers) * How-to Guides * [Managing workload identity providers](https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#managing_workload_identity_providers) ## Example Usage ### Iam Workload Identity Pool Provider Aws Basic ```java package generated_program; import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.gcp.iam.WorkloadIdentityPool; import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs; import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider; import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs; import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderAwsArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths; public class App { public static void main(String[] args) { Pulumi.run(App::stack); } public static void stack(Context ctx) { var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder() .workloadIdentityPoolId("example-pool") .build()); var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder() .workloadIdentityPoolId(pool.workloadIdentityPoolId()) .workloadIdentityPoolProviderId("example-prvdr") .aws(WorkloadIdentityPoolProviderAwsArgs.builder() .accountId("999999999999") .build()) .build()); } } ``` ### Iam Workload Identity Pool Provider Aws Full ```java package generated_program; import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.gcp.iam.WorkloadIdentityPool; import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs; import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider; import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs; import 
com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderAwsArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths; public class App { public static void main(String[] args) { Pulumi.run(App::stack); } public static void stack(Context ctx) { var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder() .workloadIdentityPoolId("example-pool") .build()); var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder() .workloadIdentityPoolId(pool.workloadIdentityPoolId()) .workloadIdentityPoolProviderId("example-prvdr") .displayName("Name of provider") .description("AWS identity pool provider for automated test") .disabled(true) .attributeCondition("attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"") .attributeMapping(Map.ofEntries( Map.entry("google.subject", "assertion.arn"), Map.entry("attribute.aws_account", "assertion.account"), Map.entry("attribute.environment", "assertion.arn.contains(\":instance-profile/Production\") ? 
\"prod\" : \"test\"") )) .aws(WorkloadIdentityPoolProviderAwsArgs.builder() .accountId("999999999999") .build()) .build()); } } ``` ### Iam Workload Identity Pool Provider Oidc Basic ```java package generated_program; import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.gcp.iam.WorkloadIdentityPool; import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs; import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider; import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs; import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths; public class App { public static void main(String[] args) { Pulumi.run(App::stack); } public static void stack(Context ctx) { var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder() .workloadIdentityPoolId("example-pool") .build()); var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder() .workloadIdentityPoolId(pool.workloadIdentityPoolId()) .workloadIdentityPoolProviderId("example-prvdr") .attributeMapping(Map.of("google.subject", "assertion.sub")) .oidc(WorkloadIdentityPoolProviderOidcArgs.builder() .issuerUri("https://sts.windows.net/azure-tenant-id") .build()) .build()); } } ``` ### Iam Workload Identity Pool Provider Oidc Full ```java package generated_program; import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.gcp.iam.WorkloadIdentityPool; import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs; import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider; import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs; import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import 
java.nio.file.Paths; public class App { public static void main(String[] args) { Pulumi.run(App::stack); } public static void stack(Context ctx) { var pool = new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder() .workloadIdentityPoolId("example-pool") .build()); var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder() .workloadIdentityPoolId(pool.workloadIdentityPoolId()) .workloadIdentityPoolProviderId("example-prvdr") .displayName("Name of provider") .description("OIDC identity pool provider for automated test") .disabled(true) .attributeCondition("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups") .attributeMapping(Map.ofEntries( Map.entry("google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub"), Map.entry("attribute.tid", "assertion.tid"), Map.entry("attribute.managed_identity_name", """ { "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1", "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2" }[assertion.oid] """) )) .oidc(WorkloadIdentityPoolProviderOidcArgs.builder() .allowedAudiences( "https://example.com/gcp-oidc-federation", "example.com/gcp-oidc-federation") .issuerUri("https://sts.windows.net/azure-tenant-id") .build()) .build()); } } ``` ### Iam Workload Identity Pool Provider Oidc Upload Key ```java package generated_program; import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.gcp.iam.WorkloadIdentityPool; import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs; import com.pulumi.gcp.iam.WorkloadIdentityPoolProvider; import com.pulumi.gcp.iam.WorkloadIdentityPoolProviderArgs; import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolProviderOidcArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths; public class App { public static void main(String[] args) { Pulumi.run(App::stack); } public static void stack(Context ctx) { var pool 
= new WorkloadIdentityPool("pool", WorkloadIdentityPoolArgs.builder() .workloadIdentityPoolId("example-pool") .build()); var example = new WorkloadIdentityPoolProvider("example", WorkloadIdentityPoolProviderArgs.builder() .workloadIdentityPoolId(pool.workloadIdentityPoolId()) .workloadIdentityPoolProviderId("example-prvdr") .displayName("Name of provider") .description("OIDC identity pool provider for automated test") .disabled(true) .attributeCondition("\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups") .attributeMapping(Map.ofEntries( Map.entry("google.subject", "\"azure::\" + assertion.tid + \"::\" + assertion.sub"), Map.entry("attribute.tid", "assertion.tid"), Map.entry("attribute.managed_identity_name", """ { "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1", "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2" }[assertion.oid] """) )) .oidc(WorkloadIdentityPoolProviderOidcArgs.builder() .allowedAudiences( "https://example.com/gcp-oidc-federation", "example.com/gcp-oidc-federation") .issuerUri("https://sts.windows.net/azure-tenant-id") .jwksJson("{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}") .build()) .build()); } } ``` ## Import WorkloadIdentityPoolProvider can be imported using any of these accepted formats* `projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}` * `{{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}` * `{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}` In 
Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import WorkloadIdentityPoolProvider using one of the formats above. For example:

```tf
import {
  id = "projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}"
  to = google_iam_workload_identity_pool_provider.default
}
```

When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), WorkloadIdentityPoolProvider can be imported using one of the formats above. For example:

```sh
$ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}
```

```sh
$ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
```

```sh
$ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
```
Constructor Summary
Constructor Description
WorkloadIdentityPoolProvider(java.lang.String name)
WorkloadIdentityPoolProvider(java.lang.String name, WorkloadIdentityPoolProviderArgs args)
WorkloadIdentityPoolProvider(java.lang.String name, WorkloadIdentityPoolProviderArgs args, com.pulumi.resources.CustomResourceOptions options)
Method Summary
Modifier and Type Method Description
com.pulumi.core.Output<java.util.Optional<java.lang.String>>
attributeCondition()
com.pulumi.core.Output<java.util.Optional<java.util.Map<java.lang.String,java.lang.String>>>
attributeMapping()
com.pulumi.core.Output<java.util.Optional<WorkloadIdentityPoolProviderAws>>
aws()
com.pulumi.core.Output<java.util.Optional<java.lang.String>>
description()
com.pulumi.core.Output<java.util.Optional<java.lang.Boolean>>
disabled()
com.pulumi.core.Output<java.util.Optional<java.lang.String>>
displayName()
static WorkloadIdentityPoolProvider
get(java.lang.String name, com.pulumi.core.Output<java.lang.String> id, WorkloadIdentityPoolProviderState state, com.pulumi.resources.CustomResourceOptions options)
Get an existing WorkloadIdentityPoolProvider resource's state with the given name, ID, and optional extra properties used to qualify the lookup.
com.pulumi.core.Output<java.lang.String>
name()
com.pulumi.core.Output<java.util.Optional<WorkloadIdentityPoolProviderOidc>>
oidc()
com.pulumi.core.Output<java.lang.String>
project()
com.pulumi.core.Output<java.lang.String>
state()
com.pulumi.core.Output<java.lang.String>
workloadIdentityPoolId()
com.pulumi.core.Output<java.lang.String>
workloadIdentityPoolProviderId()
Constructor Detail
WorkloadIdentityPoolProvider
public WorkloadIdentityPoolProvider(java.lang.String name)
- Parameters:
name
- The _unique_ name of the resulting resource.
WorkloadIdentityPoolProvider
public WorkloadIdentityPoolProvider(java.lang.String name, WorkloadIdentityPoolProviderArgs args)
- Parameters:
name
- The _unique_ name of the resulting resource.
args
- The arguments to use to populate this resource's properties.
WorkloadIdentityPoolProvider
public WorkloadIdentityPoolProvider(java.lang.String name, WorkloadIdentityPoolProviderArgs args, @Nullable com.pulumi.resources.CustomResourceOptions options)
- Parameters:
name
- The _unique_ name of the resulting resource.
args
- The arguments to use to populate this resource's properties.
options
- A bag of options that control this resource's behavior.
Method Detail
attributeCondition
public com.pulumi.core.Output<java.util.Optional<java.lang.String>> attributeCondition()
- Returns:
- A [Common Expression Language](https://opensource.google/projects/cel) expression, in plain text, that restricts which otherwise valid authentication credentials issued by the provider are rejected. The expression must evaluate to a boolean indicating whether to allow the federation. The following keywords may be referenced in the expression:
attributeMapping
public com.pulumi.core.Output<java.util.Optional<java.util.Map<java.lang.String,java.lang.String>>> attributeMapping()
- Returns:
- Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as `subject` and `segment`. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported: * `google.subject`: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters. * `google.groups`: Groups the external identity belongs to. You can grant groups access to resources using an IAM `principalSet` binding; access applies to all members of the group. You can also provide custom attributes by specifying `attribute.{custom_attribute}`, where `{custom_attribute}` is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example: * `google.subject`: `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}` * `google.groups`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}` * `attribute.{custom_attribute}`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}` Each value must be a [Common Expression Language](https://opensource.google/projects/cel) function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the `assertion` keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. 
When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply: - If no attribute mapping is defined, the following default mapping applies: ```java package generated_program; import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths; public class App { public static void main(String[] args) { Pulumi.run(App::stack); } public static void stack(Context ctx) { } } ``` - If any custom attribute mappings are defined, they must include a mapping to the `google.subject` attribute. For OIDC providers, the following rules apply: - Custom attribute mappings must be defined, and must include a mapping to the `google.subject` attribute. For example, the following maps the `sub` claim of the incoming credential to the `subject` attribute on a Google token. ```java package generated_program; import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths; public class App { public static void main(String[] args) { Pulumi.run(App::stack); } public static void stack(Context ctx) { } } ```
aws
public com.pulumi.core.Output<java.util.Optional<WorkloadIdentityPoolProviderAws>> aws()
- Returns:
- An Amazon Web Services identity provider. Not compatible with the property `oidc`. The structure is documented on WorkloadIdentityPoolProviderAws.
description
public com.pulumi.core.Output<java.util.Optional<java.lang.String>> description()
- Returns:
- A description for the provider. Cannot exceed 256 characters.
disabled
public com.pulumi.core.Output<java.util.Optional<java.lang.Boolean>> disabled()
- Returns:
- Whether the provider is disabled. A disabled provider cannot be used to exchange tokens; however, disabling it does not revoke tokens that were already exchanged, and those continue to grant access.
displayName
public com.pulumi.core.Output<java.util.Optional<java.lang.String>> displayName()
- Returns:
- A display name for the provider. Cannot exceed 32 characters.
name
public com.pulumi.core.Output<java.lang.String> name()
- Returns:
- The resource name of the provider as `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}`.
oidc
public com.pulumi.core.Output<java.util.Optional<WorkloadIdentityPoolProviderOidc>> oidc()
- Returns:
- An OpenID Connect 1.0 identity provider. Not compatible with the property `aws`. The structure is documented on WorkloadIdentityPoolProviderOidc.
project
public com.pulumi.core.Output<java.lang.String> project()
- Returns:
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
state
public com.pulumi.core.Output<java.lang.String> state()
- Returns:
- The state of the provider. * STATE_UNSPECIFIED: State unspecified. * ACTIVE: The provider is active, and may be used to validate authentication credentials. * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.
workloadIdentityPoolId
public com.pulumi.core.Output<java.lang.String> workloadIdentityPoolId()
- Returns:
- The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified.
workloadIdentityPoolProviderId
public com.pulumi.core.Output<java.lang.String> workloadIdentityPoolProviderId()
- Returns:
- The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified.
get
public static WorkloadIdentityPoolProvider get(java.lang.String name, com.pulumi.core.Output<java.lang.String> id, @Nullable WorkloadIdentityPoolProviderState state, @Nullable com.pulumi.resources.CustomResourceOptions options)
Get an existing WorkloadIdentityPoolProvider resource's state with the given name, ID, and optional extra properties used to qualify the lookup.
- Parameters:
name
- The _unique_ name of the resulting resource.
id
- The _unique_ provider ID of the resource to look up.
state
- Optional extra properties used to qualify the lookup; may be null.
options
- Optional settings to control the behavior of the CustomResource.