gcp.iam.WorkloadIdentityPool
Represents a collection of external workload identities. You can define IAM policies to grant these identities access to Google Cloud resources. Because such policies can be bound at the pool level, a pool is an access-control boundary: every identity admitted through the pool's providers falls under those bindings, so keep unrelated environments or tenants in separate pools rather than sharing one.
To get more information about WorkloadIdentityPool, see:
- API documentation
- How-to Guides
Example Usage
Iam Workload Identity Pool Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// Minimal pool: only the required ID is set. With no `mode` given, the pool
// operates as FEDERATION_ONLY (external identities federated in via providers).
const poolId = "example-pool";
const example = new gcp.iam.WorkloadIdentityPool("example", { workloadIdentityPoolId: poolId });
import pulumi
import pulumi_gcp as gcp
# Minimal pool: only the required ID is set. With no ``mode`` given, the pool
# operates as FEDERATION_ONLY (external identities federated in via providers).
pool_id = "example-pool"
example = gcp.iam.WorkloadIdentityPool("example", workload_identity_pool_id=pool_id)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Minimal pool: only the required ID is set. With no Mode given, the pool
		// operates as FEDERATION_ONLY (external identities federated in via providers).
		args := &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
		}
		_, err := iam.NewWorkloadIdentityPool(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    // Minimal pool: only the required ID is set. With no Mode given, the pool
    // operates as FEDERATION_ONLY (external identities federated in via providers).
    var poolArgs = new Gcp.Iam.WorkloadIdentityPoolArgs
    {
        WorkloadIdentityPoolId = "example-pool",
    };
    var example = new Gcp.Iam.WorkloadIdentityPool("example", poolArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a minimal pool: only the required ID is set. With no mode given,
     * the pool operates as FEDERATION_ONLY (external identities federated in via providers).
     */
    public static void stack(Context ctx) {
        var poolArgs = WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .build();
        var example = new WorkloadIdentityPool("example", poolArgs);
    }
}
resources:
  # Minimal pool: only the required ID is set. With no `mode` given, the pool
  # operates as FEDERATION_ONLY (external identities federated in via providers).
  example:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
Iam Workload Identity Pool Full Federation Only Mode
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// Pool pinned to FEDERATION_ONLY mode. `mode` is immutable after creation, so
// changing it later means replacing the pool. A disabled pool cannot exchange
// tokens; re-enabling it restores any previously issued tokens rather than
// revoking them, so `disabled` is a suspension, not a revocation.
const poolArgs: gcp.iam.WorkloadIdentityPoolArgs = {
    workloadIdentityPoolId: "example-pool",
    displayName: "Name of the pool",
    description: "Identity pool operates in FEDERATION_ONLY mode",
    mode: "FEDERATION_ONLY",
    disabled: true,
};
const example = new gcp.iam.WorkloadIdentityPool("example", poolArgs);
import pulumi
import pulumi_gcp as gcp
# Pool pinned to FEDERATION_ONLY mode. ``mode`` is immutable after creation, so
# changing it later means replacing the pool. A disabled pool cannot exchange
# tokens; re-enabling it restores any previously issued tokens rather than
# revoking them, so ``disabled`` is a suspension, not a revocation.
pool_args = gcp.iam.WorkloadIdentityPoolArgs(
    workload_identity_pool_id="example-pool",
    display_name="Name of the pool",
    description="Identity pool operates in FEDERATION_ONLY mode",
    mode="FEDERATION_ONLY",
    disabled=True,
)
example = gcp.iam.WorkloadIdentityPool("example", pool_args)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Pool pinned to FEDERATION_ONLY mode. Mode is immutable after creation,
		// so changing it later means replacing the pool. A disabled pool cannot
		// exchange tokens; re-enabling it restores any previously issued tokens
		// rather than revoking them, so Disabled is a suspension, not a revocation.
		args := &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
			DisplayName:            pulumi.String("Name of the pool"),
			Description:            pulumi.String("Identity pool operates in FEDERATION_ONLY mode"),
			Mode:                   pulumi.String("FEDERATION_ONLY"),
			Disabled:               pulumi.Bool(true),
		}
		_, err := iam.NewWorkloadIdentityPool(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    // Pool pinned to FEDERATION_ONLY mode. Mode is immutable after creation,
    // so changing it later means replacing the pool. A disabled pool cannot
    // exchange tokens; re-enabling it restores any previously issued tokens
    // rather than revoking them, so Disabled is a suspension, not a revocation.
    var poolArgs = new Gcp.Iam.WorkloadIdentityPoolArgs
    {
        WorkloadIdentityPoolId = "example-pool",
        DisplayName = "Name of the pool",
        Description = "Identity pool operates in FEDERATION_ONLY mode",
        Mode = "FEDERATION_ONLY",
        Disabled = true,
    };
    var example = new Gcp.Iam.WorkloadIdentityPool("example", poolArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a pool pinned to FEDERATION_ONLY mode. The mode is immutable after
     * creation, so changing it later means replacing the pool. A disabled pool
     * cannot exchange tokens; re-enabling it restores any previously issued tokens
     * rather than revoking them, so {@code disabled} is a suspension, not a revocation.
     */
    public static void stack(Context ctx) {
        var poolArgs = WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .displayName("Name of the pool")
            .description("Identity pool operates in FEDERATION_ONLY mode")
            .mode("FEDERATION_ONLY")
            .disabled(true)
            .build();
        var example = new WorkloadIdentityPool("example", poolArgs);
    }
}
resources:
  example:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
      displayName: Name of the pool
      description: Identity pool operates in FEDERATION_ONLY mode
      # A disabled pool cannot exchange tokens; re-enabling it restores any
      # previously issued tokens rather than revoking them (suspension, not revocation).
      disabled: true
      # Immutable after creation: changing the mode requires a new pool.
      mode: FEDERATION_ONLY
Iam Workload Identity Pool Full Trust Domain Mode
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as std from "@pulumi/std";
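// Wraps one PEM file as a trust anchor. Every anchor configured on the pool
// becomes a root of trust: any certificate chaining to it is accepted as an
// identity in the bundle's trust domain, so the PEM files must be CAs you
// control or have verified, and anchors for retired CAs should be removed.
function trustAnchor(pemPath: string) {
    return { pemCertificate: std.file({ input: pemPath }).then(invoke => invoke.result) };
}

// Extends the pool's trust to `trustDomain`, rooted at the given PEM anchors.
function trustBundle(trustDomain: string, pemPaths: string[]) {
    return { trustDomain, trustAnchors: pemPaths.map(trustAnchor) };
}

// Pool in TRUST_DOMAIN mode: it assigns identities to Google Cloud workloads
// (subjects of the form ns/<namespace>/sa/<workload_identifier>) and cannot host
// providers. `mode` is immutable after creation; changing it requires a new pool.
const example = new gcp.iam.WorkloadIdentityPool("example", {
    workloadIdentityPoolId: "example-pool",
    displayName: "Name of the pool",
    description: "Identity pool operates in TRUST_DOMAIN mode",
    // A disabled pool cannot exchange tokens; re-enabling it restores any
    // previously issued tokens rather than revoking them.
    disabled: true,
    mode: "TRUST_DOMAIN",
    // mTLS workload certificates are issued from these per-region CA pools.
    inlineCertificateIssuanceConfig: {
        caPools: {
            "us-central1": "projects/project-bar/locations/us-central1/caPools/ca-pool-bar",
            "asia-east2": "projects/project-foo/locations/asia-east2/caPools/ca-pool-foo",
        },
        lifetime: "86400s", // certificate validity: 24 hours
        // NOTE(review): presumably renewal starts this far into the lifetime -- confirm against the API reference.
        rotationWindowPercentage: 50,
        keyAlgorithm: "ECDSA_P256",
    },
    inlineTrustConfig: {
        additionalTrustBundles: [
            trustBundle("example.com", ["test-fixtures/trust_anchor_1.pem", "test-fixtures/trust_anchor_2.pem"]),
            trustBundle("example.net", ["test-fixtures/trust_anchor_3.pem", "test-fixtures/trust_anchor_4.pem"]),
        ],
    },
});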
import pulumi
import pulumi_gcp as gcp
import pulumi_std as std
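def _trust_anchor(pem_path: str) -> dict:
    """Wrap one PEM file as a trust anchor.

    Every anchor configured on the pool becomes a root of trust: any
    certificate chaining to it is accepted as an identity in the bundle's
    trust domain, so only pass CAs you control or have verified, and drop
    anchors for retired CAs.
    """
    return {"pem_certificate": std.file(input=pem_path).result}


def _trust_bundle(trust_domain: str, pem_paths: list[str]) -> dict:
    """Extend the pool's trust to ``trust_domain``, rooted at ``pem_paths``."""
    return {
        "trust_domain": trust_domain,
        "trust_anchors": [_trust_anchor(p) for p in pem_paths],
    }


# Pool in TRUST_DOMAIN mode: it assigns identities to Google Cloud workloads
# (subjects of the form ns/<namespace>/sa/<workload_identifier>) and cannot host
# providers. ``mode`` is immutable after creation; changing it requires a new pool.
example = gcp.iam.WorkloadIdentityPool(
    "example",
    workload_identity_pool_id="example-pool",
    display_name="Name of the pool",
    description="Identity pool operates in TRUST_DOMAIN mode",
    # A disabled pool cannot exchange tokens; re-enabling it restores any
    # previously issued tokens rather than revoking them.
    disabled=True,
    mode="TRUST_DOMAIN",
    # mTLS workload certificates are issued from these per-region CA pools.
    inline_certificate_issuance_config={
        "ca_pools": {
            "us-central1": "projects/project-bar/locations/us-central1/caPools/ca-pool-bar",
            "asia-east2": "projects/project-foo/locations/asia-east2/caPools/ca-pool-foo",
        },
        "lifetime": "86400s",  # certificate validity: 24 hours
        # NOTE(review): presumably renewal starts this far into the lifetime -- confirm against the API reference.
        "rotation_window_percentage": 50,
        "key_algorithm": "ECDSA_P256",
    },
    inline_trust_config={
        "additional_trust_bundles": [
            _trust_bundle("example.com", ["test-fixtures/trust_anchor_1.pem", "test-fixtures/trust_anchor_2.pem"]),
            _trust_bundle("example.net", ["test-fixtures/trust_anchor_3.pem", "test-fixtures/trust_anchor_4.pem"]),
        ],
    },
)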
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
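// loadTrustAnchors reads each PEM file and wraps it as a trust anchor, in order.
// Every anchor configured on the pool becomes a root of trust: any certificate
// chaining to it is accepted as an identity in the bundle's trust domain, so only
// pass CAs you control or have verified, and drop anchors for retired CAs.
// The first read error aborts the whole load.
func loadTrustAnchors(ctx *pulumi.Context, pemPaths []string) (iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArray, error) {
	anchors := make(iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArray, 0, len(pemPaths))
	for _, pemPath := range pemPaths {
		pem, err := std.File(ctx, &std.FileArgs{Input: pemPath}, nil)
		if err != nil {
			return nil, err
		}
		anchors = append(anchors, &iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs{
			PemCertificate: pulumi.String(pem.Result),
		})
	}
	return anchors, nil
}

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// All anchor files are read before the pool is declared, so a missing
		// fixture fails the program before any resource is created.
		comAnchors, err := loadTrustAnchors(ctx, []string{
			"test-fixtures/trust_anchor_1.pem",
			"test-fixtures/trust_anchor_2.pem",
		})
		if err != nil {
			return err
		}
		netAnchors, err := loadTrustAnchors(ctx, []string{
			"test-fixtures/trust_anchor_3.pem",
			"test-fixtures/trust_anchor_4.pem",
		})
		if err != nil {
			return err
		}
		// Pool in TRUST_DOMAIN mode: it assigns identities to Google Cloud workloads
		// (subjects of the form ns/<namespace>/sa/<workload_identifier>) and cannot
		// host providers. Mode is immutable after creation; changing it requires a
		// new pool.
		_, err = iam.NewWorkloadIdentityPool(ctx, "example", &iam.WorkloadIdentityPoolArgs{
			WorkloadIdentityPoolId: pulumi.String("example-pool"),
			DisplayName:            pulumi.String("Name of the pool"),
			Description:            pulumi.String("Identity pool operates in TRUST_DOMAIN mode"),
			// A disabled pool cannot exchange tokens; re-enabling it restores any
			// previously issued tokens rather than revoking them.
			Disabled: pulumi.Bool(true),
			Mode:     pulumi.String("TRUST_DOMAIN"),
			// mTLS workload certificates are issued from these per-region CA pools.
			InlineCertificateIssuanceConfig: &iam.WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs{
				CaPools: pulumi.StringMap{
					"us-central1": pulumi.String("projects/project-bar/locations/us-central1/caPools/ca-pool-bar"),
					"asia-east2":  pulumi.String("projects/project-foo/locations/asia-east2/caPools/ca-pool-foo"),
				},
				Lifetime: pulumi.String("86400s"), // certificate validity: 24 hours
				// NOTE(review): presumably renewal starts this far into the lifetime -- confirm against the API reference.
				RotationWindowPercentage: pulumi.Int(50),
				KeyAlgorithm:             pulumi.String("ECDSA_P256"),
			},
			InlineTrustConfig: &iam.WorkloadIdentityPoolInlineTrustConfigArgs{
				AdditionalTrustBundles: iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArray{
					&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs{
						TrustDomain:  pulumi.String("example.com"),
						TrustAnchors: comAnchors,
					},
					&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs{
						TrustDomain:  pulumi.String("example.net"),
						TrustAnchors: netAnchors,
					},
				},
			},
		})
		return err
	})
}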
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Std = Pulumi.Std;
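return await Deployment.RunAsync(() =>
{
    // Wraps one PEM file as a trust anchor. Every anchor configured on the pool
    // becomes a root of trust: any certificate chaining to it is accepted as an
    // identity in the bundle's trust domain, so only pass CAs you control or have
    // verified, and drop anchors for retired CAs.
    static Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs TrustAnchor(string pemPath) => new()
    {
        PemCertificate = Std.File.Invoke(new() { Input = pemPath }).Apply(invoke => invoke.Result),
    };

    // Extends the pool's trust to `trustDomain`, rooted at the given PEM anchors.
    static Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs TrustBundle(string trustDomain, params string[] pemPaths) => new()
    {
        TrustDomain = trustDomain,
        TrustAnchors = pemPaths.Select(TrustAnchor).ToArray(),
    };

    // Pool in TRUST_DOMAIN mode: it assigns identities to Google Cloud workloads
    // (subjects of the form ns/<namespace>/sa/<workload_identifier>) and cannot
    // host providers. Mode is immutable after creation; changing it requires a
    // new pool.
    var example = new Gcp.Iam.WorkloadIdentityPool("example", new()
    {
        WorkloadIdentityPoolId = "example-pool",
        DisplayName = "Name of the pool",
        Description = "Identity pool operates in TRUST_DOMAIN mode",
        // A disabled pool cannot exchange tokens; re-enabling it restores any
        // previously issued tokens rather than revoking them.
        Disabled = true,
        Mode = "TRUST_DOMAIN",
        // mTLS workload certificates are issued from these per-region CA pools.
        InlineCertificateIssuanceConfig = new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs
        {
            CaPools =
            {
                { "us-central1", "projects/project-bar/locations/us-central1/caPools/ca-pool-bar" },
                { "asia-east2", "projects/project-foo/locations/asia-east2/caPools/ca-pool-foo" },
            },
            Lifetime = "86400s", // certificate validity: 24 hours
            // NOTE(review): presumably renewal starts this far into the lifetime -- confirm against the API reference.
            RotationWindowPercentage = 50,
            KeyAlgorithm = "ECDSA_P256",
        },
        InlineTrustConfig = new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigArgs
        {
            AdditionalTrustBundles = new[]
            {
                TrustBundle("example.com", "test-fixtures/trust_anchor_1.pem", "test-fixtures/trust_anchor_2.pem"),
                TrustBundle("example.net", "test-fixtures/trust_anchor_3.pem", "test-fixtures/trust_anchor_4.pem"),
            },
        },
    });
});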
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.WorkloadIdentityPool;
import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs;
import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolInlineTrustConfigArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
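public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Wraps one PEM file as a trust anchor. Every anchor configured on the pool
     * becomes a root of trust: any certificate chaining to it is accepted as an
     * identity in the bundle's trust domain, so only pass CAs you control or have
     * verified, and drop anchors for retired CAs.
     */
    private static WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs trustAnchor(String pemPath) {
        return WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs.builder()
            .pemCertificate(StdFunctions.file(FileArgs.builder().input(pemPath).build()).result())
            .build();
    }

    /** Extends the pool's trust to {@code trustDomain}, rooted at the given PEM anchors. */
    private static WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs trustBundle(String trustDomain, String... pemPaths) {
        List<WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs> anchors = new ArrayList<>();
        for (String pemPath : pemPaths) {
            anchors.add(trustAnchor(pemPath));
        }
        return WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs.builder()
            .trustDomain(trustDomain)
            .trustAnchors(anchors)
            .build();
    }

    /**
     * Declares a pool in TRUST_DOMAIN mode: it assigns identities to Google Cloud
     * workloads (subjects of the form ns/&lt;namespace&gt;/sa/&lt;workload_identifier&gt;)
     * and cannot host providers. The mode is immutable after creation; changing it
     * requires a new pool.
     */
    public static void stack(Context ctx) {
        var example = new WorkloadIdentityPool("example", WorkloadIdentityPoolArgs.builder()
            .workloadIdentityPoolId("example-pool")
            .displayName("Name of the pool")
            .description("Identity pool operates in TRUST_DOMAIN mode")
            // A disabled pool cannot exchange tokens; re-enabling it restores any
            // previously issued tokens rather than revoking them.
            .disabled(true)
            .mode("TRUST_DOMAIN")
            // mTLS workload certificates are issued from these per-region CA pools.
            .inlineCertificateIssuanceConfig(WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs.builder()
                .caPools(Map.ofEntries(
                    Map.entry("us-central1", "projects/project-bar/locations/us-central1/caPools/ca-pool-bar"),
                    Map.entry("asia-east2", "projects/project-foo/locations/asia-east2/caPools/ca-pool-foo")
                ))
                .lifetime("86400s") // certificate validity: 24 hours
                // NOTE(review): presumably renewal starts this far into the lifetime -- confirm against the API reference.
                .rotationWindowPercentage(50)
                .keyAlgorithm("ECDSA_P256")
                .build())
            .inlineTrustConfig(WorkloadIdentityPoolInlineTrustConfigArgs.builder()
                .additionalTrustBundles(
                    trustBundle("example.com", "test-fixtures/trust_anchor_1.pem", "test-fixtures/trust_anchor_2.pem"),
                    trustBundle("example.net", "test-fixtures/trust_anchor_3.pem", "test-fixtures/trust_anchor_4.pem"))
                .build())
            .build());
    }
}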
resources:
  # Pool in TRUST_DOMAIN mode: it assigns identities to Google Cloud workloads
  # (subjects of the form ns/<namespace>/sa/<workload_identifier>) and cannot
  # host providers. `mode` is immutable after creation; changing it requires a new pool.
  example:
    type: gcp:iam:WorkloadIdentityPool
    properties:
      workloadIdentityPoolId: example-pool
      displayName: Name of the pool
      description: Identity pool operates in TRUST_DOMAIN mode
      # A disabled pool cannot exchange tokens; re-enabling it restores any
      # previously issued tokens rather than revoking them.
      disabled: true
      mode: TRUST_DOMAIN
      # mTLS workload certificates are issued from these per-region CA pools.
      inlineCertificateIssuanceConfig:
        caPools:
          us-central1: projects/project-bar/locations/us-central1/caPools/ca-pool-bar
          asia-east2: projects/project-foo/locations/asia-east2/caPools/ca-pool-foo
        lifetime: 86400s # certificate validity: 24 hours
        # NOTE(review): presumably renewal starts this far into the lifetime -- confirm against the API reference.
        rotationWindowPercentage: 50
        keyAlgorithm: ECDSA_P256
      # Every trust anchor below becomes a root of trust for the pool: any
      # certificate chaining to it is accepted as an identity in that trustDomain,
      # so list only CAs you control or have verified, and remove retired ones.
      inlineTrustConfig:
        additionalTrustBundles:
          - trustDomain: example.com
            trustAnchors:
              - pemCertificate:
                  fn::invoke:
                    function: std:file
                    arguments:
                      input: test-fixtures/trust_anchor_1.pem
                    return: result
              - pemCertificate:
                  fn::invoke:
                    function: std:file
                    arguments:
                      input: test-fixtures/trust_anchor_2.pem
                    return: result
          - trustDomain: example.net
            trustAnchors:
              - pemCertificate:
                  fn::invoke:
                    function: std:file
                    arguments:
                      input: test-fixtures/trust_anchor_3.pem
                    return: result
              - pemCertificate:
                  fn::invoke:
                    function: std:file
                    arguments:
                      input: test-fixtures/trust_anchor_4.pem
                    return: result
Create WorkloadIdentityPool Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new WorkloadIdentityPool(name: string, args: WorkloadIdentityPoolArgs, opts?: CustomResourceOptions);
@overload
def WorkloadIdentityPool(resource_name: str,
args: WorkloadIdentityPoolArgs,
opts: Optional[ResourceOptions] = None)
@overload
def WorkloadIdentityPool(resource_name: str,
opts: Optional[ResourceOptions] = None,
workload_identity_pool_id: Optional[str] = None,
description: Optional[str] = None,
disabled: Optional[bool] = None,
display_name: Optional[str] = None,
inline_certificate_issuance_config: Optional[WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs] = None,
inline_trust_config: Optional[WorkloadIdentityPoolInlineTrustConfigArgs] = None,
mode: Optional[str] = None,
project: Optional[str] = None)
func NewWorkloadIdentityPool(ctx *Context, name string, args WorkloadIdentityPoolArgs, opts ...ResourceOption) (*WorkloadIdentityPool, error)
public WorkloadIdentityPool(string name, WorkloadIdentityPoolArgs args, CustomResourceOptions? opts = null)
public WorkloadIdentityPool(String name, WorkloadIdentityPoolArgs args)
public WorkloadIdentityPool(String name, WorkloadIdentityPoolArgs args, CustomResourceOptions options)
type: gcp:iam:WorkloadIdentityPool
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args WorkloadIdentityPoolArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args WorkloadIdentityPoolArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args WorkloadIdentityPoolArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args WorkloadIdentityPoolArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args WorkloadIdentityPoolArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference shape of every input; the values are placeholders, not defaults.
var workloadIdentityPoolResource = new Gcp.Iam.WorkloadIdentityPool("workloadIdentityPoolResource", new()
{
    // Required. 4-32 characters from [a-z0-9-]; the "gcp-" prefix is reserved by Google.
    WorkloadIdentityPoolId = "string",
    Description = "string",
    // A disabled pool cannot exchange tokens; re-enabling it restores previously
    // issued tokens rather than revoking them (suspension, not revocation).
    Disabled = false,
    DisplayName = "string",
    // CA pools, certificate lifetime and rotation for mTLS workload certificates.
    InlineCertificateIssuanceConfig = new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs
    {
        CaPools =
        {
            { "string", "string" },
        },
        KeyAlgorithm = "string",
        Lifetime = "string",
        RotationWindowPercentage = 0,
    },
    // Each trust anchor is a root of trust: certificates chaining to it are accepted
    // as identities in TrustDomain, so list only CAs you control or have verified.
    InlineTrustConfig = new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigArgs
    {
        AdditionalTrustBundles = new[]
        {
            new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs
            {
                TrustAnchors = new[]
                {
                    new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs
                    {
                        PemCertificate = "string",
                    },
                },
                TrustDomain = "string",
            },
        },
    },
    // FEDERATION_ONLY (default when unset) or TRUST_DOMAIN; immutable after creation.
    Mode = "string",
    // Defaults to the provider project when unset.
    Project = "string",
});
// Reference shape of every input; the values are placeholders, not defaults.
example, err := iam.NewWorkloadIdentityPool(ctx, "workloadIdentityPoolResource", &iam.WorkloadIdentityPoolArgs{
	// Required. 4-32 characters from [a-z0-9-]; the "gcp-" prefix is reserved by Google.
	WorkloadIdentityPoolId: pulumi.String("string"),
	Description:            pulumi.String("string"),
	// A disabled pool cannot exchange tokens; re-enabling it restores previously
	// issued tokens rather than revoking them (suspension, not revocation).
	Disabled:    pulumi.Bool(false),
	DisplayName: pulumi.String("string"),
	// CA pools, certificate lifetime and rotation for mTLS workload certificates.
	InlineCertificateIssuanceConfig: &iam.WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs{
		CaPools: pulumi.StringMap{
			"string": pulumi.String("string"),
		},
		KeyAlgorithm:             pulumi.String("string"),
		Lifetime:                 pulumi.String("string"),
		RotationWindowPercentage: pulumi.Int(0),
	},
	// Each trust anchor is a root of trust: certificates chaining to it are accepted
	// as identities in TrustDomain, so list only CAs you control or have verified.
	InlineTrustConfig: &iam.WorkloadIdentityPoolInlineTrustConfigArgs{
		AdditionalTrustBundles: iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArray{
			&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs{
				TrustAnchors: iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArray{
					&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs{
						PemCertificate: pulumi.String("string"),
					},
				},
				TrustDomain: pulumi.String("string"),
			},
		},
	},
	// FEDERATION_ONLY (default when unset) or TRUST_DOMAIN; immutable after creation.
	Mode: pulumi.String("string"),
	// Defaults to the provider project when unset.
	Project: pulumi.String("string"),
})
// Reference shape of every input; the values are placeholders, not defaults.
var workloadIdentityPoolResource = new WorkloadIdentityPool("workloadIdentityPoolResource", WorkloadIdentityPoolArgs.builder()
    // Required. 4-32 characters from [a-z0-9-]; the "gcp-" prefix is reserved by Google.
    .workloadIdentityPoolId("string")
    .description("string")
    // A disabled pool cannot exchange tokens; re-enabling it restores previously
    // issued tokens rather than revoking them (suspension, not revocation).
    .disabled(false)
    .displayName("string")
    // CA pools, certificate lifetime and rotation for mTLS workload certificates.
    .inlineCertificateIssuanceConfig(WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs.builder()
        .caPools(Map.of("string", "string"))
        .keyAlgorithm("string")
        .lifetime("string")
        .rotationWindowPercentage(0)
        .build())
    // Each trust anchor is a root of trust: certificates chaining to it are accepted
    // as identities in trustDomain, so list only CAs you control or have verified.
    .inlineTrustConfig(WorkloadIdentityPoolInlineTrustConfigArgs.builder()
        .additionalTrustBundles(WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs.builder()
            .trustAnchors(WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs.builder()
                .pemCertificate("string")
                .build())
            .trustDomain("string")
            .build())
        .build())
    // FEDERATION_ONLY (default when unset) or TRUST_DOMAIN; immutable after creation.
    .mode("string")
    // Defaults to the provider project when unset.
    .project("string")
    .build());
# Reference shape of every input; the values are placeholders, not defaults.
workload_identity_pool_resource = gcp.iam.WorkloadIdentityPool("workloadIdentityPoolResource",
    # Required. 4-32 characters from [a-z0-9-]; the "gcp-" prefix is reserved by Google.
    workload_identity_pool_id="string",
    description="string",
    # A disabled pool cannot exchange tokens; re-enabling it restores previously
    # issued tokens rather than revoking them (suspension, not revocation).
    disabled=False,
    display_name="string",
    # CA pools, certificate lifetime and rotation for mTLS workload certificates.
    inline_certificate_issuance_config={
        "ca_pools": {
            "string": "string",
        },
        "key_algorithm": "string",
        "lifetime": "string",
        "rotation_window_percentage": 0,
    },
    # Each trust anchor is a root of trust: certificates chaining to it are accepted
    # as identities in trust_domain, so list only CAs you control or have verified.
    inline_trust_config={
        "additional_trust_bundles": [{
            "trust_anchors": [{
                "pem_certificate": "string",
            }],
            "trust_domain": "string",
        }],
    },
    # FEDERATION_ONLY (default when unset) or TRUST_DOMAIN; immutable after creation.
    mode="string",
    # Defaults to the provider project when unset.
    project="string")
// Reference shape of every input; the values are placeholders, not defaults.
const workloadIdentityPoolResource = new gcp.iam.WorkloadIdentityPool("workloadIdentityPoolResource", {
    // Required. 4-32 characters from [a-z0-9-]; the "gcp-" prefix is reserved by Google.
    workloadIdentityPoolId: "string",
    description: "string",
    // A disabled pool cannot exchange tokens; re-enabling it restores previously
    // issued tokens rather than revoking them (suspension, not revocation).
    disabled: false,
    displayName: "string",
    // CA pools, certificate lifetime and rotation for mTLS workload certificates.
    inlineCertificateIssuanceConfig: {
        caPools: {
            string: "string",
        },
        keyAlgorithm: "string",
        lifetime: "string",
        rotationWindowPercentage: 0,
    },
    // Each trust anchor is a root of trust: certificates chaining to it are accepted
    // as identities in trustDomain, so list only CAs you control or have verified.
    inlineTrustConfig: {
        additionalTrustBundles: [{
            trustAnchors: [{
                pemCertificate: "string",
            }],
            trustDomain: "string",
        }],
    },
    // FEDERATION_ONLY (default when unset) or TRUST_DOMAIN; immutable after creation.
    mode: "string",
    // Defaults to the provider project when unset.
    project: "string",
});
# Reference shape of every input; the values are placeholders, not defaults.
type: gcp:iam:WorkloadIdentityPool
properties:
  description: string
  # A disabled pool cannot exchange tokens; re-enabling it restores previously
  # issued tokens rather than revoking them (suspension, not revocation).
  disabled: false
  displayName: string
  # CA pools, certificate lifetime and rotation for mTLS workload certificates.
  inlineCertificateIssuanceConfig:
    caPools:
      string: string
    keyAlgorithm: string
    lifetime: string
    rotationWindowPercentage: 0
  # Each trust anchor is a root of trust: certificates chaining to it are accepted
  # as identities in trustDomain, so list only CAs you control or have verified.
  inlineTrustConfig:
    additionalTrustBundles:
      - trustAnchors:
          - pemCertificate: string
        trustDomain: string
  # FEDERATION_ONLY (default when unset) or TRUST_DOMAIN; immutable after creation.
  mode: string
  # Defaults to the provider project when unset.
  project: string
  # Required. 4-32 characters from [a-z0-9-]; the "gcp-" prefix is reserved by Google.
  workloadIdentityPoolId: string
WorkloadIdentityPool Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The WorkloadIdentityPool resource accepts the following input properties:
- WorkloadIdentityPoolId string
- The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters `[a-z0-9-]`. The prefix `gcp-` is reserved for use by Google, and may not be specified.
- Description string
- A description of the pool. Cannot exceed 256 characters.
- Disabled bool
- Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again: disabling suspends access but does not revoke or invalidate tokens that were already issued, so treat it as a pause rather than a revocation.
- Display
Name string - A display name for the pool. Cannot exceed 32 characters.
- InlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfig
- Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
- InlineTrustConfig WorkloadIdentityPoolInlineTrustConfig
- Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Every trust anchor added here is therefore a root of trust for this pool: any certificate chaining to it is accepted as an identity in the named trust domain, so add only CAs you control or have verified, and remove anchors when the corresponding CA is retired. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
- Mode string
- The mode the pool operates in. Pools with an unspecified mode operate as if they were in `FEDERATION_ONLY` mode. **Note:** this field cannot be changed after the Workload Identity Pool is created. While `pulumi preview` may show an update if you change this field's value, `pulumi up` will fail with an API error (such as `Error 400: Attempted to update an immutable field.`). To use a different `mode`, create a new Workload Identity Pool resource. `FEDERATION_ONLY`: the pool can only be used to federate external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a `FEDERATION_ONLY` pool, and no resources other than providers may be created within it — so which external subjects are admitted is governed by the pool's providers and by the IAM policies that grant access, not by the pool itself. `TRUST_DOMAIN`: the pool can be used to assign identities to Google Cloud workloads. All identities within a `TRUST_DOMAIN` pool consist of a single namespace and an individual workload identifier, and every subject identifier must have the form `ns/<namespace>/sa/<workload_identifier>`. `gcp.iam.WorkloadIdentityPoolProvider`s cannot be created within `TRUST_DOMAIN` pools. Possible values are `FEDERATION_ONLY`, `TRUST_DOMAIN`.
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- WorkloadIdentityPoolId string
- The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters `[a-z0-9-]`. The prefix `gcp-` is reserved for use by Google, and may not be specified.
- Description string
- A description of the pool. Cannot exceed 256 characters.
- Disabled bool
- Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again: disabling suspends access but does not revoke or invalidate tokens that were already issued, so treat it as a pause rather than a revocation.
- Display
Name string - A display name for the pool. Cannot exceed 32 characters.
- InlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs
- Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
- InlineTrustConfig WorkloadIdentityPoolInlineTrustConfigArgs
- Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Every trust anchor added here is therefore a root of trust for this pool: any certificate chaining to it is accepted as an identity in the named trust domain, so add only CAs you control or have verified, and remove anchors when the corresponding CA is retired. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
- Mode string
- The mode the pool operates in. Pools with an unspecified mode operate as if they were in `FEDERATION_ONLY` mode. **Note:** this field cannot be changed after the Workload Identity Pool is created. While `pulumi preview` may show an update if you change this field's value, `pulumi up` will fail with an API error (such as `Error 400: Attempted to update an immutable field.`). To use a different `mode`, create a new Workload Identity Pool resource. `FEDERATION_ONLY`: the pool can only be used to federate external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a `FEDERATION_ONLY` pool, and no resources other than providers may be created within it — so which external subjects are admitted is governed by the pool's providers and by the IAM policies that grant access, not by the pool itself. `TRUST_DOMAIN`: the pool can be used to assign identities to Google Cloud workloads. All identities within a `TRUST_DOMAIN` pool consist of a single namespace and an individual workload identifier, and every subject identifier must have the form `ns/<namespace>/sa/<workload_identifier>`. `gcp.iam.WorkloadIdentityPoolProvider`s cannot be created within `TRUST_DOMAIN` pools. Possible values are `FEDERATION_ONLY`, `TRUST_DOMAIN`.
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- workloadIdentityPoolId String
- The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters `[a-z0-9-]`. The prefix `gcp-` is reserved for use by Google, and may not be specified.
- description String
- A description of the pool. Cannot exceed 256 characters.
- disabled Boolean
- Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again: disabling suspends access but does not revoke or invalidate tokens that were already issued, so treat it as a pause rather than a revocation.
- display
Name String - A display name for the pool. Cannot exceed 32 characters.
- inlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfig
- Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
- inlineTrustConfig WorkloadIdentityPoolInlineTrustConfig
- Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Every trust anchor added here is therefore a root of trust for this pool: any certificate chaining to it is accepted as an identity in the named trust domain, so add only CAs you control or have verified, and remove anchors when the corresponding CA is retired. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
- mode String
- The mode the pool operates in. Pools with an unspecified mode operate as if they were in `FEDERATION_ONLY` mode. **Note:** this field cannot be changed after the Workload Identity Pool is created. While `pulumi preview` may show an update if you change this field's value, `pulumi up` will fail with an API error (such as `Error 400: Attempted to update an immutable field.`). To use a different `mode`, create a new Workload Identity Pool resource. `FEDERATION_ONLY`: the pool can only be used to federate external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a `FEDERATION_ONLY` pool, and no resources other than providers may be created within it — so which external subjects are admitted is governed by the pool's providers and by the IAM policies that grant access, not by the pool itself. `TRUST_DOMAIN`: the pool can be used to assign identities to Google Cloud workloads. All identities within a `TRUST_DOMAIN` pool consist of a single namespace and an individual workload identifier, and every subject identifier must have the form `ns/<namespace>/sa/<workload_identifier>`. `gcp.iam.WorkloadIdentityPoolProvider`s cannot be created within `TRUST_DOMAIN` pools. Possible values are `FEDERATION_ONLY`, `TRUST_DOMAIN`.
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- workloadIdentityPoolId string
- The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters `[a-z0-9-]`. The prefix `gcp-` is reserved for use by Google, and may not be specified.
- description string
- A description of the pool. Cannot exceed 256 characters.
- disabled boolean
- Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again: disabling suspends access but does not revoke or invalidate tokens that were already issued, so treat it as a pause rather than a revocation.
- display
Name string - A display name for the pool. Cannot exceed 32 characters.
- inlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfig
- Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
- inlineTrustConfig WorkloadIdentityPoolInlineTrustConfig
- Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Every trust anchor added here is therefore a root of trust for this pool: any certificate chaining to it is accepted as an identity in the named trust domain, so add only CAs you control or have verified, and remove anchors when the corresponding CA is retired. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
- mode string
- The mode the pool is operating in. Pools with an unspecified mode operate as if they are in `FEDERATION_ONLY` mode. Note: this field cannot be changed after the Workload Identity Pool is created. While `pulumi preview` may show an update if you change this field's value, `pulumi up` will fail with an API error (such as `Error 400: Attempted to update an immutable field.`). To use a different `mode`, create a new Workload Identity Pool resource (keeping in mind that the ID of a soft-deleted pool cannot be reused until it is permanently deleted). `FEDERATION_ONLY`: pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a `FEDERATION_ONLY` mode pool, and you may not create any resources within the pool besides providers; any restriction on which external identities are accepted therefore has to come from the provider configuration, not from the pool itself. `TRUST_DOMAIN`: pools can be used to assign identities to Google Cloud workloads. All identities within a `TRUST_DOMAIN` mode pool must consist of a single namespace and individual workload identifier; the subject identifier for all identities must conform to the format `ns/<namespace>/sa/<workload_identifier>`. `gcp.iam.WorkloadIdentityPoolProvider`s cannot be created within `TRUST_DOMAIN` mode pools. Possible values are: `FEDERATION_ONLY`, `TRUST_DOMAIN`.
- project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- workload_identity_pool_id str
- The ID to use for the pool, which becomes the final component of the resource name. This value must be 4-32 characters and may contain only the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google and may not be specified. Choose the ID deliberately: it becomes part of the pool's resource name (see the `name` output), which is what IAM policies granting access to identities in this pool refer to, and the ID of a soft-deleted pool cannot be reused until that pool is permanently deleted.
- description str
- A description of the pool. Cannot exceed 256 characters.
- disabled bool
- Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again. Note that disabling a pool suspends access but does not revoke or invalidate tokens that were already issued: they resume working as soon as the pool is re-enabled, so treat this as a pause switch rather than a credential revocation.
- display_
name str - A display name for the pool. Cannot exceed 32 characters.
- inline_
certificate_ Workloadissuance_ config Identity Pool Inline Certificate Issuance Config Args - Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
- inline_
trust_ Workloadconfig Identity Pool Inline Trust Config Args - Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
- mode str
- The mode the pool is operating in. Pools with an unspecified mode operate as if they are in `FEDERATION_ONLY` mode. Note: this field cannot be changed after the Workload Identity Pool is created. While `pulumi preview` may show an update if you change this field's value, `pulumi up` will fail with an API error (such as `Error 400: Attempted to update an immutable field.`). To use a different `mode`, create a new Workload Identity Pool resource (keeping in mind that the ID of a soft-deleted pool cannot be reused until it is permanently deleted). `FEDERATION_ONLY`: pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a `FEDERATION_ONLY` mode pool, and you may not create any resources within the pool besides providers; any restriction on which external identities are accepted therefore has to come from the provider configuration, not from the pool itself. `TRUST_DOMAIN`: pools can be used to assign identities to Google Cloud workloads. All identities within a `TRUST_DOMAIN` mode pool must consist of a single namespace and individual workload identifier; the subject identifier for all identities must conform to the format `ns/<namespace>/sa/<workload_identifier>`. `gcp.iam.WorkloadIdentityPoolProvider`s cannot be created within `TRUST_DOMAIN` mode pools. Possible values are: `FEDERATION_ONLY`, `TRUST_DOMAIN`.
- project str
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- workload
Identity StringPool Id - The ID to use for the pool, which becomes the final component of the resource name. This
value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified. - description String
- A description of the pool. Cannot exceed 256 characters.
- disabled Boolean
- Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again. Note that disabling a pool suspends access but does not revoke or invalidate tokens that were already issued: they resume working as soon as the pool is re-enabled, so treat this as a pause switch rather than a credential revocation.
- display
Name String - A display name for the pool. Cannot exceed 32 characters.
- inline
Certificate Property MapIssuance Config - Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
- inline
Trust Property MapConfig - Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
- mode String
The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in
FEDERATION_ONLY
mode.Note This field cannot be changed after the Workload Identity Pool is created. While
pulumi preview
may show an update if you change this field's value,pulumi up
will fail with an API error (such asError 400: Attempted to update an immutable field.
). To specify a differentmode
, please create a new Workload Identity Pool resource.FEDERATION_ONLY
: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in aFEDERATION_ONLY
mode pool, and you may not create any resources within the pool besides providers.TRUST_DOMAIN
: Pools can be used to assign identities to Google Cloud workloads. All identities within aTRUST_DOMAIN
mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format:ns/<namespace>/sa/<workload_identifier>
.gcp.iam.WorkloadIdentityPoolProvider
s cannot be created withinTRUST_DOMAIN
mode pools. Possible values are:FEDERATION_ONLY
,TRUST_DOMAIN
.
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
Outputs
All input properties are implicitly available as output properties. Additionally, the WorkloadIdentityPool resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The resource name of the pool, in the form `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}`. Note that this name uses the numeric project number, not the project ID passed in `project`; anything that must match the pool's resource name exactly (for example an IAM binding that refers to identities in this pool) should be built from this output rather than from the project ID.
- State string
- The state of the pool. `STATE_UNSPECIFIED`: state unspecified. `ACTIVE`: the pool is active and may be used in Google Cloud policies. `DELETED`: the pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using `UndeleteWorkloadIdentityPool`. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again — so, like disabling, soft-deletion suspends access rather than revoking tokens that were already issued; until the roughly 30-day window elapses, whoever holds permission to undelete the pool can restore access for those tokens.
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The resource name of the pool as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}
. - State string
- The state of the pool.
STATE_UNSPECIFIED
: State unspecified.ACTIVE
: The pool is active, and may be used in Google Cloud policies.DELETED
: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool usingUndeleteWorkloadIdentityPool
. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- The resource name of the pool as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}
. - state String
- The state of the pool.
STATE_UNSPECIFIED
: State unspecified.ACTIVE
: The pool is active, and may be used in Google Cloud policies.DELETED
: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool usingUndeleteWorkloadIdentityPool
. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
- id string
- The provider-assigned unique ID for this managed resource.
- name string
- The resource name of the pool as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}
. - state string
- The state of the pool.
STATE_UNSPECIFIED
: State unspecified.ACTIVE
: The pool is active, and may be used in Google Cloud policies.DELETED
: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool usingUndeleteWorkloadIdentityPool
. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
- id str
- The provider-assigned unique ID for this managed resource.
- name str
- The resource name of the pool as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}
. - state str
- The state of the pool.
STATE_UNSPECIFIED
: State unspecified.ACTIVE
: The pool is active, and may be used in Google Cloud policies.DELETED
: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool usingUndeleteWorkloadIdentityPool
. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- The resource name of the pool as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}
. - state String
- The state of the pool.
STATE_UNSPECIFIED
: State unspecified.ACTIVE
: The pool is active, and may be used in Google Cloud policies.DELETED
: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool usingUndeleteWorkloadIdentityPool
. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
Look up Existing WorkloadIdentityPool Resource
Get an existing WorkloadIdentityPool resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: WorkloadIdentityPoolState, opts?: CustomResourceOptions): WorkloadIdentityPool
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
description: Optional[str] = None,
disabled: Optional[bool] = None,
display_name: Optional[str] = None,
inline_certificate_issuance_config: Optional[WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs] = None,
inline_trust_config: Optional[WorkloadIdentityPoolInlineTrustConfigArgs] = None,
mode: Optional[str] = None,
name: Optional[str] = None,
project: Optional[str] = None,
state: Optional[str] = None,
workload_identity_pool_id: Optional[str] = None) -> WorkloadIdentityPool
func GetWorkloadIdentityPool(ctx *Context, name string, id IDInput, state *WorkloadIdentityPoolState, opts ...ResourceOption) (*WorkloadIdentityPool, error)
public static WorkloadIdentityPool Get(string name, Input<string> id, WorkloadIdentityPoolState? state, CustomResourceOptions? opts = null)
public static WorkloadIdentityPool get(String name, Output<String> id, WorkloadIdentityPoolState state, CustomResourceOptions options)
resources: _: type: gcp:iam:WorkloadIdentityPool get: id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Description string
- A description of the pool. Cannot exceed 256 characters.
- Disabled bool
- Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
- Display
Name string - A display name for the pool. Cannot exceed 32 characters.
- Inline
Certificate WorkloadIssuance Config Identity Pool Inline Certificate Issuance Config - Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
- Inline
Trust WorkloadConfig Identity Pool Inline Trust Config - Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
- Mode string
The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in
FEDERATION_ONLY
mode.Note This field cannot be changed after the Workload Identity Pool is created. While
pulumi preview
may show an update if you change this field's value,pulumi up
will fail with an API error (such asError 400: Attempted to update an immutable field.
). To specify a differentmode
, please create a new Workload Identity Pool resource.FEDERATION_ONLY
: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in aFEDERATION_ONLY
mode pool, and you may not create any resources within the pool besides providers.TRUST_DOMAIN
: Pools can be used to assign identities to Google Cloud workloads. All identities within aTRUST_DOMAIN
mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format:ns/<namespace>/sa/<workload_identifier>
.gcp.iam.WorkloadIdentityPoolProvider
s cannot be created withinTRUST_DOMAIN
mode pools. Possible values are:FEDERATION_ONLY
,TRUST_DOMAIN
.
- Name string
- The resource name of the pool as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}
. - Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- State string
- The state of the pool.
STATE_UNSPECIFIED
: State unspecified.ACTIVE
: The pool is active, and may be used in Google Cloud policies.DELETED
: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool usingUndeleteWorkloadIdentityPool
. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
- Workload
Identity stringPool Id - The ID to use for the pool, which becomes the final component of the resource name. This
value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified.
- Description string
- A description of the pool. Cannot exceed 256 characters.
- Disabled bool
- Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
- Display
Name string - A display name for the pool. Cannot exceed 32 characters.
- Inline
Certificate WorkloadIssuance Config Identity Pool Inline Certificate Issuance Config Args - Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
- Inline
Trust WorkloadConfig Identity Pool Inline Trust Config Args - Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
- Mode string
The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in
FEDERATION_ONLY
mode.Note This field cannot be changed after the Workload Identity Pool is created. While
pulumi preview
may show an update if you change this field's value,pulumi up
will fail with an API error (such asError 400: Attempted to update an immutable field.
). To specify a differentmode
, please create a new Workload Identity Pool resource.FEDERATION_ONLY
: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in aFEDERATION_ONLY
mode pool, and you may not create any resources within the pool besides providers.TRUST_DOMAIN
: Pools can be used to assign identities to Google Cloud workloads. All identities within aTRUST_DOMAIN
mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format:ns/<namespace>/sa/<workload_identifier>
.gcp.iam.WorkloadIdentityPoolProvider
s cannot be created withinTRUST_DOMAIN
mode pools. Possible values are:FEDERATION_ONLY
,TRUST_DOMAIN
.
- Name string
- The resource name of the pool as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}
. - Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- State string
- The state of the pool.
STATE_UNSPECIFIED
: State unspecified.ACTIVE
: The pool is active, and may be used in Google Cloud policies.DELETED
: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool usingUndeleteWorkloadIdentityPool
. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
- Workload
Identity stringPool Id - The ID to use for the pool, which becomes the final component of the resource name. This
value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified.
- description String
- A description of the pool. Cannot exceed 256 characters.
- disabled Boolean
- Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
- display
Name String - A display name for the pool. Cannot exceed 32 characters.
- inline
Certificate WorkloadIssuance Config Identity Pool Inline Certificate Issuance Config - Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
- inline
Trust WorkloadConfig Identity Pool Inline Trust Config - Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
- mode String
The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in
FEDERATION_ONLY
mode.Note This field cannot be changed after the Workload Identity Pool is created. While
pulumi preview
may show an update if you change this field's value,pulumi up
will fail with an API error (such asError 400: Attempted to update an immutable field.
). To specify a differentmode
, please create a new Workload Identity Pool resource.FEDERATION_ONLY
: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in aFEDERATION_ONLY
mode pool, and you may not create any resources within the pool besides providers.TRUST_DOMAIN
: Pools can be used to assign identities to Google Cloud workloads. All identities within aTRUST_DOMAIN
mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format:ns/<namespace>/sa/<workload_identifier>
.gcp.iam.WorkloadIdentityPoolProvider
s cannot be created withinTRUST_DOMAIN
mode pools. Possible values are:FEDERATION_ONLY
,TRUST_DOMAIN
.
- name String
- The resource name of the pool as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}
. - project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- state String
- The state of the pool.
STATE_UNSPECIFIED
: State unspecified.ACTIVE
: The pool is active, and may be used in Google Cloud policies.DELETED
: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool usingUndeleteWorkloadIdentityPool
. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
- workload
Identity StringPool Id - The ID to use for the pool, which becomes the final component of the resource name. This
value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified.
- description string
- A description of the pool. Cannot exceed 256 characters.
- disabled boolean
- Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
- display
Name string - A display name for the pool. Cannot exceed 32 characters.
- inline
Certificate WorkloadIssuance Config Identity Pool Inline Certificate Issuance Config - Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
- inline
Trust WorkloadConfig Identity Pool Inline Trust Config - Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
- mode string
The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in
FEDERATION_ONLY
mode.Note This field cannot be changed after the Workload Identity Pool is created. While
pulumi preview
may show an update if you change this field's value,pulumi up
will fail with an API error (such asError 400: Attempted to update an immutable field.
). To specify a differentmode
, please create a new Workload Identity Pool resource.FEDERATION_ONLY
: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in aFEDERATION_ONLY
mode pool, and you may not create any resources within the pool besides providers.TRUST_DOMAIN
: Pools can be used to assign identities to Google Cloud workloads. All identities within aTRUST_DOMAIN
mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format:ns/<namespace>/sa/<workload_identifier>
.gcp.iam.WorkloadIdentityPoolProvider
s cannot be created withinTRUST_DOMAIN
mode pools. Possible values are:FEDERATION_ONLY
,TRUST_DOMAIN
.
- name string
- The resource name of the pool as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}
. - project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- state string
- The state of the pool.
STATE_UNSPECIFIED
: State unspecified.ACTIVE
: The pool is active, and may be used in Google Cloud policies.DELETED
: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool usingUndeleteWorkloadIdentityPool
. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
- workload
Identity stringPool Id - The ID to use for the pool, which becomes the final component of the resource name. This
value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
gcp-
is reserved for use by Google, and may not be specified.
- description str
- A description of the pool. Cannot exceed 256 characters.
- disabled bool
- Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
- display_
name str - A display name for the pool. Cannot exceed 32 characters.
- inline_
certificate_ Workloadissuance_ config Identity Pool Inline Certificate Issuance Config Args - Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
- inline_
trust_ Workloadconfig Identity Pool Inline Trust Config Args - Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
- mode str
The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in
FEDERATION_ONLY
mode.Note This field cannot be changed after the Workload Identity Pool is created. While
pulumi preview
may show an update if you change this field's value,pulumi up
will fail with an API error (such asError 400: Attempted to update an immutable field.
). To specify a differentmode
, please create a new Workload Identity Pool resource.FEDERATION_ONLY
: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in aFEDERATION_ONLY
mode pool, and you may not create any resources within the pool besides providers.TRUST_DOMAIN
: Pools can be used to assign identities to Google Cloud workloads. All identities within aTRUST_DOMAIN
mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format:ns/<namespace>/sa/<workload_identifier>
.gcp.iam.WorkloadIdentityPoolProvider
s cannot be created withinTRUST_DOMAIN
mode pools. Possible values are:FEDERATION_ONLY
,TRUST_DOMAIN
.
- name str
- The resource name of the pool as
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}
. - project str
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- state str
- The state of the pool.
STATE_UNSPECIFIED: State unspecified.
ACTIVE: The pool is active, and may be used in Google Cloud policies.
DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
- workload_identity_pool_id str
- The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
- description String
- A description of the pool. Cannot exceed 256 characters.
- disabled Boolean
- Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
- displayName String
- A display name for the pool. Cannot exceed 32 characters.
- inlineCertificateIssuanceConfig Property Map
- Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
- inlineTrustConfig Property Map
- Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
- mode String
- The mode the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.
Note: This field cannot be changed after the Workload Identity Pool is created. While pulumi preview may show an update if you change this field's value, pulumi up will fail with an API error (such as Error 400: Attempted to update an immutable field.). To specify a different mode, please create a new Workload Identity Pool resource.
FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools.
Possible values are: FEDERATION_ONLY, TRUST_DOMAIN.
- name String
- The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- state String
- The state of the pool.
STATE_UNSPECIFIED: State unspecified.
ACTIVE: The pool is active, and may be used in Google Cloud policies.
DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
- workloadIdentityPoolId String
- The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.
Supporting Types
WorkloadIdentityPoolInlineCertificateIssuanceConfig, WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs
- CaPools Dictionary<string, string>
- A required mapping of a cloud region to the CA pool resource located in that region used
for certificate issuance, adhering to these constraints:
- Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
- Value format: A valid CA pool resource path format like:
projects/{project}/locations/{location}/caPools/{ca_pool}
- Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
- KeyAlgorithm string
- Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.
RSA_2048: Specifies RSA with a 2048-bit modulus.
RSA_3072: Specifies RSA with a 3072-bit modulus.
RSA_4096: Specifies RSA with a 4096-bit modulus.
ECDSA_P256: Specifies ECDSA with curve P256.
ECDSA_P384: Specifies ECDSA with curve P384.
Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.
- Lifetime string
- Lifetime of the workload certificates issued by the CA pool in seconds. Must be between 86400s (24 hours) and 2592000s (30 days), ends in the suffix "s" (indicating seconds) and is preceded by the number of seconds. If unspecified, this will be defaulted to 86400s (24 hours).
- RotationWindowPercentage int
- Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between 50 and 80. If unspecified, this will be defaulted to 50.
- CaPools map[string]string
- A required mapping of a cloud region to the CA pool resource located in that region used
for certificate issuance, adhering to these constraints:
- Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
- Value format: A valid CA pool resource path format like:
projects/{project}/locations/{location}/caPools/{ca_pool}
- Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
- KeyAlgorithm string
- Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.
RSA_2048: Specifies RSA with a 2048-bit modulus.
RSA_3072: Specifies RSA with a 3072-bit modulus.
RSA_4096: Specifies RSA with a 4096-bit modulus.
ECDSA_P256: Specifies ECDSA with curve P256.
ECDSA_P384: Specifies ECDSA with curve P384.
Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.
- Lifetime string
- Lifetime of the workload certificates issued by the CA pool in seconds. Must be between 86400s (24 hours) and 2592000s (30 days), ends in the suffix "s" (indicating seconds) and is preceded by the number of seconds. If unspecified, this will be defaulted to 86400s (24 hours).
- RotationWindowPercentage int
- Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between 50 and 80. If unspecified, this will be defaulted to 50.
- caPools Map<String,String>
- A required mapping of a cloud region to the CA pool resource located in that region used
for certificate issuance, adhering to these constraints:
- Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
- Value format: A valid CA pool resource path format like:
projects/{project}/locations/{location}/caPools/{ca_pool}
- Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
- keyAlgorithm String
- Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.
RSA_2048: Specifies RSA with a 2048-bit modulus.
RSA_3072: Specifies RSA with a 3072-bit modulus.
RSA_4096: Specifies RSA with a 4096-bit modulus.
ECDSA_P256: Specifies ECDSA with curve P256.
ECDSA_P384: Specifies ECDSA with curve P384.
Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.
- lifetime String
- Lifetime of the workload certificates issued by the CA pool in seconds. Must be between 86400s (24 hours) and 2592000s (30 days), ends in the suffix "s" (indicating seconds) and is preceded by the number of seconds. If unspecified, this will be defaulted to 86400s (24 hours).
- rotationWindowPercentage Integer
- Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between 50 and 80. If unspecified, this will be defaulted to 50.
- caPools {[key: string]: string}
- A required mapping of a cloud region to the CA pool resource located in that region used
for certificate issuance, adhering to these constraints:
- Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
- Value format: A valid CA pool resource path format like:
projects/{project}/locations/{location}/caPools/{ca_pool}
- Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
- keyAlgorithm string
- Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.
RSA_2048: Specifies RSA with a 2048-bit modulus.
RSA_3072: Specifies RSA with a 3072-bit modulus.
RSA_4096: Specifies RSA with a 4096-bit modulus.
ECDSA_P256: Specifies ECDSA with curve P256.
ECDSA_P384: Specifies ECDSA with curve P384.
Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.
- lifetime string
- Lifetime of the workload certificates issued by the CA pool in seconds. Must be between 86400s (24 hours) and 2592000s (30 days), ends in the suffix "s" (indicating seconds) and is preceded by the number of seconds. If unspecified, this will be defaulted to 86400s (24 hours).
- rotationWindowPercentage number
- Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between 50 and 80. If unspecified, this will be defaulted to 50.
- ca_pools Mapping[str, str]
- A required mapping of a cloud region to the CA pool resource located in that region used
for certificate issuance, adhering to these constraints:
- Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
- Value format: A valid CA pool resource path format like:
projects/{project}/locations/{location}/caPools/{ca_pool}
- Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
- key_algorithm str
- Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.
RSA_2048: Specifies RSA with a 2048-bit modulus.
RSA_3072: Specifies RSA with a 3072-bit modulus.
RSA_4096: Specifies RSA with a 4096-bit modulus.
ECDSA_P256: Specifies ECDSA with curve P256.
ECDSA_P384: Specifies ECDSA with curve P384.
Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.
- lifetime str
- Lifetime of the workload certificates issued by the CA pool in seconds. Must be between 86400s (24 hours) and 2592000s (30 days), ends in the suffix "s" (indicating seconds) and is preceded by the number of seconds. If unspecified, this will be defaulted to 86400s (24 hours).
- rotation_window_percentage int
- Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between 50 and 80. If unspecified, this will be defaulted to 50.
- caPools Map<String>
- A required mapping of a cloud region to the CA pool resource located in that region used
for certificate issuance, adhering to these constraints:
- Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
- Value format: A valid CA pool resource path format like:
projects/{project}/locations/{location}/caPools/{ca_pool}
- Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
- keyAlgorithm String
- Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.
RSA_2048: Specifies RSA with a 2048-bit modulus.
RSA_3072: Specifies RSA with a 3072-bit modulus.
RSA_4096: Specifies RSA with a 4096-bit modulus.
ECDSA_P256: Specifies ECDSA with curve P256.
ECDSA_P384: Specifies ECDSA with curve P384.
Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.
- lifetime String
- Lifetime of the workload certificates issued by the CA pool in seconds. Must be between 86400s (24 hours) and 2592000s (30 days), ends in the suffix "s" (indicating seconds) and is preceded by the number of seconds. If unspecified, this will be defaulted to 86400s (24 hours).
- rotationWindowPercentage Number
- Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between 50 and 80. If unspecified, this will be defaulted to 50.
WorkloadIdentityPoolInlineTrustConfig, WorkloadIdentityPoolInlineTrustConfigArgs
- AdditionalTrustBundles List<WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle>
- Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this WorkloadIdentityPool's trust domain contains any trust anchors in the additional_trust_bundles map, those trust anchors will be appended to the Trust Bundle automatically derived from your InlineCertificateIssuanceConfig's ca_pools. Structure is documented below.
- AdditionalTrustBundles []WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle
- Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this WorkloadIdentityPool's trust domain contains any trust anchors in the additional_trust_bundles map, those trust anchors will be appended to the Trust Bundle automatically derived from your InlineCertificateIssuanceConfig's ca_pools. Structure is documented below.
- additionalTrustBundles List<WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle>
- Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this WorkloadIdentityPool's trust domain contains any trust anchors in the additional_trust_bundles map, those trust anchors will be appended to the Trust Bundle automatically derived from your InlineCertificateIssuanceConfig's ca_pools. Structure is documented below.
- additionalTrustBundles WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle[]
- Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this WorkloadIdentityPool's trust domain contains any trust anchors in the additional_trust_bundles map, those trust anchors will be appended to the Trust Bundle automatically derived from your InlineCertificateIssuanceConfig's ca_pools. Structure is documented below.
- additional_trust_bundles Sequence[WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle]
- Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this WorkloadIdentityPool's trust domain contains any trust anchors in the additional_trust_bundles map, those trust anchors will be appended to the Trust Bundle automatically derived from your InlineCertificateIssuanceConfig's ca_pools. Structure is documented below.
- additionalTrustBundles List<Property Map>
- Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this WorkloadIdentityPool's trust domain contains any trust anchors in the additional_trust_bundles map, those trust anchors will be appended to the Trust Bundle automatically derived from your InlineCertificateIssuanceConfig's ca_pools. Structure is documented below.
WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle, WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs
- TrustAnchors List<WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor>
- List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
- TrustDomain string
- The identifier for this object. Format specified above.
- TrustAnchors []WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor
- List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
- TrustDomain string
- The identifier for this object. Format specified above.
- trustAnchors List<WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor>
- List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
- trustDomain String
- The identifier for this object. Format specified above.
- trustAnchors WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor[]
- List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
- trustDomain string
- The identifier for this object. Format specified above.
- trust_anchors Sequence[WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor]
- List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
- trust_domain str
- The identifier for this object. Format specified above.
- trustAnchors List<Property Map>
- List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is documented below.
- trustDomain String
- The identifier for this object. Format specified above.
WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor, WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs
- PemCertificate string
- PEM certificate of the PKI used for validation. Must only contain one CA certificate (either a root or an intermediate cert).
- PemCertificate string
- PEM certificate of the PKI used for validation. Must only contain one CA certificate (either a root or an intermediate cert).
- pemCertificate String
- PEM certificate of the PKI used for validation. Must only contain one CA certificate (either a root or an intermediate cert).
- pemCertificate string
- PEM certificate of the PKI used for validation. Must only contain one CA certificate (either a root or an intermediate cert).
- pem_certificate str
- PEM certificate of the PKI used for validation. Must only contain one CA certificate (either a root or an intermediate cert).
- pemCertificate String
- PEM certificate of the PKI used for validation. Must only contain one CA certificate (either a root or an intermediate cert).
Import
WorkloadIdentityPool can be imported using any of these accepted formats:
projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}
{{project}}/{{workload_identity_pool_id}}
{{workload_identity_pool_id}}
When using the pulumi import command, WorkloadIdentityPool can be imported using one of the formats above. For example:
$ pulumi import gcp:iam/workloadIdentityPool:WorkloadIdentityPool default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}
$ pulumi import gcp:iam/workloadIdentityPool:WorkloadIdentityPool default {{project}}/{{workload_identity_pool_id}}
$ pulumi import gcp:iam/workloadIdentityPool:WorkloadIdentityPool default {{workload_identity_pool_id}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the google-beta Terraform Provider.