
gcp.iam.WorkloadIdentityPool


Google Cloud v8.33.0 published on Wednesday, Jun 4, 2025 by Pulumi

    Represents a collection of external workload identities. You can define IAM policies to grant these identities access to Google Cloud resources.

    To get more information about WorkloadIdentityPool, see:

    Example Usage

    Iam Workload Identity Pool Basic

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    // Minimal pool: only the required pool ID is set; it becomes the final
    // component of the pool's resource name.
    const poolArgs: gcp.iam.WorkloadIdentityPoolArgs = {
        workloadIdentityPoolId: "example-pool",
    };
    const example = new gcp.iam.WorkloadIdentityPool("example", poolArgs);
    
    import pulumi
    import pulumi_gcp as gcp
    
    # Minimal pool: only the required pool ID is given; it becomes the final
    # component of the pool's resource name.
    pool_kwargs = {"workload_identity_pool_id": "example-pool"}
    example = gcp.iam.WorkloadIdentityPool("example", **pool_kwargs)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	// Deploys a minimal pool; only the required pool ID is set.
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		args := &iam.WorkloadIdentityPoolArgs{
    			WorkloadIdentityPoolId: pulumi.String("example-pool"),
    		}
    		_, err := iam.NewWorkloadIdentityPool(ctx, "example", args)
    		// err is nil on success, so returning it directly covers both paths.
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() =>
    {
        // Minimal pool: only the required pool ID is set.
        var poolArgs = new Gcp.Iam.WorkloadIdentityPoolArgs
        {
            WorkloadIdentityPoolId = "example-pool",
        };
        var example = new Gcp.Iam.WorkloadIdentityPool("example", poolArgs);
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkloadIdentityPool;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Declares a minimal pool; only the required pool ID is set. */
        public static void stack(Context ctx) {
            var poolArgs = WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .build();
            var example = new WorkloadIdentityPool("example", poolArgs);
        }
    }
    
    # Minimal pool: only the required pool ID is set.
    resources:
      example:
        type: gcp:iam:WorkloadIdentityPool
        properties:
          # Becomes the final component of the pool's resource name.
          workloadIdentityPoolId: example-pool
    

    Iam Workload Identity Pool Full Federation Only Mode

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    // The pool is created disabled, so it cannot exchange tokens until it is
    // re-enabled; FEDERATION_ONLY is also how a pool with no mode behaves.
    const poolArgs: gcp.iam.WorkloadIdentityPoolArgs = {
        workloadIdentityPoolId: "example-pool",
        displayName: "Name of the pool",
        description: "Identity pool operates in FEDERATION_ONLY mode",
        disabled: true,
        mode: "FEDERATION_ONLY",
    };
    const example = new gcp.iam.WorkloadIdentityPool("example", poolArgs);
    
    import pulumi
    import pulumi_gcp as gcp
    
    # The pool is created disabled, so it cannot exchange tokens until it is
    # re-enabled; FEDERATION_ONLY is also how a pool with no mode behaves.
    pool_kwargs = dict(
        workload_identity_pool_id="example-pool",
        display_name="Name of the pool",
        description="Identity pool operates in FEDERATION_ONLY mode",
        disabled=True,
        mode="FEDERATION_ONLY",
    )
    example = gcp.iam.WorkloadIdentityPool("example", **pool_kwargs)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// The pool is created disabled, so it cannot exchange tokens until
    		// it is re-enabled; FEDERATION_ONLY is also how a pool with no
    		// mode behaves.
    		args := &iam.WorkloadIdentityPoolArgs{
    			WorkloadIdentityPoolId: pulumi.String("example-pool"),
    			DisplayName:            pulumi.String("Name of the pool"),
    			Description:            pulumi.String("Identity pool operates in FEDERATION_ONLY mode"),
    			Disabled:               pulumi.Bool(true),
    			Mode:                   pulumi.String("FEDERATION_ONLY"),
    		}
    		_, err := iam.NewWorkloadIdentityPool(ctx, "example", args)
    		// err is nil on success, so returning it directly covers both paths.
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() =>
    {
        // The pool is created disabled, so it cannot exchange tokens until it is
        // re-enabled; FEDERATION_ONLY is also how a pool with no mode behaves.
        var poolArgs = new Gcp.Iam.WorkloadIdentityPoolArgs
        {
            WorkloadIdentityPoolId = "example-pool",
            DisplayName = "Name of the pool",
            Description = "Identity pool operates in FEDERATION_ONLY mode",
            Disabled = true,
            Mode = "FEDERATION_ONLY",
        };
        var example = new Gcp.Iam.WorkloadIdentityPool("example", poolArgs);
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkloadIdentityPool;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares a pool in FEDERATION_ONLY mode. It is created disabled, so it
         * cannot exchange tokens until re-enabled; FEDERATION_ONLY is also how a
         * pool with no mode behaves.
         */
        public static void stack(Context ctx) {
            var poolArgs = WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .displayName("Name of the pool")
                .description("Identity pool operates in FEDERATION_ONLY mode")
                .disabled(true)
                .mode("FEDERATION_ONLY")
                .build();
            var example = new WorkloadIdentityPool("example", poolArgs);
        }
    }
    
    # Pool in FEDERATION_ONLY mode; created disabled.
    resources:
      example:
        type: gcp:iam:WorkloadIdentityPool
        properties:
          workloadIdentityPoolId: example-pool
          displayName: Name of the pool
          description: Identity pool operates in FEDERATION_ONLY mode
          # A disabled pool cannot exchange tokens until it is re-enabled.
          disabled: true
          # FEDERATION_ONLY is also how a pool with no mode behaves.
          mode: FEDERATION_ONLY
    

    Iam Workload Identity Pool Full Trust Domain Mode

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as std from "@pulumi/std";
    
    // TRUST_DOMAIN mode with inline mTLS certificate issuance and additional
    // trusted trust domains. The pool is created disabled.
    const example = new gcp.iam.WorkloadIdentityPool("example", {
        workloadIdentityPoolId: "example-pool",
        displayName: "Name of the pool",
        description: "Identity pool operates in TRUST_DOMAIN mode",
        // A disabled pool cannot exchange tokens until it is re-enabled.
        disabled: true,
        mode: "TRUST_DOMAIN",
        // CA pool resources that issue the workload mTLS certificates and the
        // settings for their rotation.
        inlineCertificateIssuanceConfig: {
            // Keyed by location (the keys here are GCP regions); each value is a
            // CA pool resource name.
            caPools: {
                "us-central1": "projects/project-bar/locations/us-central1/caPools/ca-pool-bar",
                "asia-east2": "projects/project-foo/locations/asia-east2/caPools/ca-pool-foo",
            },
            // Duration string; 86400s is 24 hours.
            lifetime: "86400s",
            // Presumably the fraction of the lifetime that opens the rotation window — confirm against the API docs.
            rotationWindowPercentage: 50,
            keyAlgorithm: "ECDSA_P256",
        },
        // Extends trust to other trust domains: certificates issued under their
        // anchors are accepted. The pool's own domain trusts itself without an entry.
        inlineTrustConfig: {
            additionalTrustBundles: [
                {
                    trustDomain: "example.com",
                    // Each anchor is a PEM certificate read from a local file at
                    // deploy time; these files define who this pool will trust.
                    trustAnchors: [
                        {
                            pemCertificate: std.file({
                                input: "test-fixtures/trust_anchor_1.pem",
                            }).then(invoke => invoke.result),
                        },
                        {
                            pemCertificate: std.file({
                                input: "test-fixtures/trust_anchor_2.pem",
                            }).then(invoke => invoke.result),
                        },
                    ],
                },
                {
                    trustDomain: "example.net",
                    trustAnchors: [
                        {
                            pemCertificate: std.file({
                                input: "test-fixtures/trust_anchor_3.pem",
                            }).then(invoke => invoke.result),
                        },
                        {
                            pemCertificate: std.file({
                                input: "test-fixtures/trust_anchor_4.pem",
                            }).then(invoke => invoke.result),
                        },
                    ],
                },
            ],
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumi_std as std
    
    # TRUST_DOMAIN mode with inline mTLS certificate issuance and additional
    # trusted trust domains. The pool is created disabled.
    example = gcp.iam.WorkloadIdentityPool("example",
        workload_identity_pool_id="example-pool",
        display_name="Name of the pool",
        description="Identity pool operates in TRUST_DOMAIN mode",
        # A disabled pool cannot exchange tokens until it is re-enabled.
        disabled=True,
        mode="TRUST_DOMAIN",
        # CA pool resources that issue the workload mTLS certificates and the
        # settings for their rotation.
        inline_certificate_issuance_config={
            # Keyed by location (the keys here are GCP regions); each value is a
            # CA pool resource name.
            "ca_pools": {
                "us-central1": "projects/project-bar/locations/us-central1/caPools/ca-pool-bar",
                "asia-east2": "projects/project-foo/locations/asia-east2/caPools/ca-pool-foo",
            },
            # Duration string; 86400s is 24 hours.
            "lifetime": "86400s",
            # Presumably the fraction of the lifetime that opens the rotation
            # window -- confirm against the API docs.
            "rotation_window_percentage": 50,
            "key_algorithm": "ECDSA_P256",
        },
        # Extends trust to other trust domains: certificates issued under their
        # anchors are accepted. The pool's own domain trusts itself without an entry.
        inline_trust_config={
            "additional_trust_bundles": [
                {
                    "trust_domain": "example.com",
                    # Each anchor is a PEM certificate read from a local file at
                    # deploy time; these files define who this pool will trust.
                    "trust_anchors": [
                        {
                            "pem_certificate": std.file(input="test-fixtures/trust_anchor_1.pem").result,
                        },
                        {
                            "pem_certificate": std.file(input="test-fixtures/trust_anchor_2.pem").result,
                        },
                    ],
                },
                {
                    "trust_domain": "example.net",
                    "trust_anchors": [
                        {
                            "pem_certificate": std.file(input="test-fixtures/trust_anchor_3.pem").result,
                        },
                        {
                            "pem_certificate": std.file(input="test-fixtures/trust_anchor_4.pem").result,
                        },
                    ],
                },
            ],
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // Deploys a pool in TRUST_DOMAIN mode with inline mTLS certificate issuance
    // and additional trusted trust domains. The pool is created disabled.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Each trust anchor is a PEM certificate read from a local file at
    		// deploy time; a missing file aborts the deployment here. These
    		// files define who the pool will trust.
    		invokeFile, err := std.File(ctx, &std.FileArgs{
    			Input: "test-fixtures/trust_anchor_1.pem",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		invokeFile1, err := std.File(ctx, &std.FileArgs{
    			Input: "test-fixtures/trust_anchor_2.pem",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		invokeFile2, err := std.File(ctx, &std.FileArgs{
    			Input: "test-fixtures/trust_anchor_3.pem",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		invokeFile3, err := std.File(ctx, &std.FileArgs{
    			Input: "test-fixtures/trust_anchor_4.pem",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewWorkloadIdentityPool(ctx, "example", &iam.WorkloadIdentityPoolArgs{
    			WorkloadIdentityPoolId: pulumi.String("example-pool"),
    			DisplayName:            pulumi.String("Name of the pool"),
    			Description:            pulumi.String("Identity pool operates in TRUST_DOMAIN mode"),
    			// A disabled pool cannot exchange tokens until it is re-enabled.
    			Disabled:               pulumi.Bool(true),
    			Mode:                   pulumi.String("TRUST_DOMAIN"),
    			// CA pool resources that issue the workload mTLS certificates and
    			// the settings for their rotation.
    			InlineCertificateIssuanceConfig: &iam.WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs{
    				// Keyed by location (GCP regions here); values are CA pool resource names.
    				CaPools: pulumi.StringMap{
    					"us-central1": pulumi.String("projects/project-bar/locations/us-central1/caPools/ca-pool-bar"),
    					"asia-east2":  pulumi.String("projects/project-foo/locations/asia-east2/caPools/ca-pool-foo"),
    				},
    				// Duration string; 86400s is 24 hours.
    				Lifetime:                 pulumi.String("86400s"),
    				// Presumably the fraction of the lifetime that opens the
    				// rotation window — confirm against the API docs.
    				RotationWindowPercentage: pulumi.Int(50),
    				KeyAlgorithm:             pulumi.String("ECDSA_P256"),
    			},
    			// Extends trust to other trust domains: certificates issued under
    			// their anchors are accepted. The pool's own domain trusts itself
    			// without an entry.
    			InlineTrustConfig: &iam.WorkloadIdentityPoolInlineTrustConfigArgs{
    				AdditionalTrustBundles: iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArray{
    					&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs{
    						TrustDomain: pulumi.String("example.com"),
    						TrustAnchors: iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArray{
    							&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs{
    								PemCertificate: pulumi.String(invokeFile.Result),
    							},
    							&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs{
    								PemCertificate: pulumi.String(invokeFile1.Result),
    							},
    						},
    					},
    					&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs{
    						TrustDomain: pulumi.String("example.net"),
    						TrustAnchors: iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArray{
    							&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs{
    								PemCertificate: pulumi.String(invokeFile2.Result),
    							},
    							&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs{
    								PemCertificate: pulumi.String(invokeFile3.Result),
    							},
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Std = Pulumi.Std;
    
    // Pool in TRUST_DOMAIN mode with inline mTLS certificate issuance and
    // additional trusted trust domains. The pool is created disabled.
    return await Deployment.RunAsync(() => 
    {
        var example = new Gcp.Iam.WorkloadIdentityPool("example", new()
        {
            WorkloadIdentityPoolId = "example-pool",
            DisplayName = "Name of the pool",
            Description = "Identity pool operates in TRUST_DOMAIN mode",
            // A disabled pool cannot exchange tokens until it is re-enabled.
            Disabled = true,
            Mode = "TRUST_DOMAIN",
            // CA pool resources that issue the workload mTLS certificates and the
            // settings for their rotation.
            InlineCertificateIssuanceConfig = new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs
            {
                // Keyed by location (GCP regions here); values are CA pool resource names.
                CaPools = 
                {
                    { "us-central1", "projects/project-bar/locations/us-central1/caPools/ca-pool-bar" },
                    { "asia-east2", "projects/project-foo/locations/asia-east2/caPools/ca-pool-foo" },
                },
                // Duration string; 86400s is 24 hours.
                Lifetime = "86400s",
                // Presumably the fraction of the lifetime that opens the rotation
                // window — confirm against the API docs.
                RotationWindowPercentage = 50,
                KeyAlgorithm = "ECDSA_P256",
            },
            // Extends trust to other trust domains: certificates issued under their
            // anchors are accepted. The pool's own domain trusts itself without an entry.
            InlineTrustConfig = new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigArgs
            {
                AdditionalTrustBundles = new[]
                {
                    new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs
                    {
                        TrustDomain = "example.com",
                        // Each anchor is a PEM certificate read from a local file at
                        // deploy time; these files define who this pool will trust.
                        TrustAnchors = new[]
                        {
                            new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs
                            {
                                PemCertificate = Std.File.Invoke(new()
                                {
                                    Input = "test-fixtures/trust_anchor_1.pem",
                                }).Apply(invoke => invoke.Result),
                            },
                            new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs
                            {
                                PemCertificate = Std.File.Invoke(new()
                                {
                                    Input = "test-fixtures/trust_anchor_2.pem",
                                }).Apply(invoke => invoke.Result),
                            },
                        },
                    },
                    new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs
                    {
                        TrustDomain = "example.net",
                        TrustAnchors = new[]
                        {
                            new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs
                            {
                                PemCertificate = Std.File.Invoke(new()
                                {
                                    Input = "test-fixtures/trust_anchor_3.pem",
                                }).Apply(invoke => invoke.Result),
                            },
                            new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs
                            {
                                PemCertificate = Std.File.Invoke(new()
                                {
                                    Input = "test-fixtures/trust_anchor_4.pem",
                                }).Apply(invoke => invoke.Result),
                            },
                        },
                    },
                },
            },
        });

    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.WorkloadIdentityPool;
    import com.pulumi.gcp.iam.WorkloadIdentityPoolArgs;
    import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs;
    import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs;
    import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs;
    import com.pulumi.gcp.iam.inputs.WorkloadIdentityPoolInlineTrustConfigArgs;
    import com.pulumi.std.StdFunctions;
    import com.pulumi.std.inputs.FileArgs;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.Map;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares a pool in TRUST_DOMAIN mode with inline mTLS certificate
         * issuance and additional trusted trust domains. The pool is created
         * disabled, so it cannot exchange tokens until it is re-enabled.
         */
        public static void stack(Context ctx) {
            var example = new WorkloadIdentityPool("example", WorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("example-pool")
                .displayName("Name of the pool")
                .description("Identity pool operates in TRUST_DOMAIN mode")
                .disabled(true)
                .mode("TRUST_DOMAIN")
                // CA pool resources that issue the workload mTLS certificates and
                // the settings for their rotation.
                .inlineCertificateIssuanceConfig(WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs.builder()
                    // Keyed by location (GCP regions here); values are CA pool resource names.
                    .caPools(Map.ofEntries(
                        Map.entry("us-central1", "projects/project-bar/locations/us-central1/caPools/ca-pool-bar"),
                        Map.entry("asia-east2", "projects/project-foo/locations/asia-east2/caPools/ca-pool-foo")
                    ))
                    // Duration string; 86400s is 24 hours.
                    .lifetime("86400s")
                    // Presumably the fraction of the lifetime that opens the
                    // rotation window — confirm against the API docs.
                    .rotationWindowPercentage(50)
                    .keyAlgorithm("ECDSA_P256")
                    .build())
                // Extends trust to other trust domains: certificates issued under
                // their anchors are accepted. The pool's own domain trusts itself
                // without an entry.
                .inlineTrustConfig(WorkloadIdentityPoolInlineTrustConfigArgs.builder()
                    .additionalTrustBundles(                
                        WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs.builder()
                            .trustDomain("example.com")
                            // Each anchor is a PEM certificate read from a local file
                            // at deploy time; these files define who the pool trusts.
                            .trustAnchors(                        
                                WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs.builder()
                                    .pemCertificate(StdFunctions.file(FileArgs.builder()
                                        .input("test-fixtures/trust_anchor_1.pem")
                                        .build()).result())
                                    .build(),
                                WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs.builder()
                                    .pemCertificate(StdFunctions.file(FileArgs.builder()
                                        .input("test-fixtures/trust_anchor_2.pem")
                                        .build()).result())
                                    .build())
                            .build(),
                        WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs.builder()
                            .trustDomain("example.net")
                            .trustAnchors(                        
                                WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs.builder()
                                    .pemCertificate(StdFunctions.file(FileArgs.builder()
                                        .input("test-fixtures/trust_anchor_3.pem")
                                        .build()).result())
                                    .build(),
                                WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs.builder()
                                    .pemCertificate(StdFunctions.file(FileArgs.builder()
                                        .input("test-fixtures/trust_anchor_4.pem")
                                        .build()).result())
                                    .build())
                            .build())
                    .build())
                .build());

        }
    }
    
    # Pool in TRUST_DOMAIN mode with inline mTLS certificate issuance and
    # additional trusted trust domains; created disabled.
    resources:
      example:
        type: gcp:iam:WorkloadIdentityPool
        properties:
          workloadIdentityPoolId: example-pool
          displayName: Name of the pool
          description: Identity pool operates in TRUST_DOMAIN mode
          # A disabled pool cannot exchange tokens until it is re-enabled.
          disabled: true
          mode: TRUST_DOMAIN
          # CA pool resources that issue the workload mTLS certificates and the
          # settings for their rotation.
          inlineCertificateIssuanceConfig:
            # Keyed by location (GCP regions here); values are CA pool resource names.
            caPools:
              us-central1: projects/project-bar/locations/us-central1/caPools/ca-pool-bar
              asia-east2: projects/project-foo/locations/asia-east2/caPools/ca-pool-foo
            # Duration string; 86400s is 24 hours.
            lifetime: 86400s
            # Presumably the fraction of the lifetime that opens the rotation
            # window -- confirm against the API docs.
            rotationWindowPercentage: 50
            keyAlgorithm: ECDSA_P256
          # Extends trust to other trust domains: certificates issued under their
          # anchors are accepted. The pool's own domain trusts itself without an entry.
          inlineTrustConfig:
            additionalTrustBundles:
              - trustDomain: example.com
                # Each anchor is a PEM certificate read from a local file at
                # deploy time; these files define who this pool will trust.
                trustAnchors:
                  - pemCertificate:
                      fn::invoke:
                        function: std:file
                        arguments:
                          input: test-fixtures/trust_anchor_1.pem
                        return: result
                  - pemCertificate:
                      fn::invoke:
                        function: std:file
                        arguments:
                          input: test-fixtures/trust_anchor_2.pem
                        return: result
              - trustDomain: example.net
                trustAnchors:
                  - pemCertificate:
                      fn::invoke:
                        function: std:file
                        arguments:
                          input: test-fixtures/trust_anchor_3.pem
                        return: result
                  - pemCertificate:
                      fn::invoke:
                        function: std:file
                        arguments:
                          input: test-fixtures/trust_anchor_4.pem
                        return: result
    

    Create WorkloadIdentityPool Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new WorkloadIdentityPool(name: string, args: WorkloadIdentityPoolArgs, opts?: CustomResourceOptions);
    @overload
    def WorkloadIdentityPool(resource_name: str,
                             args: WorkloadIdentityPoolArgs,
                             opts: Optional[ResourceOptions] = None)
    
    @overload
    def WorkloadIdentityPool(resource_name: str,
                             opts: Optional[ResourceOptions] = None,
                             workload_identity_pool_id: Optional[str] = None,
                             description: Optional[str] = None,
                             disabled: Optional[bool] = None,
                             display_name: Optional[str] = None,
                             inline_certificate_issuance_config: Optional[WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs] = None,
                             inline_trust_config: Optional[WorkloadIdentityPoolInlineTrustConfigArgs] = None,
                             mode: Optional[str] = None,
                             project: Optional[str] = None)
    func NewWorkloadIdentityPool(ctx *Context, name string, args WorkloadIdentityPoolArgs, opts ...ResourceOption) (*WorkloadIdentityPool, error)
    public WorkloadIdentityPool(string name, WorkloadIdentityPoolArgs args, CustomResourceOptions? opts = null)
    public WorkloadIdentityPool(String name, WorkloadIdentityPoolArgs args)
    public WorkloadIdentityPool(String name, WorkloadIdentityPoolArgs args, CustomResourceOptions options)
    
    type: gcp:iam:WorkloadIdentityPool
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args WorkloadIdentityPoolArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args WorkloadIdentityPoolArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args WorkloadIdentityPoolArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args WorkloadIdentityPoolArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args WorkloadIdentityPoolArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    // Reference shape only: every value below is a placeholder, not a valid
    // setting. It lists each input property the resource accepts.
    var workloadIdentityPoolResource = new Gcp.Iam.WorkloadIdentityPool("workloadIdentityPoolResource", new()
    {
        WorkloadIdentityPoolId = "string",
        Description = "string",
        Disabled = false,
        DisplayName = "string",
        InlineCertificateIssuanceConfig = new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs
        {
            CaPools = 
            {
                { "string", "string" },
            },
            KeyAlgorithm = "string",
            Lifetime = "string",
            RotationWindowPercentage = 0,
        },
        InlineTrustConfig = new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigArgs
        {
            AdditionalTrustBundles = new[]
            {
                new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs
                {
                    TrustAnchors = new[]
                    {
                        new Gcp.Iam.Inputs.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs
                        {
                            PemCertificate = "string",
                        },
                    },
                    TrustDomain = "string",
                },
            },
        },
        Mode = "string",
        Project = "string",
    });
    
    // Reference shape only: every value below is a placeholder, not a valid
    // setting. It lists each input property the resource accepts.
    example, err := iam.NewWorkloadIdentityPool(ctx, "workloadIdentityPoolResource", &iam.WorkloadIdentityPoolArgs{
    	WorkloadIdentityPoolId: pulumi.String("string"),
    	Description:            pulumi.String("string"),
    	Disabled:               pulumi.Bool(false),
    	DisplayName:            pulumi.String("string"),
    	InlineCertificateIssuanceConfig: &iam.WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs{
    		CaPools: pulumi.StringMap{
    			"string": pulumi.String("string"),
    		},
    		KeyAlgorithm:             pulumi.String("string"),
    		Lifetime:                 pulumi.String("string"),
    		RotationWindowPercentage: pulumi.Int(0),
    	},
    	InlineTrustConfig: &iam.WorkloadIdentityPoolInlineTrustConfigArgs{
    		AdditionalTrustBundles: iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArray{
    			&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs{
    				TrustAnchors: iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArray{
    					&iam.WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs{
    						PemCertificate: pulumi.String("string"),
    					},
    				},
    				TrustDomain: pulumi.String("string"),
    			},
    		},
    	},
    	Mode:    pulumi.String("string"),
    	Project: pulumi.String("string"),
    })
    
    // Reference shape only: every value below is a placeholder, not a valid
    // setting. It lists each input property the resource accepts.
    var workloadIdentityPoolResource = new WorkloadIdentityPool("workloadIdentityPoolResource", WorkloadIdentityPoolArgs.builder()
        .workloadIdentityPoolId("string")
        .description("string")
        .disabled(false)
        .displayName("string")
        .inlineCertificateIssuanceConfig(WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs.builder()
            .caPools(Map.of("string", "string"))
            .keyAlgorithm("string")
            .lifetime("string")
            .rotationWindowPercentage(0)
            .build())
        .inlineTrustConfig(WorkloadIdentityPoolInlineTrustConfigArgs.builder()
            .additionalTrustBundles(WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs.builder()
                .trustAnchors(WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs.builder()
                    .pemCertificate("string")
                    .build())
                .trustDomain("string")
                .build())
            .build())
        .mode("string")
        .project("string")
        .build());
    
    # Reference shape only: every value below is a placeholder, not a valid
    # setting. It lists each input property the resource accepts.
    workload_identity_pool_resource = gcp.iam.WorkloadIdentityPool("workloadIdentityPoolResource",
        workload_identity_pool_id="string",
        description="string",
        disabled=False,
        display_name="string",
        inline_certificate_issuance_config={
            "ca_pools": {
                "string": "string",
            },
            "key_algorithm": "string",
            "lifetime": "string",
            "rotation_window_percentage": 0,
        },
        inline_trust_config={
            "additional_trust_bundles": [{
                "trust_anchors": [{
                    "pem_certificate": "string",
                }],
                "trust_domain": "string",
            }],
        },
        mode="string",
        project="string")
    
    // Reference shape only: every value below is a placeholder, not a valid
    // setting. It lists each input property the resource accepts.
    const workloadIdentityPoolResource = new gcp.iam.WorkloadIdentityPool("workloadIdentityPoolResource", {
        workloadIdentityPoolId: "string",
        description: "string",
        disabled: false,
        displayName: "string",
        inlineCertificateIssuanceConfig: {
            caPools: {
                string: "string",
            },
            keyAlgorithm: "string",
            lifetime: "string",
            rotationWindowPercentage: 0,
        },
        inlineTrustConfig: {
            additionalTrustBundles: [{
                trustAnchors: [{
                    pemCertificate: "string",
                }],
                trustDomain: "string",
            }],
        },
        mode: "string",
        project: "string",
    });
    
    # Reference shape only: every value below is a placeholder, not a valid
    # setting. It lists each input property the resource accepts.
    type: gcp:iam:WorkloadIdentityPool
    properties:
        description: string
        disabled: false
        displayName: string
        inlineCertificateIssuanceConfig:
            caPools:
                string: string
            keyAlgorithm: string
            lifetime: string
            rotationWindowPercentage: 0
        inlineTrustConfig:
            additionalTrustBundles:
                - trustAnchors:
                    - pemCertificate: string
                  trustDomain: string
        mode: string
        project: string
        workloadIdentityPoolId: string
    

    WorkloadIdentityPool Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The WorkloadIdentityPool resource accepts the following input properties:

    WorkloadIdentityPoolId string
    The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    Description string
    A description of the pool. Cannot exceed 256 characters.
    Disabled bool
    Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
    DisplayName string
    A display name for the pool. Cannot exceed 32 characters.
    InlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfig
    Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
    InlineTrustConfig WorkloadIdentityPoolInlineTrustConfig
    Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
    Mode string

    The mode the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

    Note: This field cannot be changed after the Workload Identity Pool is created. While pulumi preview may show an update if you change this field's value, pulumi up will fail with an API error (such as Error 400: Attempted to update an immutable field.). To specify a different mode, please create a new Workload Identity Pool resource.

    • FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
    • TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools. Possible values are: FEDERATION_ONLY, TRUST_DOMAIN.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    WorkloadIdentityPoolId string
    The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    Description string
    A description of the pool. Cannot exceed 256 characters.
    Disabled bool
    Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
    DisplayName string
    A display name for the pool. Cannot exceed 32 characters.
    InlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs
    Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
    InlineTrustConfig WorkloadIdentityPoolInlineTrustConfigArgs
    Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
    Mode string

    The mode the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

    Note: This field cannot be changed after the Workload Identity Pool is created. While pulumi preview may show an update if you change this field's value, pulumi up will fail with an API error (such as Error 400: Attempted to update an immutable field.). To specify a different mode, please create a new Workload Identity Pool resource.

    • FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
    • TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools. Possible values are: FEDERATION_ONLY, TRUST_DOMAIN.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    workloadIdentityPoolId String
    The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    description String
    A description of the pool. Cannot exceed 256 characters.
    disabled Boolean
    Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
    displayName String
    A display name for the pool. Cannot exceed 32 characters.
    inlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfig
    Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
    inlineTrustConfig WorkloadIdentityPoolInlineTrustConfig
    Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
    mode String

    The mode the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

    Note: This field cannot be changed after the Workload Identity Pool is created. While pulumi preview may show an update if you change this field's value, pulumi up will fail with an API error (such as Error 400: Attempted to update an immutable field.). To specify a different mode, please create a new Workload Identity Pool resource.

    • FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
    • TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools. Possible values are: FEDERATION_ONLY, TRUST_DOMAIN.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    workloadIdentityPoolId string
    The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    description string
    A description of the pool. Cannot exceed 256 characters.
    disabled boolean
    Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
    displayName string
    A display name for the pool. Cannot exceed 32 characters.
    inlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfig
    Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
    inlineTrustConfig WorkloadIdentityPoolInlineTrustConfig
    Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
    mode string

    The mode the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

    Note: This field cannot be changed after the Workload Identity Pool is created. While pulumi preview may show an update if you change this field's value, pulumi up will fail with an API error (such as Error 400: Attempted to update an immutable field.). To specify a different mode, please create a new Workload Identity Pool resource.

    • FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
    • TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools. Possible values are: FEDERATION_ONLY, TRUST_DOMAIN.
    project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    workload_identity_pool_id str
    The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    description str
    A description of the pool. Cannot exceed 256 characters.
    disabled bool
    Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
    display_name str
    A display name for the pool. Cannot exceed 32 characters.
    inline_certificate_issuance_config WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs
    Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
    inline_trust_config WorkloadIdentityPoolInlineTrustConfigArgs
    Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
    mode str

    The mode the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

    Note: This field cannot be changed after the Workload Identity Pool is created. While pulumi preview may show an update if you change this field's value, pulumi up will fail with an API error (such as Error 400: Attempted to update an immutable field.). To specify a different mode, please create a new Workload Identity Pool resource.

    • FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
    • TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools. Possible values are: FEDERATION_ONLY, TRUST_DOMAIN.
    project str
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    workloadIdentityPoolId String
    The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    description String
    A description of the pool. Cannot exceed 256 characters.
    disabled Boolean
    Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
    displayName String
    A display name for the pool. Cannot exceed 32 characters.
    inlineCertificateIssuanceConfig Property Map
    Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
    inlineTrustConfig Property Map
    Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
    mode String

    The mode the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

    Note: This field cannot be changed after the Workload Identity Pool is created. While pulumi preview may show an update if you change this field's value, pulumi up will fail with an API error (such as Error 400: Attempted to update an immutable field.). To specify a different mode, please create a new Workload Identity Pool resource.

    • FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
    • TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools. Possible values are: FEDERATION_ONLY, TRUST_DOMAIN.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the WorkloadIdentityPool resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.
    State string
    The state of the pool.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The pool is active, and may be used in Google Cloud policies.
    • DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.
    State string
    The state of the pool.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The pool is active, and may be used in Google Cloud policies.
    • DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.
    state String
    The state of the pool.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The pool is active, and may be used in Google Cloud policies.
    • DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
    id string
    The provider-assigned unique ID for this managed resource.
    name string
    The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.
    state string
    The state of the pool.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The pool is active, and may be used in Google Cloud policies.
    • DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
    id str
    The provider-assigned unique ID for this managed resource.
    name str
    The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.
    state str
    The state of the pool.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The pool is active, and may be used in Google Cloud policies.
    • DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.
    state String
    The state of the pool.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The pool is active, and may be used in Google Cloud policies.
    • DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

    Look up Existing WorkloadIdentityPool Resource

    Get an existing WorkloadIdentityPool resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: WorkloadIdentityPoolState, opts?: CustomResourceOptions): WorkloadIdentityPool
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            description: Optional[str] = None,
            disabled: Optional[bool] = None,
            display_name: Optional[str] = None,
            inline_certificate_issuance_config: Optional[WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs] = None,
            inline_trust_config: Optional[WorkloadIdentityPoolInlineTrustConfigArgs] = None,
            mode: Optional[str] = None,
            name: Optional[str] = None,
            project: Optional[str] = None,
            state: Optional[str] = None,
            workload_identity_pool_id: Optional[str] = None) -> WorkloadIdentityPool
    func GetWorkloadIdentityPool(ctx *Context, name string, id IDInput, state *WorkloadIdentityPoolState, opts ...ResourceOption) (*WorkloadIdentityPool, error)
    public static WorkloadIdentityPool Get(string name, Input<string> id, WorkloadIdentityPoolState? state, CustomResourceOptions? opts = null)
    public static WorkloadIdentityPool get(String name, Output<String> id, WorkloadIdentityPoolState state, CustomResourceOptions options)
    # Look up an existing pool by its provider ID instead of creating a new one.
    resources:
      _:
        type: gcp:iam:WorkloadIdentityPool
        get:
          id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Description string
    A description of the pool. Cannot exceed 256 characters.
    Disabled bool
    Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
    DisplayName string
    A display name for the pool. Cannot exceed 32 characters.
    InlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfig
    Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
    InlineTrustConfig WorkloadIdentityPoolInlineTrustConfig
    Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
    Mode string

    The mode the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

    Note: This field cannot be changed after the Workload Identity Pool is created. While pulumi preview may show an update if you change this field's value, pulumi up will fail with an API error (such as Error 400: Attempted to update an immutable field.). To specify a different mode, please create a new Workload Identity Pool resource.

    • FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
    • TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools. Possible values are: FEDERATION_ONLY, TRUST_DOMAIN.
    Name string
    The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    State string
    The state of the pool.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The pool is active, and may be used in Google Cloud policies.
    • DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
    WorkloadIdentityPoolId string
    The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    Description string
    A description of the pool. Cannot exceed 256 characters.
    Disabled bool
    Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
    DisplayName string
    A display name for the pool. Cannot exceed 32 characters.
    InlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs
    Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
    InlineTrustConfig WorkloadIdentityPoolInlineTrustConfigArgs
    Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
    Mode string

    The mode the pool is operating in. Pools with an unspecified mode will operate as if they are in FEDERATION_ONLY mode.

    Note: This field cannot be changed after the Workload Identity Pool is created. While pulumi preview may show an update if you change this field's value, pulumi up will fail with an API error (such as Error 400: Attempted to update an immutable field.). To specify a different mode, please create a new Workload Identity Pool resource.

    • FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
    • TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools. Possible values are: FEDERATION_ONLY, TRUST_DOMAIN.
    Name string
    The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    State string
    The state of the pool.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The pool is active, and may be used in Google Cloud policies.
    • DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
    WorkloadIdentityPoolId string
    The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    description String
    A description of the pool. Cannot exceed 256 characters.
    disabled Boolean
    Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, tokens issued before it was disabled grant access again; disabling the pool therefore suspends access rather than revoking those tokens.
    displayName String
    A display name for the pool. Cannot exceed 32 characters.
    inlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfig
    Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
    inlineTrustConfig WorkloadIdentityPoolInlineTrustConfig
    Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
    mode String

    The mode the pool is operating in. Pools with an unspecified mode operate as if they are in FEDERATION_ONLY mode.

    Note: This field cannot be changed after the Workload Identity Pool is created. While pulumi preview may show an update if you change this field's value, pulumi up will fail with an API error (such as Error 400: Attempted to update an immutable field.). To specify a different mode, create a new Workload Identity Pool resource.

    • FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
    • TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools. Possible values are: FEDERATION_ONLY, TRUST_DOMAIN.
    name String
    The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    state String
    The state of the pool.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The pool is active, and may be used in Google Cloud policies.
    • DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
    workloadIdentityPoolId String
    The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    description string
    A description of the pool. Cannot exceed 256 characters.
    disabled boolean
    Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, tokens issued before it was disabled grant access again; disabling the pool therefore suspends access rather than revoking those tokens.
    displayName string
    A display name for the pool. Cannot exceed 32 characters.
    inlineCertificateIssuanceConfig WorkloadIdentityPoolInlineCertificateIssuanceConfig
    Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
    inlineTrustConfig WorkloadIdentityPoolInlineTrustConfig
    Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
    mode string

    The mode the pool is operating in. Pools with an unspecified mode operate as if they are in FEDERATION_ONLY mode.

    Note: This field cannot be changed after the Workload Identity Pool is created. While pulumi preview may show an update if you change this field's value, pulumi up will fail with an API error (such as Error 400: Attempted to update an immutable field.). To specify a different mode, create a new Workload Identity Pool resource.

    • FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
    • TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools. Possible values are: FEDERATION_ONLY, TRUST_DOMAIN.
    name string
    The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.
    project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    state string
    The state of the pool.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The pool is active, and may be used in Google Cloud policies.
    • DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
    workloadIdentityPoolId string
    The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    description str
    A description of the pool. Cannot exceed 256 characters.
    disabled bool
    Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, tokens issued before it was disabled grant access again; disabling the pool therefore suspends access rather than revoking those tokens.
    display_name str
    A display name for the pool. Cannot exceed 32 characters.
    inline_certificate_issuance_config WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs
    Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
    inline_trust_config WorkloadIdentityPoolInlineTrustConfigArgs
    Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
    mode str

    The mode the pool is operating in. Pools with an unspecified mode operate as if they are in FEDERATION_ONLY mode.

    Note: This field cannot be changed after the Workload Identity Pool is created. While pulumi preview may show an update if you change this field's value, pulumi up will fail with an API error (such as Error 400: Attempted to update an immutable field.). To specify a different mode, create a new Workload Identity Pool resource.

    • FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
    • TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools. Possible values are: FEDERATION_ONLY, TRUST_DOMAIN.
    name str
    The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.
    project str
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    state str
    The state of the pool.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The pool is active, and may be used in Google Cloud policies.
    • DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
    workload_identity_pool_id str
    The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    description String
    A description of the pool. Cannot exceed 256 characters.
    disabled Boolean
    Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, tokens issued before it was disabled grant access again; disabling the pool therefore suspends access rather than revoking those tokens.
    displayName String
    A display name for the pool. Cannot exceed 32 characters.
    inlineCertificateIssuanceConfig Property Map
    Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is documented below.
    inlineTrustConfig Property Map
    Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is documented below.
    mode String

    The mode the pool is operating in. Pools with an unspecified mode operate as if they are in FEDERATION_ONLY mode.

    Note: This field cannot be changed after the Workload Identity Pool is created. While pulumi preview may show an update if you change this field's value, pulumi up will fail with an API error (such as Error 400: Attempted to update an immutable field.). To specify a different mode, create a new Workload Identity Pool resource.

    • FEDERATION_ONLY: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a FEDERATION_ONLY mode pool, and you may not create any resources within the pool besides providers.
    • TRUST_DOMAIN: Pools can be used to assign identities to Google Cloud workloads. All identities within a TRUST_DOMAIN mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns/<namespace>/sa/<workload_identifier>. gcp.iam.WorkloadIdentityPoolProviders cannot be created within TRUST_DOMAIN mode pools. Possible values are: FEDERATION_ONLY, TRUST_DOMAIN.
    name String
    The resource name of the pool as projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    state String
    The state of the pool.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The pool is active, and may be used in Google Cloud policies.
    • DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
    workloadIdentityPoolId String
    The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.


    Supporting Types

    WorkloadIdentityPoolInlineCertificateIssuanceConfig, WorkloadIdentityPoolInlineCertificateIssuanceConfigArgs

    CaPools Dictionary<string, string>
    A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

    • Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
    • Value format: A valid CA pool resource path format like: projects/{project}/locations/{location}/caPools/{ca_pool}
    • Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
    KeyAlgorithm string
    Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.

    • RSA_2048: Specifies RSA with a 2048-bit modulus.
    • RSA_3072: Specifies RSA with a 3072-bit modulus.
    • RSA_4096: Specifies RSA with a 4096-bit modulus.
    • ECDSA_P256: Specifies ECDSA with curve P256.
    • ECDSA_P384: Specifies ECDSA with curve P384. Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.
    Lifetime string
    Lifetime of the workload certificates issued by the CA pool, in seconds. Must be between 86400s (24 hours) and 2592000s (30 days), expressed as the number of seconds followed by the suffix "s" (indicating seconds). If unspecified, this defaults to 86400s (24 hours).
    RotationWindowPercentage int
    Rotation window percentage indicating when certificate rotation should be initiated, based on the certificate's remaining lifetime. Must be between 50 and 80. If unspecified, this defaults to 50.
    CaPools map[string]string
    A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

    • Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
    • Value format: A valid CA pool resource path format like: projects/{project}/locations/{location}/caPools/{ca_pool}
    • Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
    KeyAlgorithm string
    Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.

    • RSA_2048: Specifies RSA with a 2048-bit modulus.
    • RSA_3072: Specifies RSA with a 3072-bit modulus.
    • RSA_4096: Specifies RSA with a 4096-bit modulus.
    • ECDSA_P256: Specifies ECDSA with curve P256.
    • ECDSA_P384: Specifies ECDSA with curve P384. Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.
    Lifetime string
    Lifetime of the workload certificates issued by the CA pool, in seconds. Must be between 86400s (24 hours) and 2592000s (30 days), expressed as the number of seconds followed by the suffix "s" (indicating seconds). If unspecified, this defaults to 86400s (24 hours).
    RotationWindowPercentage int
    Rotation window percentage indicating when certificate rotation should be initiated, based on the certificate's remaining lifetime. Must be between 50 and 80. If unspecified, this defaults to 50.
    caPools Map<String,String>
    A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

    • Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
    • Value format: A valid CA pool resource path format like: projects/{project}/locations/{location}/caPools/{ca_pool}
    • Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
    keyAlgorithm String
    Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.

    • RSA_2048: Specifies RSA with a 2048-bit modulus.
    • RSA_3072: Specifies RSA with a 3072-bit modulus.
    • RSA_4096: Specifies RSA with a 4096-bit modulus.
    • ECDSA_P256: Specifies ECDSA with curve P256.
    • ECDSA_P384: Specifies ECDSA with curve P384. Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.
    lifetime String
    Lifetime of the workload certificates issued by the CA pool, in seconds. Must be between 86400s (24 hours) and 2592000s (30 days), expressed as the number of seconds followed by the suffix "s" (indicating seconds). If unspecified, this defaults to 86400s (24 hours).
    rotationWindowPercentage Integer
    Rotation window percentage indicating when certificate rotation should be initiated, based on the certificate's remaining lifetime. Must be between 50 and 80. If unspecified, this defaults to 50.
    caPools {[key: string]: string}
    A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

    • Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
    • Value format: A valid CA pool resource path format like: projects/{project}/locations/{location}/caPools/{ca_pool}
    • Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
    keyAlgorithm string
    Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.

    • RSA_2048: Specifies RSA with a 2048-bit modulus.
    • RSA_3072: Specifies RSA with a 3072-bit modulus.
    • RSA_4096: Specifies RSA with a 4096-bit modulus.
    • ECDSA_P256: Specifies ECDSA with curve P256.
    • ECDSA_P384: Specifies ECDSA with curve P384. Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.
    lifetime string
    Lifetime of the workload certificates issued by the CA pool, in seconds. Must be between 86400s (24 hours) and 2592000s (30 days), expressed as the number of seconds followed by the suffix "s" (indicating seconds). If unspecified, this defaults to 86400s (24 hours).
    rotationWindowPercentage number
    Rotation window percentage indicating when certificate rotation should be initiated, based on the certificate's remaining lifetime. Must be between 50 and 80. If unspecified, this defaults to 50.
    ca_pools Mapping[str, str]
    A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

    • Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
    • Value format: A valid CA pool resource path format like: projects/{project}/locations/{location}/caPools/{ca_pool}
    • Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
    key_algorithm str
    Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.

    • RSA_2048: Specifies RSA with a 2048-bit modulus.
    • RSA_3072: Specifies RSA with a 3072-bit modulus.
    • RSA_4096: Specifies RSA with a 4096-bit modulus.
    • ECDSA_P256: Specifies ECDSA with curve P256.
    • ECDSA_P384: Specifies ECDSA with curve P384. Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.
    lifetime str
    Lifetime of the workload certificates issued by the CA pool, in seconds. Must be between 86400s (24 hours) and 2592000s (30 days), expressed as the number of seconds followed by the suffix "s" (indicating seconds). If unspecified, this defaults to 86400s (24 hours).
    rotation_window_percentage int
    Rotation window percentage indicating when certificate rotation should be initiated, based on the certificate's remaining lifetime. Must be between 50 and 80. If unspecified, this defaults to 50.
    caPools Map<String>
    A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

    • Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
    • Value format: A valid CA pool resource path format like: projects/{project}/locations/{location}/caPools/{ca_pool}
    • Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
    keyAlgorithm String
    Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to ECDSA_P256.

    • RSA_2048: Specifies RSA with a 2048-bit modulus.
    • RSA_3072: Specifies RSA with a 3072-bit modulus.
    • RSA_4096: Specifies RSA with a 4096-bit modulus.
    • ECDSA_P256: Specifies ECDSA with curve P256.
    • ECDSA_P384: Specifies ECDSA with curve P384. Possible values are: RSA_2048, RSA_3072, RSA_4096, ECDSA_P256, ECDSA_P384.
    lifetime String
    Lifetime of the workload certificates issued by the CA pool, in seconds. Must be between 86400s (24 hours) and 2592000s (30 days), expressed as the number of seconds followed by the suffix "s" (indicating seconds). If unspecified, this defaults to 86400s (24 hours).
    rotationWindowPercentage Number
    Rotation window percentage indicating when certificate rotation should be initiated, based on the certificate's remaining lifetime. Must be between 50 and 80. If unspecified, this defaults to 50.

    WorkloadIdentityPoolInlineTrustConfig, WorkloadIdentityPoolInlineTrustConfigArgs

    AdditionalTrustBundles List<WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle>
    Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this WorkloadIdentityPool's own trust domain is listed in additional_trust_bundles with any trust anchors, those trust anchors are appended to the trust bundle automatically derived from the InlineCertificateIssuanceConfig's ca_pools. Structure is documented below.
    AdditionalTrustBundles []WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle
    Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this WorkloadIdentityPool's own trust domain is listed in additional_trust_bundles with any trust anchors, those trust anchors are appended to the trust bundle automatically derived from the InlineCertificateIssuanceConfig's ca_pools. Structure is documented below.
    additionalTrustBundles List<WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle>
    Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this WorkloadIdentityPool's own trust domain is listed in additional_trust_bundles with any trust anchors, those trust anchors are appended to the trust bundle automatically derived from the InlineCertificateIssuanceConfig's ca_pools. Structure is documented below.
    additionalTrustBundles WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle[]
    Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this WorkloadIdentityPool's own trust domain is listed in additional_trust_bundles with any trust anchors, those trust anchors are appended to the trust bundle automatically derived from the InlineCertificateIssuanceConfig's ca_pools. Structure is documented below.
    additional_trust_bundles Sequence[WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle]
    Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this WorkloadIdentityPool's own trust domain is listed in additional_trust_bundles with any trust anchors, those trust anchors are appended to the trust bundle automatically derived from the InlineCertificateIssuanceConfig's ca_pools. Structure is documented below.
    additionalTrustBundles List<Property Map>
    Maps specific trust domains (e.g., "example.com") to their corresponding TrustStore objects, which contain the trusted root certificates for that domain. There can be a maximum of 10 trust domain entries in this map. Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this WorkloadIdentityPool's own trust domain is listed in additional_trust_bundles with any trust anchors, those trust anchors are appended to the trust bundle automatically derived from the InlineCertificateIssuanceConfig's ca_pools. Structure is documented below.

    WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle, WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleArgs

    TrustAnchors List<WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor>
    List of trust anchors used when validating certificates against a given TrustStore. The incoming end-entity certificate must chain up to one of the trust anchors listed here. Structure is documented below.
    TrustDomain string
    The trust domain this bundle applies to (e.g., "example.com"), in the format described for additional_trust_bundles above.
    TrustAnchors []WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor
    List of trust anchors used when validating certificates against a given TrustStore. The incoming end-entity certificate must chain up to one of the trust anchors listed here. Structure is documented below.
    TrustDomain string
    The trust domain this bundle applies to (e.g., "example.com"), in the format described for additional_trust_bundles above.
    trustAnchors List<WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor>
    List of trust anchors used when validating certificates against a given TrustStore. The incoming end-entity certificate must chain up to one of the trust anchors listed here. Structure is documented below.
    trustDomain String
    The trust domain this bundle applies to (e.g., "example.com"), in the format described for additional_trust_bundles above.
    trustAnchors WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor[]
    List of trust anchors used when validating certificates against a given TrustStore. The incoming end-entity certificate must chain up to one of the trust anchors listed here. Structure is documented below.
    trustDomain string
    The trust domain this bundle applies to (e.g., "example.com"), in the format described for additional_trust_bundles above.
    trust_anchors Sequence[WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor]
    List of trust anchors used when validating certificates against a given TrustStore. The incoming end-entity certificate must chain up to one of the trust anchors listed here. Structure is documented below.
    trust_domain str
    The trust domain this bundle applies to (e.g., "example.com"), in the format described for additional_trust_bundles above.
    trustAnchors List<Property Map>
    List of trust anchors used when validating certificates against a given TrustStore. The incoming end-entity certificate must chain up to one of the trust anchors listed here. Structure is documented below.
    trustDomain String
    The trust domain this bundle applies to (e.g., "example.com"), in the format described for additional_trust_bundles above.

    WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor, WorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchorArgs

    PemCertificate string
    PEM-encoded certificate of the PKI used for validation. Must contain exactly one CA certificate (either a root or an intermediate certificate). Any end-entity certificate that chains up to this anchor is accepted for the trust domain, so list only CAs you intend to trust for that domain.
    PemCertificate string
    PEM-encoded certificate of the PKI used for validation. Must contain exactly one CA certificate (either a root or an intermediate certificate). Any end-entity certificate that chains up to this anchor is accepted for the trust domain, so list only CAs you intend to trust for that domain.
    pemCertificate String
    PEM-encoded certificate of the PKI used for validation. Must contain exactly one CA certificate (either a root or an intermediate certificate). Any end-entity certificate that chains up to this anchor is accepted for the trust domain, so list only CAs you intend to trust for that domain.
    pemCertificate string
    PEM-encoded certificate of the PKI used for validation. Must contain exactly one CA certificate (either a root or an intermediate certificate). Any end-entity certificate that chains up to this anchor is accepted for the trust domain, so list only CAs you intend to trust for that domain.
    pem_certificate str
    PEM-encoded certificate of the PKI used for validation. Must contain exactly one CA certificate (either a root or an intermediate certificate). Any end-entity certificate that chains up to this anchor is accepted for the trust domain, so list only CAs you intend to trust for that domain.
    pemCertificate String
    PEM-encoded certificate of the PKI used for validation. Must contain exactly one CA certificate (either a root or an intermediate certificate). Any end-entity certificate that chains up to this anchor is accepted for the trust domain, so list only CAs you intend to trust for that domain.

    Import

    WorkloadIdentityPool can be imported using any of these accepted formats:

    • projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}

    • {{project}}/{{workload_identity_pool_id}}

    • {{workload_identity_pool_id}}

    When using the pulumi import command, WorkloadIdentityPool can be imported using one of the formats above. For example:

    $ pulumi import gcp:iam/workloadIdentityPool:WorkloadIdentityPool default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}
    
    $ pulumi import gcp:iam/workloadIdentityPool:WorkloadIdentityPool default {{project}}/{{workload_identity_pool_id}}
    
    $ pulumi import gcp:iam/workloadIdentityPool:WorkloadIdentityPool default {{workload_identity_pool_id}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.