Skip to main content

Gcp/iam

@swamp/gcp/iamv2026.06.08.2· 29d agoMODELS
01README

Google Cloud iam infrastructure models

02Release Notes
  • Updated: policies, workforcepools, workforcepools_providers, workforcepools_providers_keys, workforcepools_providers_scimtenants, workforcepools_providers_scimtenants_tokens, roles, oauthclients, oauthclients_credentials, workloadidentitypools, workloadidentitypools_namespaces, workloadidentitypools_namespaces_managedidentities, workloadidentitypools_providers, workloadidentitypools_providers_keys, serviceaccounts, serviceaccounts_keys
03Models16
oauthclients.tsv2026.06.08.1

Global Arguments

ArgumentTypeDescription
accessToken?stringGCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
credentialsJson?stringGCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault.
project?stringGCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables.
allowedGrantTypes?arrayRequired. The list of OAuth grant types is allowed for the OauthClient.
allowedRedirectUris?arrayRequired. The list of redirect uris that is allowed to redirect back when authorization process is completed.
allowedScopes?arrayRequired. The list of scopes that the OauthClient is allowed to request during OAuth flows. The following scopes are supported: * `https://www.googleapis.com/auth/cloud-platform`: See, edit, configure, and delete your Google Cloud data and see the email address for your Google Account.
clientType?enumImmutable. The type of OauthClient. Either public or private. For private clients, the client secret can be managed using the dedicated OauthClientCredential resource.
description?stringOptional. A user-specified description of the OauthClient. Cannot exceed 256 characters.
disabled?booleanOptional. Whether the OauthClient is disabled. You cannot use a disabled OAuth client.
displayName?stringOptional. A user-specified display name of the OauthClient. Cannot exceed 32 characters.
name?stringImmutable. Identifier. The resource name of the OauthClient. Format:`projects/{project}/locations/{location}/oauthClients/{oauth_client}`.
oauthClientId?stringRequired. The ID to use for the OauthClient, which becomes the final component of the resource name. This value should be a string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified.
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
fn create(waitForReady?: boolean)
Create a oauthClients
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
fn get(identifier: string)
Get a oauthClients
ArgumentTypeDescription
identifierstringThe name of the oauthClients
fn update(waitForReady?: boolean)
Update oauthClients attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
fn delete(identifier: string)
Delete the oauthClients
ArgumentTypeDescription
identifierstringThe name of the oauthClients
fn sync()
Sync oauthClients state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List oauthClients resources
ArgumentTypeDescription
pageSize?numberOptional. The maximum number of OauthClients to return. If unspecified, at most 50 OauthClients will be returned. The maximum value is 100; values above 100 are truncated to 100.
showDeleted?booleanOptional. Whether to return soft-deleted OauthClients.
maxPages?numberMaximum number of pages to fetch (default: 10)
fn undelete()
undelete
oauthclients_credentials.tsv2026.06.08.1

Global Arguments

ArgumentTypeDescription
accessToken?stringGCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
credentialsJson?stringGCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault.
project?stringGCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables.
disabled?booleanOptional. Whether the OauthClientCredential is disabled. You cannot use a disabled OauthClientCredential.
displayName?stringOptional. A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters.
name?stringImmutable. Identifier. The resource name of the OauthClientCredential. Format: `projects/{project}/locations/{location}/oauthClients/{oauth_client}/credentials/{credential}`
oauthClientCredentialId?stringRequired. The ID to use for the OauthClientCredential, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified.
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
fn create()
Create a credentials
fn get(identifier: string)
Get a credentials
ArgumentTypeDescription
identifierstringThe name of the credentials
fn update()
Update credentials attributes
fn delete(identifier: string)
Delete the credentials
ArgumentTypeDescription
identifierstringThe name of the credentials
fn sync()
Sync credentials state from GCP
fn list(maxPages?: number)
List credentials resources
ArgumentTypeDescription
maxPages?numberMaximum number of pages to fetch (default: 10)
policies.tsv2026.06.08.1

Global Arguments

ArgumentTypeDescription
accessToken?stringGCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
credentialsJson?stringGCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault.
project?stringGCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables.
annotations?recordA key-value map to store arbitrary metadata for the `Policy`. Keys can be up to 63 characters. Values can be up to 255 characters.
createTime?stringOutput only. The time when the `Policy` was created.
deleteTime?stringOutput only. The time when the `Policy` was deleted. Empty if the policy is not deleted.
displayName?stringA user-specified description of the `Policy`. This value can be up to 63 characters.
etag?stringAn opaque tag that identifies the current version of the `Policy`. IAM uses this value to help manage concurrent updates, so they do not cause one update to be overwritten by another. If this field is present in a CreatePolicyRequest, the value is ignored.
kind?stringOutput only. The kind of the `Policy`. Always contains the value `DenyPolicy`.
name?stringImmutable. The resource name of the `Policy`, which must be unique. Format: `policies/{attachment_point}/denypolicies/{policy_id}` The attachment point is identified by its URL-encoded full resource name, which means that the forward-slash character, `/`, must be written as `%2F`. For example, `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-deny-policy`. For organizations and folders, use the numeric ID in the full resource name. For projects, requests can use the alphanumeric or the numeric ID. Responses always contain the numeric ID.
rules?arrayOptional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
uid?stringImmutable. The globally unique ID of the `Policy`. Assigned automatically when the `Policy` is created.
updateTime?stringOutput only. The time when the `Policy` was last updated.
fn get(identifier: string)
Get a policies
ArgumentTypeDescription
identifierstringThe name of the policies
fn update()
Update policies attributes
fn delete(identifier: string)
Delete the policies
ArgumentTypeDescription
identifierstringThe name of the policies
fn sync()
Sync policies state from GCP
fn create_policy(annotations?: any, createTime?: any, deleteTime?: any, displayName?: any, etag?: any, kind?: any, name?: any, rules?: any, uid?: any, updateTime?: any)
create policy
ArgumentTypeDescription
annotations?any
createTime?any
deleteTime?any
displayName?any
etag?any
kind?any
name?any
rules?any
uid?any
updateTime?any
fn list_policies()
list policies
roles.tsv2026.06.08.1

Global Arguments

ArgumentTypeDescription
accessToken?stringGCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
credentialsJson?stringGCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault.
project?stringGCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables.
role?objectThe current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.
roleId?stringThe role ID to use for this role. A role ID may contain alphanumeric characters, underscores (`_`), and periods (`.`). It must contain a minimum of 3 characters and a maximum of 64 characters.
deleted?booleanThe current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole.
description?stringOptional. A human-readable description for the role.
etag?stringUsed to perform a consistent read-modify-write.
includedPermissions?arrayThe names of the permissions this role grants when bound in an IAM policy.
name?stringThe name of the role. When `Role` is used in `CreateRole`, the role name must not be set. When `Role` is used in output and other input such as `UpdateRole`, the role name is the complete path. For example, `roles/logging.viewer` for predefined roles, `organizations/{ORGANIZATION_ID}/roles/myRole` for organization-level custom roles, and `projects/{PROJECT_ID}/roles/myRole` for project-level custom roles.
stage?enumThe current launch stage of the role. If the `ALPHA` launch stage has been selected for a role, the `stage` field will not be included in the returned definition for the role.
title?stringOptional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes.
parent?stringThe parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456)
fn create()
Create a roles
fn get(identifier: string)
Get a roles
ArgumentTypeDescription
identifierstringThe name of the roles
fn update()
Update roles attributes
fn delete(identifier: string)
Delete the roles
ArgumentTypeDescription
identifierstringThe name of the roles
fn sync()
Sync roles state from GCP
fn list(pageSize?: number, showDeleted?: boolean, view?: string, maxPages?: number)
List roles resources
ArgumentTypeDescription
pageSize?numberOptional limit on the number of roles to include in the response. The default is 300, and the maximum is 1,000.
showDeleted?booleanInclude Roles that have been deleted.
view?stringOptional view for the returned Role objects. When `FULL` is specified, the `includedPermissions` field is returned, which includes a list of all permissions in the role. The default value is `BASIC`, which does not return the `includedPermissions` field.
maxPages?numberMaximum number of pages to fetch (default: 10)
fn undelete(etag?: any)
undelete
ArgumentTypeDescription
etag?any
serviceaccounts.tsv2026.06.08.1

Global Arguments

ArgumentTypeDescription
accessToken?stringGCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
credentialsJson?stringGCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault.
project?stringGCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables.
accountId?stringRequired. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
serviceAccount?objectOptional. A user-specified, human-readable description of the service account. The maximum length is 256 UTF-8 bytes.
description?stringOptional. A user-specified, human-readable description of the service account. The maximum length is 256 UTF-8 bytes.
disabled?booleanOutput only. Whether the service account is disabled.
displayName?stringOptional. A user-specified, human-readable name for the service account. The maximum length is 100 UTF-8 bytes.
email?stringOutput only. The email address of the service account.
name?stringThe resource name of the service account. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}` * `projects/-/serviceAccounts/{UNIQUE_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account `projects/-/serviceAccounts/fake@example.com`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error.
oauth2ClientId?stringOutput only. The OAuth 2.0 client ID for the service account.
projectId?stringOutput only. The ID of the project that owns the service account.
uniqueId?stringOutput only. The unique, stable numeric ID for the service account. Each service account retains its unique ID even if you delete the service account. For example, if you delete a service account, then create a new service account with the same name, the new service account has a different unique ID than the deleted service account.
updateMask?string
fn create()
Create a serviceAccounts
fn get(identifier: string)
Get a serviceAccounts
ArgumentTypeDescription
identifierstringThe name of the serviceAccounts
fn update()
Update serviceAccounts attributes
fn delete(identifier: string)
Delete the serviceAccounts
ArgumentTypeDescription
identifierstringThe name of the serviceAccounts
fn sync()
Sync serviceAccounts state from GCP
fn list(pageSize?: number, maxPages?: number)
List serviceAccounts resources
ArgumentTypeDescription
pageSize?numberOptional limit on the number of service accounts to include in the response. Further accounts can subsequently be obtained by including the ListServiceAccountsResponse.next_page_token in a subsequent request. The default is 20, and the maximum is 100.
maxPages?numberMaximum number of pages to fetch (default: 10)
fn disable()
disable
fn enable()
enable
fn get_iam_policy()
get iam policy
fn set_iam_policy(policy?: any, updateMask?: any)
set iam policy
ArgumentTypeDescription
policy?any
updateMask?any
fn sign_blob(bytesToSign?: any)
sign blob
ArgumentTypeDescription
bytesToSign?any
fn sign_jwt(payload?: any)
sign jwt
ArgumentTypeDescription
payload?any
fn test_iam_permissions(permissions?: any)
test iam permissions
ArgumentTypeDescription
permissions?any
fn undelete()
undelete
serviceaccounts_keys.tsv2026.06.08.1

Global Arguments

ArgumentTypeDescription
accessToken?stringGCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
credentialsJson?stringGCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault.
project?stringGCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables.
keyAlgorithm?enumWhich type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future.
privateKeyType?enumThe output format of the private key. The default value is `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File format.
namestringRequired. The resource name of the service account. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}` * `projects/-/serviceAccounts/{UNIQUE_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account `projects/-/serviceAccounts/fake@example.com`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error.
fn create()
Create a keys
fn get(identifier: string)
Get a keys
ArgumentTypeDescription
identifierstringThe name of the keys
fn delete(identifier: string)
Delete the keys
ArgumentTypeDescription
identifierstringThe name of the keys
fn sync()
Sync keys state from GCP
fn list(keyTypes?: string, maxPages?: number)
List keys resources
ArgumentTypeDescription
keyTypes?stringFilters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned.
maxPages?numberMaximum number of pages to fetch (default: 10)
fn disable(extendedStatusMessage?: any, serviceAccountKeyDisableReason?: any)
disable
ArgumentTypeDescription
extendedStatusMessage?any
serviceAccountKeyDisableReason?any
fn enable()
enable
fn upload(publicKeyData?: any)
upload
ArgumentTypeDescription
publicKeyData?any
workforcepools.tsv2026.06.08.1

Global Arguments

ArgumentTypeDescription
accessToken?stringGCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
credentialsJson?stringGCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault.
project?stringGCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables.
accessRestrictions?objectOptional. Domain name of the service. Example: console.cloud.google
description?stringOptional. A description of the pool. Cannot exceed 256 characters.
disabled?booleanOptional. Disables the workforce pool. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
displayName?stringOptional. A display name for the pool. Cannot exceed 32 characters.
name?stringIdentifier. The resource name of the pool. Format: `locations/{location}/workforcePools/{workforce_pool_id}`
parent?stringImmutable. The resource name of the parent. Format: `organizations/{org-id}`.
sessionDuration?stringOptional. Duration that the Google Cloud access tokens, console sign-in sessions, and `gcloud` sign-in sessions from this pool are valid. Must be greater than 15 minutes (900s) and less than 12 hours (43200s). If `session_duration` is not configured, minted credentials have a default duration of one hour (3600s). For SAML providers, the lifetime of the token is the minimum of the `session_duration` and the `SessionNotOnOrAfter` claim in the SAML assertion.
locationstringOptional. The location of the pool to create. Format: `locations/{location}`.
workforcePoolId?stringOptional. The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified.
fn create(waitForReady?: boolean)
Create a workforcePools
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
fn get(identifier: string)
Get a workforcePools
ArgumentTypeDescription
identifierstringThe name of the workforcePools
fn update(waitForReady?: boolean)
Update workforcePools attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
fn delete(identifier: string)
Delete the workforcePools
ArgumentTypeDescription
identifierstringThe name of the workforcePools
fn sync()
Sync workforcePools state from GCP
fn list(pageSize?: number, parent?: string, showDeleted?: boolean, maxPages?: number)
List workforcePools resources
ArgumentTypeDescription
pageSize?numberThe maximum number of pools to return. The default value is 50. The maximum value is 100.
parent?stringRequired. The parent resource to list pools for. Format: `organizations/{org-id}`.
showDeleted?booleanWhether to return soft-deleted pools.
maxPages?numberMaximum number of pages to fetch (default: 10)
fn get_iam_policy(options?: any)
get iam policy
ArgumentTypeDescription
options?any
fn set_iam_policy(policy?: any, updateMask?: any)
set iam policy
ArgumentTypeDescription
policy?any
updateMask?any
fn test_iam_permissions(permissions?: any)
test iam permissions
ArgumentTypeDescription
permissions?any
fn undelete()
undelete
workforcepools_providers.tsv2026.06.08.1

Global Arguments

ArgumentTypeDescription
accessToken?stringGCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
credentialsJson?stringGCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault.
project?stringGCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables.
attributeCondition?stringOptional. A [Common Expression Language](https://opensource.google/projects/cel) expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions: * `assertion`: JSON representing the authentication credential issued by the provider. * `google`: The Google attributes mapped from the assertion in the `attribute_mappings`. `google.profile_photo`, `google.display_name` and `google.posix_username` are not supported. * `attribute`: The custom attributes mapped from the assertion in the `attribute_mappings`. The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials will be accepted. The following example shows how to only allow credentials with a mapped `google.groups` value of `admins`: ` \"'admins' in google.groups\" `
attributeMapping?recordRequired. Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as `subject` and `segment`. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported: * `google.subject`: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes. * `google.groups`: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM `principalSet` binding; access applies to all members of the group. * `google.display_name`: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, `google.subject` will be displayed instead. This attribute cannot be referenced in IAM bindings. * `google.profile_photo`: The URL that specifies the authenticated user\'s thumbnail photo. This is an optional field. When set, the image will be visible as the user\'s profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. * `google.posix_username`: The Linux username used by OS Login. This is an optional field and the mapped POSIX username cannot exceed 32 characters. The key must match the regex `^a-zA-Z0-9._{0,31}$`. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying `attribute.{custom_attribute}`, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters `[a-z0-9_]`. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example: * `google.subject`: `principal://iam.googleapis.com/locations/global/workforcePools/{pool}/subject/{value}` * `google.groups`: `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/group/{value}` * `attribute.{custom_attribute}`: `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/attribute.{custom_attribute}/{value}` Each value must be a [Common Expression Language] (https://opensource.google/projects/cel) function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the `assertion` keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 16 KB. For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute. For example, the following maps the `sub` claim of the incoming credential to the `subject` attribute on a Google token: ` {"google.subject": "assertion.sub"} `
description?stringOptional. A description of the provider. Cannot exceed 256 characters.
detailedAuditLogging?booleanOptional. If true, populates additional debug information in Cloud Audit Logs for this provider. Logged attribute mappings and values can be found in `sts.googleapis.com` data access logs. Default value is false.
disabled?booleanOptional. Disables the workforce pool provider. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
displayName?stringOptional. A display name for the provider. Cannot exceed 32 characters.
extendedAttributesOauth2Client?objectRequired. Represents the IdP and type of claims that should be fetched.
extraAttributesOauth2Client?objectRequired. Represents the IdP and type of claims that should be fetched.
name?stringIdentifier. The resource name of the provider. Format: `locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}`
oidc?objectRequired. The client ID. Must match the audience claim of the JWT issued by the identity provider.
saml?objectRequired. SAML Identity provider configuration metadata xml doc. The xml document should comply with [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). The max size of the acceptable xml document will be bounded to 128k characters. The metadata xml document should satisfy the following constraints: 1) Must contain an Identity Provider Entity ID. 2) Must contain at least one non-expired signing key certificate. 3) For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 25 years in the future. 4) Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
scimUsage?enumOptional. Gemini Enterprise only. Specifies whether the workforce identity pool provider uses SCIM-managed groups instead of the `google.groups` attribute mapping for authorization checks. The `scim_usage` and `extended_attributes_oauth2_client` fields are mutually exclusive. A request that enables both fields on the same workforce identity pool provider will produce an error.
workforcePoolProviderId?stringRequired. The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters `[a-z0-9-]`. The prefix `gcp-` is reserved for use by Google, and may not be specified.
parent?stringThe parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456)
fn create(waitForReady?: boolean)
Create a providers
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
fn get(identifier: string)
Get a providers
ArgumentTypeDescription
identifierstringThe name of the providers
fn update(waitForReady?: boolean)
Update providers attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
fn delete(identifier: string)
Delete the providers
ArgumentTypeDescription
identifierstringThe name of the providers
fn sync()
Sync providers state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List providers resources
ArgumentTypeDescription
pageSize?numberThe maximum number of providers to return. If unspecified, at most 50 providers are returned. The maximum value is 100; values above 100 are truncated to 100.
showDeleted?booleanWhether to return soft-deleted providers.
maxPages?numberMaximum number of pages to fetch (default: 10)
fn undelete()
undelete
workforcepools_providers_keys.tsv2026.06.08.1

Global Arguments

ArgumentTypeDescription
accessToken?stringGCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
credentialsJson?stringGCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault.
project?stringGCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables.
keyData?objectOutput only. The format of the key.
name?stringIdentifier. The resource name of the key. Format: `locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}/keys/{key_id}`
use?enumRequired. The purpose of the key.
workforcePoolProviderKeyId?stringRequired. The ID to use for the key, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters `[a-z0-9-]`.
parent?stringThe parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456)
fn create(waitForReady?: boolean)
Create a keys
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
fn get(identifier: string)
Get a keys
ArgumentTypeDescription
identifierstringThe name of the keys
fn delete(identifier: string)
Delete the keys
ArgumentTypeDescription
identifierstringThe name of the keys
fn sync()
Sync keys state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List keys resources
ArgumentTypeDescription
pageSize?numberThe maximum number of keys to return. If unspecified, all keys are returned. The maximum value is 10; values above 10 are truncated to 10.
showDeleted?booleanWhether to return soft-deleted keys.
maxPages?numberMaximum number of pages to fetch (default: 10)
fn undelete()
undelete
workforcepools_providers_scimtenants.tsv2026.06.08.1

Global Arguments

ArgumentTypeDescription
accessToken?stringGCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
credentialsJson?stringGCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault.
project?stringGCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables.
claimMapping?recordRequired. Immutable. Gemini Enterprise only. Maps SCIM attributes to Google attributes. This mapping is used to associate the attributes synced via SCIM with the Google Cloud attributes used in IAM policies for Workforce Identity Federation. SCIM-managed user and group attributes are mapped to `google.subject` and `google.group` respectively. Each key must be a string specifying the Google Cloud IAM attribute to map to. The supported keys are as follows: * `google.subject`: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes. * `google.group`: Group the authenticating user belongs to. You can grant group access to resources using an IAM `principalSet` binding; access applies to all members of the group. Each value must be a [Common Expression Language] (https://opensource.google/projects/cel) expression that maps SCIM user or group attribute to the normalized attribute specified by the corresponding map key. Example: To map the SCIM user\'s `externalId` to `google.subject` and the SCIM group\'s `externalId` to `google.group`: ` { "google.subject": "user.externalId", "google.group": "group.externalId" } `
description?stringOptional. Gemini Enterprise only. The description of the SCIM tenant. Cannot exceed 256 characters.
displayName?stringOptional. Gemini Enterprise only. The display name of the SCIM tenant. Cannot exceed 32 characters.
name?stringIdentifier. Gemini Enterprise only. The resource name of the SCIM Tenant. Format: `locations/{location}/workforcePools/{workforce_pool}/providers/ {workforce_pool_provider}/scimTenants/{scim_tenant}`
workforcePoolProviderScimTenantId?stringRequired. Gemini Enterprise only. The ID to use for the SCIM tenant, which becomes the final component of the resource name. This value should be 4-32 characters, containing the characters `[a-z0-9-]`.
parent?stringThe parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456)
fn create(waitForReady?: boolean)
Create a scimTenants
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
fn get(identifier: string)
Get a scimTenants
ArgumentTypeDescription
identifierstringThe name of the scimTenants
fn update(waitForReady?: boolean)
Update scimTenants attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
fn delete(identifier: string)
Delete the scimTenants
ArgumentTypeDescription
identifierstringThe name of the scimTenants
fn sync()
Sync scimTenants state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List scimTenants resources
ArgumentTypeDescription
pageSize?numberOptional. Gemini Enterprise only. The maximum number of SCIM tenants to return. If unspecified, at most 50 SCIM tenants will be returned. The maximum value is 100; values above 100 are truncated to 100.
showDeleted?booleanOptional. Gemini Enterprise only. Whether to return soft-deleted SCIM tenants.
maxPages?numberMaximum number of pages to fetch (default: 10)
fn undelete()
undelete
workforcepools_providers_scimtenants_tokens.tsv2026.06.08.1

Global Arguments

ArgumentTypeDescription
accessToken?stringGCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
credentialsJson?stringGCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault.
project?stringGCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables.
displayName?stringOptional. Gemini Enterprise only. The display name of the SCIM token. Cannot exceed 32 characters.
name?stringIdentifier. Gemini Enterprise only. The resource name of the SCIM Token. Format: `locations/{location}/workforcePools/{workforce_pool}/providers/ {workforce_pool_provider}/scimTenants/{scim_tenant}/tokens/{token}`
workforcePoolProviderScimTokenId?stringRequired. Gemini Enterprise only. The ID to use for the SCIM token, which becomes the final component of the resource name. This value should be 4-32 characters and follow the pattern: `([a-z]([a-z0-9\\\\-]{2,30}[a-z0-9]))`
parent?stringThe parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456)
fn create(waitForReady?: boolean)
Create a tokens
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
fn get(identifier: string)
Get a tokens
ArgumentTypeDescription
identifierstringThe name of the tokens
fn update(waitForReady?: boolean)
Update tokens attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
fn delete(identifier: string)
Delete the tokens
ArgumentTypeDescription
identifierstringThe name of the tokens
fn sync()
Sync tokens state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List tokens resources
ArgumentTypeDescription
pageSize?numberOptional. Gemini Enterprise only. The maximum number of SCIM tokens to return. If unspecified, at most 2 SCIM tokens will be returned.
showDeleted?booleanOptional. Gemini Enterprise only. Whether to return soft-deleted SCIM tokens.
maxPages?numberMaximum number of pages to fetch (default: 10)
workloadidentitypools.tsv2026.06.08.1

Global Arguments

ArgumentTypeDescription
accessToken?stringGCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
credentialsJson?stringGCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault.
project?stringGCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables.
description?stringOptional. A description of the pool. Cannot exceed 256 characters.
disabled?booleanOptional. Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
displayName?stringOptional. A display name for the pool. Cannot exceed 32 characters.
inlineCertificateIssuanceConfig?objectOptional. A required mapping of a Google Cloud region to the CA pool resource located in that region. The CA pool is used for certificate issuance, adhering to the following constraints: * Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value. * Value format: A valid CA pool resource path format like: \"projects/{project}/locations/{location}/caPools/{ca_pool}\" * Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
inlineTrustConfig?objectPEM certificate of the PKI used for validation. Must only contain one ca certificate.
mode?enumImmutable. The mode the pool is operating in.
name?stringIdentifier. The resource name of the pool.
workloadIdentityPoolId?stringRequired. The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified.
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
fn create(waitForReady?: boolean)
Create a workloadIdentityPools
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
fn get(identifier: string)
Get a workloadIdentityPools
ArgumentTypeDescription
identifierstringThe name of the workloadIdentityPools
fn update(waitForReady?: boolean)
Update workloadIdentityPools attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
fn delete(identifier: string)
Delete the workloadIdentityPools
ArgumentTypeDescription
identifierstringThe name of the workloadIdentityPools
fn sync()
Sync workloadIdentityPools state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List workloadIdentityPools resources
ArgumentTypeDescription
pageSize?numberThe maximum number of pools to return. If unspecified, at most 50 pools are returned. The maximum value is 1000; values above are 1000 truncated to 1000.
showDeleted?booleanWhether to return soft-deleted pools.
maxPages?numberMaximum number of pages to fetch (default: 10)
fn add_attestation_rule(attestationRule?: any)
add attestation rule
ArgumentTypeDescription
attestationRule?any
fn get_iam_policy(options?: any)
get iam policy
ArgumentTypeDescription
options?any
fn list_attestation_rules()
list attestation rules
fn set_attestation_rules(attestationRules?: any)
set attestation rules
ArgumentTypeDescription
attestationRules?any
fn set_iam_policy(policy?: any, updateMask?: any)
set iam policy
ArgumentTypeDescription
policy?any
updateMask?any
fn test_iam_permissions(permissions?: any)
test iam permissions
ArgumentTypeDescription
permissions?any
fn undelete()
undelete
workloadidentitypools_namespaces.tsv2026.06.08.1

Global Arguments

ArgumentTypeDescription
accessToken?stringGCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
credentialsJson?stringGCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault.
project?stringGCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables.
description?stringOptional. A description of the namespace. Cannot exceed 256 characters.
disabled?booleanOptional. Whether the namespace is disabled. If disabled, credentials may no longer be issued for identities within this namespace, however existing credentials will still be accepted until they expire.
name?stringIdentifier. The resource name of the namespace.
ownerService?objectRequired. The service agent principal subject, e.g. "serviceAccount:service-1234@gcp-sa-gkehub.iam.gserviceaccount.com".
workloadIdentityPoolNamespaceId?stringRequired. The ID to use for the namespace. This value must: * contain at most 63 characters * contain only lowercase alphanumeric characters or `-` * start with an alphanumeric character * end with an alphanumeric character The prefix "gcp-" will be reserved for future uses.
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
fn create(waitForReady?: boolean)
Create a namespaces
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
fn get(identifier: string)
Get a namespaces
ArgumentTypeDescription
identifierstringThe name of the namespaces
fn update(waitForReady?: boolean)
Update namespaces attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
fn delete(identifier: string)
Delete the namespaces
ArgumentTypeDescription
identifierstringThe name of the namespaces
fn sync()
Sync namespaces state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List namespaces resources
ArgumentTypeDescription
pageSize?numberThe maximum number of namespaces to return. If unspecified, at most 50 namespaces are returned. The maximum value is 1000; values above are 1000 truncated to 1000.
showDeleted?booleanWhether to return soft-deleted namespaces.
maxPages?numberMaximum number of pages to fetch (default: 10)
fn undelete()
undelete
workloadidentitypools_namespaces_managedidentities.tsv2026.06.08.1

Global Arguments

ArgumentTypeDescription
accessToken?stringGCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
credentialsJson?stringGCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault.
project?stringGCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables.
description?stringOptional. A description of the managed identity. Cannot exceed 256 characters.
disabled?booleanOptional. Whether the managed identity is disabled. If disabled, credentials may no longer be issued for the identity, however existing credentials will still be accepted until they expire.
name?stringIdentifier. The resource name of the managed identity.
workloadIdentityPoolManagedIdentityId?stringRequired. The ID to use for the managed identity. This value must: * contain at most 63 characters * contain only lowercase alphanumeric characters or `-` * start with an alphanumeric character * end with an alphanumeric character The prefix "gcp-" will be reserved for future uses.
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
fn create(waitForReady?: boolean)
Create a managedIdentities
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
fn get(identifier: string)
Get a managedIdentities
ArgumentTypeDescription
identifierstringThe name of the managedIdentities
fn update(waitForReady?: boolean)
Update managedIdentities attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
fn delete(identifier: string)
Delete the managedIdentities
ArgumentTypeDescription
identifierstringThe name of the managedIdentities
fn sync()
Sync managedIdentities state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List managedIdentities resources
ArgumentTypeDescription
pageSize?numberThe maximum number of managed identities to return. If unspecified, at most 50 managed identities are returned. The maximum value is 1000; values above are 1000 truncated to 1000.
showDeleted?booleanWhether to return soft-deleted managed identities.
maxPages?numberMaximum number of pages to fetch (default: 10)
fn add_attestation_rule(attestationRule?: any)
add attestation rule
ArgumentTypeDescription
attestationRule?any
fn list_attestation_rules()
list attestation rules
fn set_attestation_rules(attestationRules?: any)
set attestation rules
ArgumentTypeDescription
attestationRules?any
fn undelete()
undelete
workloadidentitypools_providers.tsv2026.06.08.1

Global Arguments

ArgumentTypeDescription
accessToken?stringGCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
credentialsJson?stringGCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault.
project?stringGCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables.
attributeCondition?stringOptional. [A Common Expression Language](https://opensource.google/projects/cel) expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions: * `assertion`: JSON representing the authentication credential issued by the provider. * `google`: The Google attributes mapped from the assertion in the `attribute_mappings`. * `attribute`: The custom attributes mapped from the assertion in the `attribute_mappings`. The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credential are accepted. The following example shows how to only allow credentials with a mapped `google.groups` value of `admins`: ` \"'admins' in google.groups\" `
attributeMapping?recordOptional. Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as `subject` and `segment`. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported: * `google.subject`: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 bytes. * `google.groups`: Groups the external identity belongs to. You can grant groups access to resources using an IAM `principalSet` binding; access applies to all members of the group. You can also provide custom attributes by specifying `attribute.{custom_attribute}`, where `{custom_attribute}` is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example: * `google.subject`: `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}` * `google.groups`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}` * `attribute.{custom_attribute}`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}` Each value must be a [Common Expression Language] (https://opensource.google/projects/cel) function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the `assertion` keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, if no attribute mapping is defined, the following default mapping applies: ` { "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains(\'assumed-role\')" "? assertion.arn.extract(\'{account_arn}assumed-role/\')" " + \'assumed-role/\'" " + assertion.arn.extract(\'assumed-role/{role_name}/\')" ": assertion.arn", } ` If any custom attribute mappings are defined, they must include a mapping to the `google.subject` attribute. For OIDC providers, you must supply a custom mapping, which must include the `google.subject` attribute. For example, the following maps the `sub` claim of the incoming credential to the `subject` attribute on a Google token: ` {"google.subject": "assertion.sub"} `
aws?objectRequired. The AWS account ID.
description?stringOptional. A description for the provider. Cannot exceed 256 characters.
disabled?booleanOptional. Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.
displayName?stringOptional. A display name for the provider. Cannot exceed 32 characters.
name?stringIdentifier. The resource name of the provider.
oidc?objectOptional. Acceptable values for the `aud` field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: ` //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ `
saml?objectRequired. SAML identity provider (IdP) configuration metadata XML doc. The XML document must comply with the [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). The maximum size of an acceptable XML document is 128K characters. The SAML metadata XML document must satisfy the following constraints: * Must contain an IdP Entity ID. * Must contain at least one non-expired signing certificate. * For each signing certificate, the expiration must be: * From no more than 7 days in the future. * To no more than 25 years in the future. * Up to three IdP signing keys are allowed. When updating the provider's metadata XML, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
x509?objectPEM certificate of the PKI used for validation. Must only contain one ca certificate.
workloadIdentityPoolProviderId?stringRequired. The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified.
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
fn create(waitForReady?: boolean)
Create a providers
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
fn get(identifier: string)
Get a providers
ArgumentTypeDescription
identifierstringThe name of the providers
fn update(waitForReady?: boolean)
Update providers attributes
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after update (default: true)
fn delete(identifier: string)
Delete the providers
ArgumentTypeDescription
identifierstringThe name of the providers
fn sync()
Sync providers state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List providers resources
ArgumentTypeDescription
pageSize?numberThe maximum number of providers to return. If unspecified, at most 50 providers are returned. The maximum value is 100; values above 100 are truncated to 100.
showDeleted?booleanWhether to return soft-deleted providers.
maxPages?numberMaximum number of pages to fetch (default: 10)
fn undelete()
undelete
workloadidentitypools_providers_keys.tsv2026.06.08.1

Global Arguments

ArgumentTypeDescription
accessToken?stringGCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault.
credentialsJson?stringGCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault.
project?stringGCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables.
keyData?objectOutput only. The format of the key.
name?stringIdentifier. The resource name of the key.
use?enumRequired. The purpose of the key.
workloadIdentityPoolProviderKeyId?stringRequired. The ID to use for the key, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-].
location?stringThe location for this resource (e.g., 'us', 'us-central1', 'europe-west1')
fn create(waitForReady?: boolean)
Create a keys
ArgumentTypeDescription
waitForReady?booleanWait for the resource to reach a ready state after creation (default: true)
fn get(identifier: string)
Get a keys
ArgumentTypeDescription
identifierstringThe name of the keys
fn delete(identifier: string)
Delete the keys
ArgumentTypeDescription
identifierstringThe name of the keys
fn sync()
Sync keys state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List keys resources
ArgumentTypeDescription
pageSize?numberThe maximum number of keys to return. If unspecified, all keys are returned. The maximum value is 10; values above 10 are truncated to 10.
showDeleted?booleanWhether to return soft deleted resources as well.
maxPages?numberMaximum number of pages to fetch (default: 10)
fn undelete()
undelete
04Previous Versions15
2026.06.07.1Jun 7, 2026
  • Updated: policies, workforcepools, workforcepools_providers, workforcepools_providers_keys, workforcepools_providers_scimtenants, workforcepools_providers_scimtenants_tokens, roles, oauthclients, oauthclients_credentials, workloadidentitypools, workloadidentitypools_namespaces, workloadidentitypools_namespaces_managedidentities, workloadidentitypools_providers, workloadidentitypools_providers_keys, serviceaccounts, serviceaccounts_keys
2026.06.06.2Jun 6, 2026
  • Updated: serviceaccounts
2026.06.05.1Jun 5, 2026
  • Added: workforcepools, workforcepools_providers, workforcepools_providers_keys, workforcepools_providers_scimtenants, workforcepools_providers_scimtenants_tokens, oauthclients, oauthclients_credentials, workloadidentitypools, workloadidentitypools_namespaces, workloadidentitypools_namespaces_managedidentities, workloadidentitypools_providers, workloadidentitypools_providers_keys, serviceaccounts, serviceaccounts_keys

Added 14 models

2026.05.26.1May 26, 2026
  • Added: roles

Added 1 models

2026.05.25.1May 25, 2026
  • Updated: policies

Removed 1 models

2026.05.24.1May 24, 2026
  • Updated: roles, policies
2026.05.21.3May 21, 2026
  • Updated: policies, roles
2026.05.21.2May 21, 2026

Added 1 models

2026.05.19.2May 19, 2026
2026.05.19.1May 19, 2026
2026.04.23.1Apr 23, 2026
2026.04.03.3Apr 3, 2026
  • Updated: policies
2026.04.03.1Apr 3, 2026
  • Updated: policies
2026.04.02.2Apr 2, 2026
2026.03.27.1Mar 27, 2026
  • Added: policies
05Stats
A
100 / 100
Downloads
42
Archive size
216.7 KB
Verified by Swamp
  • Has README or module doc2/2earned
  • README has a code example1/1earned
  • README is substantive1/1earned
  • Most symbols documented1/1earned
  • No slow types (deprecated)1/1earned
  • Dependencies pass trust audit2/2earned
  • Has description1/1earned
  • Platform support declared (or universal)2/2earned
  • License declared1/1earned
  • Verified public repository2/2earned
06Platforms
07Labels