Gcp/iam
@swamp/gcp/iamv2026.06.08.2
01README
Google Cloud iam infrastructure models
02Release Notes
- Updated: policies, workforcepools, workforcepools_providers, workforcepools_providers_keys, workforcepools_providers_scimtenants, workforcepools_providers_scimtenants_tokens, roles, oauthclients, oauthclients_credentials, workloadidentitypools, workloadidentitypools_namespaces, workloadidentitypools_namespaces_managedidentities, workloadidentitypools_providers, workloadidentitypools_providers_keys, serviceaccounts, serviceaccounts_keys
03Models
oauthclients.tsv2026.06.08.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessToken? | string | GCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| credentialsJson? | string | GCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| project? | string | GCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables. |
| allowedGrantTypes? | array | Required. The list of OAuth grant types is allowed for the OauthClient. |
| allowedRedirectUris? | array | Required. The list of redirect uris that is allowed to redirect back when authorization process is completed. |
| allowedScopes? | array | Required. The list of scopes that the OauthClient is allowed to request during OAuth flows. The following scopes are supported: * `https://www.googleapis.com/auth/cloud-platform`: See, edit, configure, and delete your Google Cloud data and see the email address for your Google Account. |
| clientType? | enum | Immutable. The type of OauthClient. Either public or private. For private clients, the client secret can be managed using the dedicated OauthClientCredential resource. |
| description? | string | Optional. A user-specified description of the OauthClient. Cannot exceed 256 characters. |
| disabled? | boolean | Optional. Whether the OauthClient is disabled. You cannot use a disabled OAuth client. |
| displayName? | string | Optional. A user-specified display name of the OauthClient. Cannot exceed 32 characters. |
| name? | string | Immutable. Identifier. The resource name of the OauthClient. Format:`projects/{project}/locations/{location}/oauthClients/{oauth_client}`. |
| oauthClientId? | string | Required. The ID to use for the OauthClient, which becomes the final component of the resource name. This value should be a string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified. |
| location? | string | The location for this resource (e.g., 'us', 'us-central1', 'europe-west1') |
fn create(waitForReady?: boolean)
Create a oauthClients
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after creation (default: true) |
fn get(identifier: string)
Get a oauthClients
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the oauthClients |
fn update(waitForReady?: boolean)
Update oauthClients attributes
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after update (default: true) |
fn delete(identifier: string)
Delete the oauthClients
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the oauthClients |
fn sync()
Sync oauthClients state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List oauthClients resources
| Argument | Type | Description |
|---|---|---|
| pageSize? | number | Optional. The maximum number of OauthClients to return. If unspecified, at most 50 OauthClients will be returned. The maximum value is 100; values above 100 are truncated to 100. |
| showDeleted? | boolean | Optional. Whether to return soft-deleted OauthClients. |
| maxPages? | number | Maximum number of pages to fetch (default: 10) |
fn undelete()
undelete
oauthclients_credentials.tsv2026.06.08.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessToken? | string | GCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| credentialsJson? | string | GCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| project? | string | GCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables. |
| disabled? | boolean | Optional. Whether the OauthClientCredential is disabled. You cannot use a disabled OauthClientCredential. |
| displayName? | string | Optional. A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters. |
| name? | string | Immutable. Identifier. The resource name of the OauthClientCredential. Format: `projects/{project}/locations/{location}/oauthClients/{oauth_client}/credentials/{credential}` |
| oauthClientCredentialId? | string | Required. The ID to use for the OauthClientCredential, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. |
| location? | string | The location for this resource (e.g., 'us', 'us-central1', 'europe-west1') |
fn create()
Create a credentials
fn get(identifier: string)
Get a credentials
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the credentials |
fn update()
Update credentials attributes
fn delete(identifier: string)
Delete the credentials
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the credentials |
fn sync()
Sync credentials state from GCP
fn list(maxPages?: number)
List credentials resources
| Argument | Type | Description |
|---|---|---|
| maxPages? | number | Maximum number of pages to fetch (default: 10) |
policies.tsv2026.06.08.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessToken? | string | GCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| credentialsJson? | string | GCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| project? | string | GCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables. |
| annotations? | record | A key-value map to store arbitrary metadata for the `Policy`. Keys can be up to 63 characters. Values can be up to 255 characters. |
| createTime? | string | Output only. The time when the `Policy` was created. |
| deleteTime? | string | Output only. The time when the `Policy` was deleted. Empty if the policy is not deleted. |
| displayName? | string | A user-specified description of the `Policy`. This value can be up to 63 characters. |
| etag? | string | An opaque tag that identifies the current version of the `Policy`. IAM uses this value to help manage concurrent updates, so they do not cause one update to be overwritten by another. If this field is present in a CreatePolicyRequest, the value is ignored. |
| kind? | string | Output only. The kind of the `Policy`. Always contains the value `DenyPolicy`. |
| name? | string | Immutable. The resource name of the `Policy`, which must be unique. Format: `policies/{attachment_point}/denypolicies/{policy_id}` The attachment point is identified by its URL-encoded full resource name, which means that the forward-slash character, `/`, must be written as `%2F`. For example, `policies/cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project/denypolicies/my-deny-policy`. For organizations and folders, use the numeric ID in the full resource name. For projects, requests can use the alphanumeric or the numeric ID. Responses always contain the numeric ID. |
| rules? | array | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. |
| uid? | string | Immutable. The globally unique ID of the `Policy`. Assigned automatically when the `Policy` is created. |
| updateTime? | string | Output only. The time when the `Policy` was last updated. |
fn get(identifier: string)
Get a policies
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the policies |
fn update()
Update policies attributes
fn delete(identifier: string)
Delete the policies
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the policies |
fn sync()
Sync policies state from GCP
fn create_policy(annotations?: any, createTime?: any, deleteTime?: any, displayName?: any, etag?: any, kind?: any, name?: any, rules?: any, uid?: any, updateTime?: any)
create policy
| Argument | Type | Description |
|---|---|---|
| annotations? | any | |
| createTime? | any | |
| deleteTime? | any | |
| displayName? | any | |
| etag? | any | |
| kind? | any | |
| name? | any | |
| rules? | any | |
| uid? | any | |
| updateTime? | any |
fn list_policies()
list policies
roles.tsv2026.06.08.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessToken? | string | GCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| credentialsJson? | string | GCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| project? | string | GCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables. |
| role? | object | The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole. |
| roleId? | string | The role ID to use for this role. A role ID may contain alphanumeric characters, underscores (`_`), and periods (`.`). It must contain a minimum of 3 characters and a maximum of 64 characters. |
| deleted? | boolean | The current deleted state of the role. This field is read only. It will be ignored in calls to CreateRole and UpdateRole. |
| description? | string | Optional. A human-readable description for the role. |
| etag? | string | Used to perform a consistent read-modify-write. |
| includedPermissions? | array | The names of the permissions this role grants when bound in an IAM policy. |
| name? | string | The name of the role. When `Role` is used in `CreateRole`, the role name must not be set. When `Role` is used in output and other input such as `UpdateRole`, the role name is the complete path. For example, `roles/logging.viewer` for predefined roles, `organizations/{ORGANIZATION_ID}/roles/myRole` for organization-level custom roles, and `projects/{PROJECT_ID}/roles/myRole` for project-level custom roles. |
| stage? | enum | The current launch stage of the role. If the `ALPHA` launch stage has been selected for a role, the `stage` field will not be included in the returned definition for the role. |
| title? | string | Optional. A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes. |
| parent? | string | The parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456) |
fn create()
Create a roles
fn get(identifier: string)
Get a roles
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the roles |
fn update()
Update roles attributes
fn delete(identifier: string)
Delete the roles
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the roles |
fn sync()
Sync roles state from GCP
fn list(pageSize?: number, showDeleted?: boolean, view?: string, maxPages?: number)
List roles resources
| Argument | Type | Description |
|---|---|---|
| pageSize? | number | Optional limit on the number of roles to include in the response. The default is 300, and the maximum is 1,000. |
| showDeleted? | boolean | Include Roles that have been deleted. |
| view? | string | Optional view for the returned Role objects. When `FULL` is specified, the `includedPermissions` field is returned, which includes a list of all permissions in the role. The default value is `BASIC`, which does not return the `includedPermissions` field. |
| maxPages? | number | Maximum number of pages to fetch (default: 10) |
fn undelete(etag?: any)
undelete
| Argument | Type | Description |
|---|---|---|
| etag? | any |
serviceaccounts.tsv2026.06.08.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessToken? | string | GCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| credentialsJson? | string | GCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| project? | string | GCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables. |
| accountId? | string | Required. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035. |
| serviceAccount? | object | Optional. A user-specified, human-readable description of the service account. The maximum length is 256 UTF-8 bytes. |
| description? | string | Optional. A user-specified, human-readable description of the service account. The maximum length is 256 UTF-8 bytes. |
| disabled? | boolean | Output only. Whether the service account is disabled. |
| displayName? | string | Optional. A user-specified, human-readable name for the service account. The maximum length is 100 UTF-8 bytes. |
| email? | string | Output only. The email address of the service account. |
| name? | string | The resource name of the service account. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}` * `projects/-/serviceAccounts/{UNIQUE_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account `projects/-/serviceAccounts/fake@example.com`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. |
| oauth2ClientId? | string | Output only. The OAuth 2.0 client ID for the service account. |
| projectId? | string | Output only. The ID of the project that owns the service account. |
| uniqueId? | string | Output only. The unique, stable numeric ID for the service account. Each service account retains its unique ID even if you delete the service account. For example, if you delete a service account, then create a new service account with the same name, the new service account has a different unique ID than the deleted service account. |
| updateMask? | string |
fn create()
Create a serviceAccounts
fn get(identifier: string)
Get a serviceAccounts
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the serviceAccounts |
fn update()
Update serviceAccounts attributes
fn delete(identifier: string)
Delete the serviceAccounts
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the serviceAccounts |
fn sync()
Sync serviceAccounts state from GCP
fn list(pageSize?: number, maxPages?: number)
List serviceAccounts resources
| Argument | Type | Description |
|---|---|---|
| pageSize? | number | Optional limit on the number of service accounts to include in the response. Further accounts can subsequently be obtained by including the ListServiceAccountsResponse.next_page_token in a subsequent request. The default is 20, and the maximum is 100. |
| maxPages? | number | Maximum number of pages to fetch (default: 10) |
fn disable()
disable
fn enable()
enable
fn get_iam_policy()
get iam policy
fn set_iam_policy(policy?: any, updateMask?: any)
set iam policy
| Argument | Type | Description |
|---|---|---|
| policy? | any | |
| updateMask? | any |
fn sign_blob(bytesToSign?: any)
sign blob
| Argument | Type | Description |
|---|---|---|
| bytesToSign? | any |
fn sign_jwt(payload?: any)
sign jwt
| Argument | Type | Description |
|---|---|---|
| payload? | any |
fn test_iam_permissions(permissions?: any)
test iam permissions
| Argument | Type | Description |
|---|---|---|
| permissions? | any |
fn undelete()
undelete
serviceaccounts_keys.tsv2026.06.08.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessToken? | string | GCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| credentialsJson? | string | GCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| project? | string | GCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables. |
| keyAlgorithm? | enum | Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future. |
| privateKeyType? | enum | The output format of the private key. The default value is `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File format. |
| name | string | Required. The resource name of the service account. Use one of the following formats: * `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` * `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: * `projects/-/serviceAccounts/{EMAIL_ADDRESS}` * `projects/-/serviceAccounts/{UNIQUE_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account `projects/-/serviceAccounts/fake@example.com`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. |
fn create()
Create a keys
fn get(identifier: string)
Get a keys
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the keys |
fn delete(identifier: string)
Delete the keys
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the keys |
fn sync()
Sync keys state from GCP
fn list(keyTypes?: string, maxPages?: number)
List keys resources
| Argument | Type | Description |
|---|---|---|
| keyTypes? | string | Filters the types of keys the user wants to include in the list response. Duplicate key types are not allowed. If no key type is provided, all keys are returned. |
| maxPages? | number | Maximum number of pages to fetch (default: 10) |
fn disable(extendedStatusMessage?: any, serviceAccountKeyDisableReason?: any)
disable
| Argument | Type | Description |
|---|---|---|
| extendedStatusMessage? | any | |
| serviceAccountKeyDisableReason? | any |
fn enable()
enable
fn upload(publicKeyData?: any)
upload
| Argument | Type | Description |
|---|---|---|
| publicKeyData? | any |
workforcepools.tsv2026.06.08.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessToken? | string | GCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| credentialsJson? | string | GCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| project? | string | GCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables. |
| accessRestrictions? | object | Optional. Domain name of the service. Example: console.cloud.google |
| description? | string | Optional. A description of the pool. Cannot exceed 256 characters. |
| disabled? | boolean | Optional. Disables the workforce pool. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again. |
| displayName? | string | Optional. A display name for the pool. Cannot exceed 32 characters. |
| name? | string | Identifier. The resource name of the pool. Format: `locations/{location}/workforcePools/{workforce_pool_id}` |
| parent? | string | Immutable. The resource name of the parent. Format: `organizations/{org-id}`. |
| sessionDuration? | string | Optional. Duration that the Google Cloud access tokens, console sign-in sessions, and `gcloud` sign-in sessions from this pool are valid. Must be greater than 15 minutes (900s) and less than 12 hours (43200s). If `session_duration` is not configured, minted credentials have a default duration of one hour (3600s). For SAML providers, the lifetime of the token is the minimum of the `session_duration` and the `SessionNotOnOrAfter` claim in the SAML assertion. |
| location | string | Optional. The location of the pool to create. Format: `locations/{location}`. |
| workforcePoolId? | string | Optional. The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified. |
fn create(waitForReady?: boolean)
Create a workforcePools
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after creation (default: true) |
fn get(identifier: string)
Get a workforcePools
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the workforcePools |
fn update(waitForReady?: boolean)
Update workforcePools attributes
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after update (default: true) |
fn delete(identifier: string)
Delete the workforcePools
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the workforcePools |
fn sync()
Sync workforcePools state from GCP
fn list(pageSize?: number, parent?: string, showDeleted?: boolean, maxPages?: number)
List workforcePools resources
| Argument | Type | Description |
|---|---|---|
| pageSize? | number | The maximum number of pools to return. The default value is 50. The maximum value is 100. |
| parent? | string | Required. The parent resource to list pools for. Format: `organizations/{org-id}`. |
| showDeleted? | boolean | Whether to return soft-deleted pools. |
| maxPages? | number | Maximum number of pages to fetch (default: 10) |
fn get_iam_policy(options?: any)
get iam policy
| Argument | Type | Description |
|---|---|---|
| options? | any |
fn set_iam_policy(policy?: any, updateMask?: any)
set iam policy
| Argument | Type | Description |
|---|---|---|
| policy? | any | |
| updateMask? | any |
fn test_iam_permissions(permissions?: any)
test iam permissions
| Argument | Type | Description |
|---|---|---|
| permissions? | any |
fn undelete()
undelete
workforcepools_providers.tsv2026.06.08.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessToken? | string | GCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| credentialsJson? | string | GCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| project? | string | GCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables. |
| attributeCondition? | string | Optional. A [Common Expression Language](https://opensource.google/projects/cel) expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions: * `assertion`: JSON representing the authentication credential issued by the provider. * `google`: The Google attributes mapped from the assertion in the `attribute_mappings`. `google.profile_photo`, `google.display_name` and `google.posix_username` are not supported. * `attribute`: The custom attributes mapped from the assertion in the `attribute_mappings`. The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials will be accepted. The following example shows how to only allow credentials with a mapped `google.groups` value of `admins`: ` \"'admins' in google.groups\" ` |
| attributeMapping? | record | Required. Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as `subject` and `segment`. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported: * `google.subject`: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes. * `google.groups`: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM `principalSet` binding; access applies to all members of the group. * `google.display_name`: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, `google.subject` will be displayed instead. This attribute cannot be referenced in IAM bindings. * `google.profile_photo`: The URL that specifies the authenticated user\'s thumbnail photo. This is an optional field. When set, the image will be visible as the user\'s profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. * `google.posix_username`: The Linux username used by OS Login. This is an optional field and the mapped POSIX username cannot exceed 32 characters. The key must match the regex `^a-zA-Z0-9._{0,31}$`. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying `attribute.{custom_attribute}`, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters `[a-z0-9_]`. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. For example: * `google.subject`: `principal://iam.googleapis.com/locations/global/workforcePools/{pool}/subject/{value}` * `google.groups`: `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/group/{value}` * `attribute.{custom_attribute}`: `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/attribute.{custom_attribute}/{value}` Each value must be a [Common Expression Language] (https://opensource.google/projects/cel) function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the `assertion` keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 16 KB. For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute. For example, the following maps the `sub` claim of the incoming credential to the `subject` attribute on a Google token: ` {"google.subject": "assertion.sub"} ` |
| description? | string | Optional. A description of the provider. Cannot exceed 256 characters. |
| detailedAuditLogging? | boolean | Optional. If true, populates additional debug information in Cloud Audit Logs for this provider. Logged attribute mappings and values can be found in `sts.googleapis.com` data access logs. Default value is false. |
| disabled? | boolean | Optional. Disables the workforce pool provider. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access. |
| displayName? | string | Optional. A display name for the provider. Cannot exceed 32 characters. |
| extendedAttributesOauth2Client? | object | Required. Represents the IdP and type of claims that should be fetched. |
| extraAttributesOauth2Client? | object | Required. Represents the IdP and type of claims that should be fetched. |
| name? | string | Identifier. The resource name of the provider. Format: `locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}` |
| oidc? | object | Required. The client ID. Must match the audience claim of the JWT issued by the identity provider. |
| saml? | object | Required. SAML Identity provider configuration metadata xml doc. The xml document should comply with [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). The max size of the acceptable xml document will be bounded to 128k characters. The metadata xml document should satisfy the following constraints: 1) Must contain an Identity Provider Entity ID. 2) Must contain at least one non-expired signing key certificate. 3) For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 25 years in the future. 4) Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata. |
| scimUsage? | enum | Optional. Gemini Enterprise only. Specifies whether the workforce identity pool provider uses SCIM-managed groups instead of the `google.groups` attribute mapping for authorization checks. The `scim_usage` and `extended_attributes_oauth2_client` fields are mutually exclusive. A request that enables both fields on the same workforce identity pool provider will produce an error. |
| workforcePoolProviderId? | string | Required. The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters `[a-z0-9-]`. The prefix `gcp-` is reserved for use by Google, and may not be specified. |
| parent? | string | The parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456) |
fn create(waitForReady?: boolean)
Create a providers
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after creation (default: true) |
fn get(identifier: string)
Get a providers
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the providers |
fn update(waitForReady?: boolean)
Update providers attributes
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after update (default: true) |
fn delete(identifier: string)
Delete the providers
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the providers |
fn sync()
Sync providers state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List providers resources
| Argument | Type | Description |
|---|---|---|
| pageSize? | number | The maximum number of providers to return. If unspecified, at most 50 providers are returned. The maximum value is 100; values above 100 are truncated to 100. |
| showDeleted? | boolean | Whether to return soft-deleted providers. |
| maxPages? | number | Maximum number of pages to fetch (default: 10) |
fn undelete()
undelete
workforcepools_providers_keys.tsv2026.06.08.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessToken? | string | GCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| credentialsJson? | string | GCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| project? | string | GCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables. |
| keyData? | object | Output only. The format of the key. |
| name? | string | Identifier. The resource name of the key. Format: `locations/{location}/workforcePools/{workforce_pool_id}/providers/{provider_id}/keys/{key_id}` |
| use? | enum | Required. The purpose of the key. |
| workforcePoolProviderKeyId? | string | Required. The ID to use for the key, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters `[a-z0-9-]`. |
| parent? | string | The parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456) |
fn create(waitForReady?: boolean)
Create a keys
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after creation (default: true) |
fn get(identifier: string)
Get a keys
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the keys |
fn delete(identifier: string)
Delete the keys
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the keys |
fn sync()
Sync keys state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List keys resources
| Argument | Type | Description |
|---|---|---|
| pageSize? | number | The maximum number of keys to return. If unspecified, all keys are returned. The maximum value is 10; values above 10 are truncated to 10. |
| showDeleted? | boolean | Whether to return soft-deleted keys. |
| maxPages? | number | Maximum number of pages to fetch (default: 10) |
fn undelete()
undelete
workforcepools_providers_scimtenants.tsv2026.06.08.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessToken? | string | GCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| credentialsJson? | string | GCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| project? | string | GCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables. |
| claimMapping? | record | Required. Immutable. Gemini Enterprise only. Maps SCIM attributes to Google attributes. This mapping is used to associate the attributes synced via SCIM with the Google Cloud attributes used in IAM policies for Workforce Identity Federation. SCIM-managed user and group attributes are mapped to `google.subject` and `google.group` respectively. Each key must be a string specifying the Google Cloud IAM attribute to map to. The supported keys are as follows: * `google.subject`: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes. * `google.group`: Group the authenticating user belongs to. You can grant group access to resources using an IAM `principalSet` binding; access applies to all members of the group. Each value must be a [Common Expression Language] (https://opensource.google/projects/cel) expression that maps SCIM user or group attribute to the normalized attribute specified by the corresponding map key. Example: To map the SCIM user\'s `externalId` to `google.subject` and the SCIM group\'s `externalId` to `google.group`: ` { "google.subject": "user.externalId", "google.group": "group.externalId" } ` |
| description? | string | Optional. Gemini Enterprise only. The description of the SCIM tenant. Cannot exceed 256 characters. |
| displayName? | string | Optional. Gemini Enterprise only. The display name of the SCIM tenant. Cannot exceed 32 characters. |
| name? | string | Identifier. Gemini Enterprise only. The resource name of the SCIM Tenant. Format: `locations/{location}/workforcePools/{workforce_pool}/providers/ {workforce_pool_provider}/scimTenants/{scim_tenant}` |
| workforcePoolProviderScimTenantId? | string | Required. Gemini Enterprise only. The ID to use for the SCIM tenant, which becomes the final component of the resource name. This value should be 4-32 characters, containing the characters `[a-z0-9-]`. |
| parent? | string | The parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456) |
fn create(waitForReady?: boolean)
Create a scimTenants
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after creation (default: true) |
fn get(identifier: string)
Get a scimTenants
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the scimTenants |
fn update(waitForReady?: boolean)
Update scimTenants attributes
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after update (default: true) |
fn delete(identifier: string)
Delete the scimTenants
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the scimTenants |
fn sync()
Sync scimTenants state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List scimTenants resources
| Argument | Type | Description |
|---|---|---|
| pageSize? | number | Optional. Gemini Enterprise only. The maximum number of SCIM tenants to return. If unspecified, at most 50 SCIM tenants will be returned. The maximum value is 100; values above 100 are truncated to 100. |
| showDeleted? | boolean | Optional. Gemini Enterprise only. Whether to return soft-deleted SCIM tenants. |
| maxPages? | number | Maximum number of pages to fetch (default: 10) |
fn undelete()
undelete
workforcepools_providers_scimtenants_tokens.tsv2026.06.08.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessToken? | string | GCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| credentialsJson? | string | GCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| project? | string | GCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables. |
| displayName? | string | Optional. Gemini Enterprise only. The display name of the SCIM token. Cannot exceed 32 characters. |
| name? | string | Identifier. Gemini Enterprise only. The resource name of the SCIM Token. Format: `locations/{location}/workforcePools/{workforce_pool}/providers/ {workforce_pool_provider}/scimTenants/{scim_tenant}/tokens/{token}` |
| workforcePoolProviderScimTokenId? | string | Required. Gemini Enterprise only. The ID to use for the SCIM token, which becomes the final component of the resource name. This value should be 4-32 characters and follow the pattern: `([a-z]([a-z0-9\\\\-]{2,30}[a-z0-9]))` |
| parent? | string | The parent resource name (e.g., projects/my-project/locations/us-central1, organizations/123, folders/456) |
fn create(waitForReady?: boolean)
Create a tokens
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after creation (default: true) |
fn get(identifier: string)
Get a tokens
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the tokens |
fn update(waitForReady?: boolean)
Update tokens attributes
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after update (default: true) |
fn delete(identifier: string)
Delete the tokens
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the tokens |
fn sync()
Sync tokens state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List tokens resources
| Argument | Type | Description |
|---|---|---|
| pageSize? | number | Optional. Gemini Enterprise only. The maximum number of SCIM tokens to return. If unspecified, at most 2 SCIM tokens will be returned. |
| showDeleted? | boolean | Optional. Gemini Enterprise only. Whether to return soft-deleted SCIM tokens. |
| maxPages? | number | Maximum number of pages to fetch (default: 10) |
workloadidentitypools.tsv2026.06.08.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessToken? | string | GCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| credentialsJson? | string | GCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| project? | string | GCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables. |
| description? | string | Optional. A description of the pool. Cannot exceed 256 characters. |
| disabled? | boolean | Optional. Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again. |
| displayName? | string | Optional. A display name for the pool. Cannot exceed 32 characters. |
| inlineCertificateIssuanceConfig? | object | Optional. A required mapping of a Google Cloud region to the CA pool resource located in that region. The CA pool is used for certificate issuance, adhering to the following constraints: * Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value. * Value format: A valid CA pool resource path format like: \"projects/{project}/locations/{location}/caPools/{ca_pool}\" * Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key). |
| inlineTrustConfig? | object | PEM certificate of the PKI used for validation. Must only contain one ca certificate. |
| mode? | enum | Immutable. The mode the pool is operating in. |
| name? | string | Identifier. The resource name of the pool. |
| workloadIdentityPoolId? | string | Required. The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. |
| location? | string | The location for this resource (e.g., 'us', 'us-central1', 'europe-west1') |
fn create(waitForReady?: boolean)
Create a workloadIdentityPools
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after creation (default: true) |
fn get(identifier: string)
Get a workloadIdentityPools
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the workloadIdentityPools |
fn update(waitForReady?: boolean)
Update workloadIdentityPools attributes
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after update (default: true) |
fn delete(identifier: string)
Delete the workloadIdentityPools
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the workloadIdentityPools |
fn sync()
Sync workloadIdentityPools state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List workloadIdentityPools resources
| Argument | Type | Description |
|---|---|---|
| pageSize? | number | The maximum number of pools to return. If unspecified, at most 50 pools are returned. The maximum value is 1000; values above are 1000 truncated to 1000. |
| showDeleted? | boolean | Whether to return soft-deleted pools. |
| maxPages? | number | Maximum number of pages to fetch (default: 10) |
fn add_attestation_rule(attestationRule?: any)
add attestation rule
| Argument | Type | Description |
|---|---|---|
| attestationRule? | any |
fn get_iam_policy(options?: any)
get iam policy
| Argument | Type | Description |
|---|---|---|
| options? | any |
fn list_attestation_rules()
list attestation rules
fn set_attestation_rules(attestationRules?: any)
set attestation rules
| Argument | Type | Description |
|---|---|---|
| attestationRules? | any |
fn set_iam_policy(policy?: any, updateMask?: any)
set iam policy
| Argument | Type | Description |
|---|---|---|
| policy? | any | |
| updateMask? | any |
fn test_iam_permissions(permissions?: any)
test iam permissions
| Argument | Type | Description |
|---|---|---|
| permissions? | any |
fn undelete()
undelete
workloadidentitypools_namespaces.tsv2026.06.08.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessToken? | string | GCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| credentialsJson? | string | GCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| project? | string | GCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables. |
| description? | string | Optional. A description of the namespace. Cannot exceed 256 characters. |
| disabled? | boolean | Optional. Whether the namespace is disabled. If disabled, credentials may no longer be issued for identities within this namespace, however existing credentials will still be accepted until they expire. |
| name? | string | Identifier. The resource name of the namespace. |
| ownerService? | object | Required. The service agent principal subject, e.g. "serviceAccount:service-1234@gcp-sa-gkehub.iam.gserviceaccount.com". |
| workloadIdentityPoolNamespaceId? | string | Required. The ID to use for the namespace. This value must: * contain at most 63 characters * contain only lowercase alphanumeric characters or `-` * start with an alphanumeric character * end with an alphanumeric character The prefix "gcp-" will be reserved for future uses. |
| location? | string | The location for this resource (e.g., 'us', 'us-central1', 'europe-west1') |
fn create(waitForReady?: boolean)
Create a namespaces
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after creation (default: true) |
fn get(identifier: string)
Get a namespaces
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the namespaces |
fn update(waitForReady?: boolean)
Update namespaces attributes
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after update (default: true) |
fn delete(identifier: string)
Delete the namespaces
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the namespaces |
fn sync()
Sync namespaces state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List namespaces resources
| Argument | Type | Description |
|---|---|---|
| pageSize? | number | The maximum number of namespaces to return. If unspecified, at most 50 namespaces are returned. The maximum value is 1000; values above are 1000 truncated to 1000. |
| showDeleted? | boolean | Whether to return soft-deleted namespaces. |
| maxPages? | number | Maximum number of pages to fetch (default: 10) |
fn undelete()
undelete
workloadidentitypools_namespaces_managedidentities.tsv2026.06.08.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessToken? | string | GCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| credentialsJson? | string | GCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| project? | string | GCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables. |
| description? | string | Optional. A description of the managed identity. Cannot exceed 256 characters. |
| disabled? | boolean | Optional. Whether the managed identity is disabled. If disabled, credentials may no longer be issued for the identity, however existing credentials will still be accepted until they expire. |
| name? | string | Identifier. The resource name of the managed identity. |
| workloadIdentityPoolManagedIdentityId? | string | Required. The ID to use for the managed identity. This value must: * contain at most 63 characters * contain only lowercase alphanumeric characters or `-` * start with an alphanumeric character * end with an alphanumeric character The prefix "gcp-" will be reserved for future uses. |
| location? | string | The location for this resource (e.g., 'us', 'us-central1', 'europe-west1') |
fn create(waitForReady?: boolean)
Create a managedIdentities
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after creation (default: true) |
fn get(identifier: string)
Get a managedIdentities
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the managedIdentities |
fn update(waitForReady?: boolean)
Update managedIdentities attributes
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after update (default: true) |
fn delete(identifier: string)
Delete the managedIdentities
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the managedIdentities |
fn sync()
Sync managedIdentities state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List managedIdentities resources
| Argument | Type | Description |
|---|---|---|
| pageSize? | number | The maximum number of managed identities to return. If unspecified, at most 50 managed identities are returned. The maximum value is 1000; values above are 1000 truncated to 1000. |
| showDeleted? | boolean | Whether to return soft-deleted managed identities. |
| maxPages? | number | Maximum number of pages to fetch (default: 10) |
fn add_attestation_rule(attestationRule?: any)
add attestation rule
| Argument | Type | Description |
|---|---|---|
| attestationRule? | any |
fn list_attestation_rules()
list attestation rules
fn set_attestation_rules(attestationRules?: any)
set attestation rules
| Argument | Type | Description |
|---|---|---|
| attestationRules? | any |
fn undelete()
undelete
workloadidentitypools_providers.tsv2026.06.08.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessToken? | string | GCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| credentialsJson? | string | GCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| project? | string | GCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables. |
| attributeCondition? | string | Optional. [A Common Expression Language](https://opensource.google/projects/cel) expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions: * `assertion`: JSON representing the authentication credential issued by the provider. * `google`: The Google attributes mapped from the assertion in the `attribute_mappings`. * `attribute`: The custom attributes mapped from the assertion in the `attribute_mappings`. The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credential are accepted. The following example shows how to only allow credentials with a mapped `google.groups` value of `admins`: ` \"'admins' in google.groups\" ` |
| attributeMapping? | record | Optional. Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as `subject` and `segment`. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported: * `google.subject`: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 bytes. * `google.groups`: Groups the external identity belongs to. You can grant groups access to resources using an IAM `principalSet` binding; access applies to all members of the group. You can also provide custom attributes by specifying `attribute.{custom_attribute}`, where `{custom_attribute}` is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example: * `google.subject`: `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}` * `google.groups`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}` * `attribute.{custom_attribute}`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}` Each value must be a [Common Expression Language] (https://opensource.google/projects/cel) function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the `assertion` keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, if no attribute mapping is defined, the following default mapping applies: ` { "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains(\'assumed-role\')" "? assertion.arn.extract(\'{account_arn}assumed-role/\')" " + \'assumed-role/\'" " + assertion.arn.extract(\'assumed-role/{role_name}/\')" ": assertion.arn", } ` If any custom attribute mappings are defined, they must include a mapping to the `google.subject` attribute. For OIDC providers, you must supply a custom mapping, which must include the `google.subject` attribute. For example, the following maps the `sub` claim of the incoming credential to the `subject` attribute on a Google token: ` {"google.subject": "assertion.sub"} ` |
| aws? | object | Required. The AWS account ID. |
| description? | string | Optional. A description for the provider. Cannot exceed 256 characters. |
| disabled? | boolean | Optional. Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access. |
| displayName? | string | Optional. A display name for the provider. Cannot exceed 32 characters. |
| name? | string | Identifier. The resource name of the provider. |
| oidc? | object | Optional. Acceptable values for the `aud` field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: ` //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ ` |
| saml? | object | Required. SAML identity provider (IdP) configuration metadata XML doc. The XML document must comply with the [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). The maximum size of an acceptable XML document is 128K characters. The SAML metadata XML document must satisfy the following constraints: * Must contain an IdP Entity ID. * Must contain at least one non-expired signing certificate. * For each signing certificate, the expiration must be: * From no more than 7 days in the future. * To no more than 25 years in the future. * Up to three IdP signing keys are allowed. When updating the provider's metadata XML, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata. |
| x509? | object | PEM certificate of the PKI used for validation. Must only contain one ca certificate. |
| workloadIdentityPoolProviderId? | string | Required. The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. |
| location? | string | The location for this resource (e.g., 'us', 'us-central1', 'europe-west1') |
fn create(waitForReady?: boolean)
Create a providers
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after creation (default: true) |
fn get(identifier: string)
Get a providers
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the providers |
fn update(waitForReady?: boolean)
Update providers attributes
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after update (default: true) |
fn delete(identifier: string)
Delete the providers
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the providers |
fn sync()
Sync providers state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List providers resources
| Argument | Type | Description |
|---|---|---|
| pageSize? | number | The maximum number of providers to return. If unspecified, at most 50 providers are returned. The maximum value is 100; values above 100 are truncated to 100. |
| showDeleted? | boolean | Whether to return soft-deleted providers. |
| maxPages? | number | Maximum number of pages to fetch (default: 10) |
fn undelete()
undelete
workloadidentitypools_providers_keys.tsv2026.06.08.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| accessToken? | string | GCP OAuth2 access token; overrides GCP_ACCESS_TOKEN environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| credentialsJson? | string | GCP service account JSON credentials; overrides GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable. Wire with a vault.get(...) expression to source it from a vault. |
| project? | string | GCP project ID; overrides GCP_PROJECT / GOOGLE_CLOUD_PROJECT environment variables. |
| keyData? | object | Output only. The format of the key. |
| name? | string | Identifier. The resource name of the key. |
| use? | enum | Required. The purpose of the key. |
| workloadIdentityPoolProviderKeyId? | string | Required. The ID to use for the key, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. |
| location? | string | The location for this resource (e.g., 'us', 'us-central1', 'europe-west1') |
fn create(waitForReady?: boolean)
Create a keys
| Argument | Type | Description |
|---|---|---|
| waitForReady? | boolean | Wait for the resource to reach a ready state after creation (default: true) |
fn get(identifier: string)
Get a keys
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the keys |
fn delete(identifier: string)
Delete the keys
| Argument | Type | Description |
|---|---|---|
| identifier | string | The name of the keys |
fn sync()
Sync keys state from GCP
fn list(pageSize?: number, showDeleted?: boolean, maxPages?: number)
List keys resources
| Argument | Type | Description |
|---|---|---|
| pageSize? | number | The maximum number of keys to return. If unspecified, all keys are returned. The maximum value is 10; values above 10 are truncated to 10. |
| showDeleted? | boolean | Whether to return soft deleted resources as well. |
| maxPages? | number | Maximum number of pages to fetch (default: 10) |
fn undelete()
undelete
04Previous Versions
2026.06.07.1Jun 7, 2026
- Updated: policies, workforcepools, workforcepools_providers, workforcepools_providers_keys, workforcepools_providers_scimtenants, workforcepools_providers_scimtenants_tokens, roles, oauthclients, oauthclients_credentials, workloadidentitypools, workloadidentitypools_namespaces, workloadidentitypools_namespaces_managedidentities, workloadidentitypools_providers, workloadidentitypools_providers_keys, serviceaccounts, serviceaccounts_keys
2026.06.06.2Jun 6, 2026
- Updated: serviceaccounts
2026.06.05.1Jun 5, 2026
- Added: workforcepools, workforcepools_providers, workforcepools_providers_keys, workforcepools_providers_scimtenants, workforcepools_providers_scimtenants_tokens, oauthclients, oauthclients_credentials, workloadidentitypools, workloadidentitypools_namespaces, workloadidentitypools_namespaces_managedidentities, workloadidentitypools_providers, workloadidentitypools_providers_keys, serviceaccounts, serviceaccounts_keys
Added 14 models
2026.05.26.1May 26, 2026
- Added: roles
Added 1 models
2026.05.25.1May 25, 2026
- Updated: policies
Removed 1 models
2026.05.24.1May 24, 2026
- Updated: roles, policies
2026.05.21.3May 21, 2026
- Updated: policies, roles
2026.05.21.2May 21, 2026
Added 1 models
2026.05.19.2May 19, 2026
2026.05.19.1May 19, 2026
2026.04.23.1Apr 23, 2026
2026.04.03.3Apr 3, 2026
- Updated: policies
2026.04.03.1Apr 3, 2026
- Updated: policies
2026.04.02.2Apr 2, 2026
2026.03.27.1Mar 27, 2026
- Added: policies
05Stats
A
100 / 100
Downloads
42
Archive size
216.7 KB
Verified by Swamp
- Has README or module doc2/2earned
- README has a code example1/1earned
- README is substantive1/1earned
- Most symbols documented1/1earned
- No slow types (deprecated)1/1earned
- Dependencies pass trust audit2/2earned
- Has description1/1earned
- Platform support declared (or universal)2/2earned
- License declared1/1earned
- Verified public repository2/2earned
06Platforms
07Labels