package google.iam.v1beta

Get desktop application:
View/edit binary Protocol Buffers messages

Manages WorkloadIdentityPools.

• rpc ListWorkloadIdentityPools (ListWorkloadIdentityPoolsRequest, ListWorkloadIdentityPoolsResponse)

  workload_identity_pool.proto:40

  Lists all non-deleted [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool]s in a project. If `show_deleted` is set to `true`, then deleted pools are also listed.

  message ListWorkloadIdentityPoolsRequest

  workload_identity_pool.proto:445

  Request message for ListWorkloadIdentityPools.

  • string parent = 1

    Required. The parent resource to list pools for.

  • int32 page_size = 2

    The maximum number of pools to return. If unspecified, at most 50 pools are returned. The maximum value is 1000; values above are 1000 truncated to 1000.

  • string page_token = 3

    A page token, received from a previous `ListWorkloadIdentityPools` call. Provide this to retrieve the subsequent page.

  • bool show_deleted = 4

    Whether to return soft-deleted pools.

  message ListWorkloadIdentityPoolsResponse

  workload_identity_pool.proto:468

  Response message for ListWorkloadIdentityPools.

  • repeated WorkloadIdentityPool workload_identity_pools = 1

    A list of pools.

  • string next_page_token = 2

    A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages.

• rpc GetWorkloadIdentityPool (GetWorkloadIdentityPoolRequest, WorkloadIdentityPool)

  workload_identity_pool.proto:49

  Gets an individual [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].

  message GetWorkloadIdentityPoolRequest

  workload_identity_pool.proto:478

  Request message for GetWorkloadIdentityPool.

  • string name = 1

    Required. The name of the pool to retrieve.

• rpc CreateWorkloadIdentityPool (CreateWorkloadIdentityPoolRequest, longrunning.Operation)

  workload_identity_pool.proto:60

  Creates a new [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool]. You cannot reuse the name of a deleted pool until 30 days after deletion.

  message CreateWorkloadIdentityPoolRequest

  workload_identity_pool.proto:489

  Request message for CreateWorkloadIdentityPool.

  • string parent = 1

    Required. The parent resource to create the pool in. The only supported location is `global`.

  • optional WorkloadIdentityPool workload_identity_pool = 2

    Required. The pool to create.

  • string workload_identity_pool_id = 3

    Required. The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified.

• rpc UpdateWorkloadIdentityPool (UpdateWorkloadIdentityPoolRequest, longrunning.Operation)

  workload_identity_pool.proto:74

  Updates an existing [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool].

  message UpdateWorkloadIdentityPoolRequest

  workload_identity_pool.proto:510

  Request message for UpdateWorkloadIdentityPool.

  • optional WorkloadIdentityPool workload_identity_pool = 1

    Required. The pool to update. The `name` field is used to identify the pool.

  • optional protobuf.FieldMask update_mask = 2

    Required. The list of fields update.

• rpc DeleteWorkloadIdentityPool (DeleteWorkloadIdentityPoolRequest, longrunning.Operation)

  workload_identity_pool.proto:98

  Deletes a [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool]. You cannot use a deleted pool to exchange external credentials for Google Cloud credentials. However, deletion does not revoke credentials that have already been issued. Credentials issued for a deleted pool do not grant access to resources. If the pool is undeleted, and the credentials are not expired, they grant access again. You can undelete a pool for 30 days. After 30 days, deletion is permanent. You cannot update deleted pools. However, you can view and list them.

  message DeleteWorkloadIdentityPoolRequest

  workload_identity_pool.proto:519

  Request message for DeleteWorkloadIdentityPool.

  • string name = 1

    Required. The name of the pool to delete.

• rpc UndeleteWorkloadIdentityPool (UndeleteWorkloadIdentityPoolRequest, longrunning.Operation)

  workload_identity_pool.proto:111

  Undeletes a [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool], as long as it was deleted fewer than 30 days ago.

  message UndeleteWorkloadIdentityPoolRequest

  workload_identity_pool.proto:530

  Request message for UndeleteWorkloadIdentityPool.

  • string name = 1

    Required. The name of the pool to undelete.

• rpc ListWorkloadIdentityPoolProviders (ListWorkloadIdentityPoolProvidersRequest, ListWorkloadIdentityPoolProvidersResponse)

  workload_identity_pool.proto:127

  Lists all non-deleted [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityPoolProvider]s in a [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool]. If `show_deleted` is set to `true`, then deleted providers are also listed.

  message ListWorkloadIdentityPoolProvidersRequest

  workload_identity_pool.proto:541

  Request message for ListWorkloadIdentityPoolProviders.

  • string parent = 1

    Required. The pool to list providers for.

  • int32 page_size = 2

    The maximum number of providers to return. If unspecified, at most 50 providers are returned. The maximum value is 100; values above 100 are truncated to 100.

  • string page_token = 3

    A page token, received from a previous `ListWorkloadIdentityPoolProviders` call. Provide this to retrieve the subsequent page.

  • bool show_deleted = 4

    Whether to return soft-deleted providers.

  message ListWorkloadIdentityPoolProvidersResponse

  workload_identity_pool.proto:565

  Response message for ListWorkloadIdentityPoolProviders.

  • repeated WorkloadIdentityPoolProvider workload_identity_pool_providers = 1

    A list of providers.

  • string next_page_token = 2

    A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages.

• rpc GetWorkloadIdentityPoolProvider (GetWorkloadIdentityPoolProviderRequest, WorkloadIdentityPoolProvider)

  workload_identity_pool.proto:136

  Gets an individual [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityPoolProvider].

  message GetWorkloadIdentityPoolProviderRequest

  workload_identity_pool.proto:575

  Request message for GetWorkloadIdentityPoolProvider.

  • string name = 1

    Required. The name of the provider to retrieve.

• rpc CreateWorkloadIdentityPoolProvider (CreateWorkloadIdentityPoolProviderRequest, longrunning.Operation)

  workload_identity_pool.proto:149

  Creates a new [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityProvider] in a [WorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPool]. You cannot reuse the name of a deleted provider until 30 days after deletion.

  message CreateWorkloadIdentityPoolProviderRequest

  workload_identity_pool.proto:586

  Request message for CreateWorkloadIdentityPoolProvider.

  • string parent = 1

    Required. The pool to create this provider in.

  • optional WorkloadIdentityPoolProvider workload_identity_pool_provider = 2

    Required. The provider to create.

  • string workload_identity_pool_provider_id = 3

    Required. The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified.

• rpc UpdateWorkloadIdentityPoolProvider (UpdateWorkloadIdentityPoolProviderRequest, longrunning.Operation)

  workload_identity_pool.proto:163

  Updates an existing [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityProvider].

  message UpdateWorkloadIdentityPoolProviderRequest

  workload_identity_pool.proto:606

  Request message for UpdateWorkloadIdentityPoolProvider.

  • optional WorkloadIdentityPoolProvider workload_identity_pool_provider = 1

    Required. The provider to update.

  • optional protobuf.FieldMask update_mask = 2

    Required. The list of fields to update.

• rpc DeleteWorkloadIdentityPoolProvider (DeleteWorkloadIdentityPoolProviderRequest, longrunning.Operation)

  workload_identity_pool.proto:182

  Deletes a [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityProvider]. Deleting a provider does not revoke credentials that have already been issued; they continue to grant access. You can undelete a provider for 30 days. After 30 days, deletion is permanent. You cannot update deleted providers. However, you can view and list them.

  message DeleteWorkloadIdentityPoolProviderRequest

  workload_identity_pool.proto:615

  Request message for DeleteWorkloadIdentityPoolProvider.

  • string name = 1

    Required. The name of the provider to delete.

• rpc UndeleteWorkloadIdentityPoolProvider (UndeleteWorkloadIdentityPoolProviderRequest, longrunning.Operation)

  workload_identity_pool.proto:196

  Undeletes a [WorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityProvider], as long as it was deleted fewer than 30 days ago.

  message UndeleteWorkloadIdentityPoolProviderRequest

  workload_identity_pool.proto:626

  Request message for UndeleteWorkloadIdentityPoolProvider.

  • string name = 1

    Required. The name of the provider to undelete.

Represents a collection of external workload identities. You can define IAM policies to grant these identities access to Google Cloud resources.

Used as response type in: WorkloadIdentityPools.GetWorkloadIdentityPool

Used as field type in: CreateWorkloadIdentityPoolRequest, ListWorkloadIdentityPoolsResponse, UpdateWorkloadIdentityPoolRequest

• string name = 1

  Output only. The resource name of the pool.

• string display_name = 2

  A display name for the pool. Cannot exceed 32 characters.

• string description = 3

  A description of the pool. Cannot exceed 256 characters.

• WorkloadIdentityPool.State state = 4

  Output only. The state of the pool.

• bool disabled = 5

  Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

The current state of the pool.

Used in: WorkloadIdentityPool

• STATE_UNSPECIFIED = 0

  State unspecified.

• ACTIVE = 1

  The pool is active, and may be used in Google Cloud policies.

• DELETED = 2

  The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using [UndeleteWorkloadIdentityPool][google.iam.v1beta.WorkloadIdentityPools.UndeleteWorkloadIdentityPool]. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

Metadata for long-running WorkloadIdentityPool operations.

(message has no fields)

A configuration for an external identity provider.

Used as response type in: WorkloadIdentityPools.GetWorkloadIdentityPoolProvider

Used as field type in: CreateWorkloadIdentityPoolProviderRequest, ListWorkloadIdentityPoolProvidersResponse, UpdateWorkloadIdentityPoolProviderRequest

• string name = 1

  Output only. The resource name of the provider.

• string display_name = 2

  A display name for the provider. Cannot exceed 32 characters.

• string description = 3

  A description for the provider. Cannot exceed 256 characters.

• WorkloadIdentityPoolProvider.State state = 4

  Output only. The state of the provider.

• bool disabled = 5

  Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access.

• map<string, string> attribute_mapping = 6

  Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as `subject` and `segment`. Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported: * `google.subject`: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters. * `google.groups`: Groups the external identity belongs to. You can grant groups access to resources using an IAM `principalSet` binding; access applies to all members of the group. You can also provide custom attributes by specifying `attribute.{custom_attribute}`, where `{custom_attribute}` is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example: * `google.subject`: `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}` * `google.groups`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}` * `attribute.{custom_attribute}`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}` Each value must be a [Common Expression Language] (https://opensource.google/projects/cel) function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the `assertion` keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, the following rules apply: - If no attribute mapping is defined, the following default mapping applies: ``` { "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " : assertion.arn", } ``` - If any custom attribute mappings are defined, they must include a mapping to the `google.subject` attribute. For OIDC providers, the following rules apply: - Custom attribute mappings must be defined, and must include a mapping to the `google.subject` attribute. For example, the following maps the `sub` claim of the incoming credential to the `subject` attribute on a Google token. ``` {"google.subject": "assertion.sub"} ```

• string attribute_condition = 7

  [A Common Expression Language](https://opensource.google/projects/cel) expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions: * `assertion`: JSON representing the authentication credential issued by the provider. * `google`: The Google attributes mapped from the assertion in the `attribute_mappings`. * `attribute`: The custom attributes mapped from the assertion in the `attribute_mappings`. The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credential are accepted. The following example shows how to only allow credentials with a mapped `google.groups` value of `admins`: ``` "'admins' in google.groups" ```

• oneof provider_config

  Identity provider configuration types.

  • WorkloadIdentityPoolProvider.Aws aws = 8

    An Amazon Web Services identity provider.

  • WorkloadIdentityPoolProvider.Oidc oidc = 9

    An OpenId Connect 1.0 identity provider.

Represents an Amazon Web Services identity provider.

Used in: WorkloadIdentityPoolProvider

• string account_id = 1

  Required. The AWS account ID.

Represents an OpenId Connect 1.0 identity provider.

Used in: WorkloadIdentityPoolProvider

• string issuer_uri = 1

  Required. The OIDC issuer URL.

• repeated string allowed_audiences = 2

  Acceptable values for the `aud` field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: ``` //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id> https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id> ```

The current state of the provider.

Used in: WorkloadIdentityPoolProvider

• STATE_UNSPECIFIED = 0

  State unspecified.

• ACTIVE = 1

  The provider is active, and may be used to validate authentication credentials.

• DELETED = 2

  The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using [UndeleteWorkloadIdentityPoolProvider][google.iam.v1beta.WorkloadIdentityPools.UndeleteWorkloadIdentityPoolProvider]. You cannot reuse the ID of a soft-deleted provider until it is permanently deleted.

Metadata for long-running WorkloadIdentityPoolProvider operations.

(message has no fields)