google_iam_workload_identity_pool_provider

A configuration for an external identity provider.

To get more information about WorkloadIdentityPoolProvider, see:


Example Usage - Iam Workload Identity Pool Provider Aws Basic

# The pool is the container for providers; the provider below references its id.
resource "google_iam_workload_identity_pool" "pool" {
  workload_identity_pool_id = "example-pool"
}

# Minimal AWS provider: only the trusting AWS account is specified.
# NOTE(review): no attribute_condition is set, so nothing in this resource
# narrows which principals of that account may federate — see the "Aws Full"
# example below for how attribute_condition restricts this to specific roles.
resource "google_iam_workload_identity_pool_provider" "example" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "example-prvdr"
  aws {
    # 12-digit AWS account whose identities this provider trusts.
    account_id = "999999999999"
  }
}

Example Usage - Iam Workload Identity Pool Provider Aws Full

# The pool is the container for providers; the provider below references its id.
resource "google_iam_workload_identity_pool" "pool" {
  workload_identity_pool_id = "example-pool"
}

# AWS provider with every optional argument set.
resource "google_iam_workload_identity_pool_provider" "example" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "example-prvdr"
  display_name                       = "Name of provider"
  description                        = "AWS identity pool provider for automated test"
  # Created in the disabled state; set to false (or omit) to allow token exchange.
  disabled                           = true
  # CEL expression evaluated on the mapped attributes: only a credential whose
  # aws_role attribute equals this exact assumed-role ARN is accepted.
  # NOTE(review): attribute.aws_role is not defined by the custom attribute_mapping
  # below (the default AWS mapping shown in the Argument Reference derives it from
  # assertion.arn) — confirm the condition is evaluable or add that mapping.
  attribute_condition                = "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\""
  # Custom mappings replace the defaults and must include google.subject.
  attribute_mapping                  = {
    "google.subject"        = "assertion.arn"
    "attribute.aws_account" = "assertion.account"
    # Labels the credential "prod" only when the ARN names the Production
    # instance profile; everything else maps to "test".
    "attribute.environment" = "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\""
  }
  aws {
    # 12-digit AWS account whose identities this provider trusts.
    account_id = "999999999999"
  }
}

Example Usage - Iam Workload Identity Pool Provider Oidc Basic

# The pool is the container for providers; the provider below references its id.
resource "google_iam_workload_identity_pool" "pool" {
  workload_identity_pool_id = "example-pool"
}

# Minimal OIDC provider.
resource "google_iam_workload_identity_pool_provider" "example" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "example-prvdr"
  # OIDC providers require a custom mapping that includes google.subject;
  # here the token's `sub` claim becomes the Google subject.
  attribute_mapping                  = {
    "google.subject" = "assertion.sub"
  }
  oidc {
    # Issuer whose tokens are accepted; "azure-tenant-id" is a placeholder.
    # NOTE(review): allowed_audiences is not set, so presumably only tokens
    # carrying the provider's default audience (the resource-name formats listed
    # under the oidc block reference) are accepted — confirm before relying on it.
    issuer_uri        = "https://sts.windows.net/azure-tenant-id"
  }
}

Example Usage - Iam Workload Identity Pool Provider Oidc Full

# The pool is the container for providers; the provider below references its id.
resource "google_iam_workload_identity_pool" "pool" {
  workload_identity_pool_id = "example-pool"
}

# OIDC provider with every optional argument set (Azure AD issuer).
resource "google_iam_workload_identity_pool_provider" "example" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "example-prvdr"
  display_name                       = "Name of provider"
  description                        = "OIDC identity pool provider for automated test"
  # Created in the disabled state; set to false (or omit) to allow token exchange.
  disabled                           = true
  # Only tokens whose `groups` claim contains this group id are accepted;
  # the id is a sample value and must be replaced with the real group.
  attribute_condition                = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"
  attribute_mapping                  = {
    # Subject is prefixed with the tenant id so the same `sub` from another
    # tenant yields a different Google subject.
    "google.subject"                  = "\"azure::\" + assertion.tid + \"::\" + assertion.sub"
    "attribute.tid"                   = "assertion.tid"
    # Heredoc holds a CEL map literal indexed by the token's `oid` claim,
    # translating known object ids into workload names.
    "attribute.managed_identity_name" = <<EOT
      {
        "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
        "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
      }[assertion.oid]
EOT
  }
  oidc {
    # Explicit list of accepted `aud` values; tokens minted for other audiences are rejected.
    allowed_audiences = ["https://example.com/gcp-oidc-federation", "example.com/gcp-oidc-federation"]
    # Issuer whose tokens are accepted; "azure-tenant-id" is a placeholder.
    issuer_uri        = "https://sts.windows.net/azure-tenant-id"
  }
}

Example Usage - Iam Workload Identity Pool Provider Saml Basic

# The pool is the container for providers; the provider below references its id.
resource "google_iam_workload_identity_pool" "pool" {
  workload_identity_pool_id = "example-pool"
}

# Minimal SAML 2.0 provider.
resource "google_iam_workload_identity_pool_provider" "example" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "example-prvdr"
  # NOTE(review): these mappings reference AWS-style claims (assertion.arn,
  # assertion.account) and look copied from the AWS example; a SAML assertion
  # does not carry them. Confirm against the attributes your IdP actually emits
  # (google.subject is typically derived from assertion.subject) before use.
  attribute_mapping                  = {
    "google.subject"        = "assertion.arn"
    "attribute.aws_account" = "assertion.account"
    "attribute.environment" = "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\""
  }
  saml {
    # IdP metadata document read from disk; it typically carries the IdP's
    # signing certificate, so it must come from a trusted source.
    idp_metadata_xml = file("test-fixtures/metadata.xml")
  }
}

Example Usage - Iam Workload Identity Pool Provider Saml Full

# The pool is the container for providers; the provider below references its id.
resource "google_iam_workload_identity_pool" "pool" {
  workload_identity_pool_id = "example-pool"
}

# SAML 2.0 provider with the optional descriptive arguments set.
resource "google_iam_workload_identity_pool_provider" "example" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "example-prvdr"
  display_name                       = "Name of provider"
  description                        = "SAML 2.0 identity pool provider for automated test"
  # Created in the disabled state; set to false (or omit) to allow token exchange.
  disabled                           = true
  # NOTE(review): these mappings reference AWS-style claims (assertion.arn,
  # assertion.account) and look copied from the AWS example; a SAML assertion
  # does not carry them. Confirm against the attributes your IdP actually emits
  # (google.subject is typically derived from assertion.subject) before use.
  attribute_mapping                  = {
    "google.subject"        = "assertion.arn"
    "attribute.aws_account" = "assertion.account"
    "attribute.environment" = "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\""
  }
  saml {
    # IdP metadata document read from disk; it typically carries the IdP's
    # signing certificate, so it must come from a trusted source.
    idp_metadata_xml = file("test-fixtures/metadata.xml")
  }
}

Example Usage - Iam Workload Identity Pool Provider Oidc Upload Key

# The pool is the container for providers; the provider below references its id.
resource "google_iam_workload_identity_pool" "pool" {
  workload_identity_pool_id = "example-pool"
}

# OIDC provider whose signing keys are supplied inline instead of discovered
# from the issuer.
resource "google_iam_workload_identity_pool_provider" "example" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "example-prvdr"
  display_name                       = "Name of provider"
  description                        = "OIDC identity pool provider for automated test"
  # Created in the disabled state; set to false (or omit) to allow token exchange.
  disabled                           = true
  # Only tokens whose `groups` claim contains this group id are accepted;
  # the id is a sample value and must be replaced with the real group.
  attribute_condition                = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"
  attribute_mapping                  = {
    # Subject is prefixed with the tenant id so the same `sub` from another
    # tenant yields a different Google subject.
    "google.subject"                  = "\"azure::\" + assertion.tid + \"::\" + assertion.sub"
    "attribute.tid"                   = "assertion.tid"
    # Heredoc holds a CEL map literal indexed by the token's `oid` claim,
    # translating known object ids into workload names.
    "attribute.managed_identity_name" = <<EOT
      {
        "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
        "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
      }[assertion.oid]
EOT
  }
  oidc {
    # Explicit list of accepted `aud` values; tokens minted for other audiences are rejected.
    allowed_audiences = ["https://example.com/gcp-oidc-federation", "example.com/gcp-oidc-federation"]
    # Issuer whose tokens are accepted; "azure-tenant-id" is a placeholder.
    issuer_uri        = "https://sts.windows.net/azure-tenant-id"
    # JWK Set used to verify token signatures. The entry is an RSA public key
    # (only "n" and "e" are present, no private component), so no secret is
    # stored in this configuration. NOTE(review): because the keys are pinned
    # here rather than fetched from the issuer, a key rotation at the IdP
    # presumably requires updating this attribute — confirm the rotation process.
    jwks_json         = "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}"
  }
}

Argument Reference

The following arguments are supported:


      {
        "google.subject":"assertion.arn",
        "attribute.aws_role":
          "assertion.arn.contains('assumed-role')"
          " ? assertion.arn.extract('{account_arn}assumed-role/')"
          "   + 'assumed-role/'"
          "   + assertion.arn.extract('assumed-role/{role_name}/')"
          " : assertion.arn",
      }
- If any custom attribute mappings are defined, they must include a mapping to the
  `google.subject` attribute.

For OIDC providers, the following rules apply:

- Custom attribute mappings must be defined, and must include a mapping to the `google.subject` attribute. For example, the following maps the `sub` claim of the incoming credential to the subject attribute on a Google token.

      {"google.subject": "assertion.sub"}
  "'admins' in google.groups"

The aws block supports:

The oidc block supports:

  //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
  https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
  {
    "keys": [
      {
            "kty": "RSA/EC",
            "alg": "<algorithm>",
            "use": "sig",
            "kid": "<key-id>",
            "n": "",
            "e": "",
            "x": "",
            "y": "",
            "crv": ""
      }
    ]
  }

The saml block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

WorkloadIdentityPoolProvider can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import WorkloadIdentityPoolProvider using one of the formats above. For example:

# Import block (Terraform v1.5.0+): the id uses the full resource-name format;
# the two shorter forms listed for `terraform import` are also accepted.
import {
  id = "projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}"
  to = google_iam_workload_identity_pool_provider.default
}

When using the `terraform import` command, WorkloadIdentityPoolProvider can be imported using one of the formats above. For example:

$ terraform import google_iam_workload_identity_pool_provider.default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}
$ terraform import google_iam_workload_identity_pool_provider.default {{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
$ terraform import google_iam_workload_identity_pool_provider.default {{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}

User Project Overrides

This resource supports User Project Overrides.