IdentityPlatformConfig


Google Cloud Service Name: Identity Platform
Google Cloud Service Documentation: /identity-platform/docs/
Google Cloud REST Resource Name: v2.projects
Google Cloud REST Resource Documentation: /identity-platform/docs/reference/rest/v2/Config
Config Connector Resource Short Names: IdentityPlatformConfig, gcpidentityplatformconfig, gcpidentityplatformconfigs, identityplatformconfig
Config Connector Service Name: identitytoolkit.googleapis.com
Config Connector Resource Fully Qualified Name: identityplatformconfigs.identityplatform.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember: No
Config Connector Default Average Reconcile Interval In Seconds: 600

Custom Resource Definition Properties

Spec

Schema

authorizedDomains:
- string
blockingFunctions:
  triggers:
    string: object
client:
  permissions:
    disabledUserDeletion: boolean
    disabledUserSignup: boolean
mfa:
  state: string
monitoring:
  requestLogging:
    enabled: boolean
multiTenant:
  allowTenants: boolean
  defaultTenantLocationRef:
    external: string
    kind: string
    name: string
    namespace: string
notification:
  defaultLocale: string
  sendEmail:
    callbackUri: string
    changeEmailTemplate:
      body: string
      bodyFormat: string
      replyTo: string
      senderDisplayName: string
      senderLocalPart: string
      subject: string
    dnsInfo:
      useCustomDomain: boolean
    method: string
    resetPasswordTemplate:
      body: string
      bodyFormat: string
      replyTo: string
      senderDisplayName: string
      senderLocalPart: string
      subject: string
    revertSecondFactorAdditionTemplate:
      body: string
      bodyFormat: string
      replyTo: string
      senderDisplayName: string
      senderLocalPart: string
      subject: string
    smtp:
      host: string
      password:
        value: string
        valueFrom:
          secretKeyRef:
            key: string
            name: string
      port: integer
      securityMode: string
      senderEmail: string
      username: string
    verifyEmailTemplate:
      body: string
      bodyFormat: string
      replyTo: string
      senderDisplayName: string
      senderLocalPart: string
      subject: string
  sendSms:
    useDeviceLocale: boolean
projectRef:
  external: string
  name: string
  namespace: string
quota:
  signUpQuotaConfig:
    quota: integer
    quotaDuration: string
    startTime: string
signIn:
  allowDuplicateEmails: boolean
  anonymous:
    enabled: boolean
  email:
    enabled: boolean
    passwordRequired: boolean
  phoneNumber:
    enabled: boolean
    testPhoneNumbers:
      string: string

Fields

authorizedDomains

Optional

list (string)

List of domains authorized for OAuth redirects.

authorizedDomains[]

Optional

string

blockingFunctions

Optional

object

Configuration related to blocking functions.

blockingFunctions.triggers

Optional

map (key: string, value: object)

Map of event type to Trigger. The key must be one of the supported event types: "beforeCreate", "beforeSignIn".

client

Optional

object

Options related to how clients making requests on behalf of a project should be configured.

client.permissions

Optional

object

Configuration related to restricting a user's ability to affect their account.

client.permissions.disabledUserDeletion

Optional

boolean

When true, end users cannot delete their account on the associated project through any of the API methods.

client.permissions.disabledUserSignup

Optional

boolean

When true, end users cannot sign up for a new account on the associated project through any of the API methods.

mfa

Optional

object

Configuration for this project's multi-factor authentication, including whether it is active and which factors can be used as the second factor.

mfa.state

Optional

string

Whether multi-factor authentication has been enabled for this project. Possible values: STATE_UNSPECIFIED, DISABLED, ENABLED, MANDATORY

monitoring

Optional

object

Configuration related to monitoring project activity.

monitoring.requestLogging

Optional

object

Configuration for logging requests made to this project to Stackdriver Logging.

monitoring.requestLogging.enabled

Optional

boolean

Whether logging is enabled for this project or not.

multiTenant

Optional

object

Configuration related to multi-tenant functionality.

multiTenant.allowTenants

Optional

boolean

Whether this project can have tenants or not.

multiTenant.defaultTenantLocationRef

Optional

object

multiTenant.defaultTenantLocationRef.external

Optional

string

The default cloud parent org or folder that the tenant project should be created under. The parent resource name should be in the format "<type>/<number>", such as "folders/123" or "organizations/456". If the value is not set, the tenant will be created under the same organization or folder as the agent project. Allowed values: * The Google Cloud resource name of a `Folder` resource (format: `folders/{{name}}`). * The Google Cloud resource name of a Google Cloud Organization (format: `organizations/{{name}}`).

multiTenant.defaultTenantLocationRef.kind

Optional

string

Kind of the referent. Allowed values: Folder

multiTenant.defaultTenantLocationRef.name

Optional

string

[WARNING] Organization is not yet supported in Config Connector; use the 'external' field to reference existing resources. Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

multiTenant.defaultTenantLocationRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

notification

Optional

object

Configuration related to sending notifications to users.

notification.defaultLocale

Optional

string

Default locale used for email and SMS in IETF BCP 47 format.

notification.sendEmail

Optional

object

Options for email sending.

notification.sendEmail.callbackUri

Optional

string

Action URL used in the email templates.

notification.sendEmail.changeEmailTemplate

Optional

object

Email template for the change-email flow.

notification.sendEmail.changeEmailTemplate.body

Optional

string

Immutable. Email body

notification.sendEmail.changeEmailTemplate.bodyFormat

Optional

string

Email body format. Possible values: BODY_FORMAT_UNSPECIFIED, PLAIN_TEXT, HTML

notification.sendEmail.changeEmailTemplate.replyTo

Optional

string

Reply-to address.

notification.sendEmail.changeEmailTemplate.senderDisplayName

Optional

string

Sender display name.

notification.sendEmail.changeEmailTemplate.senderLocalPart

Optional

string

Local part of the From address.

notification.sendEmail.changeEmailTemplate.subject

Optional

string

Subject of the email.

notification.sendEmail.dnsInfo

Optional

object

Information of custom domain DNS verification.

notification.sendEmail.dnsInfo.useCustomDomain

Optional

boolean

Whether to use custom domain.

notification.sendEmail.method

Optional

string

The method used for sending an email. Possible values: METHOD_UNSPECIFIED, DEFAULT, CUSTOM_SMTP

notification.sendEmail.resetPasswordTemplate

Optional

object

Email template for the password-reset flow.

notification.sendEmail.resetPasswordTemplate.body

Optional

string

Email body.

notification.sendEmail.resetPasswordTemplate.bodyFormat

Optional

string

Email body format. Possible values: BODY_FORMAT_UNSPECIFIED, PLAIN_TEXT, HTML

notification.sendEmail.resetPasswordTemplate.replyTo

Optional

string

Reply-to address.

notification.sendEmail.resetPasswordTemplate.senderDisplayName

Optional

string

Sender display name.

notification.sendEmail.resetPasswordTemplate.senderLocalPart

Optional

string

Local part of the From address.

notification.sendEmail.resetPasswordTemplate.subject

Optional

string

Subject of the email.

notification.sendEmail.revertSecondFactorAdditionTemplate

Optional

object

Email template for the email sent when a second-factor addition can be reverted.

notification.sendEmail.revertSecondFactorAdditionTemplate.body

Optional

string

Immutable. Email body

notification.sendEmail.revertSecondFactorAdditionTemplate.bodyFormat

Optional

string

Email body format. Possible values: BODY_FORMAT_UNSPECIFIED, PLAIN_TEXT, HTML

notification.sendEmail.revertSecondFactorAdditionTemplate.replyTo

Optional

string

Reply-to address.

notification.sendEmail.revertSecondFactorAdditionTemplate.senderDisplayName

Optional

string

Sender display name.

notification.sendEmail.revertSecondFactorAdditionTemplate.senderLocalPart

Optional

string

Local part of the From address.

notification.sendEmail.revertSecondFactorAdditionTemplate.subject

Optional

string

Subject of the email.

notification.sendEmail.smtp

Optional

object

Use a custom SMTP relay.

notification.sendEmail.smtp.host

Optional

string

SMTP relay host.

notification.sendEmail.smtp.password

Optional

object

SMTP relay password.

notification.sendEmail.smtp.password.value

Optional

string

Value of the field. Cannot be used if 'valueFrom' is specified.

notification.sendEmail.smtp.password.valueFrom

Optional

object

Source for the field's value. Cannot be used if 'value' is specified.

notification.sendEmail.smtp.password.valueFrom.secretKeyRef

Optional

object

Reference to a value with the given key in the given Secret in the resource's namespace.

notification.sendEmail.smtp.password.valueFrom.secretKeyRef.key

Required*

string

Key that identifies the value to be extracted.

notification.sendEmail.smtp.password.valueFrom.secretKeyRef.name

Required*

string

Name of the Secret to extract a value from.

notification.sendEmail.smtp.port

Optional

integer

SMTP relay port.

notification.sendEmail.smtp.securityMode

Optional

string

SMTP security mode. Possible values: SECURITY_MODE_UNSPECIFIED, SSL, START_TLS

notification.sendEmail.smtp.senderEmail

Optional

string

Sender email for the SMTP relay.

notification.sendEmail.smtp.username

Optional

string

SMTP relay username.

notification.sendEmail.verifyEmailTemplate

Optional

object

Email template for the email-verification flow.

notification.sendEmail.verifyEmailTemplate.body

Optional

string

Immutable. Email body

notification.sendEmail.verifyEmailTemplate.bodyFormat

Optional

string

Email body format. Possible values: BODY_FORMAT_UNSPECIFIED, PLAIN_TEXT, HTML

notification.sendEmail.verifyEmailTemplate.replyTo

Optional

string

Reply-to address.

notification.sendEmail.verifyEmailTemplate.senderDisplayName

Optional

string

Sender display name.

notification.sendEmail.verifyEmailTemplate.senderLocalPart

Optional

string

Local part of the From address.

notification.sendEmail.verifyEmailTemplate.subject

Optional

string

Subject of the email.

notification.sendSms

Optional

object

Options for SMS sending.

notification.sendSms.useDeviceLocale

Optional

boolean

Whether to use the Accept-Language header to pick the SMS locale.

projectRef

Required

object

Immutable. The Project that this resource belongs to.

projectRef.external

Optional

string

The project of the resource. Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).

projectRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

projectRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

quota

Optional

object

Configuration related to quotas.

quota.signUpQuotaConfig

Optional

object

Quota for the Signup endpoint, if overridden. Signup quota is measured in sign-ups per project per hour per IP.

quota.signUpQuotaConfig.quota

Optional

integer

Corresponds to the 'refill_token_count' field in the QuotaServer config.

quota.signUpQuotaConfig.quotaDuration

Optional

string

How long this quota will be active for.

quota.signUpQuotaConfig.startTime

Optional

string

When this quota will take effect.

signIn

Optional

object

Configuration related to local sign-in methods.

signIn.allowDuplicateEmails

Optional

boolean

Whether to allow more than one account to have the same email.

signIn.anonymous

Optional

object

Configuration options related to authenticating an anonymous user.

signIn.anonymous.enabled

Optional

boolean

Whether anonymous user auth is enabled for the project or not.

signIn.email

Optional

object

Configuration options related to authenticating a user by their email address.

signIn.email.enabled

Optional

boolean

Whether email auth is enabled for the project or not.

signIn.email.passwordRequired

Optional

boolean

Whether a password is required for email auth or not. If true, both an email and password must be provided to sign in. If false, a user may sign in via either email/password or email link.

signIn.phoneNumber

Optional

object

Configuration options related to authenticating a user by their phone number.

signIn.phoneNumber.enabled

Optional

boolean

Whether phone number auth is enabled for the project or not.

signIn.phoneNumber.testPhoneNumbers

Optional

map (key: string, value: string)

A map of test phone numbers to fake verification codes that can be used for phone auth testing.

* Field is required when parent field is specified
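As an added example (not Config Connector's own code), the following Python linter checks a manifest's `spec` mapping against the constraints documented in the Fields section above: the required `projectRef`, the enumerated values, the supported blocking-function event types, the mutual exclusion of `value` and `valueFrom` on the SMTP password, and the `key`/`name` requirement once a `secretKeyRef` is given; it also flags an inline SMTP password and a custom relay with no security mode. `SAMPLE_SPEC` and the project name `example-project` are constructed for this example.

```python
"""Lint an IdentityPlatformConfig spec against the constraints documented above.
Added example, not Config Connector code; SAMPLE_SPEC is constructed, not the page's sample."""

# Enumerations exactly as documented in the Fields section.
ENUMS = {
    "mfa.state": {"STATE_UNSPECIFIED", "DISABLED", "ENABLED", "MANDATORY"},
    "notification.sendEmail.method": {"METHOD_UNSPECIFIED", "DEFAULT", "CUSTOM_SMTP"},
    "notification.sendEmail.smtp.securityMode": {"SECURITY_MODE_UNSPECIFIED", "SSL", "START_TLS"},
}
BODY_FORMATS = {"BODY_FORMAT_UNSPECIFIED", "PLAIN_TEXT", "HTML"}
TEMPLATES = ("changeEmailTemplate", "resetPasswordTemplate",
             "revertSecondFactorAdditionTemplate", "verifyEmailTemplate")
TRIGGER_EVENTS = {"beforeCreate", "beforeSignIn"}


def get_path(node, path):
    """Return the value at a dotted path, or None if any segment is missing."""
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def lint_spec(spec):
    """Return one finding per violated constraint or risky setting; [] means clean."""
    findings = []
    if not isinstance(spec.get("projectRef"), dict):
        findings.append("projectRef: required field is missing")
    for path, allowed in ENUMS.items():
        value = get_path(spec, path)
        if value is not None and str(value) not in allowed:
            findings.append(f"{path}: {value!r} is not one of {sorted(allowed)}")
    for tmpl in TEMPLATES:
        path = f"notification.sendEmail.{tmpl}.bodyFormat"
        value = get_path(spec, path)
        if value is not None and str(value) not in BODY_FORMATS:
            findings.append(f"{path}: {value!r} is not one of {sorted(BODY_FORMATS)}")
    for event in get_path(spec, "blockingFunctions.triggers") or {}:
        if event not in TRIGGER_EVENTS:
            findings.append(f"blockingFunctions.triggers.{event}: unsupported event type")
    # SMTP password: 'value' and 'valueFrom' are mutually exclusive, and a
    # secretKeyRef needs both 'key' and 'name' once it is specified.
    password = get_path(spec, "notification.sendEmail.smtp.password")
    if isinstance(password, dict):
        if "value" in password and "valueFrom" in password:
            findings.append("smtp.password: 'value' and 'valueFrom' cannot both be set")
        elif "value" in password:
            findings.append("smtp.password.value: plaintext secret in the manifest; "
                            "use valueFrom.secretKeyRef instead")
        ref = get_path(password, "valueFrom.secretKeyRef")
        if isinstance(ref, dict):
            for required in ("key", "name"):
                if not ref.get(required):
                    findings.append(f"smtp.password.valueFrom.secretKeyRef.{required}: "
                                    "required when secretKeyRef is specified")
    # A custom relay without an explicit security mode deserves a review finding.
    if get_path(spec, "notification.sendEmail.method") == "CUSTOM_SMTP":
        mode = get_path(spec, "notification.sendEmail.smtp.securityMode")
        if mode in (None, "SECURITY_MODE_UNSPECIFIED"):
            findings.append("smtp.securityMode: set SSL or START_TLS for CUSTOM_SMTP")
    return findings


# Constructed sample spec with an inline SMTP password (not the page's sample manifest).
SAMPLE_SPEC = {
    "projectRef": {"external": "projects/example-project"},
    "notification": {"sendEmail": {"method": "CUSTOM_SMTP", "smtp": {
        "securityMode": "START_TLS", "password": {"value": "sample-password"}}}},
    "blockingFunctions": {"triggers": {"beforeCreate": {}}},
}

if __name__ == "__main__":
    for finding in lint_spec(SAMPLE_SPEC):
        print(finding)
```

Run against a real manifest with `lint_spec(yaml.safe_load(open(path))["spec"])` (PyYAML is not needed for the embedded sample).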

Status

Schema

client:
  apiKey: string
  firebaseSubdomain: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
notification:
  sendEmail:
    changeEmailTemplate:
      customized: boolean
    dnsInfo:
      customDomain: string
      customDomainState: string
      domainVerificationRequestTime: string
      pendingCustomDomain: string
    resetPasswordTemplate:
      customized: boolean
    revertSecondFactorAdditionTemplate:
      customized: boolean
    verifyEmailTemplate:
      customized: boolean
  sendSms:
    smsTemplate:
      content: string
observedGeneration: integer
signIn:
  email:
    hashConfig:
      algorithm: string
      memoryCost: integer
      rounds: integer
      saltSeparator: string
      signerKey: string
  hashConfig:
    algorithm: string
    memoryCost: integer
    rounds: integer
    saltSeparator: string
    signerKey: string
subtype: string

Fields

client

object

client.apiKey

string

Output only. API key that can be used when making requests for this project.

client.firebaseSubdomain

string

Output only. Firebase subdomain.

conditions

list (object)

Conditions represent the latest available observation of the resource's current state.

conditions[]

object

conditions[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions[].message

string

Human-readable message indicating details about last transition.

conditions[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions[].type

string

Type is the type of the condition.

notification

object

notification.sendEmail

object

notification.sendEmail.changeEmailTemplate

object

notification.sendEmail.changeEmailTemplate.customized

boolean

Output only. Whether the body or subject of the email is customized.

notification.sendEmail.dnsInfo

object

notification.sendEmail.dnsInfo.customDomain

string

Output only. The applied verified custom domain.

notification.sendEmail.dnsInfo.customDomainState

string

Output only. The current verification state of the custom domain. The custom domain will only be used once the domain verification is successful. Possible values: VERIFICATION_STATE_UNSPECIFIED, NOT_STARTED, IN_PROGRESS, FAILED, SUCCEEDED

notification.sendEmail.dnsInfo.domainVerificationRequestTime

string

Output only. The timestamp of initial request for the current domain verification.

notification.sendEmail.dnsInfo.pendingCustomDomain

string

Output only. The custom domain that's to be verified.

notification.sendEmail.resetPasswordTemplate

object

notification.sendEmail.resetPasswordTemplate.customized

boolean

Output only. Whether the body or subject of the email is customized.

notification.sendEmail.revertSecondFactorAdditionTemplate

object

notification.sendEmail.revertSecondFactorAdditionTemplate.customized

boolean

Output only. Whether the body or subject of the email is customized.

notification.sendEmail.verifyEmailTemplate

object

notification.sendEmail.verifyEmailTemplate.customized

boolean

Output only. Whether the body or subject of the email is customized.

notification.sendSms

object

notification.sendSms.smsTemplate

object

Output only. The template to use when sending an SMS.

notification.sendSms.smsTemplate.content

string

Output only. The SMS content. It can contain the following placeholders, which are replaced with the appropriate values: %APP_NAME% (for Android or iOS apps, the app's display name; for web apps, the domain hosting the application) and %LOGIN_CODE% (the OOB code being sent in the SMS).

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

signIn

object

signIn.email

object

signIn.email.hashConfig

object

Output only. Hash config information.

signIn.email.hashConfig.algorithm

string

Output only. Different password hash algorithms used in Identity Toolkit. Possible values: HASH_ALGORITHM_UNSPECIFIED, HMAC_SHA256, HMAC_SHA1, HMAC_MD5, SCRYPT, PBKDF_SHA1, MD5, HMAC_SHA512, SHA1, BCRYPT, PBKDF2_SHA256, SHA256, SHA512, STANDARD_SCRYPT

signIn.email.hashConfig.memoryCost

integer

Output only. Memory cost for hash calculation. Used by scrypt and other similar password derivation algorithms. See https://tools.ietf.org/html/rfc7914 for explanation of field.

signIn.email.hashConfig.rounds

integer

Output only. How many rounds for hash calculation. Used by scrypt and other similar password derivation algorithms.

signIn.email.hashConfig.saltSeparator

string

Output only. Non-printable character, in base64, to be inserted between the salt and the plaintext password.

signIn.email.hashConfig.signerKey

string

Output only. Signer key in base64.

signIn.hashConfig

object

Output only. Hash config information.

signIn.hashConfig.algorithm

string

Output only. Different password hash algorithms used in Identity Toolkit. Possible values: HASH_ALGORITHM_UNSPECIFIED, HMAC_SHA256, HMAC_SHA1, HMAC_MD5, SCRYPT, PBKDF_SHA1, MD5, HMAC_SHA512, SHA1, BCRYPT, PBKDF2_SHA256, SHA256, SHA512, STANDARD_SCRYPT

signIn.hashConfig.memoryCost

integer

Output only. Memory cost for hash calculation. Used by scrypt and other similar password derivation algorithms. See https://tools.ietf.org/html/rfc7914 for explanation of field.

signIn.hashConfig.rounds

integer

Output only. How many rounds for hash calculation. Used by scrypt and other similar password derivation algorithms.

signIn.hashConfig.saltSeparator

string

Output only. Non-printable character, in base64, to be inserted between the salt and the plaintext password.

signIn.hashConfig.signerKey

string

Output only. Signer key in base64.

subtype

string

Output only. The subtype of this config. Possible values: SUBTYPE_UNSPECIFIED, IDENTITY_PLATFORM, FIREBASE_AUTH

Sample YAML(s)

Typical Use Case

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: identityplatform.cnrm.cloud.google.com/v1beta1
kind: IdentityPlatformConfig
metadata:
  name: identityplatformconfig-sample
spec:
  projectRef:
    # Replace "${PROJECT_ID?}" with your project ID
    external: "projects/${PROJECT_ID?}"
  signIn:
    email:
      enabled: true
      passwordRequired: true
    phoneNumber:
      enabled: true
      testPhoneNumbers:
        +1 555-555-5555: "000000"
    anonymous:
      enabled: true
    allowDuplicateEmails: true
  notification:
    sendEmail:
      method: "CUSTOM_SMTP"
      smtp:
        senderEmail: "magic-modules-guitar-testing@system.gserviceaccount.com"
        host: "system.gserviceaccount.com"
        port: 8080
        username: "sample-username"
        password:
          value: "sample-password"
        securityMode: "SSL"
      resetPasswordTemplate:
        senderLocalPart: "noreply"
        subject: "Reset your password for %APP_NAME%"
        senderDisplayName: "DCL Team"
        body: "<p>Hello,</p>\n<p>Follow this link to reset your %APP_NAME% password\
          \ for your %EMAIL% account.</p>\n<p><a href='%LINK%'>%LINK%</a></p>\n<p>If\
          \ you didn’t ask to reset your password, you can ignore this email.</p>\n\
          <p>Thanks,</p>\n<p>Your %APP_NAME% team</p>"
        bodyFormat: "PLAIN_TEXT"
        replyTo: "noreply"
      verifyEmailTemplate:
        senderLocalPart: "noreply"
        subject: "Verify your email for %APP_NAME%"
        senderDisplayName: "DCL Team"
        body: "<p>Hello %DISPLAY_NAME%,</p>\n<p>Follow this link to verify your email\
          \ address.</p>\n<p><a href='%LINK%'>%LINK%</a></p>\n<p>If you didn’t ask\
          \ to verify this address, you can ignore this email.</p>\n<p>Thanks,</p>\n\
          <p>Your %APP_NAME% team</p>"
        bodyFormat: "PLAIN_TEXT"
        replyTo: "noreply"
      changeEmailTemplate:
        senderLocalPart: "noreply"
        subject: "Your sign-in email was changed for %APP_NAME%"
        senderDisplayName: "DCL Team"
        body: "<p>Hello %DISPLAY_NAME%,</p>\n<p>Your sign-in email for %APP_NAME%\
          \ was changed to %NEW_EMAIL%.</p>\n<p>If you didn’t ask to change your email,\
          \ follow this link to reset your sign-in email.</p>\n<p><a href='%LINK%'>%LINK%</a></p>\n\
          <p>Thanks,</p>\n<p>Your %APP_NAME% team</p>"
        bodyFormat: "PLAIN_TEXT"
        replyTo: "noreply"
      callbackUri: "https://config-connector-sample.firebaseapp.com/__/auth/action"
      dnsInfo:
        useCustomDomain: true
      revertSecondFactorAdditionTemplate:
        senderLocalPart: "noreply"
        subject: "You've added 2 step verification to your %APP_NAME% account."
        senderDisplayName: "DCL Team"
        body: "<p>Hello %DISPLAY_NAME%,</p>\n<p>Your account in %APP_NAME% has been\
          \ updated with a phone number %SECOND_FACTOR% for 2-step verification.</p>\n\
          <p>If you didn't add this phone number for 2-step verification, click the\
          \ link below to remove it.</p>\n<p><a href='%LINK%'>%LINK%</a></p>\n<p>Thanks,</p>\n\
          <p>Your %APP_NAME% team</p>"
        bodyFormat: "PLAIN_TEXT"
        replyTo: "noreply"
    sendSms:
      useDeviceLocale: true
    defaultLocale: "en"
  quota:
    signUpQuotaConfig:
      quota: 1
      startTime: "2022-08-10T00:22:56.247547Z"
      quotaDuration: "604800s"
  monitoring:
    requestLogging:
      enabled: true
  multiTenant:
    allowTenants: true
    defaultTenantLocationRef:
      kind: Folder
      name: "identityplatformconfig-dep"
  authorizedDomains:
  - "localhost"
  - "config-connector-sample.firebaseapp.com"
  subtype: "IDENTITY_PLATFORM"
  client:
    permissions:
      disabledUserSignup: true
      disabledUserDeletion: true
  mfa:
    state: "ENABLED"
  blockingFunctions:
    triggers:
      beforeCreate:
        functionUriRef:
          name: "identityplatformconfig-dep"
    forwardInboundCredentials:
      idToken: true
      accessToken: true
      refreshToken: true
---
apiVersion: cloudfunctions.cnrm.cloud.google.com/v1beta1
kind: CloudFunctionsFunction
metadata:
  name: identityplatformconfig-dep
spec:
  region: "us-west2"
  runtime: "nodejs10"
  availableMemoryMb: 128
  sourceArchiveUrl: "gs://aaa-dont-delete-dcl-cloud-functions-testing/http_trigger.zip"
  timeout: "60s"
  entryPoint: "helloGET"
  ingressSettings: "ALLOW_INTERNAL_ONLY"
  maxInstances: 10
  httpsTrigger:
    securityLevel: "SECURE_OPTIONAL"
  projectRef:
    # Replace "${PROJECT_ID?}" with your project ID
    external: "projects/${PROJECT_ID?}"
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Folder
metadata:
  name: identityplatformconfig-dep
spec:
  displayName: Default Tenant Location
  organizationRef:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    external: "${ORG_ID?}"