Identity and Access Management API overview

The Identity and Access Management (IAM) API uses Kubernetes custom resources to manage the control access for identity providers.

To use the IAM API, use the GDC console. If your application uses your own libraries to call the API, adopt the example service endpoint in the following section, and the full API definition to build your requests.

Service endpoint and discovery document

The API endpoint for the IAM API is https://MANAGEMENT_API_SERVER_ENDPOINT/apis/iam.gdc.goog/v1, where MANAGEMENT_API_SERVER_ENDPOINT is the endpoint of the Management API server.

Using the kubectl proxy command, access the URL in your browser to obtain the discovery document for the IAM API. The kubectl proxy command opens up a proxy on 127.0.0.1:8001 to the Kubernetes API server on your local machine. Once that command is running, access the document at the following URL: http://127.0.0.1:8001/apis/iam.gdc.goog/v1

Example resources

The following is a sample resource:

apiVersion: iam.gdc.goog/v1
kind: IdentityProviderConfig
metadata:
  name: example-provider
  namespace: platform
spec:
  - oidc:
    clientID: clientID
    clientSecret: clientSecret
    groupPrefix: example-
    groupsClaim: groups
    issuerURI: https://test-oidc-provider.example.com
    scopes: openid email profile
    userClaim: user-email@example.com
    userPrefix: example-