Managing workload identity pools and providers

This page explains how to manage workload identity pools and their identity providers.

You can manage pools and providers using the gcloud command-line tool or the REST API; using the Cloud Console or the Google Cloud client libraries is not supported for Beta.

Before you begin

Create a workload identity pool, and configure an identity provider. See one of the following pages to learn how:

Managing workload identity pools

Creating a pool

To create a workload identity pool:

gcloud

Execute the gcloud beta iam workload-identity-pools create command.

REST

Call projects.locations.workloadIdentityPools.create().

Listing pools

To list all the workload identity pools in a project:

gcloud

Execute the gcloud beta iam workload-identity-pools list command.

REST

Call projects.locations.workloadIdentityPools.list().

Getting a pool

To get details for a specific workload identity pool:

gcloud

Execute the gcloud beta iam workload-identity-pools describe command.

REST

Call projects.locations.workloadIdentityPools.get().

Updating a pool

To update an existing workload identity pool:

gcloud

Execute the gcloud beta iam workload-identity-pools update command.

REST

Call projects.locations.workloadIdentityPools.patch().

Deleting a pool

To delete a workload identity pool:

gcloud

Execute the gcloud beta iam workload-identity-pools delete command.

REST

Call projects.locations.workloadIdentityPools.delete().

You can undelete a pool for up to 30 days after deletion. After 30 days, deletion is permanent. Until a pool is permanently deleted, you cannot reuse its name when creating a new workload identity pool.

Undeleting a pool

You can recover a deleted workload identity pool for up to 30 days after deletion. To undelete a pool:

gcloud

Execute the gcloud beta iam workload-identity-pools undelete command.

REST

Call projects.locations.workloadIdentityPools.undelete().

Managing workload identity providers

Creating a provider

To create a workload identity provider:

gcloud

Execute the gcloud beta iam workload-identity-pools providers create-aws command to create an AWS provider.

Execute the gcloud beta iam workload-identity-pools providers create-oidc command to create an OIDC provider. This includes Microsoft Azure.

REST

Call projects.locations.workloadIdentityPools.providers.create().

Listing providers

To list all the workload identity providers in a project:

gcloud

Execute the gcloud beta iam workload-identity-pools providers list command.

REST

Call projects.locations.workloadIdentityPools.providers.list().

Getting a provider

To get details for a specific workload identity provider:

gcloud

Execute the gcloud beta iam workload-identity-pools providers describe command.

REST

Call projects.locations.workloadIdentityPools.providers.get().

Updating a provider

To update an existing workload identity provider:

gcloud

Execute the gcloud beta iam workload-identity-pools providers update-aws command to update an AWS provider.

Execute the gcloud beta iam workload-identity-pools providers update-oidc command to update an OIDC provider. This includes Microsoft Azure.

REST

Call projects.locations.workloadIdentityPools.providers.patch().

Deleting a provider

To delete a workload identity provider:

gcloud

Execute the gcloud beta iam workload-identity-pools providers delete command.

REST

Call projects.locations.workloadIdentityPools.providers.delete().

You can undelete a provider for up to 30 days after deletion. After 30 days, deletion is permanent. Until a provider is permanently deleted, you cannot reuse its name when creating a new provider.

Undeleting a pool

You can recover a deleted workload identity provider for up to 30 days after deletion. To undelete a provider:

gcloud

Execute the gcloud beta iam workload-identity-pools providers undelete command.

REST

Call projects.locations.workloadIdentityPools.providers.undelete().

Restricting identity provider configuration using organization policy

By default, any user with the Workload Identity Pool Admin role (roles/iam.workloadIdentityPoolAdmin) can configure federation with any supported identity provider. However, as an organization administrator, you may only want to allow access to resources from specific, trusted providers.

You can restrict what identity providers are allowed using organization policies. In the Cloud Console, or using the gcloud command-line tool, enable the constraints/iam.workloadIdentityPoolProviders constraint, and specify the issuer URIs of the allowed providers.

To only allow federation from AWS, create a single constraint with the URI https://sts.amazonaws.com. The following example shows how to create this constraint using the gcloud command-line tool:

gcloud beta resource-manager org-policies allow constraints/iam.workloadIdentityPoolProviders \
     https://sts.amazonaws.com --organization=organization-number

To only allow federation from one OIDC provider, create a single constraint with the issuer_uri of the allowed provider. For example, the following only allows federation from a specific Azure tenant:

gcloud beta resource-manager org-policies allow constraints/iam.workloadIdentityPoolProviders \
     https://sts.windows.net/azure-tenant-id --organization=organization-number

You can repeat these commands to allow federation from additional providers.

To block federation from all providers:

  1. Create a YAML file containing the following:

    constraint: constraints/iam.workloadIdentityPoolProviders
    listPolicy:
      allValues: DENY
    
  2. Pass the file to the gcloud beta resource-manager org-policies set-policy command:

    gcloud beta resource-manager org-policies set-policy file-name.yaml \
        --organization=organization-number
    

To allow federation from any provider, delete all the constraints/iam.workloadIdentityPoolProviders constraints for your organization.

What's next