This page explains how to manage workload identity pools and their identity providers.
You can manage pools and providers using the gcloud
command-line tool or the
REST API.
Before you begin
Create a workload identity pool, and configure an identity provider. See one of the following pages to learn how:
- Accessing resources from AWS
- Accessing resources from Microsoft Azure
- Accessing resources from an OIDC identity provider
Managing workload identity pools
Creating a pool
To create a workload identity pool:
gcloud
Execute the
gcloud beta iam workload-identity-pools create
command.
REST
Listing pools
To list all the workload identity pools in a project:
gcloud
Execute the gcloud beta iam workload-identity-pools list
command.
REST
Getting a pool
To get details for a specific workload identity pool:
gcloud
Execute the
gcloud beta iam workload-identity-pools describe
command.
REST
Updating a pool
To update an existing workload identity pool:
gcloud
Execute the
gcloud beta iam workload-identity-pools update
command.
REST
Deleting a pool
To delete a workload identity pool:
gcloud
Execute the
gcloud beta iam workload-identity-pools delete
command.
REST
You can undelete a pool for up to 30 days after deletion. After 30 days, deletion is permanent. Until a pool is permanently deleted, you cannot reuse its name when creating a new workload identity pool.
Undeleting a pool
You can recover a deleted workload identity pool for up to 30 days after deletion. To undelete a pool:
gcloud
Execute the
gcloud beta iam workload-identity-pools undelete
command.
REST
Managing workload identity providers
Creating a provider
To create a workload identity provider:
gcloud
Execute the
gcloud beta iam workload-identity-pools providers create-aws
command to create an AWS provider.
Execute the
gcloud beta iam workload-identity-pools providers create-oidc
command to create an OIDC provider. This includes Microsoft Azure.
REST
Call projects.locations.workloadIdentityPools.providers.create()
.
Listing providers
To list all the workload identity providers in a project:
gcloud
Execute the
gcloud beta iam workload-identity-pools providers list
command.
REST
Call projects.locations.workloadIdentityPools.providers.list()
.
Getting a provider
To get details for a specific workload identity provider:
gcloud
Execute the
gcloud beta iam workload-identity-pools providers describe
command.
REST
Call projects.locations.workloadIdentityPools.providers.get()
.
Updating a provider
To update an existing workload identity provider:
gcloud
Execute the
gcloud beta iam workload-identity-pools providers update-aws
command to update an AWS provider.
Execute the
gcloud beta iam workload-identity-pools providers update-oidc
command to update an OIDC provider. This includes Microsoft Azure.
REST
Call projects.locations.workloadIdentityPools.providers.patch()
.
Deleting a provider
To delete a workload identity provider:
gcloud
Execute the
gcloud beta iam workload-identity-pools providers delete
command.
REST
Call projects.locations.workloadIdentityPools.providers.delete()
.
You can undelete a provider for up to 30 days after deletion. After 30 days, deletion is permanent. Until a provider is permanently deleted, you cannot reuse its name when creating a new provider.
Undeleting a pool
You can recover a deleted workload identity provider for up to 30 days after deletion. To undelete a provider:
gcloud
Execute the
gcloud beta iam workload-identity-pools providers undelete
command.
REST
Call projects.locations.workloadIdentityPools.providers.undelete()
.
Restricting identity provider configuration using organization policy
As an organization administrator, you must decide which identity providers your organization is allowed to federate with.
To manage which identity providers are allowed, update the
organization policy for
your organization. In the
Cloud Console,
or using the gcloud
command-line tool,
enable the constraints/iam.workloadIdentityPoolProviders
constraint, and
specify the issuer URIs of the allowed providers.
To only allow federation from AWS, create a single constraint with the URI
https://sts.amazonaws.com
. The following example shows how to create this
constraint using the gcloud
command-line tool:
gcloud beta resource-manager org-policies allow constraints/iam.workloadIdentityPoolProviders \ https://sts.amazonaws.com --organization=organization-number
To only allow federation from one OIDC provider, create a single constraint with
the issuer_uri
of the allowed provider. For example, the following only allows
federation from a specific Azure tenant:
gcloud beta resource-manager org-policies allow constraints/iam.workloadIdentityPoolProviders \ https://sts.windows.net/azure-tenant-id --organization=organization-number
You can repeat these commands to allow federation from additional providers.
To block federation from all providers:
Create a YAML file containing the following:
constraint: constraints/iam.workloadIdentityPoolProviders listPolicy: allValues: DENY
Pass the file to the
gcloud beta resource-manager org-policies set-policy
command:gcloud beta resource-manager org-policies set-policy file-name.yaml \ --organization=organization-number
What's next
Learn more about workload identity federation.