Managing workload identity pools and providers

This page explains how to manage workload identity pools and their identity providers.

You can manage pools and providers using the gcloud command-line tool or the REST API.

Before you begin

Create a workload identity pool, and configure an identity provider. See one of the following pages to learn how:

Managing workload identity pools

Creating a pool

To create a workload identity pool:

Listing pools

To list all the workload identity pools in a project:

Getting a pool

To get details for a specific workload identity pool:

Updating a pool

To update an existing workload identity pool:

Deleting a pool

To delete a workload identity pool:

You can undelete a pool for up to 30 days after deletion. After 30 days, deletion is permanent. Until a pool is permanently deleted, you cannot reuse its name when creating a new workload identity pool.

Undeleting a pool

You can recover a deleted workload identity pool for up to 30 days after deletion. To undelete a pool:

Managing workload identity providers

Creating a provider

To create a workload identity provider:

gcloud

Execute the gcloud iam workload-identity-pools providers create-aws command to create an AWS provider.

Execute the gcloud iam workload-identity-pools providers create-oidc command to create an OIDC provider. This includes Microsoft Azure.

REST

Call projects.locations.workloadIdentityPools.providers.create().

Listing providers

To list all the workload identity providers in a project:

Getting a provider

To get details for a specific workload identity provider:

Updating a provider

To update an existing workload identity provider:

gcloud

Execute the gcloud iam workload-identity-pools providers update-aws command to update an AWS provider.

Execute the gcloud iam workload-identity-pools providers update-oidc command to update an OIDC provider. This includes Microsoft Azure.

REST

Call projects.locations.workloadIdentityPools.providers.patch().

Deleting a provider

To delete a workload identity provider:

You can undelete a provider for up to 30 days after deletion. After 30 days, deletion is permanent. Until a provider is permanently deleted, you cannot reuse its name when creating a new provider.

Undeleting a provider

You can recover a deleted workload identity provider for up to 30 days after deletion. To undelete a provider:

Managing constraints for workload identity federation

You can use organization policy constraints to restrict how resources in your Google Cloud organization can be used.

This section describes constraints that are recommended when you use workload identity federation.

Restricting identity provider configuration

As an organization administrator, you can decide which identity providers your organization is allowed to federate with.

To manage which identity providers are allowed, enable the constraints/iam.workloadIdentityPoolProviders list constraint in the organization policy for your organization. This constraint specifies the issuer URIs of the allowed providers. You can use the Cloud Console or the gcloud command-line tool to enable this constraint.

To only allow federation from AWS, create a single constraint with the URI https://sts.amazonaws.com. The following example shows how to create this constraint using the gcloud tool:

gcloud resource-manager org-policies allow constraints/iam.workloadIdentityPoolProviders \
    https://sts.amazonaws.com --organization=organization-number

You can also specify which AWS account IDs have access to your Google Cloud resources. To specify the account IDs, use the constraints/iam.workloadIdentityPoolAwsAccounts list constraint:

gcloud resource-manager org-policies allow constraints/iam.workloadIdentityPoolAwsAccounts \
    account-id --organization=organization-number

To only allow federation from one OIDC provider, create a single constraint with the issuer_uri of the allowed provider. For example, the following only allows federation from a specific Azure tenant:

gcloud resource-manager org-policies allow constraints/iam.workloadIdentityPoolProviders \
    https://sts.windows.net/azure-tenant-id --organization=organization-number

You can repeat these commands to allow federation from additional providers.

To block federation from all providers:

  1. Create a YAML file containing the following:

    constraint: constraints/iam.workloadIdentityPoolProviders
    listPolicy:
      allValues: DENY
  2. Pass the file to the gcloud resource-manager org-policies set-policy command:

    gcloud resource-manager org-policies set-policy file-name.yaml \
        --organization=organization-number

Restricting service account key creation

Workload identity federation lets you access Google Cloud resources from outside Google Cloud without using a service account key. If you never use service account keys to authenticate, you can help reduce risk by disabling key creation.

To disable the creation of service account keys, enforce the iam.disableServiceAccountKeyCreation boolean constraint in the organization policy for your organization. You can also enforce the iam.disableServiceAccountKeyUpload boolean constraint, which disables uploading of public keys for service accounts.

You can use the Cloud Console or the gcloud tool to enable these constraints. For example, the following gcloud tool commands enable both constraints:

gcloud resource-manager org-policies enable-enforce \
    constraints/iam.disableServiceAccountKeyCreation \
    --organization=organization-number
gcloud resource-manager org-policies enable-enforce \
    constraints/iam.disableServiceAccountKeyUpload \
    --organization=organization-number

What's next

Learn more about workload identity federation.