Index
WorkloadIdentityPools
(interface)AuditConfig
(message)AuditLogConfig
(message)AuditLogConfig.LogType
(enum)Binding
(message)BindingDelta
(message)BindingDelta.Action
(enum)CreateWorkloadIdentityPoolProviderKeyRequest
(message)CreateWorkloadIdentityPoolProviderRequest
(message)CreateWorkloadIdentityPoolRequest
(message)DeleteWorkloadIdentityPoolProviderKeyRequest
(message)DeleteWorkloadIdentityPoolProviderRequest
(message)DeleteWorkloadIdentityPoolRequest
(message)GetIamPolicyRequest
(message)GetPolicyOptions
(message)GetWorkloadIdentityPoolProviderKeyRequest
(message)GetWorkloadIdentityPoolProviderRequest
(message)GetWorkloadIdentityPoolRequest
(message)ListWorkloadIdentityPoolProviderKeysRequest
(message)ListWorkloadIdentityPoolProviderKeysResponse
(message)ListWorkloadIdentityPoolProvidersRequest
(message)ListWorkloadIdentityPoolProvidersResponse
(message)ListWorkloadIdentityPoolsRequest
(message)ListWorkloadIdentityPoolsResponse
(message)Policy
(message)PolicyDelta
(message)SetIamPolicyRequest
(message)TestIamPermissionsRequest
(message)TestIamPermissionsResponse
(message)UndeleteWorkloadIdentityPoolProviderKeyRequest
(message)UndeleteWorkloadIdentityPoolProviderRequest
(message)UndeleteWorkloadIdentityPoolRequest
(message)UpdateWorkloadIdentityPoolProviderRequest
(message)UpdateWorkloadIdentityPoolRequest
(message)WorkloadIdentityPool
(message)WorkloadIdentityPool.State
(enum)WorkloadIdentityPoolOperationMetadata
(message)WorkloadIdentityPoolProvider
(message)WorkloadIdentityPoolProvider.Aws
(message)WorkloadIdentityPoolProvider.Oidc
(message)WorkloadIdentityPoolProvider.Saml
(message)WorkloadIdentityPoolProvider.State
(enum)WorkloadIdentityPoolProviderKey
(message)WorkloadIdentityPoolProviderKey.KeyUse
(enum)WorkloadIdentityPoolProviderKey.State
(enum)WorkloadIdentityPoolProviderKeyOperationMetadata
(message)WorkloadIdentityPoolProviderOperationMetadata
(message)
WorkloadIdentityPools
Manages WorkloadIdentityPools.
CreateWorkloadIdentityPool |
---|
Creates a new You cannot reuse the name of a deleted pool until 30 days after deletion.
|
CreateWorkloadIdentityPoolProvider |
---|
Creates a new You cannot reuse the name of a deleted provider until 30 days after deletion.
|
CreateWorkloadIdentityPoolProviderKey |
---|
Create a new
|
DeleteWorkloadIdentityPool |
---|
Deletes a You cannot use a deleted pool to exchange external credentials for Google Cloud credentials. However, deletion does not revoke credentials that have already been issued. Credentials issued for a deleted pool do not grant access to resources. If the pool is undeleted, and the credentials are not expired, they grant access again. You can undelete a pool for 30 days. After 30 days, deletion is permanent. You cannot update deleted pools. However, you can view and list them.
|
DeleteWorkloadIdentityPoolProvider |
---|
Deletes a
|
DeleteWorkloadIdentityPoolProviderKey |
---|
Deletes an
|
GetWorkloadIdentityPool |
---|
Gets an individual
|
GetWorkloadIdentityPoolProvider |
---|
Gets an individual
|
GetWorkloadIdentityPoolProviderKey |
---|
Gets an individual
|
ListWorkloadIdentityPoolProviderKeys |
---|
Lists all non-deleted
|
ListWorkloadIdentityPoolProviders |
---|
Lists all non-deleted
|
ListWorkloadIdentityPools |
---|
Lists all non-deleted
|
UndeleteWorkloadIdentityPool |
---|
Undeletes a
|
UndeleteWorkloadIdentityPoolProvider |
---|
Undeletes a
|
UndeleteWorkloadIdentityPoolProviderKey |
---|
Undeletes an
|
UpdateWorkloadIdentityPool |
---|
Updates an existing
|
UpdateWorkloadIdentityPoolProvider |
---|
Updates an existing
|
AuditConfig
Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.
If there are AuditConfigs for both allServices
and a specific service, the union of the two AuditConfigs is used for that service: the log_types specified in each AuditConfig are enabled, and the exempted_members in each AuditLogConfig are exempted.
Example Policy with multiple AuditConfigs:
{
"audit_configs": [
{
"service": "allServices",
"audit_log_configs": [
{
"log_type": "DATA_READ",
"exempted_members": [
"user:jose@example.com"
]
},
{
"log_type": "DATA_WRITE"
},
{
"log_type": "ADMIN_READ"
}
]
},
{
"service": "sampleservice.googleapis.com",
"audit_log_configs": [
{
"log_type": "DATA_READ"
},
{
"log_type": "DATA_WRITE",
"exempted_members": [
"user:aliya@example.com"
]
}
]
}
]
}
For sampleservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ logging. It also exempts jose@example.com
from DATA_READ logging, and aliya@example.com
from DATA_WRITE logging.
Fields | |
---|---|
service |
Specifies a service that will be enabled for audit logging. For example, |
audit_log_configs[] |
The configuration for logging of each type of permission. |
AuditLogConfig
Provides the configuration for logging a type of permissions. Example:
{
"audit_log_configs": [
{
"log_type": "DATA_READ",
"exempted_members": [
"user:jose@example.com"
]
},
{
"log_type": "DATA_WRITE"
}
]
}
This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting jose@example.com from DATA_READ logging.
Fields | |
---|---|
log_type |
The log type that this config enables. |
exempted_members[] |
Specifies the identities that do not cause logging for this type of permission. Follows the same format of |
LogType
The list of valid permission types for which logging can be configured. Admin writes are always logged, and are not configurable.
Enums | |
---|---|
LOG_TYPE_UNSPECIFIED |
Default case. Should never be this. |
ADMIN_READ |
Admin reads. Example: CloudIAM getIamPolicy |
DATA_WRITE |
Data writes. Example: CloudSQL Users create |
DATA_READ |
Data reads. Example: CloudSQL Users list |
Binding
Associates members
, or principals, with a role
.
Fields | |
---|---|
role |
Role that is assigned to the list of For an overview of the IAM roles and permissions, see the IAM documentation. For a list of the available pre-defined roles, see here. |
members[] |
Specifies the principals requesting access for a Google Cloud resource.
|
condition |
The condition that is associated with this binding. If the condition evaluates to If the condition evaluates to To learn which resources support conditions in their IAM policies, see the IAM documentation. |
BindingDelta
One delta entry for Binding. Each individual change (only one member in each entry) to a binding will be a separate entry.
Fields | |
---|---|
action |
The action that was performed on a Binding. Required |
role |
Role that is assigned to |
member |
A single identity requesting access for a Google Cloud resource. Follows the same format of Binding.members. Required |
condition |
The condition that is associated with this binding. |
Action
The type of action performed on a Binding in a policy.
Enums | |
---|---|
ACTION_UNSPECIFIED |
Unspecified. |
ADD |
Addition of a Binding. |
REMOVE |
Removal of a Binding. |
CreateWorkloadIdentityPoolProviderKeyRequest
Request message for CreateWorkloadIdentityPoolProviderKey.
Fields | |
---|---|
parent |
Required. The parent provider resource to create the key in. |
workload_identity_pool_provider_key |
Required. The WorkloadIdentityPoolProviderKey to create. |
workload_identity_pool_provider_key_id |
Required. The ID to use for the key, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. |
CreateWorkloadIdentityPoolProviderRequest
Request message for CreateWorkloadIdentityPoolProvider.
Fields | |
---|---|
parent |
Required. The pool to create this provider in. |
workload_identity_pool_provider |
Required. The provider to create. |
workload_identity_pool_provider_id |
Required. The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix |
CreateWorkloadIdentityPoolRequest
Request message for CreateWorkloadIdentityPool.
Fields | |
---|---|
parent |
Required. The parent resource to create the pool in. The only supported location is |
workload_identity_pool |
Required. The pool to create. |
workload_identity_pool_id |
Required. The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix |
DeleteWorkloadIdentityPoolProviderKeyRequest
Request message for DeleteWorkloadIdentityPoolProviderKey.
Fields | |
---|---|
name |
Required. The name of the encryption key to delete. |
DeleteWorkloadIdentityPoolProviderRequest
Request message for DeleteWorkloadIdentityPoolProvider.
Fields | |
---|---|
name |
Required. The name of the provider to delete. |
DeleteWorkloadIdentityPoolRequest
Request message for DeleteWorkloadIdentityPool.
Fields | |
---|---|
name |
Required. The name of the pool to delete. |
GetIamPolicyRequest
Request message for GetIamPolicy
method.
Fields | |
---|---|
resource |
REQUIRED: The resource for which the policy is being requested. See Resource names for the appropriate value for this field. |
options |
OPTIONAL: A |
GetPolicyOptions
Encapsulates settings provided to GetIamPolicy.
Fields | |
---|---|
requested_policy_version |
Optional. The maximum policy version that will be used to format the policy. Valid values are 0, 1, and 3. Requests specifying an invalid value will be rejected. Requests for policies with any conditional role bindings must specify version 3. Policies with no conditional role bindings may specify any valid value or leave the field unset. The policy in the response might use the policy version that you specified, or it might use a lower policy version. For example, if you specify version 3, but the policy has no conditional role bindings, the response uses version 1. To learn which resources support conditions in their IAM policies, see the IAM documentation. |
GetWorkloadIdentityPoolProviderKeyRequest
Request message for GetWorkloadIdentityPoolProviderKey.
Fields | |
---|---|
name |
Required. The name of the key to retrieve. |
GetWorkloadIdentityPoolProviderRequest
Request message for GetWorkloadIdentityPoolProvider.
Fields | |
---|---|
name |
Required. The name of the provider to retrieve. |
GetWorkloadIdentityPoolRequest
Request message for GetWorkloadIdentityPool.
Fields | |
---|---|
name |
Required. The name of the pool to retrieve. |
ListWorkloadIdentityPoolProviderKeysRequest
Request message for ListWorkloadIdentityPoolProviderKeys.
Fields | |
---|---|
parent |
Required. The parent provider resource to list encryption keys for. |
page_size |
The maximum number of keys to return. If unspecified, all keys are returned. The maximum value is 10; values above 10 are truncated to 10. |
page_token |
A page token, received from a previous |
show_deleted |
Whether to return soft deleted resources as well. |
ListWorkloadIdentityPoolProviderKeysResponse
Response message for ListWorkloadIdentityPoolProviderKeys.
Fields | |
---|---|
workload_identity_pool_provider_keys[] |
A list of WorkloadIdentityPoolProviderKey |
next_page_token |
A token, which can be sent as |
ListWorkloadIdentityPoolProvidersRequest
Request message for ListWorkloadIdentityPoolProviders.
Fields | |
---|---|
parent |
Required. The pool to list providers for. |
page_size |
The maximum number of providers to return. If unspecified, at most 50 providers are returned. The maximum value is 100; values above 100 are truncated to 100. |
page_token |
A page token, received from a previous |
show_deleted |
Whether to return soft-deleted providers. |
ListWorkloadIdentityPoolProvidersResponse
Response message for ListWorkloadIdentityPoolProviders.
Fields | |
---|---|
workload_identity_pool_providers[] |
A list of providers. |
next_page_token |
A token, which can be sent as |
ListWorkloadIdentityPoolsRequest
Request message for ListWorkloadIdentityPools.
Fields | |
---|---|
parent |
Required. The parent resource to list pools for. |
page_size |
The maximum number of pools to return. If unspecified, at most 50 pools are returned. The maximum value is 1000; values above are 1000 truncated to 1000. |
page_token |
A page token, received from a previous |
show_deleted |
Whether to return soft-deleted pools. |
ListWorkloadIdentityPoolsResponse
Response message for ListWorkloadIdentityPools.
Fields | |
---|---|
workload_identity_pools[] |
A list of pools. |
next_page_token |
A token, which can be sent as |
Policy
An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.
A Policy
is a collection of bindings
. A binding
binds one or more members
, or principals, to a single role
. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role
is a named list of permissions; each role
can be an IAM predefined role or a user-created custom role.
For some types of Google Cloud resources, a binding
can also specify a condition
, which is a logical expression that allows access to a resource only if the expression evaluates to true
. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation.
JSON example:
{
"bindings": [
{
"role": "roles/resourcemanager.organizationAdmin",
"members": [
"user:mike@example.com",
"group:admins@example.com",
"domain:google.com",
"serviceAccount:my-project-id@appspot.gserviceaccount.com"
]
},
{
"role": "roles/resourcemanager.organizationViewer",
"members": [
"user:eve@example.com"
],
"condition": {
"title": "expirable access",
"description": "Does not grant access after Sep 2020",
"expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
}
}
],
"etag": "BwWWja0YfJA=",
"version": 3
}
YAML example:
bindings:
- members:
- user:mike@example.com
- group:admins@example.com
- domain:google.com
- serviceAccount:my-project-id@appspot.gserviceaccount.com
role: roles/resourcemanager.organizationAdmin
- members:
- user:eve@example.com
role: roles/resourcemanager.organizationViewer
condition:
title: expirable access
description: Does not grant access after Sep 2020
expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
etag: BwWWja0YfJA=
version: 3
For a description of IAM and its features, see the IAM documentation.
Fields | |
---|---|
version |
Specifies the format of the policy. Valid values are Any operation that affects conditional role bindings must specify version
Important: If you use IAM Conditions, you must include the If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset. To learn which resources support conditions in their IAM policies, see the IAM documentation. |
bindings[] |
Associates a list of The |
audit_configs[] |
Specifies cloud audit logging configuration for this policy. |
etag |
Important: If you use IAM Conditions, you must include the |
PolicyDelta
The difference delta between two policies.
Fields | |
---|---|
binding_deltas[] |
The delta for Bindings between two policies. |
SetIamPolicyRequest
Request message for SetIamPolicy
method.
Fields | |
---|---|
resource |
REQUIRED: The resource for which the policy is being specified. See Resource names for the appropriate value for this field. |
policy |
REQUIRED: The complete policy to be applied to the |
update_mask |
OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only the fields in the mask will be modified. If no mask is provided, the following default mask is used:
|
TestIamPermissionsRequest
Request message for TestIamPermissions
method.
Fields | |
---|---|
resource |
REQUIRED: The resource for which the policy detail is being requested. See Resource names for the appropriate value for this field. |
permissions[] |
The set of permissions to check for the |
TestIamPermissionsResponse
Response message for TestIamPermissions
method.
Fields | |
---|---|
permissions[] |
A subset of |
UndeleteWorkloadIdentityPoolProviderKeyRequest
Request message for UndeleteWorkloadIdentityPoolProviderKey.
Fields | |
---|---|
name |
Required. The name of the encryption key to undelete. |
UndeleteWorkloadIdentityPoolProviderRequest
Request message for UndeleteWorkloadIdentityPoolProvider.
Fields | |
---|---|
name |
Required. The name of the provider to undelete. |
UndeleteWorkloadIdentityPoolRequest
Request message for UndeleteWorkloadIdentityPool.
Fields | |
---|---|
name |
Required. The name of the pool to undelete. |
UpdateWorkloadIdentityPoolProviderRequest
Request message for UpdateWorkloadIdentityPoolProvider.
Fields | |
---|---|
workload_identity_pool_provider |
Required. The provider to update. |
update_mask |
Required. The list of fields to update. |
UpdateWorkloadIdentityPoolRequest
Request message for UpdateWorkloadIdentityPool.
Fields | |
---|---|
workload_identity_pool |
Required. The pool to update. The |
update_mask |
Required. The list of fields to update. |
WorkloadIdentityPool
Represents a collection of workload identities. You can define IAM policies to grant these identities access to Google Cloud resources.
Fields | |
---|---|
name |
Output only. The resource name of the pool. |
display_name |
A display name for the pool. Cannot exceed 32 characters. |
description |
A description of the pool. Cannot exceed 256 characters. |
state |
Output only. The state of the pool. |
disabled |
Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again. |
expire_time |
Output only. Time after which the workload identity pool will be permanently purged and cannot be recovered. |
State
The current state of the pool.
Enums | |
---|---|
STATE_UNSPECIFIED |
State unspecified. |
ACTIVE |
The pool is active, and may be used in Google Cloud policies. |
DELETED |
The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again. |
WorkloadIdentityPoolOperationMetadata
This type has no fields.
Metadata for long-running WorkloadIdentityPool operations.
WorkloadIdentityPoolProvider
A configuration for an external identity provider.
Fields | |
---|---|
name |
Output only. The resource name of the provider. |
display_name |
A display name for the provider. Cannot exceed 32 characters. |
description |
A description for the provider. Cannot exceed 256 characters. |
state |
Output only. The state of the provider. |
disabled |
Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access. |
attribute_mapping |
Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported:
You can also provide custom attributes by specifying You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example:
Each value must be a Common Expression Language function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For AWS providers, if no attribute mapping is defined, the following default mapping applies:
If any custom attribute mappings are defined, they must include a mapping to the For OIDC providers, you must supply a custom mapping, which must include the
|
attribute_condition |
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions:
The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credential are accepted. The following example shows how to only allow credentials with a mapped
|
expire_time |
Output only. Time after which the workload identity pool provider will be permanently purged and cannot be recovered. |
Union field provider_config . Identity provider configuration types. provider_config can be only one of the following: |
|
aws |
An Amazon Web Services identity provider. |
oidc |
An OpenId Connect 1.0 identity provider. |
saml |
An SAML 2.0 identity provider. |
Aws
Represents an Amazon Web Services identity provider.
Fields | |
---|---|
account_id |
Required. The AWS account ID. |
Oidc
Represents an OpenId Connect 1.0 identity provider.
Fields | |
---|---|
issuer_uri |
Required. The OIDC issuer URL. Must be an HTTPS endpoint. |
allowed_audiences[] |
Acceptable values for the If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:
|
jwks_json |
Optional. OIDC JWKs in JSON String format. For details on the definition of a JWK, see https://tools.ietf.org/html/rfc7517. If not set, the |
Saml
Represents an SAML 2.0 identity provider.
Fields | |
---|---|
Union field
|
|
idp_metadata_xml |
Required. SAML identity provider (IdP) configuration metadata XML doc. The XML document must comply with the SAML 2.0 specification. The maximum size of an acceptable XML document is 128K characters. The SAML metadata XML document must satisfy the following constraints:
When updating the provider's metadata XML, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata. |
State
The current state of the provider.
Enums | |
---|---|
STATE_UNSPECIFIED |
State unspecified. |
ACTIVE |
The provider is active, and may be used to validate authentication credentials. |
DELETED |
The provider is soft-deleted. Soft-deleted providers are permanently deleted after approximately 30 days. You can restore a soft-deleted provider using You cannot reuse the ID of a soft-deleted provider until it is permanently deleted. |
WorkloadIdentityPoolProviderKey
Represents a public key configuration for your workload identity pool provider. The key can be configured in your identity provider to encrypt the SAML assertions. Google holds the corresponding private key which it uses to decrypt encrypted tokens.
Fields | |
---|---|
name |
Output only. The resource name of the key. |
key_data |
Immutable. Public half of the asymmetric key. |
state |
Output only. The state of the key. |
use |
Required. The purpose of the key. |
expire_time |
Output only. Time after which the key will be permanently purged and cannot be recovered. Note that the key may get purged before this timestamp if the total limit of keys per provider is crossed. |
KeyUse
The uses for which a workload identity pool provider key might be generated. A key has exactly one use.
Enums | |
---|---|
KEY_USE_UNSPECIFIED |
The key use is not known. |
ENCRYPTION |
The public key is used for encryption purposes. |
State
The current state of the key.
Enums | |
---|---|
STATE_UNSPECIFIED |
State unspecified. |
ACTIVE |
The key is active. |
DELETED |
The key is soft-deleted. Soft-deleted keys are permanently deleted after approximately 30 days. You can restore a soft-deleted key using UndeleteWorkloadIdentityPoolProviderKey . While a key is deleted, you cannot use it during the federation. |
WorkloadIdentityPoolProviderKeyOperationMetadata
This type has no fields.
Metadata for long-running WorkloadIdentityPoolProviderKey operations.
WorkloadIdentityPoolProviderOperationMetadata
This type has no fields.
Metadata for long-running WorkloadIdentityPoolProvider operations.