Index
MembershipSpec
(message)MembershipSpec.AuthMethod
(message)MembershipSpec.AuthMethod.AzureADConfig
(message)MembershipSpec.AuthMethod.GoogleConfig
(message)MembershipSpec.AuthMethod.LdapConfig
(message)MembershipSpec.AuthMethod.LdapConfig.GroupConfig
(message)MembershipSpec.AuthMethod.LdapConfig.ServerConfig
(message)MembershipSpec.AuthMethod.LdapConfig.ServiceAccountConfig
(message)MembershipSpec.AuthMethod.LdapConfig.ServiceAccountConfig.SimpleBindCredentials
(message)MembershipSpec.AuthMethod.LdapConfig.UserConfig
(message)MembershipSpec.AuthMethod.OidcConfig
(message)MembershipSpec.AuthMethod.SamlConfig
(message)MembershipSpec.IdentityServiceOptions
(message)MembershipSpec.IdentityServiceOptions.DiagnosticInterface
(message)MembershipState
(message)MembershipState.DeploymentState
(enum)
MembershipSpec
Anthos Identity Service: Configuration for a single Membership.
Fields | |
---|---|
auth_ |
A member may support multiple auth methods. |
identity_ |
Optional. non-protocol-related configuration options. |
AuthMethod
Configuration of an auth method for a member/cluster. Only one authentication method (e.g., OIDC and LDAP) can be set per AuthMethod.
Fields | |
---|---|
name |
Identifier for auth config. |
proxy |
Proxy server address to use for auth method. |
Union field auth_config . supported auth configurations. auth_config can be only one of the following: |
|
oidc_ |
OIDC specific configuration. |
azuread_ |
AzureAD specific Configuration. |
google_ |
GoogleConfig specific configuration. |
saml_ |
SAML specific configuration. |
ldap_ |
LDAP specific configuration. |
AzureADConfig
Configuration for the AzureAD Auth flow.
Fields | |
---|---|
client_ |
ID for the registered client application that makes authentication requests to the Azure AD identity provider. |
tenant |
Kind of Azure AD account to be authenticated. Supported values are |
kubectl_ |
The redirect URL that kubectl uses for authorization. |
client_ |
Input only. Unencrypted AzureAD client secret will be passed to the GKE Hub CLH. |
encrypted_ |
Output only. Encrypted AzureAD client secret. |
user_ |
Optional. Claim in the AzureAD ID Token that holds the user details. |
group_ |
Optional. Format of the AzureAD groups that the client wants for auth. |
GoogleConfig
Configuration for the Google Plugin Auth flow.
Fields | |
---|---|
disable |
Disable automatic configuration of Google Plugin on supported platforms. |
LdapConfig
Configuration for the LDAP Auth flow.
Fields | |
---|---|
server |
Required. Server settings for the external LDAP server. |
user |
Required. Defines where users exist in the LDAP directory. |
group |
Optional. Contains the properties for locating and authenticating groups in the directory. |
service_ |
Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. |
GroupConfig
Contains the properties for locating and authenticating groups in the directory.
Fields | |
---|---|
base_ |
Required. The location of the subtree in the LDAP directory to search for group entries. |
id_ |
Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". |
filter |
Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". |
ServerConfig
Server settings for the external LDAP server.
Fields | |
---|---|
host |
Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". |
connection_ |
Optional. Defines the connection type to communicate with the LDAP server. If |
certificate_ |
Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. |
ServiceAccountConfig
Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.
Fields | |
---|---|
Union field authentication_mechanism . Guarantees that the user supplies one authentication mechanism at a time. authentication_mechanism can be only one of the following: |
|
simple_ |
Credentials for basic auth. |
SimpleBindCredentials
The structure holds the LDAP simple binding credential.
Fields | |
---|---|
dn |
Required. The distinguished name(DN) of the service account object/user. |
password |
Required. Input only. The password of the service account object/user. |
encrypted_ |
Output only. The encrypted password of the service account object/user. |
UserConfig
Defines where users exist in the LDAP directory.
Fields | |
---|---|
base_ |
Required. The location of the subtree in the LDAP directory to search for user entries. |
login_ |
Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "( |
id_ |
Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". |
filter |
Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". |
OidcConfig
Configuration for OIDC Auth flow.
Fields | |
---|---|
client_ |
ID for OIDC client application. |
certificate_ |
PEM-encoded CA for OIDC provider. |
issuer_ |
URI for the OIDC provider. This should point to the level below .well-known/openid-configuration. |
kubectl_ |
Registered redirect uri to redirect users going through OAuth flow using kubectl plugin. |
scopes |
Comma-separated list of identifiers. |
extra_ |
Comma-separated list of key-value pairs. |
user_ |
Claim in OIDC ID token that holds username. |
user_ |
Prefix to prepend to user name. |
groups_ |
Claim in OIDC ID token that holds group information. |
group_ |
Prefix to prepend to group name. |
deploy_ |
Flag to denote if reverse proxy is used to connect to auth provider. This flag should be set to true when provider is not reachable by Google Cloud Console. |
client_ |
Input only. Unencrypted OIDC client secret will be passed to the GKE Hub CLH. |
encrypted_ |
Output only. Encrypted OIDC Client secret |
enable_ |
Enable access token. |
SamlConfig
Configuration for the SAML Auth flow.
Fields | |
---|---|
identity_ |
Required. The entity ID of the SAML IdP. |
identity_ |
Required. The URI where the SAML IdP exposes the SSO service. |
identity_ |
Required. The list of IdP certificates to validate the SAML response against. |
user_ |
Optional. The SAML attribute to read username from. If unspecified, the username will be read from the NameID element of the assertion in SAML response. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the |
groups_ |
Optional. The SAML attribute to read groups from. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the |
user_ |
Optional. Prefix to prepend to user name. |
group_ |
Optional. Prefix to prepend to group name. |
attribute_ |
Optional. The mapping of additional user attributes like nickname, birthday and address etc.. |
IdentityServiceOptions
Holds non-protocol-related configuration options.
Fields | |
---|---|
session_ |
Determines the lifespan of STS tokens issued by Anthos Identity Service. |
diagnostic_ |
Configuration options for the AIS diagnostic interface. |
DiagnosticInterface
Configuration options for the AIS diagnostic interface.
Fields | |
---|---|
enabled |
Determines whether to enable the diagnostic interface. |
expiration_ |
Determines the expiration time of the diagnostic interface enablement. When reached, requests to the interface would be automatically rejected. |
MembershipState
Anthos Identity Service: State for a single Membership.
Fields | |
---|---|
installed_ |
Installed AIS version. This is the AIS version installed on this member. The values makes sense iff state is OK. |
state |
Deployment state on this member |
failure_ |
The reason of the failure. |
member_ |
Last reconciled membership configuration |
DeploymentState
Deployment state enum
Enums | |
---|---|
DEPLOYMENT_STATE_UNSPECIFIED |
Unspecified state |
OK |
deployment succeeds |
ERROR |
Failure with error. |