- NAME
-
- gcloud alpha iam workload-identity-pools create-cred-config - create a configuration file for generated credentials
- SYNOPSIS
-
-
gcloud alpha iam workload-identity-pools create-cred-config
AUDIENCE
--output-file
=OUTPUT_FILE
(--aws
|--azure
|--credential-cert-path
=CREDENTIAL_CERT_PATH
|--credential-source-file
=CREDENTIAL_SOURCE_FILE
|--credential-source-url
=CREDENTIAL_SOURCE_URL
|--executable-command
=EXECUTABLE_COMMAND
) [--app-id-uri
=APP_ID_URI
] [--credential-source-field-name
=CREDENTIAL_SOURCE_FIELD_NAME
] [--credential-source-headers
=[key
=value
,…]] [--credential-source-type
=CREDENTIAL_SOURCE_TYPE
] [--enable-imdsv2
] [--subject-token-type
=SUBJECT_TOKEN_TYPE
] [--credential-cert-private-key-path
=CREDENTIAL_CERT_PRIVATE_KEY_PATH
:--credential-cert-configuration-output-file
=CREDENTIAL_CERT_CONFIGURATION_OUTPUT_FILE
] [--executable-output-file
=EXECUTABLE_OUTPUT_FILE
--executable-timeout-millis
=EXECUTABLE_TIMEOUT_MILLIS
] [--service-account
=SERVICE_ACCOUNT
:--service-account-token-lifetime-seconds
=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS
] [GCLOUD_WIDE_FLAG …
]
-
- DESCRIPTION
-
(ALPHA)
This command creates a configuration file to allow access to authenticated Google Cloud actions from a variety of external accounts. - EXAMPLES
-
To create a file-sourced credential configuration for your project, run:
gcloud alpha iam workload-identity-pools create-cred-config projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --credential-source-file=$PATH_TO_OIDC_ID_TOKEN --output-file=credentials.json
To create a URL-sourced credential configuration for your project, run:
gcloud alpha iam workload-identity-pools create-cred-config projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --credential-source-url=$URL_FOR_OIDC_TOKEN --credential-source-headers=Key=Value --output-file=credentials.json
To create an executable-source credential configuration for your project, run the following command:
gcloud alpha iam workload-identity-pools create-cred-config locations/$REGION/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID --executable-command=$EXECUTABLE_COMMAND --executable-timeout-millis=30000 --executable-output-file=$CACHE_FILE --output-file=credentials.json
To create an AWS-based credential configuration for your project, run:
gcloud alpha iam workload-identity-pools create-cred-config projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --aws --enable-imdsv2 --output-file=credentials.json
To create an Azure-based credential configuration for your project, run:
gcloud alpha iam workload-identity-pools create-cred-config projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --azure --app-id-uri=$URI_FOR_AZURE_APP_ID --output-file=credentials.json
To create an X.509 certificate-based credential configuration for your project, run:
gcloud alpha iam workload-identity-pools create-cred-config projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --credential-cert-path=$PATH_TO_CERTIFICATE_FILE --credential-cert-private-key-path=$PATH_TO_PRIVATE_KEY_FILE --output-file=credentials.json
To use the resulting file for any of these commands, set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the generated file
- POSITIONAL ARGUMENTS
-
AUDIENCE
- The workload identity pool provider fully qualified identifier.
- REQUIRED FLAGS
-
--output-file
=OUTPUT_FILE
- Location to store the generated credential configuration file.
-
Credential types.
Exactly one of these must be specified:
--aws
- Use AWS.
--azure
- Use Azure.
--credential-cert-path
=CREDENTIAL_CERT_PATH
- Path of the X.509 certificate file.
--credential-source-file
=CREDENTIAL_SOURCE_FILE
- Location of the credential source file.
--credential-source-url
=CREDENTIAL_SOURCE_URL
- URL to obtain the credential from.
--executable-command
=EXECUTABLE_COMMAND
- The full command to run to retrieve the credential. Must be an absolute path for the program including arguments.
- OPTIONAL FLAGS
-
--app-id-uri
=APP_ID_URI
- The custom Application ID URI for the Azure access token.
--credential-source-field-name
=CREDENTIAL_SOURCE_FIELD_NAME
- Subject token field name (key) in a JSON credential source.
--credential-source-headers
=[key
=value
,…]- Headers to use when querying the credential-source-url.
--credential-source-type
=CREDENTIAL_SOURCE_TYPE
- Format of the credential source (JSON or text).
--enable-imdsv2
- Adds the AWS IMDSv2 session token Url to the credential source to enforce the AWS IMDSv2 flow.
--subject-token-type
=SUBJECT_TOKEN_TYPE
- The type of token being used for authorization. This defaults to urn:ietf:params:oauth:token-type:jwt.
-
Arguments for an X.509 certificate type credential source.
--credential-cert-private-key-path
=CREDENTIAL_CERT_PRIVATE_KEY_PATH
-
Path of the X.509 private key file.
This flag argument must be specified if any of the other arguments in this group are specified.
--credential-cert-configuration-output-file
=CREDENTIAL_CERT_CONFIGURATION_OUTPUT_FILE
- Path for the certificate configuration file. If specified, a certificate configuration file will be created at the specified path. If not specified, the certificate configuration will be created at the default gcloud location.
-
Arguments for an executable type credential source.
--executable-output-file
=EXECUTABLE_OUTPUT_FILE
- Absolute path to the file storing the executable response.
--executable-timeout-millis
=EXECUTABLE_TIMEOUT_MILLIS
- Timeout duration, in milliseconds, to wait for the executable to finish.
-
Service account impersonation options.
--service-account
=SERVICE_ACCOUNT
-
Email of the service account to impersonate.
This flag argument must be specified if any of the other arguments in this group are specified.
--service-account-token-lifetime-seconds
=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS
-
Lifetime duration of the service account access token in seconds. Defaults to
one hour if not specified. If a lifetime greater than one hour is required, the
service account must be added as an allowed value in an Organization Policy that
enforces the
constraints/iam.allowServiceAccountCredentialLifetimeExtension
constraint.
- GCLOUD WIDE FLAGS
-
These flags are available to all commands:
--access-token-file
,--account
,--billing-project
,--configuration
,--flags-file
,--flatten
,--format
,--help
,--impersonate-service-account
,--log-http
,--project
,--quiet
,--trace-token
,--user-output-enabled
,--verbosity
.Run
$ gcloud help
for details. - NOTES
-
This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct project,
you might be trying to access an API with an invitation-only early access
allowlist. These variants are also available:
gcloud iam workload-identity-pools create-cred-config
gcloud beta iam workload-identity-pools create-cred-config
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-08-13 UTC.