gcloud iam workload-identity-pools create-cred-config

NAME
gcloud iam workload-identity-pools create-cred-config - create a configuration file for generated credentials
SYNOPSIS
gcloud iam workload-identity-pools create-cred-config AUDIENCE --output-file=OUTPUT_FILE (--aws     | --azure     | --credential-source-file=CREDENTIAL_SOURCE_FILE     | --credential-source-url=CREDENTIAL_SOURCE_URL     | --executable-command=EXECUTABLE_COMMAND) [--app-id-uri=APP_ID_URI] [--credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME] [--credential-source-headers=[key=value,…]] [--credential-source-type=CREDENTIAL_SOURCE_TYPE] [--enable-imdsv2] [--subject-token-type=SUBJECT_TOKEN_TYPE] [--executable-output-file=EXECUTABLE_OUTPUT_FILE --executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS] [--service-account=SERVICE_ACCOUNT : --service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS] [GCLOUD_WIDE_FLAG]
DESCRIPTION
This command creates a configuration file to allow access to authenticated Google Cloud actions from a variety of external accounts.
EXAMPLES
To create a file-sourced credential configuration for your project, run:
gcloud iam workload-identity-pools create-cred-config projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --credential-source-file=$PATH_TO_OIDC_ID_TOKEN --output-file=credentials.json

To create a URL-sourced credential configuration for your project, run:

gcloud iam workload-identity-pools create-cred-config projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --credential-source-url=$URL_FOR_OIDC_TOKEN --credential-source-headers=Key=Value --output-file=credentials.json

To create an executable-source credential configuration for your project, run the following command:

gcloud iam workload-identity-pools create-cred-config locations/$REGION/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID --executable-command=$EXECUTABLE_COMMAND --executable-timeout-millis=30000 --executable-output-file=$CACHE_FILE --output-file=credentials.json

To create an AWS-based credential configuration for your project, run:

gcloud iam workload-identity-pools create-cred-config projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --aws --enable-imdsv2 --output-file=credentials.json

To create an Azure-based credential configuration for your project, run:

gcloud iam workload-identity-pools create-cred-config projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --azure --app-id-uri=$URI_FOR_AZURE_APP_ID --output-file=credentials.json

To use the resulting file for any of these commands, set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the generated file

POSITIONAL ARGUMENTS
AUDIENCE
The workload identity pool provider fully qualified identifier.
REQUIRED FLAGS
--output-file=OUTPUT_FILE
Location to store the generated credential configuration file.
Credential types.

Exactly one of these must be specified:

--aws
Use AWS.
--azure
Use Azure.
--credential-source-file=CREDENTIAL_SOURCE_FILE
Location of the credential source file.
--credential-source-url=CREDENTIAL_SOURCE_URL
URL to obtain the credential from.
--executable-command=EXECUTABLE_COMMAND
The full command to run to retrieve the credential. Must be an absolute path for the program including arguments.
OPTIONAL FLAGS
--app-id-uri=APP_ID_URI
The custom Application ID URI for the Azure access token.
--credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME
Subject token field name (key) in a JSON credential source.
--credential-source-headers=[key=value,…]
Headers to use when querying the credential-source-url.
--credential-source-type=CREDENTIAL_SOURCE_TYPE
Format of the credential source (JSON or text).
--enable-imdsv2
Adds the AWS IMDSv2 session token Url to the credential source to enforce the AWS IMDSv2 flow.
--subject-token-type=SUBJECT_TOKEN_TYPE
The type of token being used for authorization. This defaults to urn:ietf:params:oauth:token-type:jwt.
Arguments for an executable type credential source.
--executable-output-file=EXECUTABLE_OUTPUT_FILE
Absolute path to the file storing the executable response.
--executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS
Timeout duration, in milliseconds, to wait for the executable to finish.
Service account impersonation options.
--service-account=SERVICE_ACCOUNT
Email of the service account to impersonate.

This flag argument must be specified if any of the other arguments in this group are specified.

--service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS
Lifetime duration of the service account access token in seconds. Defaults to one hour if not specified. If a lifetime greater than one hour is required, the service account must be added as an allowed value in an Organization Policy that enforces the constraints/iam.allowServiceAccountCredentialLifetimeExtension constraint.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES
These variants are also available:
gcloud alpha iam workload-identity-pools create-cred-config
gcloud beta iam workload-identity-pools create-cred-config