gcloud iam workload-identity-pools create-cred-config

NAME
gcloud iam workload-identity-pools create-cred-config - create a configuration file for generated credentials
SYNOPSIS
gcloud iam workload-identity-pools create-cred-config AUDIENCE --output-file=OUTPUT_FILE (--aws     | --azure     | --credential-cert-path=CREDENTIAL_CERT_PATH     | --credential-source-file=CREDENTIAL_SOURCE_FILE     | --credential-source-url=CREDENTIAL_SOURCE_URL     | --executable-command=EXECUTABLE_COMMAND) [--app-id-uri=APP_ID_URI] [--credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME] [--credential-source-headers=[key=value,…]] [--credential-source-type=CREDENTIAL_SOURCE_TYPE] [--enable-imdsv2] [--subject-token-type=SUBJECT_TOKEN_TYPE] [--credential-cert-private-key-path=CREDENTIAL_CERT_PRIVATE_KEY_PATH : --credential-cert-configuration-output-file=CREDENTIAL_CERT_CONFIGURATION_OUTPUT_FILE] [--executable-output-file=EXECUTABLE_OUTPUT_FILE --executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS] [--service-account=SERVICE_ACCOUNT : --service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS] [GCLOUD_WIDE_FLAG]
DESCRIPTION
This command creates a configuration file to allow access to authenticated Google Cloud actions from a variety of external accounts.
EXAMPLES
To create a file-sourced credential configuration for your project, run:
gcloud iam workload-identity-pools create-cred-config projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --credential-source-file=$PATH_TO_OIDC_ID_TOKEN --output-file=credentials.json

To create a URL-sourced credential configuration for your project, run:

gcloud iam workload-identity-pools create-cred-config projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --credential-source-url=$URL_FOR_OIDC_TOKEN --credential-source-headers=Key=Value --output-file=credentials.json

To create an executable-source credential configuration for your project, run the following command:

gcloud iam workload-identity-pools create-cred-config locations/$REGION/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID --executable-command=$EXECUTABLE_COMMAND --executable-timeout-millis=30000 --executable-output-file=$CACHE_FILE --output-file=credentials.json

To create an AWS-based credential configuration for your project, run:

gcloud iam workload-identity-pools create-cred-config projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --aws --enable-imdsv2 --output-file=credentials.json

To create an Azure-based credential configuration for your project, run:

gcloud iam workload-identity-pools create-cred-config projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --azure --app-id-uri=$URI_FOR_AZURE_APP_ID --output-file=credentials.json

To create an X.509 certificate-based credential configuration for your project, run:

gcloud iam workload-identity-pools create-cred-config projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --credential-cert-path=$PATH_TO_CERTIFICATE_FILE --credential-cert-private-key-path=$PATH_TO_PRIVATE_KEY_FILE --output-file=credentials.json

To use the resulting file for any of these commands, set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the generated file

POSITIONAL ARGUMENTS
AUDIENCE
The workload identity pool provider fully qualified identifier.
REQUIRED FLAGS
--output-file=OUTPUT_FILE
Location to store the generated credential configuration file.
Credential types.

Exactly one of these must be specified:

--aws
Use AWS.
--azure
Use Azure.
--credential-cert-path=CREDENTIAL_CERT_PATH
Path of the X.509 certificate file.
--credential-source-file=CREDENTIAL_SOURCE_FILE
Location of the credential source file.
--credential-source-url=CREDENTIAL_SOURCE_URL
URL to obtain the credential from.
--executable-command=EXECUTABLE_COMMAND
The full command to run to retrieve the credential. Must be an absolute path for the program including arguments.
OPTIONAL FLAGS
--app-id-uri=APP_ID_URI
The custom Application ID URI for the Azure access token.
--credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME
Subject token field name (key) in a JSON credential source.
--credential-source-headers=[key=value,…]
Headers to use when querying the credential-source-url.
--credential-source-type=CREDENTIAL_SOURCE_TYPE
Format of the credential source (JSON or text).
--enable-imdsv2
Adds the AWS IMDSv2 session token Url to the credential source to enforce the AWS IMDSv2 flow.
--subject-token-type=SUBJECT_TOKEN_TYPE
The type of token being used for authorization. This defaults to urn:ietf:params:oauth:token-type:jwt.
Arguments for an X.509 certificate type credential source.
--credential-cert-private-key-path=CREDENTIAL_CERT_PRIVATE_KEY_PATH
Path of the X.509 private key file.

This flag argument must be specified if any of the other arguments in this group are specified.

--credential-cert-configuration-output-file=CREDENTIAL_CERT_CONFIGURATION_OUTPUT_FILE
Path for the certificate configuration file. If specified, a certificate configuration file will be created at the specified path. If not specified, the certificate configuration will be created at the default gcloud location.
Arguments for an executable type credential source.
--executable-output-file=EXECUTABLE_OUTPUT_FILE
Absolute path to the file storing the executable response.
--executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS
Timeout duration, in milliseconds, to wait for the executable to finish.
Service account impersonation options.
--service-account=SERVICE_ACCOUNT
Email of the service account to impersonate.

This flag argument must be specified if any of the other arguments in this group are specified.

--service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS
Lifetime duration of the service account access token in seconds. Defaults to one hour if not specified. If a lifetime greater than one hour is required, the service account must be added as an allowed value in an Organization Policy that enforces the constraints/iam.allowServiceAccountCredentialLifetimeExtension constraint.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES
These variants are also available:
gcloud alpha iam workload-identity-pools create-cred-config
gcloud beta iam workload-identity-pools create-cred-config