Docs Home
Google Cloud v8.21.0 published on Wednesday, Mar 5, 2025 by Pulumi
gcp.iam.getWorkloadIdentityPoolProvider
Explore with Pulumi AI
Get a IAM workload identity provider from Google Cloud by its id.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const foo = gcp.iam.getWorkloadIdentityPoolProvider({
workloadIdentityPoolId: "foo-pool",
workloadIdentityPoolProviderId: "bar-provider",
});
import pulumi
import pulumi_gcp as gcp
foo = gcp.iam.get_workload_identity_pool_provider(workload_identity_pool_id="foo-pool",
workload_identity_pool_provider_id="bar-provider")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iam.LookupWorkloadIdentityPoolProvider(ctx, &iam.LookupWorkloadIdentityPoolProviderArgs{
WorkloadIdentityPoolId: "foo-pool",
WorkloadIdentityPoolProviderId: "bar-provider",
}, nil)
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var foo = Gcp.Iam.GetWorkloadIdentityPoolProvider.Invoke(new()
{
WorkloadIdentityPoolId = "foo-pool",
WorkloadIdentityPoolProviderId = "bar-provider",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.IamFunctions;
import com.pulumi.gcp.iam.inputs.GetWorkloadIdentityPoolProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var foo = IamFunctions.getWorkloadIdentityPoolProvider(GetWorkloadIdentityPoolProviderArgs.builder()
.workloadIdentityPoolId("foo-pool")
.workloadIdentityPoolProviderId("bar-provider")
.build());
}
}
variables:
foo:
fn::invoke:
function: gcp:iam:getWorkloadIdentityPoolProvider
arguments:
workloadIdentityPoolId: foo-pool
workloadIdentityPoolProviderId: bar-provider
Using getWorkloadIdentityPoolProvider
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getWorkloadIdentityPoolProvider(args: GetWorkloadIdentityPoolProviderArgs, opts?: InvokeOptions): Promise<GetWorkloadIdentityPoolProviderResult>
function getWorkloadIdentityPoolProviderOutput(args: GetWorkloadIdentityPoolProviderOutputArgs, opts?: InvokeOptions): Output<GetWorkloadIdentityPoolProviderResult>def get_workload_identity_pool_provider(project: Optional[str] = None,
workload_identity_pool_id: Optional[str] = None,
workload_identity_pool_provider_id: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetWorkloadIdentityPoolProviderResult
def get_workload_identity_pool_provider_output(project: Optional[pulumi.Input[str]] = None,
workload_identity_pool_id: Optional[pulumi.Input[str]] = None,
workload_identity_pool_provider_id: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetWorkloadIdentityPoolProviderResult]func LookupWorkloadIdentityPoolProvider(ctx *Context, args *LookupWorkloadIdentityPoolProviderArgs, opts ...InvokeOption) (*LookupWorkloadIdentityPoolProviderResult, error)
func LookupWorkloadIdentityPoolProviderOutput(ctx *Context, args *LookupWorkloadIdentityPoolProviderOutputArgs, opts ...InvokeOption) LookupWorkloadIdentityPoolProviderResultOutput> Note: This function is named LookupWorkloadIdentityPoolProvider in the Go SDK.
public static class GetWorkloadIdentityPoolProvider
{
public static Task<GetWorkloadIdentityPoolProviderResult> InvokeAsync(GetWorkloadIdentityPoolProviderArgs args, InvokeOptions? opts = null)
public static Output<GetWorkloadIdentityPoolProviderResult> Invoke(GetWorkloadIdentityPoolProviderInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetWorkloadIdentityPoolProviderResult> getWorkloadIdentityPoolProvider(GetWorkloadIdentityPoolProviderArgs args, InvokeOptions options)
public static Output<GetWorkloadIdentityPoolProviderResult> getWorkloadIdentityPoolProvider(GetWorkloadIdentityPoolProviderArgs args, InvokeOptions options)
fn::invoke:
function: gcp:iam/getWorkloadIdentityPoolProvider:getWorkloadIdentityPoolProvider
arguments:
# arguments dictionaryThe following arguments are supported:
- Workload
Identity stringPool Id - The id of the pool which is the final component of the pool resource name.
- Workload
Identity stringPool Provider Id - The id of the provider which is the
final component of the resource name.
- Project string
- The project in which the resource belongs. If it is not provided, the provider project is used.
- Workload
Identity stringPool Id - The id of the pool which is the final component of the pool resource name.
- Workload
Identity stringPool Provider Id - The id of the provider which is the
final component of the resource name.
- Project string
- The project in which the resource belongs. If it is not provided, the provider project is used.
- workload
Identity StringPool Id - The id of the pool which is the final component of the pool resource name.
- workload
Identity StringPool Provider Id - The id of the provider which is the
final component of the resource name.
- project String
- The project in which the resource belongs. If it is not provided, the provider project is used.
- workload
Identity stringPool Id - The id of the pool which is the final component of the pool resource name.
- workload
Identity stringPool Provider Id - The id of the provider which is the
final component of the resource name.
- project string
- The project in which the resource belongs. If it is not provided, the provider project is used.
- workload_
identity_ strpool_ id - The id of the pool which is the final component of the pool resource name.
- workload_
identity_ strpool_ provider_ id - The id of the provider which is the
final component of the resource name.
- project str
- The project in which the resource belongs. If it is not provided, the provider project is used.
- workload
Identity StringPool Id - The id of the pool which is the final component of the pool resource name.
- workload
Identity StringPool Provider Id - The id of the provider which is the
final component of the resource name.
- project String
- The project in which the resource belongs. If it is not provided, the provider project is used.
getWorkloadIdentityPoolProvider Result
The following output properties are available:
- Attribute
Condition string - Attribute
Mapping Dictionary<string, string> - Aws
List<Get
Workload Identity Pool Provider Aw> - Description string
- Disabled bool
- Display
Name string - Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- Oidcs
List<Get
Workload Identity Pool Provider Oidc> - Samls
List<Get
Workload Identity Pool Provider Saml> - State string
- Workload
Identity stringPool Id - Workload
Identity stringPool Provider Id - X509s
List<Get
Workload Identity Pool Provider X509> - Project string
- Attribute
Condition string - Attribute
Mapping map[string]string - Aws
[]Get
Workload Identity Pool Provider Aw - Description string
- Disabled bool
- Display
Name string - Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- Oidcs
[]Get
Workload Identity Pool Provider Oidc - Samls
[]Get
Workload Identity Pool Provider Saml - State string
- Workload
Identity stringPool Id - Workload
Identity stringPool Provider Id - X509s
[]Get
Workload Identity Pool Provider X509 - Project string
- attribute
Condition String - attribute
Mapping Map<String,String> - aws
List<Get
Workload Identity Pool Provider Aw> - description String
- disabled Boolean
- display
Name String - id String
- The provider-assigned unique ID for this managed resource.
- name String
- oidcs
List<Get
Workload Identity Pool Provider Oidc> - samls
List<Get
Workload Identity Pool Provider Saml> - state String
- workload
Identity StringPool Id - workload
Identity StringPool Provider Id - x509s
List<Get
Workload Identity Pool Provider X509> - project String
- attribute
Condition string - attribute
Mapping {[key: string]: string} - aws
Get
Workload Identity Pool Provider Aw[] - description string
- disabled boolean
- display
Name string - id string
- The provider-assigned unique ID for this managed resource.
- name string
- oidcs
Get
Workload Identity Pool Provider Oidc[] - samls
Get
Workload Identity Pool Provider Saml[] - state string
- workload
Identity stringPool Id - workload
Identity stringPool Provider Id - x509s
Get
Workload Identity Pool Provider X509[] - project string
- attribute_
condition str - attribute_
mapping Mapping[str, str] - aws
Sequence[Get
Workload Identity Pool Provider Aw] - description str
- disabled bool
- display_
name str - id str
- The provider-assigned unique ID for this managed resource.
- name str
- oidcs
Sequence[Get
Workload Identity Pool Provider Oidc] - samls
Sequence[Get
Workload Identity Pool Provider Saml] - state str
- workload_
identity_ strpool_ id - workload_
identity_ strpool_ provider_ id - x509s
Sequence[Get
Workload Identity Pool Provider X509] - project str
- attribute
Condition String - attribute
Mapping Map<String> - aws List<Property Map>
- description String
- disabled Boolean
- display
Name String - id String
- The provider-assigned unique ID for this managed resource.
- name String
- oidcs List<Property Map>
- samls List<Property Map>
- state String
- workload
Identity StringPool Id - workload
Identity StringPool Provider Id - x509s List<Property Map>
- project String
Supporting Types
GetWorkloadIdentityPoolProviderAw
- Account
Id string - The AWS account ID.
- Account
Id string - The AWS account ID.
- account
Id String - The AWS account ID.
- account
Id string - The AWS account ID.
- account_
id str - The AWS account ID.
- account
Id String - The AWS account ID.
GetWorkloadIdentityPoolProviderOidc
- Allowed
Audiences List<string> Acceptable values for the 'aud' field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured.
If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: ''' //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ '''
- Issuer
Uri string - The OIDC issuer URL.
- Jwks
Json string - OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the 'jwks_uri' from the discovery document fetched from the .well-known path for the 'issuer_uri'. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields: ''' { "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] } '''
- Allowed
Audiences []string Acceptable values for the 'aud' field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured.
If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: ''' //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ '''
- Issuer
Uri string - The OIDC issuer URL.
- Jwks
Json string - OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the 'jwks_uri' from the discovery document fetched from the .well-known path for the 'issuer_uri'. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields: ''' { "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] } '''
- allowed
Audiences List<String> Acceptable values for the 'aud' field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured.
If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: ''' //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ '''
- issuer
Uri String - The OIDC issuer URL.
- jwks
Json String - OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the 'jwks_uri' from the discovery document fetched from the .well-known path for the 'issuer_uri'. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields: ''' { "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] } '''
- allowed
Audiences string[] Acceptable values for the 'aud' field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured.
If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: ''' //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ '''
- issuer
Uri string - The OIDC issuer URL.
- jwks
Json string - OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the 'jwks_uri' from the discovery document fetched from the .well-known path for the 'issuer_uri'. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields: ''' { "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] } '''
- allowed_
audiences Sequence[str] Acceptable values for the 'aud' field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured.
If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: ''' //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ '''
- issuer_
uri str - The OIDC issuer URL.
- jwks_
json str - OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the 'jwks_uri' from the discovery document fetched from the .well-known path for the 'issuer_uri'. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields: ''' { "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] } '''
- allowed
Audiences List<String> Acceptable values for the 'aud' field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured.
If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: ''' //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ '''
- issuer
Uri String - The OIDC issuer URL.
- jwks
Json String - OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the 'jwks_uri' from the discovery document fetched from the .well-known path for the 'issuer_uri'. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields: ''' { "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] } '''
GetWorkloadIdentityPoolProviderSaml
- Idp
Metadata stringXml - SAML Identity provider configuration metadata xml doc.
- Idp
Metadata stringXml - SAML Identity provider configuration metadata xml doc.
- idp
Metadata StringXml - SAML Identity provider configuration metadata xml doc.
- idp
Metadata stringXml - SAML Identity provider configuration metadata xml doc.
- idp_
metadata_ strxml - SAML Identity provider configuration metadata xml doc.
- idp
Metadata StringXml - SAML Identity provider configuration metadata xml doc.
GetWorkloadIdentityPoolProviderX509
- Trust
Stores List<GetWorkload Identity Pool Provider X509Trust Store> - A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
- Trust
Stores []GetWorkload Identity Pool Provider X509Trust Store - A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
- trust
Stores List<GetWorkload Identity Pool Provider X509Trust Store> - A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
- trust
Stores GetWorkload Identity Pool Provider X509Trust Store[] - A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
- trust_
stores Sequence[GetWorkload Identity Pool Provider X509Trust Store] - A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
- trust
Stores List<Property Map> - A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
GetWorkloadIdentityPoolProviderX509TrustStore
- Intermediate
Cas List<GetWorkload Identity Pool Provider X509Trust Store Intermediate Ca> - Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
- Trust
Anchors List<GetWorkload Identity Pool Provider X509Trust Store Trust Anchor> - List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here.
- Intermediate
Cas []GetWorkload Identity Pool Provider X509Trust Store Intermediate Ca - Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
- Trust
Anchors []GetWorkload Identity Pool Provider X509Trust Store Trust Anchor - List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here.
- intermediate
Cas List<GetWorkload Identity Pool Provider X509Trust Store Intermediate Ca> - Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
- trust
Anchors List<GetWorkload Identity Pool Provider X509Trust Store Trust Anchor> - List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here.
- intermediate
Cas GetWorkload Identity Pool Provider X509Trust Store Intermediate Ca[] - Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
- trust
Anchors GetWorkload Identity Pool Provider X509Trust Store Trust Anchor[] - List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here.
- intermediate_
cas Sequence[GetWorkload Identity Pool Provider X509Trust Store Intermediate Ca] - Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
- trust_
anchors Sequence[GetWorkload Identity Pool Provider X509Trust Store Trust Anchor] - List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here.
- intermediate
Cas List<Property Map> - Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
- trust
Anchors List<Property Map> - List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here.
GetWorkloadIdentityPoolProviderX509TrustStoreIntermediateCa
- Pem
Certificate string - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- Pem
Certificate string - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- pem
Certificate String - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- pem
Certificate string - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- pem_
certificate str - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- pem
Certificate String - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
GetWorkloadIdentityPoolProviderX509TrustStoreTrustAnchor
- Pem
Certificate string - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- Pem
Certificate string - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- pem
Certificate String - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- pem
Certificate string - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- pem_
certificate str - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
- pem
Certificate String - PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-betaTerraform Provider.