Workload Identity Pool Provider

A Workload Identity Pool Provider in GCP enables external identities from systems such as other clouds or identity providers to authenticate to Google Cloud without using long‑lived service account keys. It defines how Google Cloud trusts and maps external credentials into a workload identity pool. This allows secure, scalable, and managed federation between external identity sources and Google Cloud IAM for accessing resources.

gcp.iam_workload_identity_pool_provider

Fields

| Title | Type | Data Type | Description |
| --- | --- | --- | --- |
| _key | core | string | |
| ancestors | core | `array<string>` | |
| attribute_condition | core | string | Optional. [A Common Expression Language](https://opensource.google/projects/cel) expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expression: `assertion` (JSON representing the authentication credential issued by the provider), `google` (the Google attributes mapped from the assertion in the `attribute_mappings`), and `attribute` (the custom attributes mapped from the assertion in the `attribute_mappings`). The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials are accepted. The following example shows how to only allow credentials with a mapped `google.groups` value of `admins`: `"'admins' in google.groups"` |
| aws | core | json | An Amazon Web Services identity provider. |
| datadog_display_name | core | string | |
| description | core | string | Optional. A description for the provider. Cannot exceed 256 characters. |
| disabled | core | bool | Optional. Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access. |
| expire_time | core | timestamp | Output only. Time after which the workload identity pool provider will be permanently purged and cannot be recovered. |
| gcp_display_name | core | string | Optional. A display name for the provider. Cannot exceed 32 characters. |
| labels | core | `array<string>` | |
| name | core | string | Identifier. The resource name of the provider. |
| oidc | core | json | An OpenID Connect 1.0 identity provider. |
| organization_id | core | string | |
| parent | core | string | |
| project_id | core | string | |
| project_number | core | string | |
| region_id | core | string | |
| resource_name | core | string | |
| saml | core | json | A SAML 2.0 identity provider. |
| state | core | string | Output only. The state of the provider. |
| tags | core | hstore_csv | |
| x509 | core | json | An X.509-type identity provider. |
| zone_id | core | string | |
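The `attribute_condition`, `disabled`, `state` and `expire_time` fields above are the ones a reviewer checks first when auditing federation trust. The following added example (not code from the original page or from Google/Datadog) runs such a check over constructed provider records shaped like this resource; the sample values, the finding codes and the assumed `ACTIVE`/`DELETED` state values are the example's own.

```python
import re

# Constructed sample records in the shape of gcp.iam_workload_identity_pool_provider.
# Names, issuers and account ids are made up for illustration only.
SAMPLE_PROVIDERS = [
    {"name": "projects/111/locations/global/workloadIdentityPools/ci/providers/github",
     "oidc": {"issuer_uri": "https://token.actions.githubusercontent.com"},
     "attribute_condition": "assertion.repository_owner == 'example-org'",
     "disabled": False, "state": "ACTIVE", "expire_time": None},
    {"name": "projects/111/locations/global/workloadIdentityPools/ci/providers/aws-prod",
     "aws": {"account_id": "123456789012"},
     "attribute_condition": "", "disabled": False, "state": "ACTIVE", "expire_time": None},
    {"name": "projects/111/locations/global/workloadIdentityPools/ci/providers/legacy",
     "oidc": {"issuer_uri": "https://issuer.example"},
     "attribute_condition": "true", "disabled": True, "state": "DELETED",
     "expire_time": "2024-01-01T00:00:00Z"},
]

MAX_CONDITION_LEN = 4096                          # limit stated in the field description
KEYWORDS = ("assertion", "google", "attribute")   # identifiers a condition may reference


def audit_provider(p):
    """Return a list of finding codes (constructed names) for one provider record."""
    findings = []
    cond = (p.get("attribute_condition") or "").strip()
    if not cond:
        # Every valid credential from the issuer is accepted; only the attribute
        # mappings and the pool's IAM bindings still limit who can federate.
        findings.append("no_attribute_condition")
    else:
        if len(cond) > MAX_CONDITION_LEN:
            findings.append("attribute_condition_too_long")
        if not any(re.search(rf"\b{k}\b", cond) for k in KEYWORDS):
            # A constant expression such as "true" restricts nothing.
            findings.append("attribute_condition_references_no_claims")
    if p.get("disabled"):
        # Disabled providers cannot exchange new tokens, but tokens already
        # issued keep granting access until they expire.
        findings.append("disabled_but_existing_tokens_valid")
    if p.get("state") == "DELETED" or p.get("expire_time"):
        findings.append("pending_purge")
    return findings


def audit_all(providers):
    """Map each provider's resource name to its findings."""
    return {p["name"]: audit_provider(p) for p in providers}
```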