--- title: Workload Identity Pool Provider description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > DDSQL Reference > Data Directory > Workload Identity Pool Provider --- # Workload Identity Pool Provider A Workload Identity Pool Provider in GCP enables external identities from systems such as other clouds or identity providers to authenticate to Google Cloud without using long‑lived service account keys. It defines how Google Cloud trusts and maps external credentials into a workload identity pool. This allows secure, scalable, and managed federation between external identity sources and Google Cloud IAM for accessing resources. ```gdscript3 gcp.iam_workload_identity_pool_provider ``` ## Fields | Title | ID | Type | Data Type | Description | | -------------------- | ---- | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | | _key | core | string | | ancestors | core | array | | attribute_condition | core | string | Optional. [A Common Expression Language](https://opensource.google/projects/cel) expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions: * `assertion`: JSON representing the authentication credential issued by the provider. * `google`: The Google attributes mapped from the assertion in the `attribute_mappings`. * `attribute`: The custom attributes mapped from the assertion in the `attribute_mappings`. The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credential are accepted. The following example shows how to only allow credentials with a mapped `google.groups` value of `admins`: ``` "'admins' in google.groups" ``` | | aws | core | json | An Amazon Web Services identity provider. | | datadog_display_name | core | string | | description | core | string | Optional. A description for the provider. Cannot exceed 256 characters. | | disabled | core | bool | Optional. Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access. | | expire_time | core | timestamp | Output only. Time after which the workload identity pool provider will be permanently purged and cannot be recovered. | | gcp_display_name | core | string | Optional. A display name for the provider. Cannot exceed 32 characters. | | labels | core | array | | name | core | string | Identifier. The resource name of the provider. | | oidc | core | json | An OpenId Connect 1.0 identity provider. | | organization_id | core | string | | parent | core | string | | project_id | core | string | | project_number | core | string | | region_id | core | string | | resource_name | core | string | | saml | core | json | An SAML 2.0 identity provider. | | state | core | string | Output only. The state of the provider. | | tags | core | hstore_csv | | x509 | core | json | An X.509-type identity provider. | | zone_id | core | string |