---
title: Workload Identity Pool Provider
description: Datadog, the leading service for cloud-scale monitoring.
---

# Workload Identity Pool Provider

A Workload Identity Pool Provider in GCP enables external identities from systems such as other clouds or identity providers to authenticate to Google Cloud without using long-lived service account keys. It defines how Google Cloud trusts and maps external credentials into a workload identity pool. This allows secure, scalable, and managed federation between external identity sources and Google Cloud IAM for accessing resources.

```text
gcp.iam_workload_identity_pool_provider
```

## Fields

| Title / ID           | Type | Data Type     | Description |
| -------------------- | ---- | ------------- | ----------- |
| _key                 | core | string        |             |
| ancestors            | core | array<string> |             |
| attribute_condition  | core | string        | Optional. A [Common Expression Language](https://opensource.google/projects/cel) expression, in plain text, that restricts which otherwise valid authentication credentials issued by the provider are accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expression: `assertion` (JSON representing the authentication credential issued by the provider); `google` (the Google attributes mapped from the assertion in the `attribute_mappings`); `attribute` (the custom attributes mapped from the assertion in the `attribute_mappings`). The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials are accepted. The following example shows how to only allow credentials with a mapped `google.groups` value of `admins`: `"'admins' in google.groups"` |
| aws                  | core | json          | An Amazon Web Services identity provider. |
| datadog_display_name | core | string        |             |
| description          | core | string        | Optional. A description for the provider. Cannot exceed 256 characters. |
| disabled             | core | bool          | Optional. Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access. |
| expire_time          | core | timestamp     | Output only. Time after which the workload identity pool provider will be permanently purged and cannot be recovered. |
| gcp_display_name     | core | string        | Optional. A display name for the provider. Cannot exceed 32 characters. |
| labels               | core | array<string> |             |
| name                 | core | string        | Identifier. The resource name of the provider. |
| oidc                 | core | json          | An OpenID Connect 1.0 identity provider. |
| organization_id      | core | string        |             |
| parent               | core | string        |             |
| project_id           | core | string        |             |
| project_number       | core | string        |             |
| region_id            | core | string        |             |
| resource_name        | core | string        |             |
| saml                 | core | json          | A SAML 2.0 identity provider. |
| state                | core | string        | Output only. The state of the provider. |
| tags                 | core | hstore_csv    |             |
| x509                 | core | json          | An X.509-type identity provider. |
| zone_id              | core | string        |             |
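
The `attribute_condition` and `disabled` descriptions above carry the two facts a reviewer of federation trust cares about most: a provider with no condition accepts every valid credential its identity source issues, and disabling a provider does not revoke tokens already exchanged. The query below is an added example, not part of Datadog's documentation. It assumes DDSQL accepts standard SQL `CASE` and `IS NULL` predicates on this table, and that an unset `aws`, `oidc`, `saml` or `x509` column is returned as NULL.

```sql
-- Added example: audit every workload identity pool provider and label
-- the federation-trust posture described in the Fields table.
-- Assumption: unset json columns (aws/oidc/saml/x509) are NULL.
SELECT
  project_id,
  name,
  gcp_display_name,
  state,
  disabled,
  expire_time,
  -- Which kind of external identity source this provider trusts.
  CASE
    WHEN aws  IS NOT NULL THEN 'aws'
    WHEN oidc IS NOT NULL THEN 'oidc'
    WHEN saml IS NOT NULL THEN 'saml'
    WHEN x509 IS NOT NULL THEN 'x509'
    ELSE 'unknown'
  END AS provider_type,
  -- Posture derived from the field descriptions on this page.
  CASE
    WHEN disabled IS TRUE
      THEN 'disabled: no new token exchange, but existing tokens still grant access'
    WHEN attribute_condition IS NULL OR attribute_condition = ''
      THEN 'no attribute_condition: all valid credentials from the provider are accepted'
    ELSE 'attribute_condition set: review the CEL expression'
  END AS finding,
  attribute_condition
FROM gcp.iam_workload_identity_pool_provider
ORDER BY project_id, name;
```

Rows labelled `no attribute_condition` are the ones to review first, since the provider's own credential validation is then the only gate on federation.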
