--- title: Getting Started with Datadog description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > Infrastructure > Datadog Resource Catalog --- # gcp_iam_workload_identity_pool{% #gcp_iam_workload_identity_pool %} ## `ancestors`{% #ancestors %} **Type**: `UNORDERED_LIST_STRING` ## `description`{% #description %} **Type**: `STRING`**Provider name**: `description`**Description**: Optional. A description of the pool. Cannot exceed 256 characters. ## `disabled`{% #disabled %} **Type**: `BOOLEAN`**Provider name**: `disabled`**Description**: Optional. Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again. ## `expire_time`{% #expire_time %} **Type**: `TIMESTAMP`**Provider name**: `expireTime`**Description**: Output only. Time after which the workload identity pool will be permanently purged and cannot be recovered. ## `gcp_display_name`{% #gcp_display_name %} **Type**: `STRING`**Provider name**: `displayName`**Description**: Optional. A display name for the pool. Cannot exceed 32 characters. ## `inline_certificate_issuance_config`{% #inline_certificate_issuance_config %} **Type**: `STRUCT`**Provider name**: `inlineCertificateIssuanceConfig`**Description**: Optional. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. - `key_algorithm`**Type**: `STRING`**Provider name**: `keyAlgorithm`**Description**: Optional. Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If not specified, this will default to ECDSA_P256.**Possible values**: - `KEY_ALGORITHM_UNSPECIFIED` - Unspecified key algorithm. Defaults to ECDSA_P256. - `RSA_2048` - Specifies RSA with a 2048-bit modulus. - `RSA_3072` - Specifies RSA with a 3072-bit modulus. - `RSA_4096` - Specifies RSA with a 4096-bit modulus. - `ECDSA_P256` - Specifies ECDSA with curve P256. - `ECDSA_P384` - Specifies ECDSA with curve P384. - `lifetime`**Type**: `STRING`**Provider name**: `lifetime`**Description**: Optional. Lifetime of the workload certificates issued by the CA pool. Must be between 24 hours and 30 days. If not specified, this will be defaulted to 24 hours. - `rotation_window_percentage`**Type**: `INT32`**Provider name**: `rotationWindowPercentage`**Description**: Optional. Rotation window percentage, the percentage of remaining lifetime after which certificate rotation is initiated. Must be between 50 and 80. If no value is specified, rotation window percentage is defaulted to 50. ## `inline_trust_config`{% #inline_trust_config %} **Type**: `STRUCT`**Provider name**: `inlineTrustConfig`**Description**: Optional. Represents config to add additional trusted trust domains. ## `labels`{% #labels %} **Type**: `UNORDERED_LIST_STRING` ## `mode`{% #mode %} **Type**: `STRING`**Provider name**: `mode`**Description**: Immutable. The mode the pool is operating in.**Possible values**: - `MODE_UNSPECIFIED` - State unspecified. New pools should not use this mode. Pools with an unspecified mode will operate as if they are in federation-only mode. - `FEDERATION_ONLY` - Federation-only mode. Federation-only pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a federation-only pool, and you cannot create any resources within the pool besides providers. - `TRUST_DOMAIN` - Trust-domain mode. Trust-domain pools can be used to assign identities to Google Cloud workloads. All identities within a trust-domain pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: `ns//sa/` WorkloadIdentityPoolProviders cannot be created within trust-domain pools. ## `name`{% #name %} **Type**: `STRING`**Provider name**: `name`**Description**: Output only. The resource name of the pool. ## `organization_id`{% #organization_id %} **Type**: `STRING` ## `parent`{% #parent %} **Type**: `STRING` ## `project_id`{% #project_id %} **Type**: `STRING` ## `project_number`{% #project_number %} **Type**: `STRING` ## `region_id`{% #region_id %} **Type**: `STRING` ## `resource_name`{% #resource_name %} **Type**: `STRING` ## `state`{% #state %} **Type**: `STRING`**Provider name**: `state`**Description**: Output only. The state of the pool.**Possible values**: - `STATE_UNSPECIFIED` - State unspecified. - `ACTIVE` - The pool is active, and may be used in Google Cloud policies. - `DELETED` - The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again. ## `tags`{% #tags %} **Type**: `UNORDERED_LIST_STRING` ## `zone_id`{% #zone_id %} **Type**: `STRING`