NAME

gcloud alpha iam workload-identity-pools create-cred-config - create a configuration file for generated credentials

SYNOPSIS

gcloud alpha iam workload-identity-pools create-cred-config AUDIENCE --output-file=OUTPUT_FILE (--aws | --azure | --credential-source-file=CREDENTIAL_SOURCE_FILE | --credential-source-url=CREDENTIAL_SOURCE_URL | --executable-command=EXECUTABLE_COMMAND) [--app-id-uri=APP_ID_URI] [--credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME] [--credential-source-headers=[key=value,...]] [--credential-source-type=CREDENTIAL_SOURCE_TYPE] [--enable-imdsv2] [--subject-token-type=SUBJECT_TOKEN_TYPE] [--executable-output-file=EXECUTABLE_OUTPUT_FILE --executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS] [--service-account=SERVICE_ACCOUNT : --service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS] [GCLOUD_WIDE_FLAG ...]

DESCRIPTION

(ALPHA) This command creates a configuration file to allow access to authenticated Google Cloud actions from a variety of external accounts.

EXAMPLES

To create a file-sourced credential configuration for your project, run:

$ gcloud alpha iam workload-identity-pools create-cred-config \ projects/$PROJECT_NUMBER/locations/$REGION/\ workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \ --service-account=$EMAIL \ --credential-source-file=$PATH_TO_OIDC_ID_TOKEN \ --output-file=credentials.json

To create a URL-sourced credential configuration for your project, run:

$ gcloud alpha iam workload-identity-pools create-cred-config \ projects/$PROJECT_NUMBER/locations/$REGION/\ workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \ --service-account=$EMAIL \ --credential-source-url=$URL_FOR_OIDC_TOKEN \ --credential-source-headers=Key=Value \ --output-file=credentials.json

To create an executable-source credential configuration for your project, run the following command:

$ gcloud alpha iam workload-identity-pools create-cred-config \ locations/$REGION/workforcePools/$WORKFORCE_POOL_ID/providers/\ $PROVIDER_ID --executable-command=$EXECUTABLE_COMMAND \ --executable-timeout-millis=30000 \ --executable-output-file=$CACHE_FILE \ --output-file=credentials.json

To create an AWS-based credential configuration for your project, run:

$ gcloud alpha iam workload-identity-pools create-cred-config \ projects/$PROJECT_NUMBER/locations/$REGION/\ workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \ --service-account=$EMAIL --aws --enable-imdsv2 \ --output-file=credentials.json

To create an Azure-based credential configuration for your project, run:

$ gcloud alpha iam workload-identity-pools create-cred-config \ projects/$PROJECT_NUMBER/locations/$REGION/\ workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \ --service-account=$EMAIL --azure \ --app-id-uri=$URI_FOR_AZURE_APP_ID \ --output-file=credentials.json

To use the resulting file for any of these commands, set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the generated file

POSITIONAL ARGUMENTS

AUDIENCE

The workload identity pool provider resource name.

REQUIRED FLAGS

--output-file=OUTPUT_FILE

Location to store the generated credential configuration file.

Credential types.

Exactly one of these must be specified:

--aws

Use AWS.

--azure

Use Azure.

--credential-source-file=CREDENTIAL_SOURCE_FILE

Location of the credential source file.

--credential-source-url=CREDENTIAL_SOURCE_URL

URL to obtain the credential from.

--executable-command=EXECUTABLE_COMMAND

The full command to run to retrieve the credential. Must be an absolute path for the program including arguments.

OPTIONAL FLAGS

--app-id-uri=APP_ID_URI

The custom Application ID URI for the Azure access token.

--credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME

The subject token field name (key) in a JSON credential source.

--credential-source-headers=[key=value,...]

Headers to use when querying the credential-source-url.

--credential-source-type=CREDENTIAL_SOURCE_TYPE

The format of the credential source (JSON or text).

--enable-imdsv2

Adds the AWS IMDSv2 session token Url to the credential source to enforce the AWS IMDSv2 flow.

--subject-token-type=SUBJECT_TOKEN_TYPE

The type of token being used for authorization. This defaults to urn:ietf:params:oauth:token-type:jwt.

Arguments for an executable type credential source.
--executable-output-file=EXECUTABLE_OUTPUT_FILE

The absolute path to the file storing the executable response.

--executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS

The timeout duration in milliseconds for waiting for the executable to finish.

Service account impersonation options.
--service-account=SERVICE_ACCOUNT

The email of the service account to impersonate.

This flag argument must be specified if any of the other arguments in this group are specified.

--service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS

The desired lifetime duration of the service account access token in seconds. This defaults to one hour when not provided. If a lifetime greater than one hour is required, the service account must be added as an allowed value in an Organization Policy that enforces the constraints/iam.allowServiceAccountCredentialLifetimeExtension constraint.

GCLOUD WIDE FLAGS

These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES

This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. These variants are also available:

$ gcloud iam workload-identity-pools create-cred-config

$ gcloud beta iam workload-identity-pools create-cred-config