gcloud iam workload-identity-pools create-cred-config - create a configuration file for generated credentials
gcloud iam workload-identity-pools create-cred-config AUDIENCE --output-file=OUTPUT_FILE (--aws | --azure | --credential-source-file=CREDENTIAL_SOURCE_FILE | --credential-source-url=CREDENTIAL_SOURCE_URL | --executable-command=EXECUTABLE_COMMAND) [--app-id-uri=APP_ID_URI] [--credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME] [--credential-source-headers=[key=value,...]] [--credential-source-type=CREDENTIAL_SOURCE_TYPE] [--enable-imdsv2] [--subject-token-type=SUBJECT_TOKEN_TYPE] [--executable-output-file=EXECUTABLE_OUTPUT_FILE --executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS] [--service-account=SERVICE_ACCOUNT : --service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS] [GCLOUD_WIDE_FLAG ...]
This command creates a configuration file to allow access to authenticated Google Cloud actions from a variety of external accounts.
To create a file-sourced credential configuration for your project, run:
$ gcloud iam workload-identity-pools create-cred-config \
    projects/$PROJECT_NUMBER/locations/$REGION/\
workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \
    --service-account=$EMAIL \
    --credential-source-file=$PATH_TO_OIDC_ID_TOKEN \
    --output-file=credentials.json
To create a URL-sourced credential configuration for your project, run:
$ gcloud iam workload-identity-pools create-cred-config \
    projects/$PROJECT_NUMBER/locations/$REGION/\
workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \
    --service-account=$EMAIL \
    --credential-source-url=$URL_FOR_OIDC_TOKEN \
    --credential-source-headers=Key=Value \
    --output-file=credentials.json
To create an executable-sourced credential configuration for your project, run:
$ gcloud iam workload-identity-pools create-cred-config \
    locations/$REGION/workforcePools/$WORKFORCE_POOL_ID/providers/\
$PROVIDER_ID \
    --executable-command=$EXECUTABLE_COMMAND \
    --executable-timeout-millis=30000 \
    --executable-output-file=$CACHE_FILE \
    --output-file=credentials.json
To create an AWS-based credential configuration for your project, run:
$ gcloud iam workload-identity-pools create-cred-config \
    projects/$PROJECT_NUMBER/locations/$REGION/\
workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \
    --service-account=$EMAIL --aws --enable-imdsv2 \
    --output-file=credentials.json
To create an Azure-based credential configuration for your project, run:
$ gcloud iam workload-identity-pools create-cred-config \
    projects/$PROJECT_NUMBER/locations/$REGION/\
workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \
    --service-account=$EMAIL --azure \
    --app-id-uri=$URI_FOR_AZURE_APP_ID \
    --output-file=credentials.json
To use the resulting file with any of these credential types, set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the generated file. The file itself holds no secret: it tells the client library where to obtain the external subject token and which service account, if any, to impersonate.
- AUDIENCE
The workload identity pool provider resource name.
- --output-file=OUTPUT_FILE
Location to store the generated credential configuration file.
- Credential types.
Exactly one of these must be specified:
- --aws
Use AWS.
- --azure
Use Azure.
- --credential-source-file=CREDENTIAL_SOURCE_FILE
Location of the credential source file.
- --credential-source-url=CREDENTIAL_SOURCE_URL
URL to obtain the credential from.
- --executable-command=EXECUTABLE_COMMAND
The full command to run to retrieve the credential. The program must be given as an absolute path, followed by its arguments.
- --app-id-uri=APP_ID_URI
The custom Application ID URI for the Azure access token.
- --credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME
The subject token field name (key) in a JSON credential source.
- --credential-source-headers=[key=value,...]
Headers to use when querying the credential-source-url.
- --credential-source-type=CREDENTIAL_SOURCE_TYPE
The format of the credential source (JSON or text).
- --enable-imdsv2
Adds the AWS IMDSv2 session token URL to the credential source so that the IMDSv2 flow is enforced.
- --subject-token-type=SUBJECT_TOKEN_TYPE
The type of token being used for authorization. This defaults to urn:ietf:params:oauth:token-type:jwt.
- Arguments for an executable type credential source.
- --executable-output-file=EXECUTABLE_OUTPUT_FILE
The absolute path to the file storing the executable response.
- --executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS
The timeout duration in milliseconds for waiting for the executable to finish.
- Service account impersonation options.
- --service-account=SERVICE_ACCOUNT
The email of the service account to impersonate.
This flag argument must be specified if any of the other arguments in this group are specified.
- --service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS
The desired lifetime duration of the service account access token in seconds. This defaults to one hour when not provided. If a lifetime greater than one hour is required, the service account must be added as an allowed value in an Organization Policy that enforces the constraints/iam.allowServiceAccountCredentialLifetimeExtension constraint.
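The file this command writes is what GOOGLE_APPLICATION_CREDENTIALS later points at, so the properties the flags above describe (absolute paths for file and executable sources, IMDSv2 enforcement for AWS, the one-hour lifetime ceiling for impersonation) are worth checking before the file is deployed. The following Python script is an added example and is not part of the gcloud reference or the gcloud tool: it lints a generated configuration for those properties. It assumes the field names of the "external_account" configuration format as used by the Google auth client libraries (audience, credential_source, service_account_impersonation.token_lifetime_seconds, and so on); the two sample configurations, their project number, pool, provider and service-account values are constructed for the example.

```python
"""Lint a credential configuration of the kind
`gcloud iam workload-identity-pools create-cred-config` writes.

Added example; field names assume the "external_account" format used by the
Google auth client libraries.  Sample configurations below are constructed.
"""
import json
import re
from urllib.parse import urlparse

# The audience gcloud writes is the provider resource name prefixed with
# "//iam.googleapis.com/" (workload pools carry a project number, workforce
# pools do not).
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/(projects/\d+/)?locations/[^/]+/"
    r"(workloadIdentityPools|workforcePools)/[^/]+/providers/[^/]+$"
)
ONE_HOUR_SECONDS = 3600  # default impersonated-token lifetime per the reference
# Hosts for which a plain-http credential source URL is expected (metadata services).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "169.254.169.254"}

LIFETIME_FINDING = (
    "token lifetime exceeds one hour; needs an exception under the "
    "constraints/iam.allowServiceAccountCredentialLifetimeExtension org policy"
)
IMDSV2_FINDING = "AWS source without IMDSv2 session token URL (create with --enable-imdsv2)"


def _is_absolute(path: str) -> bool:
    """POSIX or Windows drive-letter absolute path."""
    return path.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", path) is not None


def lint_credential_config(cfg: dict) -> list:
    """Return a list of findings; an empty list means nothing looked risky."""
    if cfg.get("type") != "external_account":
        return ["type is not external_account; not a create-cred-config output"]
    findings = []
    if not AUDIENCE_RE.match(cfg.get("audience", "")):
        findings.append("audience is not a workload/workforce pool provider resource name")

    src = cfg.get("credential_source", {})
    if "file" in src:
        if not _is_absolute(src["file"]):
            findings.append("credential source file path is relative; resolution depends on cwd")
    elif "executable" in src:
        exe = src["executable"]
        program = exe["command"].split()[0] if exe.get("command") else ""
        if not _is_absolute(program):
            findings.append("executable command is not an absolute path")
        if exe.get("output_file") and not _is_absolute(exe["output_file"]):
            findings.append("executable output (cache) file path is not absolute")
        if "timeout_millis" not in exe:
            findings.append("executable has no timeout_millis; a hung helper blocks token refresh")
    elif str(src.get("environment_id", "")).startswith("aws"):
        # AWS sources also carry a "url" key, so this branch must come before the URL one.
        if "imdsv2_session_token_url" not in src:
            findings.append(IMDSV2_FINDING)
    elif "url" in src:
        u = urlparse(src["url"])
        if u.scheme != "https" and u.hostname not in LOCAL_HOSTS:
            findings.append("credential source URL is plain http to a non-local host; "
                            "the subject token would travel in cleartext")

    lifetime = cfg.get("service_account_impersonation", {}).get(
        "token_lifetime_seconds", ONE_HOUR_SECONDS)
    if lifetime > ONE_HOUR_SECONDS:
        findings.append(LIFETIME_FINDING)
    return findings


def lint_credential_file(path: str) -> list:
    """Lint a configuration file on disk (e.g. the --output-file of the command)."""
    with open(path, encoding="utf-8") as fh:
        return lint_credential_config(json.load(fh))


# Constructed sample: file-sourced config with a relative token path and a 2-hour lifetime.
FILE_SOURCED_SAMPLE = json.loads("""
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/example-pool/providers/example-provider",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/example-sa@example-project.iam.gserviceaccount.com:generateAccessToken",
  "service_account_impersonation": {"token_lifetime_seconds": 7200},
  "credential_source": {"file": "tokens/oidc-id-token", "format": {"type": "text"}}
}
""")

# Constructed sample: AWS config generated without --enable-imdsv2.
AWS_SAMPLE = json.loads("""
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/example-pool/providers/aws-provider",
  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "environment_id": "aws1",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
  }
}
""")

if __name__ == "__main__":
    for name, sample in (("file-sourced", FILE_SOURCED_SAMPLE), ("aws", AWS_SAMPLE)):
        for finding in lint_credential_config(sample) or ["no findings"]:
            print(f"{name}: {finding}")
```

Run it against a real file with `lint_credential_file("credentials.json")`. The checks mirror the reference text rather than the client library's own validation: a relative path or a missing IMDSv2 URL still loads, but it is the kind of setting a reviewer wants surfaced before the file is handed to a workload.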
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
These variants are also available:
$ gcloud alpha iam workload-identity-pools create-cred-config
$ gcloud beta iam workload-identity-pools create-cred-config