NAME

gcloud iam workload-identity-pools create-cred-config - create a configuration file for generated credentials

SYNOPSIS

gcloud iam workload-identity-pools create-cred-config AUDIENCE --output-file=OUTPUT_FILE (--aws | --azure | --credential-source-file=CREDENTIAL_SOURCE_FILE | --credential-source-url=CREDENTIAL_SOURCE_URL | --executable-command=EXECUTABLE_COMMAND) [--app-id-uri=APP_ID_URI] [--credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME] [--credential-source-headers=[key=value,...]] [--credential-source-type=CREDENTIAL_SOURCE_TYPE] [--enable-imdsv2] [--subject-token-type=SUBJECT_TOKEN_TYPE] [--executable-output-file=EXECUTABLE_OUTPUT_FILE --executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS] [--service-account=SERVICE_ACCOUNT : --service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS] [GCLOUD_WIDE_FLAG ...]

DESCRIPTION

This command creates a configuration file to allow access to authenticated Google Cloud actions from a variety of external accounts.

EXAMPLES

To create a file-sourced credential configuration for your project, run:

$ gcloud iam workload-identity-pools create-cred-config \
    projects/$PROJECT_NUMBER/locations/$REGION/\
workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \
    --service-account=$EMAIL \
    --credential-source-file=$PATH_TO_OIDC_ID_TOKEN \
    --output-file=credentials.json

To create a URL-sourced credential configuration for your project, run:

$ gcloud iam workload-identity-pools create-cred-config \
    projects/$PROJECT_NUMBER/locations/$REGION/\
workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \
    --service-account=$EMAIL \
    --credential-source-url=$URL_FOR_OIDC_TOKEN \
    --credential-source-headers=Key=Value \
    --output-file=credentials.json

To create an executable-source credential configuration for your project, run the following command:

$ gcloud iam workload-identity-pools create-cred-config \
    locations/$REGION/workforcePools/$WORKFORCE_POOL_ID/providers/\
$PROVIDER_ID \
    --executable-command=$EXECUTABLE_COMMAND \
    --executable-timeout-millis=30000 \
    --executable-output-file=$CACHE_FILE \
    --output-file=credentials.json

To create an AWS-based credential configuration for your project, run:

$ gcloud iam workload-identity-pools create-cred-config \
    projects/$PROJECT_NUMBER/locations/$REGION/\
workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \
    --service-account=$EMAIL --aws --enable-imdsv2 \
    --output-file=credentials.json

To create an Azure-based credential configuration for your project, run:

$ gcloud iam workload-identity-pools create-cred-config \
    projects/$PROJECT_NUMBER/locations/$REGION/\
workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \
    --service-account=$EMAIL --azure \
    --app-id-uri=$URI_FOR_AZURE_APP_ID \
    --output-file=credentials.json

To use the resulting file with any of these configurations, set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the generated file.

POSITIONAL ARGUMENTS

AUDIENCE

The workload identity pool provider resource name.

REQUIRED FLAGS

--output-file=OUTPUT_FILE

Location to store the generated credential configuration file.

Credential types.

Exactly one of these must be specified:

--aws

Use AWS.

--azure

Use Azure.

--credential-source-file=CREDENTIAL_SOURCE_FILE

Location of the credential source file.

--credential-source-url=CREDENTIAL_SOURCE_URL

URL to obtain the credential from.

--executable-command=EXECUTABLE_COMMAND

The full command to run to retrieve the credential. Must be an absolute path for the program including arguments.

OPTIONAL FLAGS

--app-id-uri=APP_ID_URI

The custom Application ID URI for the Azure access token.

--credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME

The subject token field name (key) in a JSON credential source.

--credential-source-headers=[key=value,...]

Headers to use when querying the credential-source-url.

--credential-source-type=CREDENTIAL_SOURCE_TYPE

The format of the credential source (JSON or text).

--enable-imdsv2

Adds the AWS IMDSv2 session token URL to the credential source to enforce the AWS IMDSv2 flow.

--subject-token-type=SUBJECT_TOKEN_TYPE

The type of token being used for authorization. This defaults to urn:ietf:params:oauth:token-type:jwt.

Arguments for an executable type credential source.

--executable-output-file=EXECUTABLE_OUTPUT_FILE

The absolute path to the file storing the executable response.

--executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS

The timeout duration in milliseconds for waiting for the executable to finish.

Service account impersonation options.

--service-account=SERVICE_ACCOUNT

The email of the service account to impersonate.

This flag argument must be specified if any of the other arguments in this group are specified.

--service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS

The desired lifetime duration of the service account access token in seconds. This defaults to one hour when not provided. If a lifetime greater than one hour is required, the service account must be added as an allowed value in an Organization Policy that enforces the constraints/iam.allowServiceAccountCredentialLifetimeExtension constraint.
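The flag groups above (exactly one credential type, the executable-only arguments, and the impersonation pair) are easy to get wrong in automation. The following POSIX sh pre-flight check is an added example, not part of gcloud; it inspects only the flags named on this page and the sample service-account address is a constructed value.

```shell
#!/bin/sh
# Pre-flight check for the flag groups of
# `gcloud iam workload-identity-pools create-cred-config` (added example).
# Returns 0 when the flags are consistent with the SYNOPSIS, 1 otherwise,
# with the reason on stderr. Only flags named on the man page are inspected.
check_cred_config_flags() {
  sources=0 exec_cmd=0 exec_extra=0 sa='' lifetime=''
  for arg in "$@"; do
    case "$arg" in
      # The five credential types: exactly one must be present.
      --aws|--azure|--credential-source-file=*|--credential-source-url=*)
        sources=$((sources + 1)) ;;
      --executable-command=*)
        sources=$((sources + 1)); exec_cmd=1
        # The program must be given as an absolute path (arguments may follow).
        case "${arg#--executable-command=}" in
          /*) ;;
          *) echo "executable command must be an absolute path" >&2; return 1 ;;
        esac ;;
      --executable-output-file=*)
        exec_extra=1
        case "${arg#--executable-output-file=}" in
          /*) ;;
          *) echo "executable output file must be an absolute path" >&2; return 1 ;;
        esac ;;
      --executable-timeout-millis=*) exec_extra=1 ;;
      --service-account=*) sa=${arg#--service-account=} ;;
      --service-account-token-lifetime-seconds=*)
        lifetime=${arg#--service-account-token-lifetime-seconds=} ;;
    esac
  done
  [ "$sources" -eq 1 ] ||
    { echo "exactly one credential type is required, got $sources" >&2; return 1; }
  [ "$exec_extra" -eq 0 ] || [ "$exec_cmd" -eq 1 ] ||
    { echo "--executable-* flags require --executable-command" >&2; return 1; }
  [ -z "$lifetime" ] || [ -n "$sa" ] ||
    { echo "--service-account-token-lifetime-seconds requires --service-account" >&2; return 1; }
  # Lifetimes above the one-hour default need the service account allow-listed
  # under constraints/iam.allowServiceAccountCredentialLifetimeExtension.
  if [ -n "$lifetime" ] && [ "$lifetime" -gt 3600 ]; then
    echo "note: lifetime ${lifetime}s > 3600s; $sa must be allow-listed by org policy" >&2
  fi
  return 0
}

# Example invocation mirroring the AWS example above (constructed values).
check_cred_config_flags --aws --enable-imdsv2 \
  --service-account=example-sa@example-project.iam.gserviceaccount.com && echo "flags OK"
```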

GCLOUD WIDE FLAGS

These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES

These variants are also available:

$ gcloud alpha iam workload-identity-pools create-cred-config

$ gcloud beta iam workload-identity-pools create-cred-config