Google Cloud IAM IAM Workload Identity Pool

This page shows how to write Terraform for Cloud IAM IAM Workload Identity Pool and how to write it securely.

google_iam_workload_identity_pool (Terraform)

The IAM Workload Identity Pool in Cloud IAM can be configured in Terraform with the resource name google_iam_workload_identity_pool. The following sections describe 3 examples of how to use the resource and its parameters.

Example Usage from GitHub
resource "google_iam_workload_identity_pool" "iam_identity_pool" {
  provider                  = google-beta
  workload_identity_pool_id = var.identity_pool_id
  display_name              = var.identity_pool_display_name
  description               = var.identity_pool_description
  disabled                  = true # a disabled pool cannot be used to exchange tokens
}

resource "google_iam_workload_identity_pool" "gh_pool" {
  project                   = var.project_id
  provider                  = google-beta
  workload_identity_pool_id = "gh-pool"
}

resource "google_iam_workload_identity_pool" "employee" {
  provider                  = google-beta
  workload_identity_pool_id = "employee"
}


The following arguments are supported:

  • workload_identity_pool_id - (Required) The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified.

  • display_name - (Optional) A display name for the pool. Cannot exceed 32 characters.

  • description - (Optional) A description of the pool. Cannot exceed 256 characters.

  • disabled - (Optional) Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

  • project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format projects/[[project]]/locations/global/workloadIdentityPools/[[workload_identity_pool_id]]

  • state - The state of the pool.

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The pool is active, and may be used in Google Cloud policies.
    • DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
  • name - The resource name of the pool as projects/[project_number]/locations/global/workloadIdentityPools/[workload_identity_pool_id].
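
The length and character limits in the argument list above can be enforced at plan time with variable validation, so a bad pool ID fails before any API call. This is an added example, not code from the referenced repositories or the provider documentation; the variable names follow the first snippet on this page, and declaring display_name and description as required strings is an assumption made for brevity.

```hcl
# Added example: variable validation for the documented pool limits.
variable "identity_pool_id" {
  type        = string
  description = "Final component of the pool resource name."

  validation {
    # 4-32 characters drawn from [a-z0-9-]
    condition     = can(regex("^[a-z0-9-]{4,32}$", var.identity_pool_id))
    error_message = "The pool ID must be 4-32 characters from [a-z0-9-]."
  }

  validation {
    # The gcp- prefix is reserved for use by Google.
    condition     = !can(regex("^gcp-", var.identity_pool_id))
    error_message = "The pool ID must not start with the reserved prefix gcp-."
  }
}

variable "identity_pool_display_name" {
  type = string # assumption: required here; the argument itself is optional

  validation {
    condition     = length(var.identity_pool_display_name) <= 32
    error_message = "The display name cannot exceed 32 characters."
  }
}

variable "identity_pool_description" {
  type = string # assumption: required here; the argument itself is optional

  validation {
    condition     = length(var.identity_pool_description) <= 256
    error_message = "The description cannot exceed 256 characters."
  }
}

resource "google_iam_workload_identity_pool" "iam_identity_pool" {
  provider                  = google-beta
  workload_identity_pool_id = var.identity_pool_id
  display_name              = var.identity_pool_display_name
  description               = var.identity_pool_description
  # Created disabled, as in the first snippet: no token exchange until enabled.
  disabled = true
}
```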

Explanation in Terraform Registry

Represents a collection of external workload identities. You can define IAM policies to grant these identities access to Google Cloud resources.

Warning: This resource is in beta, and should be used with the terraform-provider-google-beta provider. See Provider Versions for more details on beta resources. To get more information about WorkloadIdentityPool, see:

Frequently asked questions

What is Google Cloud IAM IAM Workload Identity Pool?

Google Cloud IAM IAM Workload Identity Pool is a resource for Cloud IAM of Google Cloud Platform. Settings can be written in Terraform.

Where can I find the example code for the Google Cloud IAM IAM Workload Identity Pool?

For Terraform, the imcuteani/gcloud_resources_demo, outofdevops/ghshr-gcp-wlif and rikodao/gcp-terraform-template source code examples are useful. See the Terraform Example section for further details.

