Google Cloud IAM IAM Workload Identity Pool
This page shows how to write Terraform for Cloud IAM IAM Workload Identity Pool and write them securely.
google_iam_workload_identity_pool (Terraform)
The IAM Workload Identity Pool in Cloud IAM can be configured in Terraform with the resource name google_iam_workload_identity_pool
. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "google_iam_workload_identity_pool" "iam_identity_pool" {
provider = google-beta
workload_identity_pool_id = var.identity_pool_id
display_name = var.identity_pool_display_name
description = var.identity_pool_description
disabled = true
resource "google_iam_workload_identity_pool" "gh_pool" {
project = var.project_id
provider = google-beta
workload_identity_pool_id = "gh-pool"
}
resource "google_iam_workload_identity_pool" "employee" {
provider = google-beta
workload_identity_pool_id = "employee"
Parameters
The following arguments are supported:
workload_identity_pool_id
- (Required) The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefixgcp-
is reserved for use by Google, and may not be specified.
display_name
- (Optional) A display name for the pool. Cannot exceed 32 characters.description
- (Optional) A description of the pool. Cannot exceed 256 characters.disabled
- (Optional) Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.project
- (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
In addition to the arguments listed above, the following computed attributes are exported:
id
- an identifier for the resource with formatprojects/[[project]]/locations/global/workloadIdentityPools/[[workload_identity_pool_id]]
state
- The state of the pool.- STATE_UNSPECIFIED: State unspecified.
- ACTIVE: The pool is active, and may be used in Google Cloud policies.
- DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.
name
- The resource name of the pool asprojects/[project_number]/locations/global/workloadIdentityPools/[workload_identity_pool_id]
.
Explanation in Terraform Registry
Represents a collection of external workload identities. You can define IAM policies to grant these identities access to Google Cloud resources.
Warning: This resource is in beta, and should be used with the terraform-provider-google-beta provider. See Provider Versions for more details on beta resources. To get more information about WorkloadIdentityPool, see:
- API documentation
- How-to Guides
Frequently asked questions
What is Google Cloud IAM IAM Workload Identity Pool?
Google Cloud IAM IAM Workload Identity Pool is a resource for Cloud IAM of Google Cloud Platform. Settings can be wrote in Terraform.
Where can I find the example code for the Google Cloud IAM IAM Workload Identity Pool?
For Terraform, the imcuteani/gcloud_resources_demo, outofdevops/ghshr-gcp-wlif and rikodao/gcp-terraform-template source code examples are useful. See the Terraform Example section for further details.