NAME
    gcloud alpha iam workload-identity-pools create-cred-config - create a
        configuration file for generated credentials

SYNOPSIS
    gcloud alpha iam workload-identity-pools create-cred-config AUDIENCE
        --output-file=OUTPUT_FILE
        (--aws | --azure | --credential-cert-path=CREDENTIAL_CERT_PATH
          | --credential-source-file=CREDENTIAL_SOURCE_FILE
          | --credential-source-url=CREDENTIAL_SOURCE_URL
          | --executable-command=EXECUTABLE_COMMAND) [--app-id-uri=APP_ID_URI]
        [--credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME]
        [--credential-source-headers=[key=value,...]]
        [--credential-source-type=CREDENTIAL_SOURCE_TYPE] [--enable-imdsv2]
        [--sts-location=STS_LOCATION] [--subject-token-type=SUBJECT_TOKEN_TYPE]
        [--credential-cert-private-key-path=CREDENTIAL_CERT_PRIVATE_KEY_PATH
          : --credential-cert-configuration-output-file=CREDENTIAL_CERT_CONFIGURATION_OUTPUT_FILE --credential-cert-trust-chain-path=CREDENTIAL_CERT_TRUST_CHAIN_PATH]
        [--executable-output-file=EXECUTABLE_OUTPUT_FILE
          --executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS]
        [--service-account=SERVICE_ACCOUNT
          : --service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS]
        [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    (ALPHA) This command creates a configuration file to allow access to
    authenticated Google Cloud actions from a variety of external accounts.

EXAMPLES
    To create a file-sourced credential configuration for your project, run:

        $ gcloud alpha iam workload-identity-pools create-cred-config \
            projects/$PROJECT_NUMBER/locations/$REGION/\
        workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \
            --service-account=$EMAIL \
            --credential-source-file=$PATH_TO_OIDC_ID_TOKEN \
            --output-file=credentials.json

    To create a URL-sourced credential configuration for your project, run:

        $ gcloud alpha iam workload-identity-pools create-cred-config \
            projects/$PROJECT_NUMBER/locations/$REGION/\
        workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \
            --service-account=$EMAIL \
            --credential-source-url=$URL_FOR_OIDC_TOKEN \
            --credential-source-headers=Key=Value \
            --output-file=credentials.json

    To create an executable-source credential configuration for your project,
    run the following command:

        $ gcloud alpha iam workload-identity-pools create-cred-config \
            locations/$REGION/workforcePools/$WORKFORCE_POOL_ID/providers/\
        $PROVIDER_ID --executable-command=$EXECUTABLE_COMMAND \
            --executable-timeout-millis=30000 \
            --executable-output-file=$CACHE_FILE \
            --output-file=credentials.json

    To create an AWS-based credential configuration for your project, run:

        $ gcloud alpha iam workload-identity-pools create-cred-config \
            projects/$PROJECT_NUMBER/locations/$REGION/\
        workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \
            --service-account=$EMAIL --aws --enable-imdsv2 \
            --output-file=credentials.json

    To create an Azure-based credential configuration for your project, run:

        $ gcloud alpha iam workload-identity-pools create-cred-config \
            projects/$PROJECT_NUMBER/locations/$REGION/\
        workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \
            --service-account=$EMAIL --azure \
            --app-id-uri=$URI_FOR_AZURE_APP_ID \
            --output-file=credentials.json

    To create an X.509 certificate-based credential configuration for your
    project, run:

        $ gcloud alpha iam workload-identity-pools create-cred-config \
            projects/$PROJECT_NUMBER/locations/$REGION/\
        workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \
            --service-account=$EMAIL \
            --credential-cert-path=$PATH_TO_CERTIFICATE_FILE \
            --credential-cert-private-key-path=$PATH_TO_PRIVATE_KEY_FILE \
            --output-file=credentials.json

    To use the resulting file for any of these commands, set the
    GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the
    generated file

POSITIONAL ARGUMENTS
     AUDIENCE
        The workload identity pool provider fully qualified identifier.

REQUIRED FLAGS
     --output-file=OUTPUT_FILE
        Location to store the generated credential configuration file.

     Credential types.

     Exactly one of these must be specified:

       --aws
          Use AWS.

       --azure
          Use Azure.

       --credential-cert-path=CREDENTIAL_CERT_PATH
          Path of the X.509 certificate file.

       --credential-source-file=CREDENTIAL_SOURCE_FILE
          Location of the credential source file.

       --credential-source-url=CREDENTIAL_SOURCE_URL
          URL to obtain the credential from.

       --executable-command=EXECUTABLE_COMMAND
          The full command to run to retrieve the credential. Must be an
          absolute path for the program including arguments.

OPTIONAL FLAGS
     --app-id-uri=APP_ID_URI
        The custom Application ID URI for the Azure access token.

     --credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME
        Subject token field name (key) in a JSON credential source.

     --credential-source-headers=[key=value,...]
        Headers to use when querying the credential-source-url.

     --credential-source-type=CREDENTIAL_SOURCE_TYPE
        Format of the credential source (JSON or text).

     --enable-imdsv2
        Adds the AWS IMDSv2 session token Url to the credential source to
        enforce the AWS IMDSv2 flow.

     --sts-location=STS_LOCATION
        The location to use for the Security Token Service token endpoint. For
        example, specifying us-central1 will configure the client to use the
        regional endpoint sts.us-central1.rep.googleapis.com. If not specified,
        the global endpoint sts.googleapis.com is used.

     --subject-token-type=SUBJECT_TOKEN_TYPE
        The type of token being used for authorization. This defaults to
        urn:ietf:params:oauth:token-type:jwt.

     Arguments for an X.509 certificate type credential source.

     --credential-cert-private-key-path=CREDENTIAL_CERT_PRIVATE_KEY_PATH
        Path of the X.509 private key file.

        This flag argument must be specified if any of the other arguments in
        this group are specified.

     --credential-cert-configuration-output-file=CREDENTIAL_CERT_CONFIGURATION_OUTPUT_FILE
        Path for the certificate configuration file. If specified, a
        certificate configuration file will be created at the specified path.
        If not specified, the certificate configuration will be created at the
        default gcloud location.

     --credential-cert-trust-chain-path=CREDENTIAL_CERT_TRUST_CHAIN_PATH
        Path for the trust chain file. A trust chain file is required if there
        are intermediate certificates in the certificate chain in between the
        root certificate stored in the workload identity pool provider trust
        store. This trust chain file should be a list of PEM certificates, with
        the leaf certificate at the top.

     Arguments for an executable type credential source.

     --executable-output-file=EXECUTABLE_OUTPUT_FILE
        Absolute path to the file storing the executable response.

     --executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS
        Timeout duration, in milliseconds, to wait for the executable to
        finish.

     Service account impersonation options.

     --service-account=SERVICE_ACCOUNT
        Email of the service account to impersonate.

        This flag argument must be specified if any of the other arguments in
        this group are specified.

     --service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS
        Lifetime duration of the service account access token in seconds.
        Defaults to one hour if not specified. If a lifetime greater than one
        hour is required, the service account must be added as an allowed value
        in an Organization Policy that enforces the
        constraints/iam.allowServiceAccountCredentialLifetimeExtension
        constraint.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

NOTES
    This command is currently in alpha and might change without notice. If this
    command fails with API permission errors despite specifying the correct
    project, you might be trying to access an API with an invitation-only early
    access allowlist. These variants are also available:

        $ gcloud iam workload-identity-pools create-cred-config

        $ gcloud beta iam workload-identity-pools create-cred-config

