mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-19 07:15:23 +00:00
gcloud: Wed May 14 10:45:02 UTC 2025
This commit is contained in:
parent
dfebca5b6c
commit
82f3a66664
423 changed files with 11160 additions and 1149 deletions
213
gcloud/iam/workload-identity-pools/providers/create-x509
Normal file
213
gcloud/iam/workload-identity-pools/providers/create-x509
Normal file
|
|
@ -0,0 +1,213 @@
|
|||
NAME
|
||||
gcloud iam workload-identity-pools providers create-x509 - create a new
|
||||
X.509 workload identity pool provider
|
||||
|
||||
SYNOPSIS
|
||||
gcloud iam workload-identity-pools providers create-x509
|
||||
(PROVIDER : --location=LOCATION
|
||||
--workload-identity-pool=WORKLOAD_IDENTITY_POOL)
|
||||
--trust-store-config-path=TRUST_STORE_CONFIG_PATH
|
||||
[--attribute-condition=ATTRIBUTE_CONDITION]
|
||||
[--attribute-mapping=[KEY=VALUE,...]] [--description=DESCRIPTION]
|
||||
[--disabled] [--display-name=DISPLAY_NAME] [GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
Create a new X.509 workload identity pool provider.
|
||||
|
||||
EXAMPLES
|
||||
The following command creates a disabled X.509 workload identity pool
|
||||
provider in the default project with the ID
|
||||
my-workload-identity-pool-provider. Explicit values for all required and
|
||||
optional parameters are provided.
|
||||
|
||||
$ gcloud iam workload-identity-pools providers create-x509 \
|
||||
my-workload-identity-pool-provider --location="global" \
|
||||
--workload-identity-pool="my-workload-identity-pool" \
|
||||
--display-name="My workload pool provider" \
|
||||
--description="My workload pool provider description" \
|
||||
--disabled --attribute-mapping="google.subject=assertion.sub" \
|
||||
--attribute-condition="true" \
|
||||
--trust-store-config-path="path/to/config/file.yaml"
|
||||
|
||||
POSITIONAL ARGUMENTS
|
||||
Workload identity pool provider resource - The workload identity pool
|
||||
provider to create. The arguments in this group can be used to specify the
|
||||
attributes of this resource. (NOTE) Some attributes are not given
|
||||
arguments in this group but can be set in other ways.
|
||||
|
||||
To set the project attribute:
|
||||
◆ provide the argument provider on the command line with a fully
|
||||
specified name;
|
||||
◆ provide the argument --project on the command line;
|
||||
◆ set the property core/project.
|
||||
|
||||
This must be specified.
|
||||
|
||||
PROVIDER
|
||||
ID of the workload identity pool provider or fully qualified
|
||||
identifier for the workload identity pool provider.
|
||||
|
||||
To set the provider attribute:
|
||||
▸ provide the argument provider on the command line.
|
||||
|
||||
This positional argument must be specified if any of the other
|
||||
arguments in this group are specified.
|
||||
|
||||
--location=LOCATION
|
||||
The location name.
|
||||
|
||||
To set the location attribute:
|
||||
▸ provide the argument provider on the command line with a fully
|
||||
specified name;
|
||||
▸ provide the argument --location on the command line.
|
||||
|
||||
--workload-identity-pool=WORKLOAD_IDENTITY_POOL
|
||||
The ID to use for the pool, which becomes the final component of the
|
||||
resource name. This value should be 4-32 characters, and may contain
|
||||
the characters [a-z0-9-]. The prefix gcp- is reserved for use by
|
||||
Google, and may not be specified.
|
||||
|
||||
To set the workload-identity-pool attribute:
|
||||
▸ provide the argument provider on the command line with a fully
|
||||
specified name;
|
||||
▸ provide the argument --workload-identity-pool on the command
|
||||
line.
|
||||
|
||||
REQUIRED FLAGS
|
||||
--trust-store-config-path=TRUST_STORE_CONFIG_PATH
|
||||
YAML file with configuration metadata for the X.509 identity provider.
|
||||
Example file format: trustStore:
|
||||
trustAnchors:
|
||||
- pemCertificate: "-----BEGIN CERTIFICATE-----
|
||||
<certificate>
|
||||
-----END CERTIFICATE-----"
|
||||
intermediateCas:
|
||||
- pemCertificate: "-----BEGIN CERTIFICATE-----
|
||||
<certificate>
|
||||
-----END CERTIFICATE-----"
|
||||
|
||||
OPTIONAL FLAGS
|
||||
--attribute-condition=ATTRIBUTE_CONDITION
|
||||
A Common Expression Language (https://opensource.google/projects/cel)
|
||||
expression, in plain text, to restrict what otherwise valid
|
||||
authentication credentials issued by the provider should not be
|
||||
accepted.
|
||||
|
||||
The expression must output a boolean representing whether to allow the
|
||||
federation.
|
||||
|
||||
The following keywords may be referenced in the expressions:
|
||||
|
||||
◆ assertion: JSON representing the authentication credential issued
|
||||
by the provider.
|
||||
◆ google: The Google attributes mapped from the assertion in the
|
||||
attribute_mappings.
|
||||
◆ attribute: The custom attributes mapped from the assertion in the
|
||||
attribute_mappings.
|
||||
|
||||
The maximum length of the attribute condition expression is 4096
|
||||
characters. If unspecified, all valid authentication credential are
|
||||
accepted.
|
||||
|
||||
The following example shows how to only allow credentials with a mapped
|
||||
google.groups value of admins:
|
||||
|
||||
"'admins' in google.groups"
|
||||
|
||||
--attribute-mapping=[KEY=VALUE,...]
|
||||
Maps attributes from authentication credentials issued by an external
|
||||
identity provider to Google Cloud attributes, such as subject and
|
||||
segment.
|
||||
|
||||
Each key must be a string specifying the Google Cloud IAM attribute to
|
||||
map to.
|
||||
|
||||
The following keys are supported:
|
||||
|
||||
◆ google.subject: The principal IAM is authenticating. You can
|
||||
reference this value in IAM bindings. This is also the subject that
|
||||
appears in Cloud Logging logs. Cannot exceed 127 bytes.
|
||||
|
||||
◆ google.groups: Groups the external identity belongs to. You can
|
||||
grant groups access to resources using an IAM principalSet binding;
|
||||
access applies to all members of the group.
|
||||
|
||||
You can also provide custom attributes by specifying
|
||||
attribute.{custom_attribute}, where {custom_attribute} is the name of
|
||||
the custom attribute to be mapped. You can define a maximum of 50
|
||||
custom attributes. The maximum length of a mapped attribute key is 100
|
||||
characters, and the key may only contain the characters [a-z_0-9].
|
||||
|
||||
You can reference these attributes in IAM policies to define
|
||||
fine-grained access for a workload to Google Cloud resources. For
|
||||
example:
|
||||
|
||||
◆ google.subject:
|
||||
principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
|
||||
|
||||
◆ google.groups:
|
||||
principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
|
||||
|
||||
◆ attribute.{custom_attribute}:
|
||||
principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}
|
||||
|
||||
Each value must be a [Common Expression Language]
|
||||
(https://opensource.google/projects/cel) function that maps an identity
|
||||
provider credential to the normalized attribute specified by the
|
||||
corresponding map key.
|
||||
|
||||
You can use the assertion keyword in the expression to access a JSON
|
||||
representation of the authentication credential issued by the provider.
|
||||
|
||||
The maximum length of an attribute mapping expression is 2048
|
||||
characters. When evaluated, the total size of all mapped attributes
|
||||
must not exceed 8KB.
|
||||
|
||||
For AWS providers, the following rules apply:
|
||||
|
||||
◆ If no attribute mapping is defined, the following default mapping
|
||||
applies:
|
||||
|
||||
{
|
||||
"google.subject":"assertion.arn",
|
||||
"attribute.aws_role":
|
||||
"assertion.arn.contains('assumed-role')"
|
||||
" ? assertion.arn.extract('{account_arn}assumed-role/')"
|
||||
" + 'assumed-role/'"
|
||||
" + assertion.arn.extract('assumed-role/{role_name}/')"
|
||||
" : assertion.arn",
|
||||
}
|
||||
|
||||
◆ If any custom attribute mappings are defined, they must include a
|
||||
mapping to the google.subject attribute.
|
||||
|
||||
For OIDC providers, the following rules apply:
|
||||
|
||||
◆ Custom attribute mappings must be defined, and must include a
|
||||
mapping to the google.subject attribute. For example, the following
|
||||
maps the sub claim of the incoming credential to the subject
|
||||
attribute on a Google token.
|
||||
|
||||
{"google.subject": "assertion.sub"}
|
||||
|
||||
--description=DESCRIPTION
|
||||
A description for the provider. Cannot exceed 256 characters.
|
||||
|
||||
--disabled
|
||||
Whether the provider is disabled. You cannot use a disabled provider to
|
||||
exchange tokens. However, existing tokens still grant access.
|
||||
|
||||
--display-name=DISPLAY_NAME
|
||||
A display name for the provider. Cannot exceed 32 characters.
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
--billing-project, --configuration, --flags-file, --flatten, --format,
|
||||
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
||||
--trace-token, --user-output-enabled, --verbosity.
|
||||
|
||||
Run $ gcloud help for details.
|
||||
|
||||
API REFERENCE
|
||||
This command uses the iam/v1 API. The full documentation for this API can
|
||||
be found at: https://cloud.google.com/iam/
|
||||
|
|
@ -35,6 +35,9 @@ COMMANDS
|
|||
create-saml
|
||||
Create a new SAML workload identity pool provider.
|
||||
|
||||
create-x509
|
||||
Create a new X.509 workload identity pool provider.
|
||||
|
||||
delete
|
||||
Delete a workload identity pool provider.
|
||||
|
||||
|
|
@ -56,6 +59,9 @@ COMMANDS
|
|||
update-saml
|
||||
Update a SAML workload identity pool provider.
|
||||
|
||||
update-x509
|
||||
Update an X.509 workload identity pool provider.
|
||||
|
||||
NOTES
|
||||
These variants are also available:
|
||||
|
||||
|
|
|
|||
212
gcloud/iam/workload-identity-pools/providers/update-x509
Normal file
212
gcloud/iam/workload-identity-pools/providers/update-x509
Normal file
|
|
@ -0,0 +1,212 @@
|
|||
NAME
|
||||
gcloud iam workload-identity-pools providers update-x509 - update an X.509
|
||||
workload identity pool provider
|
||||
|
||||
SYNOPSIS
|
||||
gcloud iam workload-identity-pools providers update-x509
|
||||
(PROVIDER : --location=LOCATION
|
||||
--workload-identity-pool=WORKLOAD_IDENTITY_POOL)
|
||||
[--attribute-condition=ATTRIBUTE_CONDITION]
|
||||
[--attribute-mapping=[KEY=VALUE,...]] [--description=DESCRIPTION]
|
||||
[--disabled] [--display-name=DISPLAY_NAME]
|
||||
[--trust-store-config-path=TRUST_STORE_CONFIG_PATH]
|
||||
[GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
Update an X.509 workload identity pool provider.
|
||||
|
||||
EXAMPLES
|
||||
The following command updates the X.509 workload identity pool provider
|
||||
with the ID my-workload-identity-pool-provider. Explicit values for all
|
||||
required and optional parameters are provided:
|
||||
|
||||
$ gcloud iam workload-identity-pools providers update-x509 \
|
||||
my-workload-identity-pool-provider --location="global" \
|
||||
--workload-identity-pool="my-workload-identity-pool" \
|
||||
--display-name="My workload pool provider" \
|
||||
--description="My workload pool provider description" \
|
||||
--disabled --attribute-mapping="google.subject=assertion.sub" \
|
||||
--attribute-condition="true" \
|
||||
--trust-store-config-path="path/to/config/file.yaml"
|
||||
|
||||
POSITIONAL ARGUMENTS
|
||||
Workload identity pool provider resource - The workload identity pool
|
||||
provider to update. The arguments in this group can be used to specify the
|
||||
attributes of this resource. (NOTE) Some attributes are not given
|
||||
arguments in this group but can be set in other ways.
|
||||
|
||||
To set the project attribute:
|
||||
◆ provide the argument provider on the command line with a fully
|
||||
specified name;
|
||||
◆ provide the argument --project on the command line;
|
||||
◆ set the property core/project.
|
||||
|
||||
This must be specified.
|
||||
|
||||
PROVIDER
|
||||
ID of the workload identity pool provider or fully qualified
|
||||
identifier for the workload identity pool provider.
|
||||
|
||||
To set the provider attribute:
|
||||
▸ provide the argument provider on the command line.
|
||||
|
||||
This positional argument must be specified if any of the other
|
||||
arguments in this group are specified.
|
||||
|
||||
--location=LOCATION
|
||||
The location name.
|
||||
|
||||
To set the location attribute:
|
||||
▸ provide the argument provider on the command line with a fully
|
||||
specified name;
|
||||
▸ provide the argument --location on the command line.
|
||||
|
||||
--workload-identity-pool=WORKLOAD_IDENTITY_POOL
|
||||
The ID to use for the pool, which becomes the final component of the
|
||||
resource name. This value should be 4-32 characters, and may contain
|
||||
the characters [a-z0-9-]. The prefix gcp- is reserved for use by
|
||||
Google, and may not be specified.
|
||||
|
||||
To set the workload-identity-pool attribute:
|
||||
▸ provide the argument provider on the command line with a fully
|
||||
specified name;
|
||||
▸ provide the argument --workload-identity-pool on the command
|
||||
line.
|
||||
|
||||
FLAGS
|
||||
--attribute-condition=ATTRIBUTE_CONDITION
|
||||
A Common Expression Language (https://opensource.google/projects/cel)
|
||||
expression, in plain text, to restrict what otherwise valid
|
||||
authentication credentials issued by the provider should not be
|
||||
accepted.
|
||||
|
||||
The expression must output a boolean representing whether to allow the
|
||||
federation.
|
||||
|
||||
The following keywords may be referenced in the expressions:
|
||||
|
||||
◆ assertion: JSON representing the authentication credential issued
|
||||
by the provider.
|
||||
◆ google: The Google attributes mapped from the assertion in the
|
||||
attribute_mappings.
|
||||
◆ attribute: The custom attributes mapped from the assertion in the
|
||||
attribute_mappings.
|
||||
|
||||
The maximum length of the attribute condition expression is 4096
|
||||
characters. If unspecified, all valid authentication credential are
|
||||
accepted.
|
||||
|
||||
The following example shows how to only allow credentials with a mapped
|
||||
google.groups value of admins:
|
||||
|
||||
"'admins' in google.groups"
|
||||
|
||||
--attribute-mapping=[KEY=VALUE,...]
|
||||
Maps attributes from authentication credentials issued by an external
|
||||
identity provider to Google Cloud attributes, such as subject and
|
||||
segment.
|
||||
|
||||
Each key must be a string specifying the Google Cloud IAM attribute to
|
||||
map to.
|
||||
|
||||
The following keys are supported:
|
||||
|
||||
◆ google.subject: The principal IAM is authenticating. You can
|
||||
reference this value in IAM bindings. This is also the subject that
|
||||
appears in Cloud Logging logs. Cannot exceed 127 bytes.
|
||||
|
||||
◆ google.groups: Groups the external identity belongs to. You can
|
||||
grant groups access to resources using an IAM principalSet binding;
|
||||
access applies to all members of the group.
|
||||
|
||||
You can also provide custom attributes by specifying
|
||||
attribute.{custom_attribute}, where {custom_attribute} is the name of
|
||||
the custom attribute to be mapped. You can define a maximum of 50
|
||||
custom attributes. The maximum length of a mapped attribute key is 100
|
||||
characters, and the key may only contain the characters [a-z_0-9].
|
||||
|
||||
You can reference these attributes in IAM policies to define
|
||||
fine-grained access for a workload to Google Cloud resources. For
|
||||
example:
|
||||
|
||||
◆ google.subject:
|
||||
principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}
|
||||
|
||||
◆ google.groups:
|
||||
principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}
|
||||
|
||||
◆ attribute.{custom_attribute}:
|
||||
principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}
|
||||
|
||||
Each value must be a [Common Expression Language]
|
||||
(https://opensource.google/projects/cel) function that maps an identity
|
||||
provider credential to the normalized attribute specified by the
|
||||
corresponding map key.
|
||||
|
||||
You can use the assertion keyword in the expression to access a JSON
|
||||
representation of the authentication credential issued by the provider.
|
||||
|
||||
The maximum length of an attribute mapping expression is 2048
|
||||
characters. When evaluated, the total size of all mapped attributes
|
||||
must not exceed 8KB.
|
||||
|
||||
For AWS providers, the following rules apply:
|
||||
|
||||
◆ If no attribute mapping is defined, the following default mapping
|
||||
applies:
|
||||
|
||||
{
|
||||
"google.subject":"assertion.arn",
|
||||
"attribute.aws_role":
|
||||
"assertion.arn.contains('assumed-role')"
|
||||
" ? assertion.arn.extract('{account_arn}assumed-role/')"
|
||||
" + 'assumed-role/'"
|
||||
" + assertion.arn.extract('assumed-role/{role_name}/')"
|
||||
" : assertion.arn",
|
||||
}
|
||||
|
||||
◆ If any custom attribute mappings are defined, they must include a
|
||||
mapping to the google.subject attribute.
|
||||
|
||||
For OIDC providers, the following rules apply:
|
||||
|
||||
◆ Custom attribute mappings must be defined, and must include a
|
||||
mapping to the google.subject attribute. For example, the following
|
||||
maps the sub claim of the incoming credential to the subject
|
||||
attribute on a Google token.
|
||||
|
||||
{"google.subject": "assertion.sub"}
|
||||
|
||||
--description=DESCRIPTION
|
||||
A description for the provider. Cannot exceed 256 characters.
|
||||
|
||||
--disabled
|
||||
Whether the provider is disabled. You cannot use a disabled provider to
|
||||
exchange tokens. However, existing tokens still grant access.
|
||||
|
||||
--display-name=DISPLAY_NAME
|
||||
A display name for the provider. Cannot exceed 32 characters.
|
||||
|
||||
--trust-store-config-path=TRUST_STORE_CONFIG_PATH
|
||||
YAML file with configuration metadata for the X.509 identity provider.
|
||||
Example file format: trustStore:
|
||||
trustAnchors:
|
||||
- pemCertificate: "-----BEGIN CERTIFICATE-----
|
||||
<certificate>
|
||||
-----END CERTIFICATE-----"
|
||||
intermediateCas:
|
||||
- pemCertificate: "-----BEGIN CERTIFICATE-----
|
||||
<certificate>
|
||||
-----END CERTIFICATE-----"
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
--billing-project, --configuration, --flags-file, --flatten, --format,
|
||||
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
||||
--trace-token, --user-output-enabled, --verbosity.
|
||||
|
||||
Run $ gcloud help for details.
|
||||
|
||||
API REFERENCE
|
||||
This command uses the iam/v1 API. The full documentation for this API can
|
||||
be found at: https://cloud.google.com/iam/
|
||||
Loading…
Add table
Add a link
Reference in a new issue