1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-08 10:35:03 +00:00
gcloud-help/gcloud/iam/workload-identity-pools/create-cred-config
2022-08-03 09:18:38 +00:00

163 lines
6.4 KiB
Text

NAME
gcloud iam workload-identity-pools create-cred-config - create a
configuration file for generated credentials
SYNOPSIS
gcloud iam workload-identity-pools create-cred-config AUDIENCE
--output-file=OUTPUT_FILE
(--aws | --azure | --credential-source-file=CREDENTIAL_SOURCE_FILE
| --credential-source-url=CREDENTIAL_SOURCE_URL
| --executable-command=EXECUTABLE_COMMAND) [--app-id-uri=APP_ID_URI]
[--credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME]
[--credential-source-headers=[key=value,...]]
[--credential-source-type=CREDENTIAL_SOURCE_TYPE] [--enable-imdsv2]
[--subject-token-type=SUBJECT_TOKEN_TYPE]
[--executable-output-file=EXECUTABLE_OUTPUT_FILE
--executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS]
[--service-account=SERVICE_ACCOUNT
: --service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS]
[GCLOUD_WIDE_FLAG ...]
DESCRIPTION
This command creates a configuration file to allow access to authenticated
Google Cloud actions from a variety of external accounts.
EXAMPLES
To create a file-sourced credential configuration for your project, run:
$ gcloud iam workload-identity-pools create-cred-config \
projects/$PROJECT_NUMBER/locations/$REGION/\
workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \
--service-account=$EMAIL \
--credential-source-file=$PATH_TO_OIDC_ID_TOKEN \
--output-file=credentials.json
To create a URL-sourced credential configuration for your project, run:
$ gcloud iam workload-identity-pools create-cred-config \
projects/$PROJECT_NUMBER/locations/$REGION/\
workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \
--service-account=$EMAIL \
--credential-source-url=$URL_FOR_OIDC_TOKEN \
--credential-source-headers=Key=Value \
--output-file=credentials.json
To create an executable-source credential configuration for your project,
run the following command:
$ gcloud iam workload-identity-pools create-cred-config \
locations/$REGION/workforcePools/$WORKFORCE_POOL_ID/providers/\
$PROVIDER_ID --executable-command=$EXECUTABLE_COMMAND \
--executable-timeout-millis=30000 \
--executable-output-file=$CACHE_FILE \
--output-file=credentials.json
To create an AWS-based credential configuration for your project, run:
$ gcloud iam workload-identity-pools create-cred-config \
projects/$PROJECT_NUMBER/locations/$REGION/\
workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \
--service-account=$EMAIL --aws --enable-imdsv2 \
--output-file=credentials.json
To create an Azure-based credential configuration for your project, run:
$ gcloud iam workload-identity-pools create-cred-config \
projects/$PROJECT_NUMBER/locations/$REGION/\
workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID \
--service-account=$EMAIL --azure \
--app-id-uri=$URI_FOR_AZURE_APP_ID \
--output-file=credentials.json
To use the resulting file for any of these commands, set the
GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the
generated file
POSITIONAL ARGUMENTS
AUDIENCE
The workload identity pool provider resource name.
REQUIRED FLAGS
--output-file=OUTPUT_FILE
Location to store the generated credential configuration file.
Credential types.
Exactly one of these must be specified:
--aws
Use AWS.
--azure
Use Azure.
--credential-source-file=CREDENTIAL_SOURCE_FILE
Location of the credential source file.
--credential-source-url=CREDENTIAL_SOURCE_URL
URL to obtain the credential from.
--executable-command=EXECUTABLE_COMMAND
The full command to run to retrieve the credential. Must be an
absolute path for the program including arguments.
OPTIONAL FLAGS
--app-id-uri=APP_ID_URI
The custom Application ID URI for the Azure access token.
--credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME
The subject token field name (key) in a JSON credential source.
--credential-source-headers=[key=value,...]
Headers to use when querying the credential-source-url.
--credential-source-type=CREDENTIAL_SOURCE_TYPE
The format of the credential source (JSON or text).
--enable-imdsv2
Adds the AWS IMDSv2 session token Url to the credential source to
enforce the AWS IMDSv2 flow.
--subject-token-type=SUBJECT_TOKEN_TYPE
The type of token being used for authorization.
Arguments for an executable type credential source.
--executable-output-file=EXECUTABLE_OUTPUT_FILE
The absolute path to the file storing the executable response.
--executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS
The timeout duration in milliseconds for waiting for the executable
to finish.
Service account impersonation options.
--service-account=SERVICE_ACCOUNT
The email of the service account to impersonate.
This flag must be specified if any of the other arguments in this
group are specified.
--service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS
The desired lifetime duration of the service account access token in
seconds. This defaults to one hour when not provided. If a lifetime
greater than one hour is required, the service account must be added
as an allowed value in an Organization Policy that enforces the
constraints/iam.allowServiceAccountCredentialLifetimeExtension
constraint.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
These variants are also available:
$ gcloud alpha iam workload-identity-pools create-cred-config
$ gcloud beta iam workload-identity-pools create-cred-config