1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-08 02:25:19 +00:00
gcloud-help/gcloud/iam/workforce-pools/providers/create-oidc
2024-06-06 09:19:36 +00:00

318 lines
14 KiB
Text

NAME
gcloud iam workforce-pools providers create-oidc - create a new OIDC
workforce pool provider
SYNOPSIS
gcloud iam workforce-pools providers create-oidc
(PROVIDER : --location=LOCATION --workforce-pool=WORKFORCE_POOL)
--attribute-mapping=[KEY=VALUE,...] --client-id=CLIENT_ID
--issuer-uri=ISSUER_URI
(--web-sso-assertion-claims-behavior=WEB_SSO_ASSERTION_CLAIMS_BEHAVIOR
--web-sso-response-type=WEB_SSO_RESPONSE_TYPE
: --web-sso-additional-scopes=[WEB_SSO_ADDITIONAL_SCOPES,...])
[--async] [--attribute-condition=ATTRIBUTE_CONDITION]
[--client-secret-value=CLIENT_SECRET_VALUE] [--description=DESCRIPTION]
[--disabled] [--display-name=DISPLAY_NAME]
[--jwk-json-path=JWK_JSON_PATH]
[--extra-attributes-client-id=EXTRA_ATTRIBUTES_CLIENT_ID
--extra-attributes-client-secret-value=EXTRA_ATTRIBUTES_CLIENT_SECRET_VALUE --extra-attributes-issuer-uri=EXTRA_ATTRIBUTES_ISSUER_URI --extra-attributes-type=EXTRA_ATTRIBUTES_TYPE : --extra-attributes-filter=EXTRA_ATTRIBUTES_FILTER]
[GCLOUD_WIDE_FLAG ...]
DESCRIPTION
Create a new OIDC workforce pool provider.
EXAMPLES
The following command creates a disabled OIDC workforce pool provider with
the ID my-workforce-pool-provider. Explicit values for all required and
optional parameters are provided.
$ gcloud iam workforce-pools providers create-oidc \
my-workforce-pool-provider \
--workforce-pool="my-workforce-pool" --location="global" \
--display-name="My Workforce Pool Provider" \
--description="My workforce pool provider description." \
--disabled --attribute-mapping="google.subject=assertion.sub" \
--attribute-condition="true" --client-id="client-id" \
--client-secret-value="client-secret" \
--issuer-uri="https://test-idp.com" \
--web-sso-response-type="code" \
--web-sso-assertion-claims-behavior="merge-user-info-over-id-tok\
en-claims" --web-sso-additional-scopes="groups,photos" \
--jwk-json-path="path/to/jwk.json"
POSITIONAL ARGUMENTS
Workforce pool provider resource - The workforce pool provider to create.
The arguments in this group can be used to specify the attributes of this
resource.
This must be specified.
PROVIDER
ID of the workforce pool provider or fully qualified identifier for
the workforce pool provider.
To set the provider attribute:
▸ provide the argument provider on the command line.
This positional argument must be specified if any of the other
arguments in this group are specified.
--location=LOCATION
The location for the workforce pool.
To set the location attribute:
▸ provide the argument provider on the command line with a fully
specified name;
▸ provide the argument --location on the command line.
--workforce-pool=WORKFORCE_POOL
The ID to use for the workforce pool, which becomes the final
component of the resource name. This value must be a globally unique
string of 6 to 63 lowercase letters, digits, or hyphens. It must
start with a letter, and cannot have a trailing hyphen. The prefix
gcp- is reserved for use by Google, and may not be specified.
To set the workforce-pool attribute:
▸ provide the argument provider on the command line with a fully
specified name;
▸ provide the argument --workforce-pool on the command line.
REQUIRED FLAGS
--attribute-mapping=[KEY=VALUE,...]
Maps claims from the authentication credentials issued by the Identity
Provider into Google Cloud IAM attributes, e.g. subject, segment.
Each key must be a string specifying the Google Cloud IAM attribute to
be produced.
The following predefined keys are currently supported:
◆ google.subject: required field that indicates the principal that is
being authenticated to IAM, and will be logged in all API accesses
for which Cloud Audit Logging is configured.
◆ google.groups: optional field that indicates asserted groups that
the user should be considered to belong to. You can create IAM
bindings using the groups attribute and access to a resource will be
granted if any of the groups asserted here match a group in the
respective binding.
◆ google.display_name: optional field that overrides the name of the
user. If not set, google.subject will be displayed instead. This
attribute cannot be used in IAM policies. The maximum length of this
field is 100 characters.
◆ google.profile_photo: optional fields that may be set to a valid
URL specifying the user's thumbnail photo. When set, the image will
be visible as the user's profile picture. If not set, a generic user
icon will be displayed instead. This attribute cannot be used in IAM
policies.
Custom attributes can also be mapped by specifying
attribute.{custom_attribute}, replacing {custom_attribute} with the
name of the custom attribute to be mapped. A maximum of 50 custom
attribute mappings can be defined. The maximum length of a mapped
attribute key is 2048 characters and may only contain the characters
[a-z0-9].
These attributes can then be referenced in IAM policies to define
fine-grained access for the workforce pool to Google Cloud resources by
specifying:
◆ google.subject:
principal://iam.googleapis.com/locations/global/workforcePools/{pool}/subject/{value}
◆ google.groups:
principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/group/{value}
◆ attribute.{custom_attribute}:
principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language
(https://opensource.google/projects/cel) function that maps an Identity
Provider credential to the normalized attribute specified by the
corresponding map key.
The following keywords may be referenced in the expressions:
◆ assertion: JSON representing the authentication credential issued
by the Identity Provider.
The maximum length of an attribute mapping expression is 2048
characters. When evaluated, the total size of all mapped attributes
must not exceed 8KB.
Example: Map the sub claim of the incoming credential to the subject
Google Cloud IAM attribute.
{"google.subject": "assertion.sub"}
--client-id=CLIENT_ID
The OIDC client ID. This must match the audience claim of the JWT
issued by the identity provider.
--issuer-uri=ISSUER_URI
The OIDC issuer URI. Must be a valid URI using the 'https' scheme.
This must be specified.
--web-sso-assertion-claims-behavior=WEB_SSO_ASSERTION_CLAIMS_BEHAVIOR
The behavior for how OIDC Claims are included in the assertion object
used for attribute mapping and attribute condition.
Use merge-user-info-over-id-token-claims to merge the UserInfo
Endpoint Claims with ID Token Claims, preferring UserInfo Claim
Values for the same Claim Name. Currently this option is only
available for Authorization Code flow.
Use only-id-token-claims to include only ID token claims.
WEB_SSO_ASSERTION_CLAIMS_BEHAVIOR must be one of:
assertion-claims-behavior-unspecified,
merge-user-info-over-id-token-claims, only-id-token-claims.
This flag argument must be specified if any of the other arguments in
this group are specified.
--web-sso-response-type=WEB_SSO_RESPONSE_TYPE
Response Type to request for in the OIDC Authorization Request for
web sign-in.
Use code to select the authorization code flow
(https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
Use id-token to select the implicit flow
(https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth).
WEB_SSO_RESPONSE_TYPE must be one of: code, id-token,
response-type-unspecified.
This flag argument must be specified if any of the other arguments in
this group are specified.
--web-sso-additional-scopes=[WEB_SSO_ADDITIONAL_SCOPES,...]
Additional scopes to request for the OIDC authentication on top of
scopes requested by default. By default, the openid, profile and
email scopes that are supported by the identity provider are
requested.
Each additional scope may be at most 256 characters. A maximum of 10
additional scopes may be configured.
OPTIONAL FLAGS
--async
Return immediately, without waiting for the operation in progress to
complete.
--attribute-condition=ATTRIBUTE_CONDITION
A Common Expression Language (https://opensource.google/projects/cel)
expression, in plain text, to restrict which otherwise valid
authentication credentials issued by the provider should be accepted.
The expression must output a boolean representing whether to allow the
federation.
The following keywords may be referenced in the expressions:
◆ assertion: JSON representing the authentication credential issued
by the Provider.
◆ google: The Google attributes mapped from the assertion in the
attribute_mappings. google.profile_photo and google.display_name are
not supported.
◆ attribute: The custom attributes mapped from the assertion in the
attribute_mappings.
The maximum length of the attribute condition expression is 4096
characters. If unspecified, all valid authentication credential will be
accepted.
Example: Only allow credentials with a mapped google.groups value of
admins.
"'admins' in google.groups"
--client-secret-value=CLIENT_SECRET_VALUE
The OIDC client secret. Required to enable Authorization Code flow for
web sign-in.
--description=DESCRIPTION
A description for the workforce pool provider. Cannot exceed 256
characters in length.
--disabled
Disables the workforce pool provider. You cannot use a disabled
provider to perform new token exchanges or sign-ins. However, existing
tokens still grant access. Specify --no-disabled to enable a disabled
pool.
--display-name=DISPLAY_NAME
A display name for the workforce pool provider. Cannot exceed 32
characters in length.
--jwk-json-path=JWK_JSON_PATH
Optional file containing JSON Web Key (JWK) public keys. The file
format must follow JWK specifications
(https://www.rfc-editor.org/rfc/rfc7517#section-4). Example file
format: {
"keys": [
{
"kty": "RSA/EC",
"alg": "<algorithm>",
"use": "sig",
"kid": "<key-id>",
"n": "",
"e": "",
"x": "",
"y": "",
"crv": ""
}
]
}
--extra-attributes-client-id=EXTRA_ATTRIBUTES_CLIENT_ID
The OAuth 2.0 client ID for retrieving extra attributes from the
identity provider. Required to get the Access Token using client
credentials grant flow.
--extra-attributes-client-secret-value=EXTRA_ATTRIBUTES_CLIENT_SECRET_VALUE
The OAuth 2.0 client secret for retrieving extra attributes from the
identity provider. Required to get the Access Token using client
credentials grant flow.
--extra-attributes-issuer-uri=EXTRA_ATTRIBUTES_ISSUER_URI
OIDC identity provider's issuer URI. Must be a valid URI using the
'https' scheme. Required to get the OIDC discovery document.
--extra-attributes-type=EXTRA_ATTRIBUTES_TYPE
Represents the identity provider and type of claims that should be
fetched. EXTRA_ATTRIBUTES_TYPE must be (only one value is supported):
azure-ad-groups-mail.
--extra-attributes-filter=EXTRA_ATTRIBUTES_FILTER
The filter used to request specific records from IdP. In case of
attributes type as AZURE_AD_GROUPS_MAIL, it represents the filter used
to request specific groups for users from IdP. By default all the
groups associated with the user are fetched. The groups that are used
should be mail enabled and security enabled. See
https://learn.microsoft.com/en-us/graph/search-query-parameter for more
details.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
API REFERENCE
This command uses the iam/v1 API. The full documentation for this API can
be found at: https://cloud.google.com/iam/
NOTES
These variants are also available:
$ gcloud alpha iam workforce-pools providers create-oidc
$ gcloud beta iam workforce-pools providers create-oidc