workforce_pools
Creates, updates, deletes, gets or lists a workforce_pools resource.
Overview
Name | workforce_pools |
Type | Resource |
Id | google.iam.workforce_pools |
Fields
The following fields are returned by SELECT queries:
- get
- list
Successful response
Name | Datatype | Description |
---|---|---|
name | string | Identifier. The resource name of the pool. Format: locations/{location}/workforcePools/{workforce_pool_id} |
accessRestrictions | object | Optional. Configure access restrictions on the workforce pool users. This is an optional field. If specified web sign-in can be restricted to given set of services or programmatic sign-in can be disabled for pool users. (id: AccessRestrictions) |
description | string | Optional. A user-specified description of the pool. Cannot exceed 256 characters. |
disabled | boolean | Optional. Disables the workforce pool. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again. |
displayName | string | Optional. A user-specified display name of the pool in Google Cloud Console. Cannot exceed 32 characters. |
expireTime | string (google-datetime) | Output only. Time after which the workforce pool will be permanently purged and cannot be recovered. |
parent | string | Immutable. The resource name of the parent. Format: organizations/{org-id} . |
sessionDuration | string (google-duration) | Optional. Duration that the Google Cloud access tokens, console sign-in sessions, and gcloud sign-in sessions from this pool are valid. Must be greater than 15 minutes (900s) and less than 12 hours (43200s). If session_duration is not configured, minted credentials have a default duration of one hour (3600s). For SAML providers, the lifetime of the token is the minimum of the session_duration and the SessionNotOnOrAfter claim in the SAML assertion. |
state | string | Output only. The state of the pool. |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
get | select | locationsId , workforcePoolsId | | Gets an individual WorkforcePool. |
list | select | locationsId | parent , pageSize , pageToken , showDeleted | Lists all non-deleted WorkforcePools under the specified parent. If show_deleted is set to true , then deleted pools are also listed. |
create | insert | locationsId | workforcePoolId | Creates a new WorkforcePool. You cannot reuse the name of a deleted pool until 30 days after deletion. |
patch | update | locationsId , workforcePoolsId | updateMask | Updates an existing WorkforcePool. |
delete | delete | locationsId , workforcePoolsId | | Deletes a WorkforcePool. You cannot use a deleted WorkforcePool to exchange external credentials for Google Cloud credentials. However, deletion does not revoke credentials that have already been issued. Credentials issued for a deleted pool do not grant access to resources. If the pool is undeleted, and the credentials are not expired, they grant access again. You can undelete a pool for 30 days. After 30 days, deletion is permanent. You cannot update deleted pools. However, you can view and list them. |
undelete | exec | locationsId , workforcePoolsId | | Undeletes a WorkforcePool, as long as it was deleted fewer than 30 days ago. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
locationsId | string | |
workforcePoolsId | string | |
pageSize | integer (int32) | |
pageToken | string | |
parent | string | |
showDeleted | boolean | |
updateMask | string (google-fieldmask) | |
workforcePoolId | string | |
SELECT examples
- get
- list
Gets an individual WorkforcePool.
SELECT
name,
accessRestrictions,
description,
disabled,
displayName,
expireTime,
parent,
sessionDuration,
state
FROM google.iam.workforce_pools
WHERE locationsId = '{{ locationsId }}' -- required
AND workforcePoolsId = '{{ workforcePoolsId }}'; -- required
Lists all non-deleted WorkforcePools under the specified parent. If show_deleted is set to true, then deleted pools are also listed.
SELECT
name,
accessRestrictions,
description,
disabled,
displayName,
expireTime,
parent,
sessionDuration,
state
FROM google.iam.workforce_pools
WHERE locationsId = '{{ locationsId }}' -- required
AND parent = '{{ parent }}'
AND pageSize = '{{ pageSize }}'
AND pageToken = '{{ pageToken }}'
AND showDeleted = '{{ showDeleted }}';
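The rows returned by the list query can be checked against the constraints in the field table: session lifetime bounds and default, the SAML minimum rule, missing access restrictions, and pools whose already-issued tokens would regain access after an undelete or re-enable. This is an added example, not part of the provider documentation; the helper names, the `policy_max_s` limit, the dict row shape and the sample pools are assumptions.

```python
from datetime import datetime, timezone

MIN_S, MAX_S, DEFAULT_S = 900, 43200, 3600  # bounds and default from the field table

def parse_duration(value):
    """Parse a google-duration string such as '3600s' into seconds."""
    if not value.endswith("s"):
        raise ValueError(f"not a google-duration: {value!r}")
    return float(value[:-1])

def parse_time(value):
    """Parse a google-datetime (RFC 3339 with 'Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def effective_lifetime(pool, now, saml_not_on_or_after=None):
    """Seconds a credential minted at `now` stays valid under the sessionDuration rules."""
    configured = pool.get("sessionDuration")
    lifetime = parse_duration(configured) if configured else DEFAULT_S
    if saml_not_on_or_after:  # SAML: minimum of session_duration and SessionNotOnOrAfter
        remaining = (parse_time(saml_not_on_or_after) - now).total_seconds()
        lifetime = min(lifetime, max(remaining, 0))
    return lifetime

def audit(pool, now, policy_max_s=3600):
    """Findings for one row of the list query; policy_max_s is an assumed local limit."""
    findings = []
    lifetime = effective_lifetime(pool, now)
    if pool.get("sessionDuration") and not MIN_S < lifetime < MAX_S:
        findings.append("sessionDuration outside documented bounds")
    if lifetime > policy_max_s:
        findings.append(f"session lifetime {lifetime:.0f}s exceeds policy {policy_max_s}s")
    if not pool.get("accessRestrictions"):
        findings.append("no accessRestrictions configured")
    if (expire := pool.get("expireTime")) and parse_time(expire) > now:  # deleted, not purged
        findings.append("deleted but recoverable: unexpired tokens work again after undelete")
    elif pool.get("disabled"):
        findings.append("disabled: existing tokens grant access again if re-enabled")
    return findings

# Constructed sample rows shaped like the SELECT output (not real pools).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
POOLS = [
    {"name": "locations/global/workforcePools/example-a", "sessionDuration": "28800s",
     "accessRestrictions": None, "disabled": False, "expireTime": None},
    {"name": "locations/global/workforcePools/example-b", "sessionDuration": None,
     "accessRestrictions": {"disableProgrammaticSignin": True}, "disabled": False,
     "expireTime": "2024-06-20T00:00:00Z"},
]
for p in POOLS:
    print(p["name"], audit(p, NOW))
```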
INSERT examples
- create
- Manifest
Creates a new WorkforcePool. You cannot reuse the name of a deleted pool until 30 days after deletion.
INSERT INTO google.iam.workforce_pools (
data__name,
data__parent,
data__displayName,
data__description,
data__disabled,
data__sessionDuration,
data__accessRestrictions,
locationsId,
workforcePoolId
)
SELECT
'{{ name }}',
'{{ parent }}',
'{{ displayName }}',
'{{ description }}',
{{ disabled }},
'{{ sessionDuration }}',
'{{ accessRestrictions }}',
'{{ locationsId }}',
'{{ workforcePoolId }}'
RETURNING
name,
done,
error,
metadata,
response
;
# Description fields are for documentation purposes
- name: workforce_pools
  props:
    - name: locationsId
      value: string
      description: Required parameter for the workforce_pools resource.
    - name: name
      value: string
      description: >
        Identifier. The resource name of the pool. Format: `locations/{location}/workforcePools/{workforce_pool_id}`
    - name: parent
      value: string
      description: >
        Immutable. The resource name of the parent. Format: `organizations/{org-id}`.
    - name: displayName
      value: string
      description: >
        Optional. A user-specified display name of the pool in Google Cloud Console. Cannot exceed 32 characters.
    - name: description
      value: string
      description: >
        Optional. A user-specified description of the pool. Cannot exceed 256 characters.
    - name: disabled
      value: boolean
      description: >
        Optional. Disables the workforce pool. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
    - name: sessionDuration
      value: string
      description: >
        Optional. Duration that the Google Cloud access tokens, console sign-in sessions, and `gcloud` sign-in sessions from this pool are valid. Must be greater than 15 minutes (900s) and less than 12 hours (43200s). If `session_duration` is not configured, minted credentials have a default duration of one hour (3600s). For SAML providers, the lifetime of the token is the minimum of the `session_duration` and the `SessionNotOnOrAfter` claim in the SAML assertion.
    - name: accessRestrictions
      value: object
      description: >
        Optional. Configure access restrictions on the workforce pool users. This is an optional field. If specified web sign-in can be restricted to given set of services or programmatic sign-in can be disabled for pool users.
    - name: workforcePoolId
      value: string
UPDATE examples
- patch
Updates an existing WorkforcePool.
UPDATE google.iam.workforce_pools
SET
data__name = '{{ name }}',
data__parent = '{{ parent }}',
data__displayName = '{{ displayName }}',
data__description = '{{ description }}',
data__disabled = {{ disabled }},
data__sessionDuration = '{{ sessionDuration }}',
data__accessRestrictions = '{{ accessRestrictions }}'
WHERE
locationsId = '{{ locationsId }}' -- required
AND workforcePoolsId = '{{ workforcePoolsId }}' -- required
AND updateMask = '{{ updateMask }}'
RETURNING
name,
done,
error,
metadata,
response;
DELETE examples
- delete
Deletes a WorkforcePool. You cannot use a deleted WorkforcePool to exchange external credentials for Google Cloud credentials. However, deletion does not revoke credentials that have already been issued. Credentials issued for a deleted pool do not grant access to resources. If the pool is undeleted, and the credentials are not expired, they grant access again. You can undelete a pool for 30 days. After 30 days, deletion is permanent. You cannot update deleted pools. However, you can view and list them.
DELETE FROM google.iam.workforce_pools
WHERE locationsId = '{{ locationsId }}' -- required
AND workforcePoolsId = '{{ workforcePoolsId }}'; -- required
Lifecycle Methods
- undelete
Undeletes a WorkforcePool, as long as it was deleted fewer than 30 days ago.
EXEC google.iam.workforce_pools.undelete
@locationsId='{{ locationsId }}', -- required
@workforcePoolsId='{{ workforcePoolsId }}'; -- required