workload_identity_pools
Creates, updates, deletes, gets or lists a workload_identity_pools resource.
Overview
Property | Value |
---|---|
Name | workload_identity_pools |
Type | Resource |
Id | google.iam.workload_identity_pools |
Fields
The following fields are returned by SELECT queries (the get and list methods return the same fields):
Successful response
Name | Datatype | Description |
---|---|---|
name | string | Output only. The resource name of the pool. |
description | string | Optional. A description of the pool. Cannot exceed 256 characters. |
disabled | boolean | Optional. Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again. |
displayName | string | Optional. A display name for the pool. Cannot exceed 32 characters. |
expireTime | string (google-datetime) | Output only. Time after which the workload identity pool will be permanently purged and cannot be recovered. |
inlineCertificateIssuanceConfig | object | Optional. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. (id: InlineCertificateIssuanceConfig) |
inlineTrustConfig | object | Optional. Represents config to add additional trusted trust domains. (id: InlineTrustConfig) |
mode | string | Immutable. The mode the pool is operating in. |
state | string | Output only. The state of the pool. |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
get | select | projectsId, locationsId, workloadIdentityPoolsId | | Gets an individual WorkloadIdentityPool. |
list | select | projectsId, locationsId | pageSize, pageToken, showDeleted | Lists all non-deleted WorkloadIdentityPools in a project. If show_deleted is set to true, then deleted pools are also listed. |
create | insert | projectsId, locationsId | workloadIdentityPoolId | Creates a new WorkloadIdentityPool. You cannot reuse the name of a deleted pool until 30 days after deletion. |
patch | update | projectsId, locationsId, workloadIdentityPoolsId | updateMask | Updates an existing WorkloadIdentityPool. |
delete | delete | projectsId, locationsId, workloadIdentityPoolsId | | Deletes a WorkloadIdentityPool. You cannot use a deleted pool to exchange external credentials for Google Cloud credentials. However, deletion does not revoke credentials that have already been issued. Credentials issued for a deleted pool do not grant access to resources. If the pool is undeleted, and the credentials are not expired, they grant access again. You can undelete a pool for 30 days. After 30 days, deletion is permanent. You cannot update deleted pools. However, you can view and list them. |
undelete | exec | projectsId, locationsId, workloadIdentityPoolsId | | Undeletes a WorkloadIdentityPool, as long as it was deleted fewer than 30 days ago. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
locationsId | string | |
projectsId | string | |
workloadIdentityPoolsId | string | |
pageSize | integer (int32) | |
pageToken | string | |
showDeleted | boolean | |
updateMask | string (google-fieldmask) | |
workloadIdentityPoolId | string | |
SELECT examples
Gets an individual WorkloadIdentityPool (get).

```sql
SELECT
name,
description,
disabled,
displayName,
expireTime,
inlineCertificateIssuanceConfig,
inlineTrustConfig,
mode,
state
FROM google.iam.workload_identity_pools
WHERE projectsId = '{{ projectsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND workloadIdentityPoolsId = '{{ workloadIdentityPoolsId }}'; -- required
```
Lists all non-deleted WorkloadIdentityPools in a project (list). If show_deleted is set to true, then deleted pools are also listed.

```sql
SELECT
name,
description,
disabled,
displayName,
expireTime,
inlineCertificateIssuanceConfig,
inlineTrustConfig,
mode,
state
FROM google.iam.workload_identity_pools
WHERE projectsId = '{{ projectsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND pageSize = '{{ pageSize }}'
AND pageToken = '{{ pageToken }}'
AND showDeleted = '{{ showDeleted }}';
```
INSERT examples
Creates a new WorkloadIdentityPool (create). You cannot reuse the name of a deleted pool until 30 days after deletion.

```sql
INSERT INTO google.iam.workload_identity_pools (
data__displayName,
data__description,
data__disabled,
data__mode,
data__inlineCertificateIssuanceConfig,
data__inlineTrustConfig,
projectsId,
locationsId,
workloadIdentityPoolId
)
SELECT
'{{ displayName }}',
'{{ description }}',
{{ disabled }},
'{{ mode }}',
'{{ inlineCertificateIssuanceConfig }}',
'{{ inlineTrustConfig }}',
'{{ projectsId }}',
'{{ locationsId }}',
'{{ workloadIdentityPoolId }}'
RETURNING
name,
done,
error,
metadata,
response
;
```

Manifest

```yaml
# Description fields are for documentation purposes
- name: workload_identity_pools
  props:
    - name: projectsId
      value: string
      description: Required parameter for the workload_identity_pools resource.
    - name: locationsId
      value: string
      description: Required parameter for the workload_identity_pools resource.
    - name: displayName
      value: string
      description: >
        Optional. A display name for the pool. Cannot exceed 32 characters.
    - name: description
      value: string
      description: >
        Optional. A description of the pool. Cannot exceed 256 characters.
    - name: disabled
      value: boolean
      description: >
        Optional. Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
    - name: mode
      value: string
      description: >
        Immutable. The mode the pool is operating in.
      valid_values: ['MODE_UNSPECIFIED', 'FEDERATION_ONLY', 'TRUST_DOMAIN']
    - name: inlineCertificateIssuanceConfig
      value: object
      description: >
        Optional. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates.
    - name: inlineTrustConfig
      value: object
      description: >
        Optional. Represents config to add additional trusted trust domains.
    - name: workloadIdentityPoolId
      value: string
```
UPDATE examples
Updates an existing WorkloadIdentityPool (patch).

```sql
UPDATE google.iam.workload_identity_pools
SET
data__displayName = '{{ displayName }}',
data__description = '{{ description }}',
data__disabled = {{ disabled }},
data__mode = '{{ mode }}',
data__inlineCertificateIssuanceConfig = '{{ inlineCertificateIssuanceConfig }}',
data__inlineTrustConfig = '{{ inlineTrustConfig }}'
WHERE
projectsId = '{{ projectsId }}' --required
AND locationsId = '{{ locationsId }}' --required
AND workloadIdentityPoolsId = '{{ workloadIdentityPoolsId }}' --required
AND updateMask = '{{ updateMask }}'
RETURNING
name,
done,
error,
metadata,
response;
```
DELETE examples
Deletes a WorkloadIdentityPool (delete). You cannot use a deleted pool to exchange external credentials for Google Cloud credentials. However, deletion does not revoke credentials that have already been issued. Credentials issued for a deleted pool do not grant access to resources. If the pool is undeleted, and the credentials are not expired, they grant access again. You can undelete a pool for 30 days. After 30 days, deletion is permanent. You cannot update deleted pools. However, you can view and list them.

```sql
DELETE FROM google.iam.workload_identity_pools
WHERE projectsId = '{{ projectsId }}' --required
AND locationsId = '{{ locationsId }}' --required
AND workloadIdentityPoolsId = '{{ workloadIdentityPoolsId }}'; --required
```
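Because deleting a pool neither revokes credentials that were already issued nor prevents an undelete within 30 days from restoring their access, a periodic audit should include deleted pools rather than only active ones. The query below is an added example, not from the original page: it uses the list method with showDeleted set so that deleted pools are returned alongside active ones, and selects the state, disabled and expireTime fields that show where each pool is in its lifecycle. The projectsId placeholder is assumed, and the 'global' location is assumed to be where the pools live.

```sql
-- Added audit example (not part of the original page).
-- Assumes '{{ projectsId }}' is filled in and that pools live in the 'global' location.
-- showDeleted is passed as a string, following this page's parameter templates.
SELECT
  name,
  state,
  disabled,
  expireTime
FROM google.iam.workload_identity_pools
WHERE projectsId = '{{ projectsId }}'
  AND locationsId = 'global'
  AND showDeleted = 'true';
```

Rows that carry a populated expireTime are deleted pools that have not yet been permanently purged, so they can still be undeleted; a pool with disabled set to true cannot exchange tokens but is retained and can be re-enabled. Reviewing both sets together gives a complete picture of which pools could regain the ability to grant access.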
Lifecycle Methods
Undeletes a WorkloadIdentityPool (undelete), as long as it was deleted fewer than 30 days ago.

```sql
EXEC google.iam.workload_identity_pools.undelete
@projectsId='{{ projectsId }}', --required
@locationsId='{{ locationsId }}', --required
@workloadIdentityPoolsId='{{ workloadIdentityPoolsId }}'; --required
```