googleIamWorkloadIdentityPool

Represents a collection of external workload identities. You can define IAM policies to grant these identities access to Google Cloud resources.

To get more information about WorkloadIdentityPool, see:

Example Usage - Iam Workload Identity Pool Basic

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
// Minimal pool: only the required ID is set. The display name and
// description stay empty and the pool is created enabled.
// CDKTF property names are camelCase (workloadIdentityPoolId), not the
// snake_case names used in the HCL resource.
new google.iamWorkloadIdentityPool.IamWorkloadIdentityPool(this, "example", {
  workloadIdentityPoolId: "example-pool",
});

Example Usage - Iam Workload Identity Pool Full

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
// Full pool: all optional arguments set. With disabled: true the pool
// cannot exchange tokens and existing tokens stop granting access until
// it is re-enabled.
new google.iamWorkloadIdentityPool.IamWorkloadIdentityPool(this, "example", {
  description: "Identity pool for automated test",
  disabled: true,
  displayName: "Name of pool",
  workloadIdentityPoolId: "example-pool",
});

Argument Reference

The following arguments are supported:

  • workloadIdentityPoolId - (Required) The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp is reserved for use by Google, and may not be specified.

  • displayName - (Optional) A display name for the pool. Cannot exceed 32 characters.

  • description - (Optional) A description of the pool. Cannot exceed 256 characters.

  • disabled - (Optional) Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

  • project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
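The constraints above (ID length and character set, the reserved gcp prefix, display name and description limits) can be checked locally before synth so a bad pool definition fails in the pipeline rather than at apply time. The following validator is an added example, not part of the provider or CDKTF; the interface, the function name and the sample configs are hypothetical and constructed here.

```typescript
// Added example: pre-synth validation of an IamWorkloadIdentityPool config
// against the limits stated in the Argument Reference. Not provider code.
interface WorkloadIdentityPoolConfig {
  workloadIdentityPoolId: string;
  displayName?: string;
  description?: string;
  disabled?: boolean;
}

// Hypothetical helper: returns every violation found (empty array = valid).
function validateWorkloadIdentityPoolConfig(cfg: WorkloadIdentityPoolConfig): string[] {
  const errors: string[] = [];
  const id = cfg.workloadIdentityPoolId;

  // 4-32 characters drawn from [a-z0-9-]. The anchors make sure uppercase
  // letters, underscores and whitespace are rejected rather than skipped.
  if (!/^[a-z0-9-]{4,32}$/.test(id)) {
    errors.push(`workloadIdentityPoolId "${id}" must be 4-32 chars of [a-z0-9-]`);
  }
  // The prefix "gcp" is reserved for use by Google.
  if (id.startsWith("gcp")) {
    errors.push(`workloadIdentityPoolId "${id}" must not start with reserved prefix "gcp"`);
  }
  // displayName cannot exceed 32 characters.
  if (cfg.displayName !== undefined && cfg.displayName.length > 32) {
    errors.push(`displayName exceeds 32 characters (${cfg.displayName.length})`);
  }
  // description cannot exceed 256 characters.
  if (cfg.description !== undefined && cfg.description.length > 256) {
    errors.push(`description exceeds 256 characters (${cfg.description.length})`);
  }
  return errors;
}

// Constructed sample configs: the page's "full" example, and one that
// breaks three rules at once (bad characters, reserved prefix, long name).
const validConfig: WorkloadIdentityPoolConfig = {
  workloadIdentityPoolId: "example-pool",
  displayName: "Name of pool",
  description: "Identity pool for automated test",
  disabled: true,
};
const invalidConfig: WorkloadIdentityPoolConfig = {
  workloadIdentityPoolId: "gcp-Pool_1",
  displayName: Array(34).join("x"), // 33 characters
};
```

Run the validator on each pool config before handing it to the IamWorkloadIdentityPool constructor and fail the synth if the returned array is non-empty.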

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - An identifier for the resource with format projects/{{project}}/locations/global/workloadIdentityPools/{{workloadIdentityPoolId}}

  • state - The state of the pool. One of:

    • STATE_UNSPECIFIED: State unspecified.
    • ACTIVE: The pool is active, and may be used in Google Cloud policies.
    • DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

  • name - The resource name of the pool as projects/{projectNumber}/locations/global/workloadIdentityPools/{workloadIdentityPoolId}.

Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 20 minutes.
  • update - Default is 20 minutes.
  • delete - Default is 20 minutes.

Import

WorkloadIdentityPool can be imported using any of these accepted formats:

$ terraform import google_iam_workload_identity_pool.default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}
$ terraform import google_iam_workload_identity_pool.default {{project}}/{{workload_identity_pool_id}}
$ terraform import google_iam_workload_identity_pool.default {{workload_identity_pool_id}}

User Project Overrides

This resource supports User Project Overrides.