Class: Google::Apis::IamV1::WorkloadIdentityPoolProvider
- Inherits:
-
Object
- Object
- Google::Apis::IamV1::WorkloadIdentityPoolProvider
- Includes:
- Core::Hashable, Core::JsonObjectSupport
- Defined in:
- lib/google/apis/iam_v1/classes.rb,
lib/google/apis/iam_v1/representations.rb,
lib/google/apis/iam_v1/representations.rb
Overview
A configuration for an external identity provider.
Instance Attribute Summary collapse
-
#attribute_condition ⇒ String
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted.
-
#attribute_mapping ⇒ Hash<String,String>
Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as
subjectandsegment. -
#aws ⇒ Google::Apis::IamV1::Aws
Represents an Amazon Web Services identity provider.
-
#description ⇒ String
A description for the provider.
-
#disabled ⇒ Boolean
(also: #disabled?)
Whether the provider is disabled.
-
#display_name ⇒ String
A display name for the provider.
-
#name ⇒ String
Output only.
-
#oidc ⇒ Google::Apis::IamV1::Oidc
Represents an OpenId Connect 1.0 identity provider.
-
#saml ⇒ Google::Apis::IamV1::Saml
Represents an SAML 2.0 identity provider.
-
#state ⇒ String
Output only.
Instance Method Summary collapse
-
#initialize(**args) ⇒ WorkloadIdentityPoolProvider
constructor
A new instance of WorkloadIdentityPoolProvider.
-
#update!(**args) ⇒ Object
Update properties of this object.
Constructor Details
#initialize(**args) ⇒ WorkloadIdentityPoolProvider
Returns a new instance of WorkloadIdentityPoolProvider.
2052 2053 2054 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2052 def initialize(**args) update!(**args) end |
Instance Attribute Details
#attribute_condition ⇒ String
A Common Expression Language
expression, in plain text, to restrict what otherwise valid authentication
credentials issued by the provider should not be accepted. The expression must
output a boolean representing whether to allow the federation. The following
keywords may be referenced in the expressions: * assertion: JSON
representing the authentication credential issued by the provider. * google:
The Google attributes mapped from the assertion in the attribute_mappings. *
attribute: The custom attributes mapped from the assertion in the
attribute_mappings. The maximum length of the attribute condition expression
is 4096 characters. If unspecified, all valid authentication credential are
accepted. The following example shows how to only allow credentials with a
mapped google.groups value of admins: "'admins' in google.groups"
Corresponds to the JSON property attributeCondition
1967 1968 1969 |
# File 'lib/google/apis/iam_v1/classes.rb', line 1967 def attribute_condition @attribute_condition end |
#attribute_mapping ⇒ Hash<String,String>
Maps attributes from authentication credentials issued by an external identity
provider to Google Cloud attributes, such as subject and segment. Each key
must be a string specifying the Google Cloud IAM attribute to map to. The
following keys are supported: * google.subject: The principal IAM is
authenticating. You can reference this value in IAM bindings. This is also the
subject that appears in Cloud Logging logs. Cannot exceed 127 bytes. * google.
groups: Groups the external identity belongs to. You can grant groups access
to resources using an IAM principalSet binding; access applies to all
members of the group. You can also provide custom attributes by specifying
attribute.custom_attribute, wherecustom_attributeis the name of the
custom attribute to be mapped. You can define a maximum of 50 custom
attributes. The maximum length of a mapped attribute key is 100 characters,
and the key may only contain the characters [a-z0-9_]. You can reference these
attributes in IAM policies to define fine-grained access for a workload to
Google Cloud resources. For example: * `google.subject`: `principal://iam.
googleapis.com/projects/`project`/locations/`location`/workloadIdentityPools/`
pool`/subject/`value * google.groups: principalSet://iam.googleapis.com/
projects/project/locations/location/workloadIdentityPools/pool/group/
value* `attribute.`custom_attribute: principalSet://iam.googleapis.com/
projects/project/locations/location/workloadIdentityPools/pool/attribute.
custom_attribute/valueEach value must be a [Common Expression Language] (
https://opensource.google/projects/cel) function that maps an identity
provider credential to the normalized attribute specified by the corresponding
map key. You can use the `assertion` keyword in the expression to access a
JSON representation of the authentication credential issued by the provider.
The maximum length of an attribute mapping expression is 2048 characters. When
evaluated, the total size of all mapped attributes must not exceed 8KB. For
AWS providers, if no attribute mapping is defined, the following default
mapping applies: "google.subject":"assertion.arn", "attribute.aws_role":
"assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('
account_arnassumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('
assumed-role/role_name/')" " : assertion.arn", If any custom attribute
mappings are defined, they must include a mapping to the `google.subject`
attribute. For OIDC providers, you must supply a custom mapping, which must
include the `google.subject` attribute. For example, the following maps the `
sub` claim of the incoming credential to the `subject` attribute on a Google
token:"google.subject": "assertion.sub"`
Corresponds to the JSON propertyattributeMapping`
2008 2009 2010 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2008 def attribute_mapping @attribute_mapping end |
#aws ⇒ Google::Apis::IamV1::Aws
Represents an Amazon Web Services identity provider.
Corresponds to the JSON property aws
2013 2014 2015 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2013 def aws @aws end |
#description ⇒ String
A description for the provider. Cannot exceed 256 characters.
Corresponds to the JSON property description
2018 2019 2020 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2018 def description @description end |
#disabled ⇒ Boolean Also known as: disabled?
Whether the provider is disabled. You cannot use a disabled provider to
exchange tokens. However, existing tokens still grant access.
Corresponds to the JSON property disabled
2024 2025 2026 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2024 def disabled @disabled end |
#display_name ⇒ String
A display name for the provider. Cannot exceed 32 characters.
Corresponds to the JSON property displayName
2030 2031 2032 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2030 def display_name @display_name end |
#name ⇒ String
Output only. The resource name of the provider.
Corresponds to the JSON property name
2035 2036 2037 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2035 def name @name end |
#oidc ⇒ Google::Apis::IamV1::Oidc
Represents an OpenId Connect 1.0 identity provider.
Corresponds to the JSON property oidc
2040 2041 2042 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2040 def oidc @oidc end |
#saml ⇒ Google::Apis::IamV1::Saml
Represents an SAML 2.0 identity provider.
Corresponds to the JSON property saml
2045 2046 2047 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2045 def saml @saml end |
#state ⇒ String
Output only. The state of the provider.
Corresponds to the JSON property state
2050 2051 2052 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2050 def state @state end |
Instance Method Details
#update!(**args) ⇒ Object
Update properties of this object
2057 2058 2059 2060 2061 2062 2063 2064 2065 2066 2067 2068 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2057 def update!(**args) @attribute_condition = args[:attribute_condition] if args.key?(:attribute_condition) @attribute_mapping = args[:attribute_mapping] if args.key?(:attribute_mapping) @aws = args[:aws] if args.key?(:aws) @description = args[:description] if args.key?(:description) @disabled = args[:disabled] if args.key?(:disabled) @display_name = args[:display_name] if args.key?(:display_name) @name = args[:name] if args.key?(:name) @oidc = args[:oidc] if args.key?(:oidc) @saml = args[:saml] if args.key?(:saml) @state = args[:state] if args.key?(:state) end |