Class: Google::Apis::IamV1::WorkloadIdentityPoolProvider
- Inherits:
-
Object
- Object
- Google::Apis::IamV1::WorkloadIdentityPoolProvider
- Includes:
- Core::Hashable, Core::JsonObjectSupport
- Defined in:
- lib/google/apis/iam_v1/classes.rb,
lib/google/apis/iam_v1/representations.rb,
lib/google/apis/iam_v1/representations.rb
Overview
A configuration for an external identity provider.
Instance Attribute Summary collapse
-
#attribute_condition ⇒ String
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted.
-
#attribute_mapping ⇒ Hash<String,String>
Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as
subjectandsegment. -
#aws ⇒ Google::Apis::IamV1::Aws
Represents an Amazon Web Services identity provider.
-
#description ⇒ String
A description for the provider.
-
#disabled ⇒ Boolean
(also: #disabled?)
Whether the provider is disabled.
-
#display_name ⇒ String
A display name for the provider.
-
#name ⇒ String
Output only.
-
#oidc ⇒ Google::Apis::IamV1::Oidc
Represents an OpenId Connect 1.0 identity provider.
-
#saml ⇒ Google::Apis::IamV1::Saml
Represents an SAML 2.0 identity provider.
-
#state ⇒ String
Output only.
Instance Method Summary collapse
-
#initialize(**args) ⇒ WorkloadIdentityPoolProvider
constructor
A new instance of WorkloadIdentityPoolProvider.
-
#update!(**args) ⇒ Object
Update properties of this object.
Constructor Details
#initialize(**args) ⇒ WorkloadIdentityPoolProvider
Returns a new instance of WorkloadIdentityPoolProvider.
2055 2056 2057 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2055 def initialize(**args) update!(**args) end |
Instance Attribute Details
#attribute_condition ⇒ String
A Common Expression Language
expression, in plain text, to restrict what otherwise valid authentication
credentials issued by the provider should not be accepted. The expression must
output a boolean representing whether to allow the federation. The following
keywords may be referenced in the expressions: * assertion: JSON
representing the authentication credential issued by the provider. * google:
The Google attributes mapped from the assertion in the attribute_mappings. *
attribute: The custom attributes mapped from the assertion in the
attribute_mappings. The maximum length of the attribute condition expression
is 4096 characters. If unspecified, all valid authentication credential are
accepted. The following example shows how to only allow credentials with a
mapped google.groups value of admins: "'admins' in google.groups"
Corresponds to the JSON property attributeCondition
1970 1971 1972 |
# File 'lib/google/apis/iam_v1/classes.rb', line 1970 def attribute_condition @attribute_condition end |
#attribute_mapping ⇒ Hash<String,String>
Maps attributes from authentication credentials issued by an external identity
provider to Google Cloud attributes, such as subject and segment. Each key
must be a string specifying the Google Cloud IAM attribute to map to. The
following keys are supported: * google.subject: The principal IAM is
authenticating. You can reference this value in IAM bindings. This is also the
subject that appears in Cloud Logging logs. Cannot exceed 127 bytes. * google.
groups: Groups the external identity belongs to. You can grant groups access
to resources using an IAM principalSet binding; access applies to all
members of the group. You can also provide custom attributes by specifying
attribute.custom_attribute, wherecustom_attributeis the name of the
custom attribute to be mapped. You can define a maximum of 50 custom
attributes. The maximum length of a mapped attribute key is 100 characters,
and the key may only contain the characters [a-z0-9_]. You can reference these
attributes in IAM policies to define fine-grained access for a workload to
Google Cloud resources. For example: * `google.subject`: `principal://iam.
googleapis.com/projects/`project`/locations/`location`/workloadIdentityPools/`
pool`/subject/`value * google.groups: principalSet://iam.googleapis.com/
projects/project/locations/location/workloadIdentityPools/pool/group/
value* `attribute.`custom_attribute: principalSet://iam.googleapis.com/
projects/project/locations/location/workloadIdentityPools/pool/attribute.
custom_attribute/valueEach value must be a [Common Expression Language] (
https://opensource.google/projects/cel) function that maps an identity
provider credential to the normalized attribute specified by the corresponding
map key. You can use the `assertion` keyword in the expression to access a
JSON representation of the authentication credential issued by the provider.
The maximum length of an attribute mapping expression is 2048 characters. When
evaluated, the total size of all mapped attributes must not exceed 8KB. For
AWS providers, if no attribute mapping is defined, the following default
mapping applies: "google.subject":"assertion.arn", "attribute.aws_role":
"assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('
account_arnassumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('
assumed-role/role_name/')" " : assertion.arn", If any custom attribute
mappings are defined, they must include a mapping to the `google.subject`
attribute. For OIDC providers, you must supply a custom mapping, which must
include the `google.subject` attribute. For example, the following maps the `
sub` claim of the incoming credential to the `subject` attribute on a Google
token:"google.subject": "assertion.sub"`
Corresponds to the JSON propertyattributeMapping`
2011 2012 2013 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2011 def attribute_mapping @attribute_mapping end |
#aws ⇒ Google::Apis::IamV1::Aws
Represents an Amazon Web Services identity provider.
Corresponds to the JSON property aws
2016 2017 2018 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2016 def aws @aws end |
#description ⇒ String
A description for the provider. Cannot exceed 256 characters.
Corresponds to the JSON property description
2021 2022 2023 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2021 def description @description end |
#disabled ⇒ Boolean Also known as: disabled?
Whether the provider is disabled. You cannot use a disabled provider to
exchange tokens. However, existing tokens still grant access.
Corresponds to the JSON property disabled
2027 2028 2029 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2027 def disabled @disabled end |
#display_name ⇒ String
A display name for the provider. Cannot exceed 32 characters.
Corresponds to the JSON property displayName
2033 2034 2035 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2033 def display_name @display_name end |
#name ⇒ String
Output only. The resource name of the provider.
Corresponds to the JSON property name
2038 2039 2040 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2038 def name @name end |
#oidc ⇒ Google::Apis::IamV1::Oidc
Represents an OpenId Connect 1.0 identity provider.
Corresponds to the JSON property oidc
2043 2044 2045 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2043 def oidc @oidc end |
#saml ⇒ Google::Apis::IamV1::Saml
Represents an SAML 2.0 identity provider.
Corresponds to the JSON property saml
2048 2049 2050 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2048 def saml @saml end |
#state ⇒ String
Output only. The state of the provider.
Corresponds to the JSON property state
2053 2054 2055 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2053 def state @state end |
Instance Method Details
#update!(**args) ⇒ Object
Update properties of this object
2060 2061 2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2060 def update!(**args) @attribute_condition = args[:attribute_condition] if args.key?(:attribute_condition) @attribute_mapping = args[:attribute_mapping] if args.key?(:attribute_mapping) @aws = args[:aws] if args.key?(:aws) @description = args[:description] if args.key?(:description) @disabled = args[:disabled] if args.key?(:disabled) @display_name = args[:display_name] if args.key?(:display_name) @name = args[:name] if args.key?(:name) @oidc = args[:oidc] if args.key?(:oidc) @saml = args[:saml] if args.key?(:saml) @state = args[:state] if args.key?(:state) end |