Class: Google::Apis::IamV1::WorkloadIdentityPoolProvider
- Inherits:
-
Object
- Object
- Google::Apis::IamV1::WorkloadIdentityPoolProvider
- Includes:
- Core::Hashable, Core::JsonObjectSupport
- Defined in:
- lib/google/apis/iam_v1/classes.rb,
lib/google/apis/iam_v1/representations.rb,
lib/google/apis/iam_v1/representations.rb
Overview
A configuration for an external identity provider.
Instance Attribute Summary collapse
-
#attribute_condition ⇒ String
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted.
-
#attribute_mapping ⇒ Hash<String,String>
Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as
subjectandsegment. -
#aws ⇒ Google::Apis::IamV1::Aws
Represents an Amazon Web Services identity provider.
-
#description ⇒ String
A description for the provider.
-
#disabled ⇒ Boolean
(also: #disabled?)
Whether the provider is disabled.
-
#display_name ⇒ String
A display name for the provider.
-
#name ⇒ String
Output only.
-
#oidc ⇒ Google::Apis::IamV1::Oidc
Represents an OpenId Connect 1.0 identity provider.
-
#saml ⇒ Google::Apis::IamV1::Saml
Represents an SAML 2.0 identity provider.
-
#state ⇒ String
Output only.
Instance Method Summary collapse
-
#initialize(**args) ⇒ WorkloadIdentityPoolProvider
constructor
A new instance of WorkloadIdentityPoolProvider.
-
#update!(**args) ⇒ Object
Update properties of this object.
Constructor Details
#initialize(**args) ⇒ WorkloadIdentityPoolProvider
Returns a new instance of WorkloadIdentityPoolProvider.
2435 2436 2437 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2435 def initialize(**args) update!(**args) end |
Instance Attribute Details
#attribute_condition ⇒ String
A Common Expression Language
expression, in plain text, to restrict what otherwise valid authentication
credentials issued by the provider should not be accepted. The expression must
output a boolean representing whether to allow the federation. The following
keywords may be referenced in the expressions: * assertion: JSON
representing the authentication credential issued by the provider. * google:
The Google attributes mapped from the assertion in the attribute_mappings. *
attribute: The custom attributes mapped from the assertion in the
attribute_mappings. The maximum length of the attribute condition expression
is 4096 characters. If unspecified, all valid authentication credential are
accepted. The following example shows how to only allow credentials with a
mapped google.groups value of admins: "'admins' in google.groups"
Corresponds to the JSON property attributeCondition
2350 2351 2352 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2350 def attribute_condition @attribute_condition end |
#attribute_mapping ⇒ Hash<String,String>
Maps attributes from authentication credentials issued by an external identity
provider to Google Cloud attributes, such as subject and segment. Each key
must be a string specifying the Google Cloud IAM attribute to map to. The
following keys are supported: * google.subject: The principal IAM is
authenticating. You can reference this value in IAM bindings. This is also the
subject that appears in Cloud Logging logs. Cannot exceed 127 bytes. * google.
groups: Groups the external identity belongs to. You can grant groups access
to resources using an IAM principalSet binding; access applies to all
members of the group. You can also provide custom attributes by specifying
attribute.custom_attribute, wherecustom_attributeis the name of the
custom attribute to be mapped. You can define a maximum of 50 custom
attributes. The maximum length of a mapped attribute key is 100 characters,
and the key may only contain the characters [a-z0-9_]. You can reference these
attributes in IAM policies to define fine-grained access for a workload to
Google Cloud resources. For example: * `google.subject`: `principal://iam.
googleapis.com/projects/`project`/locations/`location`/workloadIdentityPools/`
pool`/subject/`value * google.groups: principalSet://iam.googleapis.com/
projects/project/locations/location/workloadIdentityPools/pool/group/
value* `attribute.`custom_attribute: principalSet://iam.googleapis.com/
projects/project/locations/location/workloadIdentityPools/pool/attribute.
custom_attribute/valueEach value must be a [Common Expression Language] (
https://opensource.google/projects/cel) function that maps an identity
provider credential to the normalized attribute specified by the corresponding
map key. You can use the `assertion` keyword in the expression to access a
JSON representation of the authentication credential issued by the provider.
The maximum length of an attribute mapping expression is 2048 characters. When
evaluated, the total size of all mapped attributes must not exceed 8KB. For
AWS providers, if no attribute mapping is defined, the following default
mapping applies: "google.subject":"assertion.arn", "attribute.aws_role":
"assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('
account_arnassumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('
assumed-role/role_name/')" " : assertion.arn", If any custom attribute
mappings are defined, they must include a mapping to the `google.subject`
attribute. For OIDC providers, you must supply a custom mapping, which must
include the `google.subject` attribute. For example, the following maps the `
sub` claim of the incoming credential to the `subject` attribute on a Google
token:"google.subject": "assertion.sub"`
Corresponds to the JSON propertyattributeMapping`
2391 2392 2393 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2391 def attribute_mapping @attribute_mapping end |
#aws ⇒ Google::Apis::IamV1::Aws
Represents an Amazon Web Services identity provider.
Corresponds to the JSON property aws
2396 2397 2398 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2396 def aws @aws end |
#description ⇒ String
A description for the provider. Cannot exceed 256 characters.
Corresponds to the JSON property description
2401 2402 2403 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2401 def description @description end |
#disabled ⇒ Boolean Also known as: disabled?
Whether the provider is disabled. You cannot use a disabled provider to
exchange tokens. However, existing tokens still grant access.
Corresponds to the JSON property disabled
2407 2408 2409 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2407 def disabled @disabled end |
#display_name ⇒ String
A display name for the provider. Cannot exceed 32 characters.
Corresponds to the JSON property displayName
2413 2414 2415 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2413 def display_name @display_name end |
#name ⇒ String
Output only. The resource name of the provider.
Corresponds to the JSON property name
2418 2419 2420 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2418 def name @name end |
#oidc ⇒ Google::Apis::IamV1::Oidc
Represents an OpenId Connect 1.0 identity provider.
Corresponds to the JSON property oidc
2423 2424 2425 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2423 def oidc @oidc end |
#saml ⇒ Google::Apis::IamV1::Saml
Represents an SAML 2.0 identity provider.
Corresponds to the JSON property saml
2428 2429 2430 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2428 def saml @saml end |
#state ⇒ String
Output only. The state of the provider.
Corresponds to the JSON property state
2433 2434 2435 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2433 def state @state end |
Instance Method Details
#update!(**args) ⇒ Object
Update properties of this object
2440 2441 2442 2443 2444 2445 2446 2447 2448 2449 2450 2451 |
# File 'lib/google/apis/iam_v1/classes.rb', line 2440 def update!(**args) @attribute_condition = args[:attribute_condition] if args.key?(:attribute_condition) @attribute_mapping = args[:attribute_mapping] if args.key?(:attribute_mapping) @aws = args[:aws] if args.key?(:aws) @description = args[:description] if args.key?(:description) @disabled = args[:disabled] if args.key?(:disabled) @display_name = args[:display_name] if args.key?(:display_name) @name = args[:name] if args.key?(:name) @oidc = args[:oidc] if args.key?(:oidc) @saml = args[:saml] if args.key?(:saml) @state = args[:state] if args.key?(:state) end |