A `WorkforcePoolSubject` is automatically created the first time an external credential is exchanged for a Google Cloud credential using a mapped `google.subject` attribute. There is no endpoint to manually create a `WorkforcePoolSubject`.
For 30 days after a `WorkforcePoolSubject` is deleted, using the same `google.subject` attribute in token exchanges with Google Cloud STS fails.
Call [subjects.undelete](/iam/docs/reference/rest/v1/locations.workforcePools.subjects/undelete#google.iam.admin.v1.WorkforcePools.UndeleteWorkforcePoolSubject) to undelete a `WorkforcePoolSubject` that has been deleted, within 30 days of deleting it.
After 30 days, the `WorkforcePoolSubject` is permanently deleted. At this point, a token exchange with Google Cloud STS that uses the same mapped `google.subject` attribute automatically creates a new `WorkforcePoolSubject` that is unrelated to the previously deleted `WorkforcePoolSubject` but has the same `google.subject` value.
Path parameter `name`: Required. The resource name of the `WorkforcePoolSubject`. Special characters, like `/` and `:`, must be escaped, because all URLs need to conform to the "When to Escape and Unescape" section of RFC3986.
Method: `locations.workforcePools.subjects.delete`

Deletes a `WorkforcePoolSubject`. Subject must not already be in a deleted state.

### HTTP request

`DELETE https://iam.googleapis.com/v1/{name=locations/*/workforcePools/*/subjects/*}`

The URL uses [gRPC Transcoding](https://google.aip.dev/127) syntax.

### Request body

The request body must be empty.

### Response body

If successful, the response body contains an instance of [Operation](/iam/docs/reference/rest/Shared.Types/Operation).

### Authorization scopes

Requires one of the following OAuth scopes:

- `https://www.googleapis.com/auth/cloud-platform`
- `https://www.googleapis.com/auth/iam`

For more information, see the [Authentication Overview](/docs/authentication#authorization-gcp).

Last updated 2025-05-21 UTC.
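The escaping requirement for the resource name, applied to the `DELETE` URL, as an added example (not Google's code). The pool ID `example-pool`, the subject value and the helper names are constructed for illustration; the code only builds the request line and sends nothing.

```python
from urllib.parse import quote, unquote, urlsplit

# Host and version taken from the page's HTTP request template.
API_ROOT = "https://iam.googleapis.com/v1/"


def subject_resource_name(location: str, pool_id: str, subject_id: str) -> str:
    """Build locations/*/workforcePools/*/subjects/* with every segment escaped."""
    encoded = []
    for label, value in (("location", location), ("pool", pool_id), ("subject", subject_id)):
        if not value or value in (".", ".."):
            # Empty or dot segments may be dropped or collapsed by URL normalisation.
            raise ValueError(f"unusable {label} segment: {value!r}")
        # safe="" escapes everything outside the RFC 3986 unreserved characters,
        # including "/" and ":", so the value stays one path segment.
        encoded.append(quote(value, safe=""))
    return "locations/{}/workforcePools/{}/subjects/{}".format(*encoded)


def delete_request(location: str, pool_id: str, subject_id: str) -> tuple[str, str]:
    """Return (method, url) for subjects.delete. The request body must be empty."""
    url = API_ROOT + subject_resource_name(location, pool_id, subject_id)
    # Expected path: /v1/locations/L/workforcePools/P/subjects/S -> 8 split parts.
    parts = urlsplit(url).path.split("/")
    if len(parts) != 8 or unquote(parts[7]) != subject_id:
        raise ValueError("subject ID does not round-trip as a single path segment")
    return "DELETE", url


def path_segment_count(url: str) -> int:
    """Number of non-empty path segments; the template has 7 after the host."""
    return len([p for p in urlsplit(url).path.split("/") if p])


if __name__ == "__main__":
    subject = "acme/alice:ops@example.com"  # constructed google.subject value
    print(delete_request("global", "example-pool", subject))
    naive = API_ROOT + f"locations/global/workforcePools/example-pool/subjects/{subject}"
    print(path_segment_count(naive), "segments when unescaped (template expects 7)")
```

An unescaped `/` in the subject adds a path segment, so the request no longer matches the `subjects/*` template and does not name the subject that was meant to be deleted.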