Console
    Contact Us Start free

    Manage workforce identity pool providers

    This guide describes how you can perform common operations with Workforce Identity Federation. To set up Workforce Identity Federation, see the following guides:

    Before you begin

    1. You must have a Google Cloud organization set up.

    2. Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:

      gcloud  
init

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity .

    Manage pools

    This section shows you how to manage workforce identity pools.

    Create a pool

    To create a workforce pool, execute the following command:

    gcloud

    To create the workforce identity pool, run the following command:

     gcloud  
iam  
workforce-pools  
create  
 WORKFORCE_POOL_ID 
  
 \ 
  
--organization = 
 ORGANIZATION_ID 
  
 \ 
  
--display-name = 
 " DISPLAY_NAME 
" 
  
 \ 
  
--description = 
 " DESCRIPTION 
" 
  
 \ 
  
--session-duration = 
 SESSION_DURATION 
  
 \ 
  
--location = 
global

    Replace the following:

    • WORKFORCE_POOL_ID : an ID that you choose to represent your Google Cloud workforce pool. For information on formatting the ID, see the Query parameters section in the API documentation.
    • ORGANIZATION_ID : the numeric organization ID of your Google Cloud organization for the workforce identity pool. Workforce identity pools are available across all projects and folders in the organization.
    • DISPLAY_NAME : Optional. A display name for your workforce identity pool.
    • DESCRIPTION : Optional. A workforce identity pool description.
    • SESSION_DURATION : Optional. The session duration, expressed as a number appended with s —for example, 3600s . Session duration determines how long the Google Cloud access tokens, console (federated) sign-in sessions, and gcloud CLI sign-in sessions from this workforce pool are valid. Session duration defaults to one hour (3600s). The session duration value must be between 15 minutes (900s) and 12 hours (43200s).

    Console

    To create the workforce identity pool, do the following:

    1. In the Google Cloud console, go to the Workforce Identity Poolspage:

      Go to Workforce Identity Pools

    2. Select the organization for your workforce identity pool. Workforce identity pools are available across all projects and folders in an organization.

    3. Click Create pooland do the following:

      1. In the Namefield, enter the display name of the pool. The pool ID is automatically derived from the name as you type, and it is displayed under the Namefield. You can update the pool ID by clicking Editnext to the pool ID.

      2. Optional: In Description, enter a description of the pool.

      3. To create the workforce identity pool, click Next.

    The workforce identity pool's session duration defaults to one hour (3600s). The session duration determines how long the Google Cloud access tokens, console (federated) , and gcloud CLI sign-in sessions from this workforce pool are valid. After you create the pool, you can update the pool to set a custom session duration. The session duration must be from 15 minutes (900s) to 12 hours (43200s).

    Describe a pool

    gcloud

    To describe a specific workforce pool using the gcloud CLI, execute the following command:

     gcloud  
iam  
workforce-pools  
describe  
 WORKFORCE_POOL_ID 
  
 \ 
  
--location = 
global

    Replace WORKFORCE_POOL_ID with the workforce pool ID that you chose when you created the pool.

    Console

    To describe a specific workforce pool using the Google Cloud console, do the following:

    1. Go to the Workforce Identity Poolspage:

      Go to Workforce Identity Pools

    2. In Workforce pools, select the pool

    List pools

    gcloud

    To list the workforce pools in the organization, execute the following command:

     gcloud  
iam  
workforce-pools  
list  
 \ 
  
--organization = 
 ORGANIZATION_ID 
  
 \ 
  
--location = 
global

    Replace ORGANIZATION_ID with your organization ID.

    Console

    To list workforce pools using the Google Cloud console, do the following:

    1. Go to the Workforce Identity Poolspage:

      Go to Workforce Identity Pools

    2. In the table, view the list of pools.

    Update a pool

    gcloud

    To update a specific workforce pool, execute the following command:

     gcloud  
iam  
workforce-pools  
update  
 WORKFORCE_POOL_ID 
  
 \ 
  
--description = 
 DESCRIPTION 
  
 \ 
  
--location = 
global

    Replace the following:

    • WORKFORCE_POOL_ID : the workforce pool ID
    • DESCRIPTION : the description of the pool

    Console

    To update a specific workforce pool using the Google Cloud console, do the following:

    1. Go to the Workforce Identity Poolspage:

      Go to Workforce Identity Pools

    2. In the table, select the pool.

    3. Update the pool parameters.

    4. Click Save Pool.

    Delete a pool

    gcloud

    To delete a workforce identity pool, execute the following command:

     gcloud  
iam  
workforce-pools  
delete  
 WORKFORCE_POOL_ID 
  
 \ 
  
--location = 
global

    Replace WORKFORCE_POOL_ID with the workforce pool ID.

    Console

    To delete a specific workforce pool using the Google Cloud console, do the following:

    1. Go to the Workforce Identity Poolspage:

      Go to Workforce Identity Pools

    2. In Workforce pools, click Delete on the pool you want to delete.

    3. Follow additional instructions.

    Undelete a pool

    You can undelete a workforce identity pool that was deleted within the last 30 days.

    To undelete a pool, execute the following command:

     gcloud  
iam  
workforce-pools  
undelete  
 WORKFORCE_POOL_ID 
  
 \ 
  
--location = 
global

    Replace WORKFORCE_POOL_ID with the workforce pool ID.

    Configure a provider within the workforce pool

    This section explains how you can use gcloud commands to configure workforce identity pool providers:

    Create an OIDC provider

    This section describes how to create a workforce identity pool provider for an OIDC IdP.

    gcloud

    Code flow

    To create an OIDC provider that uses authorization code flow for web sign-in, run the following command:

    gcloud iam workforce-pools providers create-oidc WORKFORCE_PROVIDER_ID 
\
    --workforce-pool= WORKFORCE_POOL_ID 
\
    --display-name=" DISPLAY_NAME 
" \
    --description=" DESCRIPTION 
" \
    --issuer-uri=" ISSUER_URI 
" \
    --client-id=" OIDC_CLIENT_ID 
" \
    --client-secret-value=" OIDC_CLIENT_SECRET 
" \
    --web-sso-response-type="code" \
    --web-sso-assertion-claims-behavior="merge-user-info-over-id-token-claims" \
    --web-sso-additional-scopes=" WEB_SSO_ADDITIONAL_SCOPES 
" \
    --attribute-mapping=" ATTRIBUTE_MAPPING 
" \
    --attribute-condition=" ATTRIBUTE_CONDITION 
" \
    --jwk-json-path=" JWK_JSON_PATH 
" \
    --detailed-audit-logging \
    --location=global

    Replace the following:

    • WORKFORCE_PROVIDER_ID : A unique workforce identity pool provider ID. The prefix gcp- is reserved and can't be used in a workforce identity pool or workforce identity pool provider ID.
    • WORKFORCE_POOL_ID : The workforce identity pool ID to connect your IdP to.
    • DISPLAY_NAME : An optional user-friendly display name for the provider; for example, idp-eu-employees .
    • DESCRIPTION : An optional workforce provider description; for example, IdP for Partner Example Organization employees .
    • ISSUER_URI : The OIDC issuer URI, in a valid URI format, that starts with https ; for example, https://example.com/oidc . Note: For security reasons, ISSUER_URI must use the HTTPS scheme.
    • OIDC_CLIENT_ID : The OIDC client ID that is registered with your OIDC IdP; the ID must match the aud claim of the JWT that is issued by your IdP.
    • OIDC_CLIENT_SECRET : The OIDC client secret.
    • WEB_SSO_ADDITIONAL_SCOPES : Optional additional scopes to send to the OIDC IdP for console (federated) or gcloud CLI browser-based sign-in.
    • ATTRIBUTE_MAPPING : An attribute mapping . The following is an example of an attribute mapping: 
       google.subject=assertion.sub,
google.groups=assertion.group1,
attribute.costcenter=assertion.costcenter
      This example maps the IdP attributes subject , group1 , and costcenter in the OIDC assertion to google.subject , google.groups , and attribute.costcenter attributes, respectively.
    • ATTRIBUTE_CONDITION : An attribute condition ; for example, assertion.role == 'gcp-users' . This example condition ensures that only users with the role gcp-users can sign in using this provider.
    • JWK_JSON_PATH : An optional path to a locally uploaded OIDC JWKs . If this parameter isn't supplied, Google Cloud instead uses your IdP's /.well-known/openid-configuration path to source the JWKs containing the public keys. For more information about locally uploaded OIDC JWKs, see manage OIDC JWKs .

    • Workforce Identity Federation detailed audit logging logs information received from your IdP to Logging. Detailed audit logging can help you troubleshoot your workforce identity pool provider configuration. To learn how to troubleshoot attribute mapping errors with detailed audit logging, see General attribute mapping errors . To learn about Logging pricing, see Google Cloud Observability pricing .

      To disable detailed audit logging for a workforce identity pool provider, omit the --detailed-audit-logging flag when you run gcloud iam workforce-pools providers create . To disable detailed audit logging, you can also update the provider .

    In the command response, POOL_RESOURCE_NAME is the name of the pool; for example, locations/global/workforcePools/enterprise-example-organization-employees .

    Implicit flow

    To create an OIDC workforce identity pool provider that uses the implicit flow for web sign-in, run the following command:

    gcloud iam workforce-pools providers create-oidc WORKFORCE_PROVIDER_ID 
\
    --workforce-pool= WORKFORCE_POOL_ID 
\
    --display-name=" DISPLAY_NAME 
" \
    --description=" DESCRIPTION 
" \
    --issuer-uri=" ISSUER_URI 
" \
    --client-id=" OIDC_CLIENT_ID 
" \
    --web-sso-response-type="id-token" \
    --web-sso-assertion-claims-behavior="only-id-token-claims" \
    --web-sso-additional-scopes=" WEB_SSO_ADDITIONAL_SCOPES 
" \
    --attribute-mapping=" ATTRIBUTE_MAPPING 
" \
    --attribute-condition=" ATTRIBUTE_CONDITION 
" \
    --jwk-json-path=" JWK_JSON_PATH 
" \
    --detailed-audit-logging \
    --location=global

    Replace the following:

    • WORKFORCE_PROVIDER_ID : A unique workforce identity pool provider ID. The prefix gcp- is reserved and can't be used in a workforce identity pool or workforce identity pool provider ID.
    • WORKFORCE_POOL_ID : The workforce identity pool ID to connect your IdP to.
    • DISPLAY_NAME : An optional user-friendly display name for the provider; for example, idp-eu-employees .
    • DESCRIPTION : An optional workforce provider description; for example, IdP for Partner Example Organization employees .
    • ISSUER_URI : The OIDC issuer URI, in a valid URI format, that starts with https ; for example, https://example.com/oidc . Note: For security reasons, ISSUER_URI must use the HTTPS scheme.
    • OIDC_CLIENT_ID : The OIDC client ID that is registered with your OIDC IdP; the ID must match the aud claim of the JWT that is issued by your IdP.
    • WEB_SSO_ADDITIONAL_SCOPES : Optional additional scopes to send to the OIDC IdP for console (federated) or gcloud CLI browser-based sign-in.
    • ATTRIBUTE_MAPPING : An attribute mapping . The following is an example of an attribute mapping: 
       google.subject=assertion.sub,
google.groups=assertion.group1,
attribute.costcenter=assertion.costcenter
      This example maps the IdP attributes subject , group1 , and costcenter in the OIDC assertion to google.subject , google.groups , and attribute.costcenter attributes, respectively.
    • ATTRIBUTE_CONDITION : An attribute condition ; for example, assertion.role == 'gcp-users' . This example condition ensures that only users with the role gcp-users can sign in using this provider.
    • JWK_JSON_PATH : An optional path to a locally uploaded OIDC JWKs . If this parameter isn't supplied, Google Cloud instead uses your IdP's /.well-known/openid-configuration path to source the JWKs containing the public keys. For more information about locally uploaded OIDC JWKs, see manage OIDC JWKs .

    • Workforce Identity Federation detailed audit logging logs information received from your IdP to Logging. Detailed audit logging can help you troubleshoot your workforce identity pool provider configuration. To learn how to troubleshoot attribute mapping errors with detailed audit logging, see General attribute mapping errors . To learn about Logging pricing, see Google Cloud Observability pricing .

      To disable detailed audit logging for a workforce identity pool provider, omit the --detailed-audit-logging flag when you run gcloud iam workforce-pools providers create . To disable detailed audit logging, you can also update the provider .

    In the command response, POOL_RESOURCE_NAME is the name of the pool; for example, locations/global/workforcePools/enterprise-example-organization-employees .

    Console

    Code flow

    1. In the Google Cloud console, go to the Workforce Identity Poolspage:

      Go to Workforce Identity Pools

    2. In the Workforce Identity Pools table, select the pool for which you want to create the provider.

    3. In the Providers table, click Add Provider .

    4. In Select a protocol , select Open ID Connect (OIDC) .

    5. In Create a pool provider , do the following:

      1. In Name , enter the name for the provider.
      2. In Issuer (URL) , enter the issuer URI. The OIDC issuer URI must be in a valid URI format and start with https ; for example, https://example.com/oidc .
      3. Enter the Client ID , the OIDC client ID that is registered with your OIDC IdP; the ID must match the aud claim of the JWT that is issued by your IdP.
      4. To create a provider that is enabled, make sure Enabled Provideris on.
      5. Click Continue .

    6. In Flow type , do the following. Flow type is used only for a web-based single-sign-on flow.

      1. In Flow type , select Code .
      2. In Client secret , enter the client secret from your IdP.

      3. In Assertion claims behavior , select either of the following:

        • User info and ID token
        • Only ID token

      4. Click Continue .

    7. In Configure provider , you can configure an attribute mapping and an attribute condition. To create an attribute mapping , do the following. You can provide either the IdP field name or a CEL-formatted expression that returns a string.

      1. Required: In OIDC 1 , enter the subject from the IdP; for example, assertion.sub .

      2. Optional: To add additional attribute mappings, do the following:

        1. Click Add mapping .
        2. In Google n , where n is a number, enter one of the Google Cloud-supported keys .
        3. In the corresponding OIDC n field, enter the name of the IdP-specific field to map, in CEL format.

      3. To create an attribute condition, do the following:

        1. Click Add condition .
        2. In Attribute Conditions , enter a condition in CEL format ; for example, assertion.role == 'gcp-users' . This example condition ensures that only users with the role gcp-users can sign in using this provider.

      4. To turn on detailed audit logging, in Detailed logging, click the Enable detailed attribute value loggingtoggle.

        Workforce Identity Federation detailed audit logging logs information received from your IdP to Logging. Detailed audit logging can help you troubleshoot your workforce identity pool provider configuration. To learn how to troubleshoot attribute mapping errors with detailed audit logging, see General attribute mapping errors . To learn about Logging pricing, see Google Cloud Observability pricing .

        To disable detailed audit logging for a workforce identity pool provider, omit the --detailed-audit-logging flag when you run gcloud iam workforce-pools providers create . To disable detailed audit logging, you can also update the provider .

    8. To create the provider, click Submit .

    Implicit flow

    1. In the Google Cloud console, go to the Workforce Identity Poolspage:

      Go to Workforce Identity Pools

    2. In the Workforce Identity Pools table, select the pool for which you want to create the provider.

    3. In the Providers table, click Add Provider .

    4. In Select a protocol , select Open ID Connect (OIDC) .

    5. In Create a pool provider , do the following:

      1. In Name , enter a name for the provider.
      2. In Issuer (URL) , enter the issuer URI. The OIDC issuer URI must be in a valid URI format and start with https ; for example, https://example.com/oidc .
      3. Enter the Client ID , the OIDC client ID that is registered with your OIDC IdP; the ID must match the aud claim of the JWT that is issued by your IdP.
      4. To create a provider that is enabled, make sure Enabled Provideris on.
      5. Click Continue .

    6. In Flow type , do the following. Flow type is used only for a web-based single-sign-on flow.

      1. In Flow type , select ID token .
      2. Click Continue .

    7. In Configure provider , you can configure an attribute mapping and an attribute condition. To create an attribute mapping , do the following. You can provide either the IdP field name or a CEL-formatted expression that returns a string.

      1. Required: In OIDC 1 , enter the subject from the IdP; for example, assertion.sub .

      2. Optional: To add additional attribute mappings, do the following:

        1. Click Add mapping .
        2. In Google n , where n is a number, enter one of the Google Cloud-supported keys .
        3. In the corresponding OIDC n field, enter the name of the IdP-specific field to map, in CEL format.

      3. To create an attribute condition, do the following:

        1. Click Add condition .

        2. In Attribute Conditions , enter a condition in CEL format ; for example, assertion.role == 'gcp-users' . This example condition ensures that only users with the role gcp-users can sign in using this provider.

      4. To turn on detailed audit logging, in Detailed logging, click the Enable detailed attribute value loggingtoggle.

        Workforce Identity Federation detailed audit logging logs information received from your IdP to Logging. Detailed audit logging can help you troubleshoot your workforce identity pool provider configuration. To learn how to troubleshoot attribute mapping errors with detailed audit logging, see General attribute mapping errors . To learn about Logging pricing, see Google Cloud Observability pricing .

        To disable detailed audit logging for a workforce identity pool provider, omit the --detailed-audit-logging flag when you run gcloud iam workforce-pools providers create . To disable detailed audit logging, you can also update the provider .

    8. To create the provider, click Submit .

    Create a SAML provider

    This section describes how to create a workforce identity pool provider for a SAML IdP.

    gcloud

    To create the provider, run the following command:

     gcloud  
iam  
workforce-pools  
providers  
create-saml  
 WORKFORCE_PROVIDER_ID 
  
 \ 
  
--workforce-pool = 
 " WORKFORCE_POOL_ID 
" 
  
 \ 
  
--attribute-mapping = 
 " ATTRIBUTE_MAPPING 
" 
  
 \ 
  
--attribute-condition = 
 " ATTRIBUTE_CONDITION 
" 
  
 \ 
  
--idp-metadata-path = 
 " XML_METADATA_PATH 
" 
  
 \ 
  
--detailed-audit-logging  
 \ 
  
--location = 
 "global"

    Replace the following:

    • WORKFORCE_PROVIDER_ID : the workforce provider ID
    • WORKFORCE_POOL_ID : the workforce pool ID

    • ATTRIBUTE_MAPPING : an attribute mapping ; for example, to map a subject, the attribute mapping is as follows:

       google.subject=assertion.subject,
google.groups=assertion.attributes['https://example.com/aliases'],
attribute.department=assertion.attributes.department[0]

    • ATTRIBUTE_CONDITION : an optional attribute condition ; for example, assertion.subject.endsWith("@example.com")

    • XML_METADATA_PATH : the path to the XML-formatted metadata file from your IdP

    The prefix gcp- is reserved and can't be used in a workforce identity pool or workforce identity pool provider ID.

    This command assigns the subject and department in the SAML assertion to google.subject and attribute.department attributes, respectively. Additionally, the attribute condition ensures that only users with a subject ending in @example.com can sign in using this workforce provider.

    Workforce Identity Federation detailed audit logging logs information received from your IdP to Logging. Detailed audit logging can help you troubleshoot your workforce identity pool provider configuration. To learn how to troubleshoot attribute mapping errors with detailed audit logging, see General attribute mapping errors . To learn about Logging pricing, see Google Cloud Observability pricing .

    To disable detailed audit logging for a workforce identity pool provider, omit the --detailed-audit-logging flag when you run gcloud iam workforce-pools providers create . To disable detailed audit logging, you can also update the provider .

    Console

    To configure the SAML provider using the Google Cloud console, do the following:

    1. In the Google Cloud console, go to the Workforce Identity Poolspage:

      Go to Workforce Identity Pools

    2. In the Workforce Identity Poolstable, select the pool for which you want to create the provider.

    3. In the Providerstable, click Add Provider.

    4. In Select a protocol, select SAML.

    5. In Create a pool providerdo the following:

      1. In Name, enter a name for the provider.

      2. Optional: In Description, enter a description for the provider.

      3. In IDP metadata file (XML), select the metadata XML file that you generated earlier in this guide.

      4. Ensure that Enabled provideris enabled.

      5. Click Continue.

    6. In Configure provider, do the following:

      1. In Attribute mapping, enter a CEL expression for google.subject .

      2. Optional: To enter other mappings, click Add mappingand enter other mappings—for example:

          google.subject=assertion.subject, 
 google.groups=assertion.attributes['https://example.com/aliases'], 
 attribute.costcenter=assertion.attributes.costcenter[0]
        This example maps the IdP attributes assertion.subject , assertion.attributes['https://example.com/aliases'] , and assertion.attributes.costcenter[0] to the Google Cloud attributes google.subject , google.groups , and google.costcenter , respectively.

      3. Optional: To add an attribute condition, click Add conditionand enter a CEL expression representing an attribute condition. For example, to limit the ipaddr attribute to a certain IP range you can set the condition assertion.attributes.ipaddr.startsWith('98.11.12.') . This example condition ensures that only users with an IP address that starts with 98.11.12. can sign in using this workforce provider.

      4. Click Continue.

      5. To turn on detailed audit logging, in Detailed logging, click the Enable detailed attribute value loggingtoggle.

        Workforce Identity Federation detailed audit logging logs information received from your IdP to Logging. Detailed audit logging can help you troubleshoot your workforce identity pool provider configuration. To learn how to troubleshoot attribute mapping errors with detailed audit logging, see General attribute mapping errors . To learn about Logging pricing, see Google Cloud Observability pricing .

        To disable detailed audit logging for a workforce identity pool provider, omit the --detailed-audit-logging flag when you run gcloud iam workforce-pools providers create . To disable detailed audit logging, you can also update the provider .

    7. To create the provider, click Submit.

    Describe a provider

    gcloud

    To describe a provider, run the following command:

     gcloud  
iam  
workforce-pools  
providers  
describe  
 PROVIDER_ID 
  
 \ 
  
--workforce-pool = 
 WORKFORCE_POOL_ID 
  
 \ 
  
--location = 
global

    Replace the following:

    • PROVIDER_ID : the provider ID
    • WORKFORCE_POOL_ID : the workforce pool ID

    Console

    To view a provider, do the following:

    1. Go to the Workforce Identity Poolspage:

    Go to Workforce Identity Pools

    1. In the table, select the pool for which you want to view the provider.

    2. In the Providerstable, select the provider.

    List providers

    gcloud

    To list providers, execute the following command:

     gcloud  
iam  
workforce-pools  
providers  
list  
 \ 
  
--workforce-pool = 
 WORKFORCE_POOL_ID 
  
 \ 
  
--location = 
global

    Replace WORKFORCE_POOL_ID with the workforce pool ID.

    Console

    To view a provider, do the following:

    1. Go to the Workforce Identity Poolspage:

    Go to Workforce Identity Pools

    1. In the table, select the pool for which you want to list the providers.

    2. In the Providerstable you can see a list of providers.

    Update a provider

    gcloud

    To update an OIDC provider after creation, execute the following command:

     gcloud  
iam  
workforce-pools  
providers  
update-oidc  
 PROVIDER_ID 
  
 \ 
  
--workforce-pool = 
 WORKFORCE_POOL_ID 
  
 \ 
  
--description = 
 " DESCRIPTION 
" 
  
 \ 
  
--detailed-audit-logging  
 \ 
  
--location = 
global

    Replace the following:

    • PROVIDER_ID : the provider ID
    • WORKFORCE_POOL_ID : the workforce pool ID
    • DESCRIPTION : the description
    • To enable detailed audit logging , add the --detailed-audit-logging flag to gcloud iam workforce-pools providers update . To disable detailed audit logging, add the --no-detailed-audit-logging flag to the update command.

    Console

    To view a provider, do the following:

    1. Go to the Workforce Identity Poolspage:

    Go to Workforce Identity Pools

    1. In the table, select the pool for which you want to view the provider.

    2. In the Providerstable, click Edit .

    3. Update the provider.

    4. To save the updated provider, click Save.

    Delete a provider

    To delete a provider, execute the following command:

     gcloud  
iam  
workforce-pools  
providers  
delete  
 PROVIDER_ID 
  
 \ 
  
--workforce-pool = 
 WORKFORCE_POOL_ID 
  
 \ 
  
--location = 
global

    Replace the following:

    • PROVIDER_ID : the provider ID
    • WORKFORCE_POOL_ID : the workforce pool ID

    Undelete a provider

    To undelete a provider deleted within the last 30 days, execute the following command:

     gcloud  
iam  
workforce-pools  
providers  
undelete  
 PROVIDER_ID 
  
 \ 
  
--workforce-pool = 
 WORKFORCE_POOL_ID 
  
 \ 
  
--location = 
global

    Replace the following:

    • PROVIDER_ID : the provider ID
    • WORKFORCE_POOL_ID : the workforce pool ID

    Manage OIDC JWKs

    This section shows you how to manage OIDC JWKs in workforce pool providers.

    Create a provider and upload OIDC JWKs

    To create OIDC JWKs, see JWT, JWS, JWE, JWK, and JWA Implementations .

    To upload an OIDC JWK file when you create a workforce pool provider, run the gcloud iam workforce-pools providers create-oidc command with --jwk-json-path=" JWK_JSON_PATH " . Replace JWK_JSON_PATH with the path to the JWKs JSON file.

    This operation uploads the keys from the file.

    Update OIDC JWKs

    To update OIDC JWKs, run the gcloud iam workforce-pools providers update-oidc command with --jwk-json-path=" JWK_JSON_PATH " . Replace JWK_JSON_PATH with the path to the JWKs JSON file.

    This operation replaces any existing uploaded keys with the ones in the file.

    Delete all uploaded OIDC JWKs

    To delete all of the uploaded OIDC JWKs and instead use the issuer URI to fetch the keys, run the gcloud iam workforce-pools providers update-oidc command with --jwk-json-path=" JWK_JSON_PATH " . Replace JWK_JSON_PATH with the path to an empty file. Use the --issuer-uri flag to set the issuer URI.

    This operation deletes all of your existing uploaded keys.

    What's next
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: