Google Cloud v8.26.0 published on Thursday, Apr 10, 2025 by Pulumi

gcp.iam.getWorkloadIdentityPoolProvider


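Get an IAM workload identity provider from Google Cloud by its id. This is a read-only lookup: it returns the configuration of an existing provider and does not create or modify it.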

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Read-only lookup of an existing workload identity pool provider.
// The returned provider describes the external identity source the pool
// trusts (AWS account, OIDC issuer and audiences, SAML metadata, or X.509
// trust store), so the result can be used to review federation settings.
// `project` is omitted here, so the provider project is used.
const providerLookupArgs = {
    workloadIdentityPoolId: "foo-pool",
    workloadIdentityPoolProviderId: "bar-provider",
};
const foo = gcp.iam.getWorkloadIdentityPoolProvider(providerLookupArgs);
import pulumi
import pulumi_gcp as gcp

# Read-only lookup of an existing workload identity pool provider.
# The returned provider describes the external identity source the pool
# trusts (AWS account, OIDC issuer and audiences, SAML metadata, or X.509
# trust store), so the result can be used to review federation settings.
# `project` is omitted here, so the provider project is used.
foo = gcp.iam.get_workload_identity_pool_provider(
    workload_identity_pool_id="foo-pool",
    workload_identity_pool_provider_id="bar-provider",
)
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main runs a Pulumi program that performs a read-only lookup of an existing
// workload identity pool provider. The lookup result is discarded here; only
// a lookup error is propagated, which fails the Pulumi run.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Project is left unset, so the provider project is used.
		lookupArgs := &iam.LookupWorkloadIdentityPoolProviderArgs{
			WorkloadIdentityPoolId:         "foo-pool",
			WorkloadIdentityPoolProviderId: "bar-provider",
		}
		if _, err := iam.LookupWorkloadIdentityPoolProvider(ctx, lookupArgs, nil); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

// Pulumi program entry point: performs a read-only lookup of an existing
// workload identity pool provider. Project is not set, so the provider
// project is used.
return await Deployment.RunAsync(() =>
{
    var lookupArgs = new Gcp.Iam.GetWorkloadIdentityPoolProviderInvokeArgs
    {
        WorkloadIdentityPoolId = "foo-pool",
        WorkloadIdentityPoolProviderId = "bar-provider",
    };

    // Invoke is the output form: it returns an Output-wrapped result that
    // describes the external identity source the pool trusts.
    var foo = Gcp.Iam.GetWorkloadIdentityPoolProvider.Invoke(lookupArgs);

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iam.IamFunctions;
import com.pulumi.gcp.iam.inputs.GetWorkloadIdentityPoolProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that performs a read-only lookup of an existing workload
 * identity pool provider. The project is not set, so the provider project
 * is used.
 */
public class App {
    /** Hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Looks up the provider "bar-provider" in pool "foo-pool". The result
     * describes the external identity source the pool trusts; it is not
     * used further in this example.
     *
     * @param ctx the Pulumi context supplied by the runtime
     */
    public static void stack(Context ctx) {
        final var lookupArgs = GetWorkloadIdentityPoolProviderArgs.builder()
            .workloadIdentityPoolId("foo-pool")
            .workloadIdentityPoolProviderId("bar-provider")
            .build();

        final var foo = IamFunctions.getWorkloadIdentityPoolProvider(lookupArgs);

    }
}
# Read-only lookup of an existing workload identity pool provider.
# `project` is not given, so the provider project is used.
variables:
  foo:
    fn::invoke:
      function: "gcp:iam:getWorkloadIdentityPoolProvider"
      arguments:
        # Final component of the pool resource name.
        workloadIdentityPoolId: "foo-pool"
        # Final component of the provider resource name.
        workloadIdentityPoolProviderId: "bar-provider"

Using getWorkloadIdentityPoolProvider

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getWorkloadIdentityPoolProvider(args: GetWorkloadIdentityPoolProviderArgs, opts?: InvokeOptions): Promise<GetWorkloadIdentityPoolProviderResult>
function getWorkloadIdentityPoolProviderOutput(args: GetWorkloadIdentityPoolProviderOutputArgs, opts?: InvokeOptions): Output<GetWorkloadIdentityPoolProviderResult>
def get_workload_identity_pool_provider(project: Optional[str] = None,
                                        workload_identity_pool_id: Optional[str] = None,
                                        workload_identity_pool_provider_id: Optional[str] = None,
                                        opts: Optional[InvokeOptions] = None) -> GetWorkloadIdentityPoolProviderResult
def get_workload_identity_pool_provider_output(project: Optional[pulumi.Input[str]] = None,
                                        workload_identity_pool_id: Optional[pulumi.Input[str]] = None,
                                        workload_identity_pool_provider_id: Optional[pulumi.Input[str]] = None,
                                        opts: Optional[InvokeOptions] = None) -> Output[GetWorkloadIdentityPoolProviderResult]
func LookupWorkloadIdentityPoolProvider(ctx *Context, args *LookupWorkloadIdentityPoolProviderArgs, opts ...InvokeOption) (*LookupWorkloadIdentityPoolProviderResult, error)
func LookupWorkloadIdentityPoolProviderOutput(ctx *Context, args *LookupWorkloadIdentityPoolProviderOutputArgs, opts ...InvokeOption) LookupWorkloadIdentityPoolProviderResultOutput

> Note: This function is named LookupWorkloadIdentityPoolProvider in the Go SDK.

public static class GetWorkloadIdentityPoolProvider 
{
    public static Task<GetWorkloadIdentityPoolProviderResult> InvokeAsync(GetWorkloadIdentityPoolProviderArgs args, InvokeOptions? opts = null)
    public static Output<GetWorkloadIdentityPoolProviderResult> Invoke(GetWorkloadIdentityPoolProviderInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetWorkloadIdentityPoolProviderResult> getWorkloadIdentityPoolProvider(GetWorkloadIdentityPoolProviderArgs args, InvokeOptions options)
public static Output<GetWorkloadIdentityPoolProviderResult> getWorkloadIdentityPoolProvider(GetWorkloadIdentityPoolProviderArgs args, InvokeOptions options)
fn::invoke:
  function: gcp:iam/getWorkloadIdentityPoolProvider:getWorkloadIdentityPoolProvider
  arguments:
    # arguments dictionary

The following arguments are supported:

WorkloadIdentityPoolId This property is required. string
The id of the pool which is the final component of the pool resource name.
WorkloadIdentityPoolProviderId This property is required. string
The id of the provider which is the final component of the resource name.


Project string
The project in which the resource belongs. If it is not provided, the provider project is used.
WorkloadIdentityPoolId This property is required. string
The id of the pool which is the final component of the pool resource name.
WorkloadIdentityPoolProviderId This property is required. string
The id of the provider which is the final component of the resource name.


Project string
The project in which the resource belongs. If it is not provided, the provider project is used.
workloadIdentityPoolId This property is required. String
The id of the pool which is the final component of the pool resource name.
workloadIdentityPoolProviderId This property is required. String
The id of the provider which is the final component of the resource name.


project String
The project in which the resource belongs. If it is not provided, the provider project is used.
workloadIdentityPoolId This property is required. string
The id of the pool which is the final component of the pool resource name.
workloadIdentityPoolProviderId This property is required. string
The id of the provider which is the final component of the resource name.


project string
The project in which the resource belongs. If it is not provided, the provider project is used.
workload_identity_pool_id This property is required. str
The id of the pool which is the final component of the pool resource name.
workload_identity_pool_provider_id This property is required. str
The id of the provider which is the final component of the resource name.


project str
The project in which the resource belongs. If it is not provided, the provider project is used.
workloadIdentityPoolId This property is required. String
The id of the pool which is the final component of the pool resource name.
workloadIdentityPoolProviderId This property is required. String
The id of the provider which is the final component of the resource name.


project String
The project in which the resource belongs. If it is not provided, the provider project is used.

getWorkloadIdentityPoolProvider Result

The following output properties are available:

Supporting Types

GetWorkloadIdentityPoolProviderAw

AccountId This property is required. string
The AWS account ID.
AccountId This property is required. string
The AWS account ID.
accountId This property is required. String
The AWS account ID.
accountId This property is required. string
The AWS account ID.
account_id This property is required. str
The AWS account ID.
accountId This property is required. String
The AWS account ID.

GetWorkloadIdentityPoolProviderOidc

AllowedAudiences This property is required. List<string>

Acceptable values for the 'aud' field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured.

If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

```
//iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
```

IssuerUri This property is required. string
The OIDC issuer URL.
JwksJson This property is required. string
OIDC JWKs in JSON String format. For details on definition of a JWK, see https://tools.ietf.org/html/rfc7517. If not set, then we use the 'jwks_uri' from the discovery document fetched from the .well-known path for the 'issuer_uri'. Currently, RSA and EC asymmetric keys are supported. The JWK must use the following format and include only the following fields:

```
{ "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
```
AllowedAudiences This property is required. []string

Acceptable values for the 'aud' field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured.

If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

```
//iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
```

IssuerUri This property is required. string
The OIDC issuer URL.
JwksJson This property is required. string
OIDC JWKs in JSON String format. For details on definition of a JWK, see https://tools.ietf.org/html/rfc7517. If not set, then we use the 'jwks_uri' from the discovery document fetched from the .well-known path for the 'issuer_uri'. Currently, RSA and EC asymmetric keys are supported. The JWK must use the following format and include only the following fields:

```
{ "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
```
allowedAudiences This property is required. List<String>

Acceptable values for the 'aud' field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured.

If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

```
//iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
```

issuerUri This property is required. String
The OIDC issuer URL.
jwksJson This property is required. String
OIDC JWKs in JSON String format. For details on definition of a JWK, see https://tools.ietf.org/html/rfc7517. If not set, then we use the 'jwks_uri' from the discovery document fetched from the .well-known path for the 'issuer_uri'. Currently, RSA and EC asymmetric keys are supported. The JWK must use the following format and include only the following fields:

```
{ "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
```
allowedAudiences This property is required. string[]

Acceptable values for the 'aud' field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured.

If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

```
//iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
```

issuerUri This property is required. string
The OIDC issuer URL.
jwksJson This property is required. string
OIDC JWKs in JSON String format. For details on definition of a JWK, see https://tools.ietf.org/html/rfc7517. If not set, then we use the 'jwks_uri' from the discovery document fetched from the .well-known path for the 'issuer_uri'. Currently, RSA and EC asymmetric keys are supported. The JWK must use the following format and include only the following fields:

```
{ "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
```
allowed_audiences This property is required. Sequence[str]

Acceptable values for the 'aud' field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured.

If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

```
//iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
```

issuer_uri This property is required. str
The OIDC issuer URL.
jwks_json This property is required. str
OIDC JWKs in JSON String format. For details on definition of a JWK, see https://tools.ietf.org/html/rfc7517. If not set, then we use the 'jwks_uri' from the discovery document fetched from the .well-known path for the 'issuer_uri'. Currently, RSA and EC asymmetric keys are supported. The JWK must use the following format and include only the following fields:

```
{ "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
```
allowedAudiences This property is required. List<String>

Acceptable values for the 'aud' field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured.

If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example:

```
//iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
```

issuerUri This property is required. String
The OIDC issuer URL.
jwksJson This property is required. String
OIDC JWKs in JSON String format. For details on definition of a JWK, see https://tools.ietf.org/html/rfc7517. If not set, then we use the 'jwks_uri' from the discovery document fetched from the .well-known path for the 'issuer_uri'. Currently, RSA and EC asymmetric keys are supported. The JWK must use the following format and include only the following fields:

```
{ "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
```

GetWorkloadIdentityPoolProviderSaml

IdpMetadataXml This property is required. string
SAML Identity provider configuration metadata xml doc.
IdpMetadataXml This property is required. string
SAML Identity provider configuration metadata xml doc.
idpMetadataXml This property is required. String
SAML Identity provider configuration metadata xml doc.
idpMetadataXml This property is required. string
SAML Identity provider configuration metadata xml doc.
idp_metadata_xml This property is required. str
SAML Identity provider configuration metadata xml doc.
idpMetadataXml This property is required. String
SAML Identity provider configuration metadata xml doc.

GetWorkloadIdentityPoolProviderX509

TrustStores This property is required. List<GetWorkloadIdentityPoolProviderX509TrustStore>
A trust store that wraps the trust anchor and optional intermediate CAs used to build the trust chain for the incoming end-entity certificate. Follow the X.509 guidelines when defining the PEM-encoded certificates. Only 1 trust store is currently supported.
TrustStores This property is required. []GetWorkloadIdentityPoolProviderX509TrustStore
A trust store that wraps the trust anchor and optional intermediate CAs used to build the trust chain for the incoming end-entity certificate. Follow the X.509 guidelines when defining the PEM-encoded certificates. Only 1 trust store is currently supported.
trustStores This property is required. List<GetWorkloadIdentityPoolProviderX509TrustStore>
A trust store that wraps the trust anchor and optional intermediate CAs used to build the trust chain for the incoming end-entity certificate. Follow the X.509 guidelines when defining the PEM-encoded certificates. Only 1 trust store is currently supported.
trustStores This property is required. GetWorkloadIdentityPoolProviderX509TrustStore[]
A trust store that wraps the trust anchor and optional intermediate CAs used to build the trust chain for the incoming end-entity certificate. Follow the X.509 guidelines when defining the PEM-encoded certificates. Only 1 trust store is currently supported.
trust_stores This property is required. Sequence[GetWorkloadIdentityPoolProviderX509TrustStore]
A trust store that wraps the trust anchor and optional intermediate CAs used to build the trust chain for the incoming end-entity certificate. Follow the X.509 guidelines when defining the PEM-encoded certificates. Only 1 trust store is currently supported.
trustStores This property is required. List<Property Map>
A trust store that wraps the trust anchor and optional intermediate CAs used to build the trust chain for the incoming end-entity certificate. Follow the X.509 guidelines when defining the PEM-encoded certificates. Only 1 trust store is currently supported.

GetWorkloadIdentityPoolProviderX509TrustStore

IntermediateCas This property is required. List<GetWorkloadIdentityPoolProviderX509TrustStoreIntermediateCa>
Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
TrustAnchors This property is required. List<GetWorkloadIdentityPoolProviderX509TrustStoreTrustAnchor>
List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here.
IntermediateCas This property is required. []GetWorkloadIdentityPoolProviderX509TrustStoreIntermediateCa
Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
TrustAnchors This property is required. []GetWorkloadIdentityPoolProviderX509TrustStoreTrustAnchor
List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here.
intermediateCas This property is required. List<GetWorkloadIdentityPoolProviderX509TrustStoreIntermediateCa>
Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
trustAnchors This property is required. List<GetWorkloadIdentityPoolProviderX509TrustStoreTrustAnchor>
List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here.
intermediateCas This property is required. GetWorkloadIdentityPoolProviderX509TrustStoreIntermediateCa[]
Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
trustAnchors This property is required. GetWorkloadIdentityPoolProviderX509TrustStoreTrustAnchor[]
List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here.
intermediate_cas This property is required. Sequence[GetWorkloadIdentityPoolProviderX509TrustStoreIntermediateCa]
Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
trust_anchors This property is required. Sequence[GetWorkloadIdentityPoolProviderX509TrustStoreTrustAnchor]
List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here.
intermediateCas This property is required. List<Property Map>
Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
trustAnchors This property is required. List<Property Map>
List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here.

GetWorkloadIdentityPoolProviderX509TrustStoreIntermediateCa

PemCertificate This property is required. string
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
PemCertificate This property is required. string
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
pemCertificate This property is required. String
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
pemCertificate This property is required. string
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
pem_certificate This property is required. str
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
pemCertificate This property is required. String
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).

GetWorkloadIdentityPoolProviderX509TrustStoreTrustAnchor

PemCertificate This property is required. string
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
PemCertificate This property is required. string
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
pemCertificate This property is required. String
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
pemCertificate This property is required. string
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
pem_certificate This property is required. str
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
pemCertificate This property is required. String
PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).

Package Details

Repository
Google Cloud (GCP) Classic pulumi/pulumi-gcp
License
Apache-2.0
Notes
This Pulumi package is based on the google-beta Terraform Provider.