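--- a/docs/dyn/iam_v1.projects.locations.workloadIdentityPools.providers.html
+++ b/docs/dyn/iam_v1.projects.locations.workloadIdentityPools.providers.html
@@ -140,13 +140,27 @@ <h3>Method Details</h3>
 "allowedAudiences": [ # Optional. Acceptable values for the `aud` field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: ``` //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ ```
 "A String",
 ],
-"issuerUri": "A String", # Required. The OIDC issuer URL. Must be an HTTPS endpoint.
+"issuerUri": "A String", # Required. The OIDC issuer URL. Must be an HTTPS endpoint. Used per OpenID Connect Discovery 1.0 spec to locate the provider's public keys (via `jwks_uri`) for verifying tokens like the OIDC ID token. These public key types must be 'EC' or 'RSA'.
 "jwksJson": "A String", # Optional. OIDC JWKs in JSON String format. For details on the definition of a JWK, see https://tools.ietf.org/html/rfc7517. If not set, the `jwks_uri` from the discovery document(fetched from the .well-known path of the `issuer_uri`) will be used. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields: { "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
 },
 "saml": { # Represents an SAML 2.0 identity provider. # An SAML 2.0 identity provider.
 "idpMetadataXml": "A String", # Required. SAML identity provider (IdP) configuration metadata XML doc. The XML document must comply with the [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). The maximum size of an acceptable XML document is 128K characters. The SAML metadata XML document must satisfy the following constraints: * Must contain an IdP Entity ID. * Must contain at least one non-expired signing certificate. * For each signing certificate, the expiration must be: * From no more than 7 days in the future. * To no more than 20 years in the future. * Up to three IdP signing keys are allowed. When updating the provider's metadata XML, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
 },
 "state": "A String", # Output only. The state of the provider.
+"x509": { # An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. # An X.509-type identity provider.
+"trustStore": { # Trust store that contains trust anchors and optional intermediate CAs used in PKI to build trust chain and verify client's identity. # Required. A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
+"intermediateCas": [ # Optional. Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: * Intermediate CAs are only supported when configuring x509 federation.
+{ # Intermediate CA certificates used for building the trust chain to trust anchor
+"pemCertificate": "A String", # PEM certificate of the PKI used for validation. Must only contain one ca certificate.
+},
+],
+"trustAnchors": [ # Required. List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here.
+{ # Represents a root of trust.
+"pemCertificate": "A String", # PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
+},
+],
+},
+},
 }
 
 workloadIdentityPoolProviderId: string, Required. The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified.
@@ -245,13 +259,27 @@ <h3>Method Details</h3>
 "allowedAudiences": [ # Optional. Acceptable values for the `aud` field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: ``` //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ ```
 "A String",
 ],
-"issuerUri": "A String", # Required. The OIDC issuer URL. Must be an HTTPS endpoint.
+"issuerUri": "A String", # Required. The OIDC issuer URL. Must be an HTTPS endpoint. Used per OpenID Connect Discovery 1.0 spec to locate the provider's public keys (via `jwks_uri`) for verifying tokens like the OIDC ID token. These public key types must be 'EC' or 'RSA'.
 "jwksJson": "A String", # Optional. OIDC JWKs in JSON String format. For details on the definition of a JWK, see https://tools.ietf.org/html/rfc7517. If not set, the `jwks_uri` from the discovery document(fetched from the .well-known path of the `issuer_uri`) will be used. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields: { "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
 },
 "saml": { # Represents an SAML 2.0 identity provider. # An SAML 2.0 identity provider.
 "idpMetadataXml": "A String", # Required. SAML identity provider (IdP) configuration metadata XML doc. The XML document must comply with the [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). The maximum size of an acceptable XML document is 128K characters. The SAML metadata XML document must satisfy the following constraints: * Must contain an IdP Entity ID. * Must contain at least one non-expired signing certificate. * For each signing certificate, the expiration must be: * From no more than 7 days in the future. * To no more than 20 years in the future. * Up to three IdP signing keys are allowed. When updating the provider's metadata XML, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
 },
 "state": "A String", # Output only. The state of the provider.
+"x509": { # An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. # An X.509-type identity provider.
+"trustStore": { # Trust store that contains trust anchors and optional intermediate CAs used in PKI to build trust chain and verify client's identity. # Required. A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
+"intermediateCas": [ # Optional. Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: * Intermediate CAs are only supported when configuring x509 federation.
+{ # Intermediate CA certificates used for building the trust chain to trust anchor
+"pemCertificate": "A String", # PEM certificate of the PKI used for validation. Must only contain one ca certificate.
+},
+],
+"trustAnchors": [ # Required. List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here.
+{ # Represents a root of trust.
+"pemCertificate": "A String", # PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
+},
+],
+},
+},
 }</pre>
 </div>
 
@@ -292,13 +320,27 @@ <h3>Method Details</h3>
 "allowedAudiences": [ # Optional. Acceptable values for the `aud` field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: ``` //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ ```
 "A String",
 ],
-"issuerUri": "A String", # Required. The OIDC issuer URL. Must be an HTTPS endpoint.
+"issuerUri": "A String", # Required. The OIDC issuer URL. Must be an HTTPS endpoint. Used per OpenID Connect Discovery 1.0 spec to locate the provider's public keys (via `jwks_uri`) for verifying tokens like the OIDC ID token. These public key types must be 'EC' or 'RSA'.
 "jwksJson": "A String", # Optional. OIDC JWKs in JSON String format. For details on the definition of a JWK, see https://tools.ietf.org/html/rfc7517. If not set, the `jwks_uri` from the discovery document(fetched from the .well-known path of the `issuer_uri`) will be used. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields: { "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
 },
 "saml": { # Represents an SAML 2.0 identity provider. # An SAML 2.0 identity provider.
 "idpMetadataXml": "A String", # Required. SAML identity provider (IdP) configuration metadata XML doc. The XML document must comply with the [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). The maximum size of an acceptable XML document is 128K characters. The SAML metadata XML document must satisfy the following constraints: * Must contain an IdP Entity ID. * Must contain at least one non-expired signing certificate. * For each signing certificate, the expiration must be: * From no more than 7 days in the future. * To no more than 20 years in the future. * Up to three IdP signing keys are allowed. When updating the provider's metadata XML, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
 },
 "state": "A String", # Output only. The state of the provider.
+"x509": { # An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. # An X.509-type identity provider.
+"trustStore": { # Trust store that contains trust anchors and optional intermediate CAs used in PKI to build trust chain and verify client's identity. # Required. A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
+"intermediateCas": [ # Optional. Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: * Intermediate CAs are only supported when configuring x509 federation.
+{ # Intermediate CA certificates used for building the trust chain to trust anchor
+"pemCertificate": "A String", # PEM certificate of the PKI used for validation. Must only contain one ca certificate.
+},
+],
+"trustAnchors": [ # Required. List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here.
+{ # Represents a root of trust.
+"pemCertificate": "A String", # PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
+},
+],
+},
+},
 },
 ],
 }</pre>
@@ -344,13 +386,27 @@ <h3>Method Details</h3>
 "allowedAudiences": [ # Optional. Acceptable values for the `aud` field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. For example: ``` //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ ```
 "A String",
 ],
-"issuerUri": "A String", # Required. The OIDC issuer URL. Must be an HTTPS endpoint.
+"issuerUri": "A String", # Required. The OIDC issuer URL. Must be an HTTPS endpoint. Used per OpenID Connect Discovery 1.0 spec to locate the provider's public keys (via `jwks_uri`) for verifying tokens like the OIDC ID token. These public key types must be 'EC' or 'RSA'.
 "jwksJson": "A String", # Optional. OIDC JWKs in JSON String format. For details on the definition of a JWK, see https://tools.ietf.org/html/rfc7517. If not set, the `jwks_uri` from the discovery document(fetched from the .well-known path of the `issuer_uri`) will be used. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields: { "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] }
 },
 "saml": { # Represents an SAML 2.0 identity provider. # An SAML 2.0 identity provider.
 "idpMetadataXml": "A String", # Required. SAML identity provider (IdP) configuration metadata XML doc. The XML document must comply with the [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). The maximum size of an acceptable XML document is 128K characters. The SAML metadata XML document must satisfy the following constraints: * Must contain an IdP Entity ID. * Must contain at least one non-expired signing certificate. * For each signing certificate, the expiration must be: * From no more than 7 days in the future. * To no more than 20 years in the future. * Up to three IdP signing keys are allowed. When updating the provider's metadata XML, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata.
 },
 "state": "A String", # Output only. The state of the provider.
+"x509": { # An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. # An X.509-type identity provider.
+"trustStore": { # Trust store that contains trust anchors and optional intermediate CAs used in PKI to build trust chain and verify client's identity. # Required. A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported.
+"intermediateCas": [ # Optional. Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: * Intermediate CAs are only supported when configuring x509 federation.
+{ # Intermediate CA certificates used for building the trust chain to trust anchor
+"pemCertificate": "A String", # PEM certificate of the PKI used for validation. Must only contain one ca certificate.
+},
+],
+"trustAnchors": [ # Required. List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here.
+{ # Represents a root of trust.
+"pemCertificate": "A String", # PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert).
+},
+],
+},
+},
 }
 
 updateMask: string, Required. The list of fields to update.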
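Review bot: The new `trustStore` comment (the `"trustStore": {` line in each of the four hunks) tells the reader to "Follow the x509 guidelines to define those PEM encoded certs" without naming or linking those guidelines, and none of the x509 text says whether revocation (CRL/OCSP) or validity periods are checked while chaining the end-entity certificate to a trust anchor, which is exactly what an operator federating a private CA into workload identity needs to know before relying on it. The `trustAnchors` comment also permits an intermediate CA as the anchor; if chain building then stops at that intermediate instead of continuing to its root, that consequence should be stated explicitly rather than left for the reader to infer. Since this HTML is generated from the discovery document, the wording fix belongs in the upstream API description rather than in a hand edit here; I would rewrite the trustStore comment as `Required. The trust store wrapping the trust anchor(s) and optional intermediate CAs used to build the chain for the incoming end-entity certificate. Each entry must be a single PEM-encoded CA certificate; see the X.509 federation documentation for the exact constraints. Only 1 trust store is currently supported.` The request-body listing these hunks edit is a `<pre>` block that begins above the first hunk.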
googleapiclient/discovery_cache/documents/iam.v1.json
+19-4
@@ -3773,7 +3773,7 @@
3773
3773
}
3774
3774
}
3775
3775
},
3776
-
"revision": "20250320",
3776
+
"revision": "20250411",
3777
3777
"rootUrl": "https://iam.googleapis.com/",
3778
3778
"schemas": {
3779
3779
"AccessRestrictions": {
@@ -4163,8 +4163,8 @@
4163
4163
],
4164
4164
"enumDescriptions": [
4165
4165
"No AttributesType specified.",
4166
-
"Used to get the user's group claims from the Microsoft Entra ID identity provider using configuration provided in ExtraAttributesOAuth2Client and `mail` property of the `microsoft.graph.group` object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on `microsoft.graph.group` properties. The attributes obtained from idntity provider are mapped to `assertion.groups`.",
4167
-
"Used to get the user's group claims from the Microsoft Entra ID identity provider using configuration provided in ExtraAttributesOAuth2Client and `id` property of the `microsoft.graph.group` object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on `microsoft.graph.group` properties. The group IDs obtained from Microsoft Entra ID are present in `assertion. groups` for OIDC providers and `assertion.attributes.groups` for SAML providers for attribute mapping."
4166
+
"Used to get the user's group claims from the Microsoft Entra ID identity provider using the configuration provided in ExtraAttributesOAuth2Client. The `mail` property of the `microsoft.graph.group` object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on `microsoft.graph.group` properties. The group mail addresses of the user's groups that are returned from Microsoft Entra ID can be mapped by using the following attributes: * OIDC: `assertion.groups` * SAML: `assertion.attributes.groups`",
4167
+
"Used to get the user's group claims from the Microsoft Entra ID identity provider using the configuration provided in ExtraAttributesOAuth2Client. The `id` property of the `microsoft.graph.group` object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on `microsoft.graph.group` properties. The group IDs of the user's groups that are returned from Microsoft Entra ID can be mapped by using the following attributes: * OIDC: `assertion.groups` * SAML: `assertion.attributes.groups`"
4168
4168
],
4169
4169
"type": "string"
4170
4170
},
@@ -4886,7 +4886,7 @@
4886
4886
"type": "array"
4887
4887
},
4888
4888
"issuerUri": {
4889
-
"description": "Required. The OIDC issuer URL. Must be an HTTPS endpoint.",
4889
+
"description": "Required. The OIDC issuer URL. Must be an HTTPS endpoint. Used per OpenID Connect Discovery 1.0 spec to locate the provider's public keys (via `jwks_uri`) for verifying tokens like the OIDC ID token. These public key types must be 'EC' or 'RSA'.",
4890
4890
"type": "string"
4891
4891
},
4892
4892
"jwksJson": {
@@ -6197,6 +6197,10 @@ false
6197
6197
],
6198
6198
"readOnly": true,
6199
6199
"type": "string"
6200
+
},
6201
+
"x509": {
6202
+
"$ref": "X509",
6203
+
"description": "An X.509-type identity provider."
6200
6204
}
6201
6205
},
6202
6206
"type": "object"
@@ -6249,6 +6253,17 @@ false
6249
6253
}
6250
6254
},
6251
6255
"type": "object"
6256
+
},
6257
+
"X509": {
6258
+
"description": "An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA.",
6259
+
"id": "X509",
6260
+
"properties": {
6261
+
"trustStore": {
6262
+
"$ref": "TrustStore",
6263
+
"description": "Required. A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported."