gcloud beta iam workforce-pools create-cred-config

NAME
gcloud beta iam workforce-pools create-cred-config - create a configuration file for generated credentials
SYNOPSIS
gcloud beta iam workforce-pools create-cred-configAUDIENCE--output-file=OUTPUT_FILE--workforce-pool-user-project=WORKFORCE_POOL_USER_PROJECT(--credential-source-file=CREDENTIAL_SOURCE_FILE    |--credential-source-url=CREDENTIAL_SOURCE_URL    |--executable-command=EXECUTABLE_COMMAND)[--credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME][--credential-source-headers=[key=value,…]][--credential-source-type=CREDENTIAL_SOURCE_TYPE][--subject-token-type=SUBJECT_TOKEN_TYPE][--executable-interactive-timeout-millis=EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS--executable-output-file=EXECUTABLE_OUTPUT_FILE--executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS][--service-account=SERVICE_ACCOUNT :--service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS][GCLOUD_WIDE_FLAG]
DESCRIPTION
(BETA) This command creates a configuration file to allow access toauthenticated Google Cloud actions from a variety of external user accounts.
EXAMPLES
To create a file-sourced credential configuration for your project, run:
gcloudbetaiamworkforce-poolscreate-cred-configlocations/$REGION/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID--credential-source-file=$PATH_TO_OIDC_ID_TOKEN--workforce-pool-user-project=$PROJECT_NUMBER--output-file=credentials.json

To create a URL-sourced credential configuration for your project, run:

gcloudbetaiamworkforce-poolscreate-cred-configlocations/$REGION/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID--credential-source-url=$URL_FOR_OIDC_TOKEN--credential-source-headers=Key=Value--workforce-pool-user-project=$PROJECT_NUMBER--output-file=credentials.json

To create an executable-source credential configuration for your project, runthe following command:

gcloudbetaiamworkforce-poolscreate-cred-configlocations/$REGION/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID--executable-command=$EXECUTABLE_COMMAND--executable-timeout-millis=30000--executable-output-file=$CACHE_FILE--workforce-pool-user-project=$PROJECT_NUMBER--output-file=credentials.json

To use the resulting file for any of these commands, set theGOOGLE_APPLICATION_CREDENTIALS environment variable to point to the generatedfile.

POSITIONAL ARGUMENTS
AUDIENCE
The workforce pool provider resource name.
REQUIRED FLAGS
--output-file=OUTPUT_FILE
Location to store the generated credential configuration file.
--workforce-pool-user-project=WORKFORCE_POOL_USER_PROJECT
The client project number used to identify the application (client project) tothe server when calling Google APIs. The user principal must haveserviceusage.services.use IAM permission to use the specified project.
Credential types.

Exactly one of these must be specified:

--credential-source-file=CREDENTIAL_SOURCE_FILE
The location of the file which stores the credential.
--credential-source-url=CREDENTIAL_SOURCE_URL
The URL to obtain the credential from.
--executable-command=EXECUTABLE_COMMAND
The full command to run to retrieve the credential. Must be an absolute path forthe program including arguments.
OPTIONAL FLAGS
--credential-source-field-name=CREDENTIAL_SOURCE_FIELD_NAME
Subject token field name (key) in a JSON credential source.
--credential-source-headers=[key=value,…]
Headers to use when querying the credential-source-url.
--credential-source-type=CREDENTIAL_SOURCE_TYPE
Format of the credential source (JSON or text).
--subject-token-type=SUBJECT_TOKEN_TYPE
The type of token being used for authorization. This defaults tourn:ietf:params:oauth:token-type:id_token.
Arguments for an executable type credential source.
--executable-interactive-timeout-millis=EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS
Timeout duration, in milliseconds, to wait for the executable to finish when thecommand is running in interactive mode.
--executable-output-file=EXECUTABLE_OUTPUT_FILE
Absolute path to the file storing the executable response.
--executable-timeout-millis=EXECUTABLE_TIMEOUT_MILLIS
Timeout duration, in milliseconds, to wait for the executable to finish.
Service account impersonation options.
--service-account=SERVICE_ACCOUNT
Email of the service account to impersonate.

This flag argument must be specified if any of the other arguments in this groupare specified.

--service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME_SECONDS
Lifetime duration of the service account access token in seconds. Defaults toone hour if not specified. If a lifetime greater than one hour is required, theservice account must be added as an allowed value in an Organization Policy thatenforces theconstraints/iam.allowServiceAccountCredentialLifetimeExtensionconstraint.
GCLOUD WIDE FLAGS
These flags are available to all commands:--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.

Run$gcloud help for details.

NOTES
This command is currently in beta and might change without notice. Thesevariants are also available:
gcloudiamworkforce-poolscreate-cred-config
gcloudalphaiamworkforce-poolscreate-cred-config

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-05-07 UTC.