gcloud beta iam workforce-pools providers update-oidc - update an OIDC workforce pool provider

gcloud beta iam workforce-pools providers update-oidc(PROVIDER :--location=LOCATION--workforce-pool=WORKFORCE_POOL)[--async][--attribute-condition=ATTRIBUTE_CONDITION][--attribute-mapping=[KEY=VALUE,…]][--client-id=CLIENT_ID][--description=DESCRIPTION][--detailed-audit-logging][--disabled][--display-name=DISPLAY_NAME][--issuer-uri=ISSUER_URI][--jwk-json-path=PATH_TO_FILE][--scim-usage=SCIM_USAGE][--web-sso-additional-scopes=[WEB_SSO_ADDITIONAL_SCOPES,…]][--web-sso-assertion-claims-behavior=WEB_SSO_ASSERTION_CLAIMS_BEHAVIOR][--web-sso-response-type=WEB_SSO_RESPONSE_TYPE][--clear-client-secret    |--client-secret-value=CLIENT_SECRET_VALUE][--clear-extended-attributes-config    |--extended-attributes-client-id=EXTENDED_ATTRIBUTES_CLIENT_ID--extended-attributes-client-secret-value=EXTENDED_ATTRIBUTES_CLIENT_SECRET_VALUE--extended-attributes-filter=EXTENDED_ATTRIBUTES_FILTER--extended-attributes-issuer-uri=EXTENDED_ATTRIBUTES_ISSUER_URI--extended-attributes-type=EXTENDED_ATTRIBUTES_TYPE][--clear-extra-attributes-config    |--extra-attributes-client-id=EXTRA_ATTRIBUTES_CLIENT_ID--extra-attributes-client-secret-value=EXTRA_ATTRIBUTES_CLIENT_SECRET_VALUE--extra-attributes-filter=EXTRA_ATTRIBUTES_FILTER--extra-attributes-issuer-uri=EXTRA_ATTRIBUTES_ISSUER_URI--extra-attributes-type=EXTRA_ATTRIBUTES_TYPE][GCLOUD_WIDE_FLAG …]

Workforce pool provider resource - The workforce pool provider to update. Thearguments in this group can be used to specify the attributes of this resource.

This must be specified.

PROVIDER

ID of the workforce pool provider or fully qualified identifier for theworkforce pool provider.

To set theprovider attribute:

• provide the argumentprovider on the command line.

This positional argument must be specified if any of the other arguments in thisgroup are specified.

--location=LOCATION

The location for the workforce pool.

To set thelocation attribute:

• provide the argumentprovider on the command line with a fullyspecified name;
• provide the argument--location on the command line.

--workforce-pool=WORKFORCE_POOL

The ID to use for the workforce pool, which becomes the final component of theresource name. This value must be a globally unique string of 6 to 63 lowercaseletters, digits, or hyphens. It must start with a letter, and cannot have atrailing hyphen. The prefixgcp- is reserved for use by Google, andmay not be specified.To set theworkforce-pool attribute:

• provide the argumentprovider on the command line with a fullyspecified name;
• provide the argument--workforce-pool on the command line.

--async

Return immediately, without waiting for the operation in progress to complete.

--attribute-condition=ATTRIBUTE_CONDITION

ACommon ExpressionLanguage expression, in plain text, to restrict which otherwise validauthentication credentials issued by the provider should be accepted.

The expression must output a boolean representing whether to allow thefederation.

The following keywords may be referenced in the expressions:

• assertion: JSON representing the authentication credential issuedby the Provider.
• google: The Google attributes mapped from the assertion in theattribute_mappings.google.profile_photo andgoogle.display_name are not supported.
• attribute: The custom attributes mapped from the assertion in theattribute_mappings.

The maximum length of the attribute condition expression is 4096 characters. Ifunspecified, all valid authentication credential will be accepted.

Example: Only allow credentials with a mappedgoogle.groups valueofadmins.

"'admins' in google.groups"

--attribute-mapping=[KEY=VALUE,…]

Maps claims from the authentication credentials issued by the Identity Providerinto Google Cloud IAM attributes, e.g. subject, segment.

Each key must be a string specifying the Google Cloud IAM attribute to beproduced.

The following predefined keys are currently supported:

• google.subject: required field that indicates the principal that isbeing authenticated to IAM, and will be logged in all API accesses for whichCloud Audit Logging is configured.

• google.groups: optional field that indicates asserted groups thatthe user should be considered to belong to. You can create IAM bindings usingthe groups attribute and access to a resource will be granted if any of thegroups asserted here match a group in the respective binding.

• google.display_name: optional field that overrides the name of theuser. If not set,google.subject will be displayed instead. Thisattribute cannot be used in IAM policies. The maximum length of this field is100 characters.

• google.profile_photo: optional fields that may be set to a validURL specifying the user's thumbnail photo. When set, the image will be visibleas the user's profile picture. If not set, a generic user icon will be displayedinstead. This attribute cannot be used in IAM policies.

Custom attributes can also be mapped by specifyingattribute.{custom_attribute}, replacing{custom_attribute} with the name of the custom attribute to bemapped. A maximum of 50 custom attribute mappings can be defined. The maximumlength of a mapped attribute key is 2048 characters and may only contain thecharacters [a-z0-9].

These attributes can then be referenced in IAM policies to define fine-grainedaccess for the workforce pool to Google Cloud resources by specifying:

• google.subject:principal://iam.googleapis.com/locations/global/workforcePools/{pool}/subject/{value}

• google.groups:principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/group/{value}

• attribute.{custom_attribute}:principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/attribute.{custom_attribute}/{value}

Each value must be aCommonExpression Language function that maps an Identity Provider credential tothe normalized attribute specified by the corresponding map key.

The following keywords may be referenced in the expressions:

• assertion: JSON representing the authentication credential issuedby the Identity Provider.

The maximum length of an attribute mapping expression is 2048 characters. Whenevaluated, the total size of all mapped attributes must not exceed 8KB.

Example: Map thesub claim of the incoming credential to thesubject Google Cloud IAM attribute.

{"google.subject":"assertion.sub"}

--client-id=CLIENT_ID

The OIDC client ID. This must match the audience claim of the JWT issued by theidentity provider.

--description=DESCRIPTION

A description for the workforce pool provider. Cannot exceed 256 characters inlength.

--detailed-audit-logging

Enables detailed audit logging for this provider, which populates additionaldebug information in STS Cloud Audit Logs. Specify--no-detailed-audit-logging to disable it.

--disabled

Disables the workforce pool provider. You cannot use a disabled provider toperform new token exchanges or sign-ins. However, existing tokens still grantaccess. Specify--no-disabled to enable a disabled pool.

--display-name=DISPLAY_NAME

A display name for the workforce pool provider. Cannot exceed 32 characters inlength.

--issuer-uri=ISSUER_URI

The OIDC issuer URI. Must be a valid URI using the 'https' scheme.

--jwk-json-path=PATH_TO_FILE

Optional file containing JSON Web Key (JWK) public keys. The file format mustfollowJWKspecifications. Example file format:

{"keys":[{"kty":"RSA/EC","alg":"<algorithm>","use":"sig","kid":"<key-id>","n":"","e":"","x":"","y":"","crv":""}]}.Useafullorrelativepathtoalocalfilecontainingthevalueofjwk_json_path.

--scim-usage=SCIM_USAGE

Specifies whether the workforce identity pool provider uses SCIM-managed groupsinstead of thegoogle.groups attribute mapping for authorizationchecks.

Thescim_usage andextended_attributes_oauth2_clientfields are mutually exclusive. A request that enables both fields on the sameworkforce identity pool provider will produce an error.

Useenabled-for-groups to enable SCIM-managed groups. Usescim-usage-unspecified to disable SCIM-managed groups.

SCIM_USAGE must be one of:enabled-for-groups,scim-usage-unspecified.

--web-sso-additional-scopes=[WEB_SSO_ADDITIONAL_SCOPES,…]

Additional scopes to request for the OIDC authentication on top of scopesrequested by default. By default, theopenid,profileandemail scopes that are supported by the identity provider arerequested.

Each additional scope may be at most 256 characters. A maximum of 10 additionalscopes may be configured.

--web-sso-assertion-claims-behavior=WEB_SSO_ASSERTION_CLAIMS_BEHAVIOR

The behavior for how OIDC Claims are included in theassertionobject used for attribute mapping and attribute condition. Usemerge-user-info-over-id-token-claims to merge the UserInfo EndpointClaims with ID Token Claims, preferring UserInfo Claim Values for the same ClaimName. Currently this option is only available for Authorization Code flow. Useonly-id-token-claims to include only ID token claims.WEB_SSO_ASSERTION_CLAIMS_BEHAVIOR must be one of:assertion-claims-behavior-unspecified,merge-user-info-over-id-token-claims,only-id-token-claims.

--web-sso-response-type=WEB_SSO_RESPONSE_TYPE

Response Type to request for in the OIDC Authorization Request for web sign-in.Usecode to select theauthorizationcode flow Useid-token to select theimplicitflow.WEB_SSO_RESPONSE_TYPE must be one of:code,id-token,response-type-unspecified.

At most one of these can be specified:

--clear-client-secret

Clear the OIDC client secret.

--client-secret-value=CLIENT_SECRET_VALUE

The OIDC client secret. Required to enable Authorization Code flow for websign-in.

At most one of these can be specified:

--clear-extended-attributes-config

Clear the extended attributes configuration.

--extended-attributes-client-id=EXTENDED_ATTRIBUTES_CLIENT_ID

The OAuth 2.0 client ID for retrieving extended attributes from the identityprovider. Required to get extended group memberships for a subset of GoogleCloud products.

--extended-attributes-client-secret-value=EXTENDED_ATTRIBUTES_CLIENT_SECRET_VALUE

The OAuth 2.0 client secret for retrieving extended attributes from the identityprovider. Required to get extended group memberships for a subset of GoogleCloud products.

--extended-attributes-filter=EXTENDED_ATTRIBUTES_FILTER

The filter used to request specific records from the IdP. By default, all of thegroups that are associated with a user are fetched. For Microsoft Entra ID, youcan add$search query parameters using [Keyword Query Language](https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference).To learn more about$search querying in Microsoft Entra ID, see[Use the$search query parameter](https://learn.microsoft.com/en-us/graph/search-query-parameter).

Additionally, Workforce Identity Federation automatically adds the following[$filter query parameters](https://learn.microsoft.com/en-us/graph/filter-query-parameter), based on thevalue ofattributes_type. Values passed tofilter areconverted to$search query parameters. Additional$filter query parameters cannot be added using this field.

• AZURE_AD_GROUPS_ID:securityEnabled filter is applied.

--extended-attributes-issuer-uri=EXTENDED_ATTRIBUTES_ISSUER_URI

OIDC identity provider's issuer URI. Must be a valid URI using thehttps scheme. Required to get the OIDC discovery document.

--extended-attributes-type=EXTENDED_ATTRIBUTES_TYPE

Represents the identity provider and type of claims that should be fetched.EXTENDED_ATTRIBUTES_TYPE must be (only one value issupported):azure-ad-groups-id.

At most one of these can be specified:

--clear-extra-attributes-config

Clear the extra attributes configuration.

--extra-attributes-client-id=EXTRA_ATTRIBUTES_CLIENT_ID

The OAuth 2.0 client ID for retrieving extra attributes from the identityprovider. Required to get the access token using client credentials grant flow.

--extra-attributes-client-secret-value=EXTRA_ATTRIBUTES_CLIENT_SECRET_VALUE

The OAuth 2.0 client secret for retrieving extra attributes from the identityprovider. Required to get the access token using client credentials grant flow.

--extra-attributes-filter=EXTRA_ATTRIBUTES_FILTER

The filter used to request specific records from the IdP. By default, all of thegroups that are associated with a user are fetched. For Microsoft Entra ID, youcan add$search query parameters using [Keyword Query Language](https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference).To learn more about$search querying in Microsoft Entra ID, see[Use the$search query parameter](https://learn.microsoft.com/en-us/graph/search-query-parameter).

Additionally, Workforce Identity Federation automatically adds the following[$filter query parameters](https://learn.microsoft.com/en-us/graph/filter-query-parameter), based on thevalue ofattributes_type. Values passed tofilter areconverted to$search query parameters. Additional$filter query parameters cannot be added using this field.

• AZURE_AD_GROUPS_MAIL:mailEnabled andsecurityEnabled filters are applied.
• AZURE_AD_GROUPS_ID:securityEnabled filter is applied.

--extra-attributes-issuer-uri=EXTRA_ATTRIBUTES_ISSUER_URI

OIDC identity provider's issuer URI. Must be a valid URI using thehttps scheme. Required to get the OIDC discovery document.

--extra-attributes-type=EXTRA_ATTRIBUTES_TYPE

Represents the identity provider and type of claims that should be fetched.EXTRA_ATTRIBUTES_TYPE must be one of:azure-ad-groups-mail,azure-ad-groups-id.

Run$gcloud help for details.