gcloud iam workload-identity-pools providers keys create

NAME

gcloud iam workload-identity-pools providers keys create - create a new workload identity pool provider key

SYNOPSIS

gcloud iam workload-identity-pools providers keys create (KEY : --location=LOCATION --provider=PROVIDER --workload-identity-pool=WORKLOAD_IDENTITY_POOL) --spec=SPEC --use=USE [--async] [GCLOUD_WIDE_FLAG …]

DESCRIPTION

Create a new workload identity pool provider key.

EXAMPLES

The following command creates a workload identity pool provider key in the default project with the ID my-key. Explicit values for all required and optional parameters are provided.

gcloud iam workload-identity-pools providers keys create my-key --location="global" --workload-identity-pool="my-workload-identity-pool" --provider="my-provider" --use="ENCRYPTION" --spec="RSA_4096"

POSITIONAL ARGUMENTS

Workload identity pool provider key resource - The workload identity pool provider key to create. The arguments in this group can be used to specify the attributes of this resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways.

To set the project attribute:

provide the argument key on the command line with a fully specified name;
provide the argument --project on the command line;
set the property core/project.

This must be specified.

KEY

ID of the workload identity pool provider key or fully qualified identifier for the workload identity pool provider key.

To set the key attribute:

provide the argument key on the command line.

This positional argument must be specified if any of the other arguments in this group are specified.

--location=LOCATION

The location name. To set the location attribute:

provide the argument key on the command line with a fully specified name;
provide the argument --location on the command line.

--provider=PROVIDER

The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified. To set the provider attribute:

provide the argument key on the command line with a fully specified name;
provide the argument --provider on the command line.

--workload-identity-pool=WORKLOAD_IDENTITY_POOL

The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix gcp- is reserved for use by Google, and may not be specified. To set the workload-identity-pool attribute:

provide the argument key on the command line with a fully specified name;
provide the argument --workload-identity-pool on the command line.

REQUIRED FLAGS

--spec=SPEC: The specifications for the key. SPEC must be one of: key-spec-unspecified, rsa-2048, rsa-3072, rsa-4096.
--use=USE: The purpose of the key. USE must be one of: encryption, key-use-unspecified.

OPTIONAL FLAGS

--async: Return immediately, without waiting for the operation in progress to complete.

GCLOUD WIDE FLAGS

These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

API REFERENCE

This command uses the iam/v1 API. The full documentation for this API can be found at: https://cloud.google.com/iam/

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-05-27 UTC.

gcloud iam workload-identity-pools providers keys create Stay organized with collections Save and categorize content based on your preferences.

gcloud iam workload-identity-pools providers keys create