gcloud beta iam workforce-pools providers create-oidc

NAME

gcloud beta iam workforce-pools providers create-oidc - create a new OIDC workforce pool provider

SYNOPSIS

gcloud beta iam workforce-pools providers create-oidc (PROVIDER : --location=LOCATION --workforce-pool=WORKFORCE_POOL) --attribute-mapping=[KEY=VALUE,…] --client-id=CLIENT_ID --issuer-uri=ISSUER_URI (--web-sso-assertion-claims-behavior=WEB_SSO_ASSERTION_CLAIMS_BEHAVIOR --web-sso-response-type=WEB_SSO_RESPONSE_TYPE : --web-sso-additional-scopes=[WEB_SSO_ADDITIONAL_SCOPES,…]) [--async] [--attribute-condition=ATTRIBUTE_CONDITION] [--client-secret-value=CLIENT_SECRET_VALUE] [--description=DESCRIPTION] [--detailed-audit-logging] [--disabled] [--display-name=DISPLAY_NAME] [--jwk-json-path=PATH_TO_FILE] [--scim-usage=SCIM_USAGE] [--extended-attributes-client-id=EXTENDED_ATTRIBUTES_CLIENT_ID --extended-attributes-client-secret-value=EXTENDED_ATTRIBUTES_CLIENT_SECRET_VALUE --extended-attributes-issuer-uri=EXTENDED_ATTRIBUTES_ISSUER_URI --extended-attributes-type=EXTENDED_ATTRIBUTES_TYPE : --extended-attributes-filter=EXTENDED_ATTRIBUTES_FILTER] [--extra-attributes-client-id=EXTRA_ATTRIBUTES_CLIENT_ID --extra-attributes-client-secret-value=EXTRA_ATTRIBUTES_CLIENT_SECRET_VALUE --extra-attributes-issuer-uri=EXTRA_ATTRIBUTES_ISSUER_URI --extra-attributes-type=EXTRA_ATTRIBUTES_TYPE : --extra-attributes-filter=EXTRA_ATTRIBUTES_FILTER] [GCLOUD_WIDE_FLAG …]

DESCRIPTION

(BETA) Create a new OIDC workforce pool provider.

EXAMPLES

The following command creates a disabled OIDC workforce pool provider with the ID my-workforce-pool-provider. Explicit values for all required and optional parameters are provided.

gcloud beta iam workforce-pools providers create-oidc my-workforce-pool-provider --workforce-pool="my-workforce-pool" --location="global" --display-name="My Workforce Pool Provider" --description="My workforce pool provider description." --disabled --detailed-audit-logging --attribute-mapping="google.subject=assertion.sub" --attribute-condition="true" --client-id="client-id" --client-secret-value="client-secret" --issuer-uri="https://test-idp.com" --web-sso-response-type="code" --web-sso-assertion-claims-behavior="merge-user-info-over-id-token-claims" --web-sso-additional-scopes="groups,photos" --jwk-json-path="path/to/jwk.json"

POSITIONAL ARGUMENTS

Workforce pool provider resource - The workforce pool provider to create. The arguments in this group can be used to specify the attributes of this resource. This must be specified.

PROVIDER

ID of the workforce pool provider or fully qualified identifier for the workforce pool provider.

To set the provider attribute:

provide the argument provider on the command line.

This positional argument must be specified if any of the other arguments in this group are specified.

--location=LOCATION

The location for the workforce pool. To set the location attribute:

provide the argument provider on the command line with a fully specified name;
provide the argument --location on the command line.

--workforce-pool=WORKFORCE_POOL

The ID to use for the workforce pool, which becomes the final component of the resource name. This value must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix gcp- is reserved for use by Google, and may not be specified. To set the workforce-pool attribute:

provide the argument provider on the command line with a fully specified name;
provide the argument --workforce-pool on the command line.

REQUIRED FLAGS

--attribute-mapping=[KEY=VALUE,…]

Maps claims from the authentication credentials issued by the Identity Provider into Google Cloud IAM attributes, e.g. subject, segment.

Each key must be a string specifying the Google Cloud IAM attribute to be produced.

The following predefined keys are currently supported:

google.subject: required field that indicates the principal that is being authenticated to IAM, and will be logged in all API accesses for which Cloud Audit Logging is configured.

google.groups: optional field that indicates asserted groups that the user should be considered to belong to. You can create IAM bindings using the groups attribute and access to a resource will be granted if any of the groups asserted here match a group in the respective binding.

google.display_name: optional field that overrides the name of the user. If not set, google.subject will be displayed instead. This attribute cannot be used in IAM policies. The maximum length of this field is 100 characters.

google.profile_photo: optional fields that may be set to a valid URL specifying the user's thumbnail photo. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be used in IAM policies.

Custom attributes can also be mapped by specifying attribute.{custom_attribute}, replacing {custom_attribute} with the name of the custom attribute to be mapped. A maximum of 50 custom attribute mappings can be defined. The maximum length of a mapped attribute key is 2048 characters and can only contain the characters [a-z0-9_].

These attributes can then be referenced in IAM policies to define fine-grained access for the workforce pool to Google Cloud resources by specifying:

google.subject: principal://iam.googleapis.com/locations/global/workforcePools/{pool}/subject/{value}

google.groups: principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/group/{value}

attribute.{custom_attribute}: principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/attribute.{custom_attribute}/{value}

Each value must be a Common Expression Language function that maps an Identity Provider credential to the normalized attribute specified by the corresponding map key.

The following keywords may be referenced in the expressions:

assertion: JSON representing the authentication credential issued by the Identity Provider.

The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB.

Example: Map the sub claim of the incoming credential to the subject Google Cloud IAM attribute.

{"google.subject": "assertion.sub"}

--client-id=CLIENT_ID

The OIDC client ID. This must match the audience claim of the JWT issued by the identity provider.

--issuer-uri=ISSUER_URI

The OIDC issuer URI. Must be a valid URI using the 'https' scheme.

This must be specified.

--web-sso-assertion-claims-behavior=WEB_SSO_ASSERTION_CLAIMS_BEHAVIOR

The behavior for how OIDC Claims are included in the assertion object used for attribute mapping and attribute condition.

Use merge-user-info-over-id-token-claims to merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. Currently this option is only available for Authorization Code flow.

Use only-id-token-claims to include only ID token claims.

WEB_SSO_ASSERTION_CLAIMS_BEHAVIOR must be one of: assertion-claims-behavior-unspecified, merge-user-info-over-id-token-claims, only-id-token-claims.

This flag argument must be specified if any of the other arguments in this group are specified.

--web-sso-response-type=WEB_SSO_RESPONSE_TYPE

Response Type to request for in the OIDC Authorization Request for web sign-in.

Use code to select the authorization code flow

Use id-token to select the implicit flow.

WEB_SSO_RESPONSE_TYPE must be one of: code, id-token, response-type-unspecified.

This flag argument must be specified if any of the other arguments in this group are specified.

--web-sso-additional-scopes=[WEB_SSO_ADDITIONAL_SCOPES,…]

Additional scopes to request for the OIDC authentication on top of scopes requested by default. By default, the openid, profile and email scopes that are supported by the identity provider are requested.

Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.

Updating this field replaces any existing values. Include the full list of additional scopes to avoid losing existing values.

OPTIONAL FLAGS

--async

Return immediately, without waiting for the operation in progress to complete.

--attribute-condition=ATTRIBUTE_CONDITION

A Common Expression Language expression, in plain text, to restrict which otherwise valid authentication credentials issued by the provider should be accepted.

The expression must output a boolean representing whether to allow the federation.

The following keywords may be referenced in the expressions:

assertion: JSON representing the authentication credential issued by the Provider.
google: The Google attributes mapped from the assertion in the attribute_mappings. google.profile_photo and google.display_name are not supported.
attribute: The custom attributes mapped from the assertion in the attribute_mappings.

The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credential will be accepted.

Example: Only allow credentials with a mapped google.groups value of admins.

"'admins' in google.groups"

--client-secret-value=CLIENT_SECRET_VALUE

The OIDC client secret. Required to enable Authorization Code flow for web sign-in.

--description=DESCRIPTION

A description for the workforce pool provider. Cannot exceed 256 characters in length.

--detailed-audit-logging

Enables detailed audit logging for this provider, which populates additional debug information in STS Cloud Audit Logs. Specify --no-detailed-audit-logging to disable it.

--disabled

Disables the workforce pool provider. You cannot use a disabled provider to perform new token exchanges or sign-ins. However, existing tokens still grant access. Specify --no-disabled to enable a disabled pool.

--display-name=DISPLAY_NAME

A display name for the workforce pool provider. Cannot exceed 32 characters in length.

--jwk-json-path=PATH_TO_FILE

Optional file containing JSON Web Key (JWK) public keys. The file format must follow JWK specifications. Example file format:

{
  "keys": [
     {
          "kty": "RSA/EC",
          "alg": "<algorithm>",
          "use": "sig",
          "kid": "<key-id>",
          "n": "",
          "e": "",
          "x": "",
          "y": "",
          "crv": ""
     }
  ]
}
 . Use a full or relative path to a local file containing the value of
jwk_json_path.

--scim-usage=SCIM_USAGE

Specifies whether the workforce identity pool provider uses SCIM-managed groups instead of the google.groups attribute mapping for authorization checks.

The scim_usage and extended_attributes_oauth2_client fields are mutually exclusive. A request that enables both fields on the same workforce identity pool provider will produce an error.

Use enabled-for-groups to enable SCIM-managed groups. Use scim-usage-unspecified to disable SCIM-managed groups.

SCIM_USAGE must be one of: enabled-for-groups, scim-usage-unspecified.

--extended-attributes-client-id=EXTENDED_ATTRIBUTES_CLIENT_ID

The OAuth 2.0 client ID for retrieving extended attributes from the identity provider. Required to get extended group memberships for a subset of Google Cloud products. The --extended-attributes-client-id flag is restricted. We suggest you use SCIM instead.

--extended-attributes-client-secret-value=EXTENDED_ATTRIBUTES_CLIENT_SECRET_VALUE

The OAuth 2.0 client secret for retrieving extended attributes from the identity provider. Required to get extended group memberships for a subset of Google Cloud products. The --extended-attributes-client-secret-value flag is restricted. We suggest you use SCIM instead.

--extended-attributes-issuer-uri=EXTENDED_ATTRIBUTES_ISSUER_URI

OIDC identity provider's issuer URI. Must be a valid URI using the https scheme. Required to get the OIDC discovery document. The --extended-attributes-issuer-uri flag is restricted. We suggest you use SCIM instead.

--extended-attributes-type=EXTENDED_ATTRIBUTES_TYPE

Represents the identity provider and type of claims that should be fetched. The --extended-attributes-type flag is restricted. We suggest you use SCIM instead. EXTENDED_ATTRIBUTES_TYPE must be (only one value is supported): azure-ad-groups-id.

--extended-attributes-filter=EXTENDED_ATTRIBUTES_FILTER

The filter used to request specific records from the IdP. By default, all of the groups that are associated with a user are fetched. For Microsoft Entra ID, you can add $search query parameters using [Keyword Query Language] (https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference). To learn more about $search querying in Microsoft Entra ID, see [Use the $search query parameter] (https://learn.microsoft.com/en-us/graph/search-query-parameter). Additionally, Workforce Identity Federation automatically adds the following [$filter query parameters] (https://learn.microsoft.com/en-us/graph/filter-query-parameter), based on the value of attributes_type. Values passed to filter are converted to $search query parameters. Additional $filter query parameters cannot be added using this field.

AZURE_AD_GROUPS_ID: securityEnabled filter is applied. The --extended-attributes-filter flag is restricted. We suggest you use SCIM instead.

--extra-attributes-client-id=EXTRA_ATTRIBUTES_CLIENT_ID

The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the access token using client credentials grant flow.

--extra-attributes-client-secret-value=EXTRA_ATTRIBUTES_CLIENT_SECRET_VALUE

The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the access token using client credentials grant flow.

--extra-attributes-issuer-uri=EXTRA_ATTRIBUTES_ISSUER_URI

OIDC identity provider's issuer URI. Must be a valid URI using the https scheme. Required to get the OIDC discovery document.

--extra-attributes-type=EXTRA_ATTRIBUTES_TYPE

Represents the identity provider and type of claims that should be fetched. EXTRA_ATTRIBUTES_TYPE must be one of: attributes-type-unspecified, azure-ad-groups-display-name, azure-ad-groups-id, azure-ad-groups-mail.

--extra-attributes-filter=EXTRA_ATTRIBUTES_FILTER

AZURE_AD_GROUPS_MAIL: mailEnabled and securityEnabled filters are applied.
AZURE_AD_GROUPS_ID: securityEnabled filter is applied.
AZURE_AD_GROUPS_DISPLAY_NAME: securityEnabled filter is applied.

GCLOUD WIDE FLAGS

These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

API REFERENCE

This command uses the iam/v1 API. The full documentation for this API can be found at: https://cloud.google.com/iam/

NOTES

This command is currently in beta and might change without notice. These variants are also available:

gcloud iam workforce-pools providers create-oidc

gcloud alpha iam workforce-pools providers create-oidc

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-06-09 UTC.

gcloud beta iam workforce-pools providers create-oidc Stay organized with collections Save and categorize content based on your preferences.

gcloud beta iam workforce-pools providers create-oidc