Identity and Access Management API overview

The Identity and Access Management (IAM) API uses Kubernetes custom resources to manage access control for identity providers.

To use the IAM API, use the GDC console. If your application calls the API through your own libraries, use the service endpoint described in the following section together with the full API definitions to build your requests.

Service endpoint and discovery document

The IAM API is provided in two packages, one for zonal deployments and one for global deployments.

The API endpoints for the zonal and global IAM APIs are the following, respectively:

  • https://MANAGEMENT_API_SERVER_ENDPOINT/apis/iam.gdc.goog/v1
  • https://MANAGEMENT_API_SERVER_ENDPOINT/apis/iam.global.gdc.goog/v1

The MANAGEMENT_API_SERVER_ENDPOINT variable is the endpoint of the Management API server.

Run the kubectl proxy command, then open the URL in your browser to obtain the discovery document for the IAM API. The kubectl proxy command opens a proxy on 127.0.0.1:8001 on your local machine to the Kubernetes API server. While that command is running, access the documents at the following URLs:

  • http://127.0.0.1:8001/apis/iam.gdc.goog/v1
  • http://127.0.0.1:8001/apis/iam.global.gdc.goog/v1

Example resources

The following is a sample IdentityProviderConfig resource:

apiVersion: iam.gdc.goog/v1
kind: IdentityProviderConfig
metadata:
  name: example-provider
  namespace: platform
spec:
  - oidc:
      clientID: clientID
      clientSecret: clientSecret
      groupPrefix: example-
      groupsClaim: groups
      issuerURI: https://test-oidc-provider.example.com
      scopes: openid email profile
      userClaim: user-email@example.com
      userPrefix: example-
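The discovery document served at the proxied URL above is a standard Kubernetes APIResourceList; the following added Python example (not code from the GDC documentation) parses a constructed sample of that document for iam.gdc.goog/v1 and builds the proxied request URL for the sample IdentityProviderConfig resource. The resource entries and verbs in the sample are assumptions; the real document returned by the Management API server may list other resources.

```python
import json
from typing import Optional

# Constructed sample discovery document (assumption: shaped like the one the
# Management API server returns for the zonal IAM API group).
SAMPLE_DISCOVERY = json.dumps({
    "kind": "APIResourceList",
    "apiVersion": "v1",
    "groupVersion": "iam.gdc.goog/v1",
    "resources": [
        {"name": "identityproviderconfigs", "singularName": "identityproviderconfig",
         "namespaced": True, "kind": "IdentityProviderConfig",
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"name": "identityproviderconfigs/status", "singularName": "",
         "namespaced": True, "kind": "IdentityProviderConfig",
         "verbs": ["get", "patch", "update"]},
    ],
})


def parse_discovery(doc: str) -> dict:
    """Map each resource name to (kind, namespaced, verbs) from an APIResourceList."""
    data = json.loads(doc)
    if data.get("kind") != "APIResourceList":
        raise ValueError("not an APIResourceList document")
    return {
        r["name"]: (r["kind"], bool(r.get("namespaced")), tuple(r.get("verbs", [])))
        for r in data.get("resources", [])
    }


def resource_url(base: str, group_version: str, resource: str, namespaced: bool,
                 namespace: Optional[str] = None, name: Optional[str] = None) -> str:
    """Build the REST URL for a resource (or subresource) under an API group."""
    resource, _, subresource = resource.partition("/")
    path = f"/apis/{group_version}"
    if namespaced:
        if not namespace:
            raise ValueError(f"{resource} is namespaced; a namespace is required")
        path += f"/namespaces/{namespace}"
    path += f"/{resource}"
    if name:
        path += f"/{name}"
    if subresource:
        if not name:
            raise ValueError("a subresource needs an object name")
        path += f"/{subresource}"  # e.g. .../identityproviderconfigs/NAME/status
    return base.rstrip("/") + path
```

For example, `resource_url("http://127.0.0.1:8001", "iam.gdc.goog/v1", "identityproviderconfigs", True, "platform", "example-provider")` yields the proxied URL of the sample resource, and the verbs returned by `parse_discovery` tell you which operations the API server advertises for it.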