A WorkforcePoolSubject is automatically created the first time an external credential is exchanged for a Google Cloud credential using a mapped google.subject attribute. There is no endpoint to manually create a WorkforcePoolSubject.
For 30 days after a WorkforcePoolSubject is deleted, using the same google.subject attribute in token exchanges with Google Cloud STS fails.
Call subjects.undelete to undelete a WorkforcePoolSubject that has been deleted, within 30 days of deleting it.
After 30 days, the WorkforcePoolSubject is permanently deleted. At this point, a token exchange with Google Cloud STS that uses the same mapped google.subject attribute automatically creates a new WorkforcePoolSubject that is unrelated to the previously deleted WorkforcePoolSubject but has the same google.subject value.
Required. The resource name of the WorkforcePoolSubject. Special characters, like / and :, must be escaped, because all URLs need to conform to the "When to Escape and Unescape" section of RFC3986.
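An added example (not part of the original reference page) that builds the subjects.delete request from the URL format given for this method, percent-encoding the mapped google.subject value so that / and : cannot change the path. The helper names, pool ID, and sample subject values are constructed for illustration.

```python
from urllib.parse import quote, unquote

IAM_BASE = "https://iam.googleapis.com/v1"


def subject_resource_name(location, pool_id, subject):
    """Build locations/*/workforcePools/*/subjects/* with every segment escaped."""
    for label, value in (("location", location), ("pool_id", pool_id),
                         ("subject", subject)):
        if not value:
            raise ValueError(f"{label} must not be empty")
    # safe="" makes quote() escape "/" and ":" too; the default would keep "/",
    # which would turn one subject into several path segments.
    parts = [quote(v, safe="") for v in (location, pool_id, subject)]
    return "locations/{}/workforcePools/{}/subjects/{}".format(*parts)


def delete_request(location, pool_id, subject):
    """Return (method, url, body) for subjects.delete; the body stays empty."""
    name = subject_resource_name(location, pool_id, subject)
    return ("DELETE", f"{IAM_BASE}/{name}", None)


def subject_from_name(name):
    """Recover the google.subject value, rejecting names that are not 6 segments."""
    segs = name.split("/")
    if (len(segs) != 6 or segs[0] != "locations"
            or segs[2] != "workforcePools" or segs[4] != "subjects"):
        raise ValueError("not a WorkforcePoolSubject resource name")
    return unquote(segs[5])


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    subject = "acme:users/alice@example.com"
    method, url, body = delete_request("global", "example-pool", subject)
    print(method, url)
    # The same subject left unescaped no longer matches the resource pattern.
    raw = f"locations/global/workforcePools/example-pool/subjects/{subject}"
    try:
        subject_from_name(raw)
    except ValueError as err:
        print("unescaped name rejected:", err)
```

Sending the request still requires an access token carrying one of the OAuth scopes listed for this method.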
This endpoint deletes a `WorkforcePoolSubject`, which must not already be in a deleted state.
A deleted `WorkforcePoolSubject` prevents token exchanges with the same `google.subject` attribute for 30 days.
Within 30 days of deletion, a `WorkforcePoolSubject` can be undeleted using the `subjects.undelete` call, after which, it is permanently deleted.
The HTTP request for deleting a `WorkforcePoolSubject` is a `DELETE` request to a specific URL with the format `https://iam.googleapis.com/v1/{name=locations/*/workforcePools/*/subjects/*}`.
The request body must be empty and it requires one of two OAuth scopes: `https://www.googleapis.com/auth/cloud-platform` or `https://www.googleapis.com/auth/iam`.
Last updated 2025-01-16 UTC.