Kubernetes Service Account (KSA) tokens are JWT tokens signed by the
cluster API server. This fields indicates how Google Cloud Platform
services validate KSA tokens in order to allow system workloads
(such as GKE Connect and telemetry agents) to authenticate back to
Google Cloud Platform.
Both clusters with public and private issuer URLs are supported.
Clusters with public issuers only need to specify the issuer_url
field while clusters with private issuers need to provide both
issuer_url and oidc_jwks.
Attributes
Name
Description
issuer_url
str
A JSON Web Token (JWT) issuer URI. issuer must start
with https://.
jwks
bytes
Optional. OIDC verification keys in JWKS
format (RFC 7517). It contains a list of OIDC
verification keys that can be used to verify
OIDC JWTs.
This field is required for cluster that doesn't
have a publicly available discovery endpoint.
When provided, it will be directly used to
verify the OIDC JWT asserted by the IDP.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Class AttachedOidcConfig (0.6.21)\n\nVersion latestkeyboard_arrow_down\n\n- [0.6.21 (latest)](/python/docs/reference/gkemulticloud/latest/google.cloud.gke_multicloud_v1.types.AttachedOidcConfig)\n- [0.6.19](/python/docs/reference/gkemulticloud/0.6.19/google.cloud.gke_multicloud_v1.types.AttachedOidcConfig)\n- [0.5.1](/python/docs/reference/gkemulticloud/0.5.1/google.cloud.gke_multicloud_v1.types.AttachedOidcConfig)\n- [0.4.0](/python/docs/reference/gkemulticloud/0.4.0/google.cloud.gke_multicloud_v1.types.AttachedOidcConfig)\n- [0.3.0](/python/docs/reference/gkemulticloud/0.3.0/google.cloud.gke_multicloud_v1.types.AttachedOidcConfig)\n- [0.2.2](/python/docs/reference/gkemulticloud/0.2.2/google.cloud.gke_multicloud_v1.types.AttachedOidcConfig)\n- [0.1.1](/python/docs/reference/gkemulticloud/0.1.1/google.cloud.gke_multicloud_v1.types.AttachedOidcConfig) \n\n AttachedOidcConfig(mapping=None, *, ignore_unknown_fields=False, **kwargs)\n\nOIDC discovery information of the target cluster.\n\nKubernetes Service Account (KSA) tokens are JWT tokens signed by the\ncluster API server. This fields indicates how Google Cloud Platform\nservices validate KSA tokens in order to allow system workloads\n(such as GKE Connect and telemetry agents) to authenticate back to\nGoogle Cloud Platform.\n\nBoth clusters with public and private issuer URLs are supported.\nClusters with public issuers only need to specify the `issuer_url`\nfield while clusters with private issuers need to provide both\n`issuer_url` and `oidc_jwks`."]]
