Authority encodes how Google will recognize identities from this Membership. See the workload identity documentation for more details: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
Inherits
- Object
Extended By
- Google::Protobuf::MessageExts::ClassMethods
Includes
- Google::Protobuf::MessageExts
Methods
#identity_provider
def identity_provider() -> ::String
- (::String) — Output only. An identity provider that reflects the issuer in the workload identity pool.
#issuer
def issuer() -> ::String
- (::String) — Optional. A JSON Web Token (JWT) issuer URI. issuer must start with https:// and be a valid URL with length <2000 characters.
  If set, then Google will allow valid OIDC tokens from this issuer to authenticate within the workload_identity_pool. OIDC discovery will be performed on this URI to validate tokens from the issuer.
  Clearing issuer disables Workload Identity. issuer cannot be directly modified; it must be cleared (and Workload Identity disabled) before using a new issuer (and re-enabling Workload Identity).
#issuer=
def issuer=(value) -> ::String
- value (::String) — Optional. A JSON Web Token (JWT) issuer URI. issuer must start with https:// and be a valid URL with length <2000 characters.
  If set, then Google will allow valid OIDC tokens from this issuer to authenticate within the workload_identity_pool. OIDC discovery will be performed on this URI to validate tokens from the issuer.
  Clearing issuer disables Workload Identity. issuer cannot be directly modified; it must be cleared (and Workload Identity disabled) before using a new issuer (and re-enabling Workload Identity).
- (::String) — Optional. A JSON Web Token (JWT) issuer URI. issuer must start with https:// and be a valid URL with length <2000 characters.
  If set, then Google will allow valid OIDC tokens from this issuer to authenticate within the workload_identity_pool. OIDC discovery will be performed on this URI to validate tokens from the issuer.
  Clearing issuer disables Workload Identity. issuer cannot be directly modified; it must be cleared (and Workload Identity disabled) before using a new issuer (and re-enabling Workload Identity).
#oidc_jwks
def oidc_jwks() -> ::String
- (::String) — Optional. OIDC verification keys for this Membership in JWKS format (RFC 7517).
  When this field is set, OIDC discovery will NOT be performed on issuer, and instead OIDC tokens will be validated using this field.
#oidc_jwks=
def oidc_jwks=(value) -> ::String
- value (::String) — Optional. OIDC verification keys for this Membership in JWKS format (RFC 7517).
  When this field is set, OIDC discovery will NOT be performed on issuer, and instead OIDC tokens will be validated using this field.
- (::String) — Optional. OIDC verification keys for this Membership in JWKS format (RFC 7517).
  When this field is set, OIDC discovery will NOT be performed on issuer, and instead OIDC tokens will be validated using this field.
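The issuer and oidc_jwks rules above can be checked before an update is sent. The following is an added example, not code from the client library: authority_problems and SAMPLE_JWKS are hypothetical names, and the sample values are constructed.

```ruby
require "json"
require "uri"

# Hypothetical helper, not part of the client library: lists the reasons a
# proposed issuer / oidc_jwks pair would conflict with the documented rules.
def authority_problems(current_issuer:, new_issuer:, oidc_jwks: "")
  problems = []
  unless new_issuer.empty? # an empty issuer clears it (disables Workload Identity)
    problems << "issuer must start with https://" unless new_issuer.start_with?("https://")
    problems << "issuer must be shorter than 2000 characters" unless new_issuer.length < 2000
    begin
      host = URI.parse(new_issuer).host
      problems << "issuer is not a valid URL" if host.nil? || host.empty?
    rescue URI::InvalidURIError
      problems << "issuer is not a valid URL"
    end
    # A different non-empty issuer cannot replace the current one in place.
    if !current_issuer.empty? && current_issuer != new_issuer
      problems << "issuer cannot be modified directly; clear it first"
    end
  end
  unless oidc_jwks.empty?
    begin
      doc = JSON.parse(oidc_jwks)
      keys = doc.is_a?(Hash) ? doc["keys"] : nil
      # RFC 7517: a JWK Set is an object with a "keys" array; each JWK has "kty".
      # Requiring at least one key is this example's own choice: with discovery
      # skipped, an empty set leaves nothing to verify tokens against.
      ok = keys.is_a?(Array) && !keys.empty? &&
           keys.all? { |k| k.is_a?(Hash) && k["kty"].is_a?(String) }
      problems << "oidc_jwks must be a JWK Set with at least one key" unless ok
    rescue JSON::ParserError
      problems << "oidc_jwks is not valid JSON"
    end
  end
  problems
end

# Constructed sample values (example.com hosts, dummy key material).
SAMPLE_JWKS = '{"keys":[{"kty":"RSA","kid":"constructed-1","n":"AQAB","e":"AQAB"}]}'
if __FILE__ == $PROGRAM_NAME
  puts authority_problems(current_issuer: "https://old.example.com",
                          new_issuer: "https://new.example.com",
                          oidc_jwks: SAMPLE_JWKS)
end
```

An empty result means the proposed values are consistent with the field descriptions; it does not confirm that the keys in oidc_jwks are the ones the issuer actually signs with.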
#workload_identity_pool
def workload_identity_pool() -> ::String
- (::String) — Output only. The name of the workload identity pool in which issuer will be recognized.
  There is a single Workload Identity Pool per Hub that is shared between all Memberships that belong to that Hub. For a Hub hosted in {PROJECT_ID}, the workload pool format is {PROJECT_ID}.hub.id.goog, although this is subject to change in newer versions of this API.