- NAME
-
- gcloud iam workforce-pools providers update-saml - update a new SAML workforce pool provider
- SYNOPSIS
-
-
gcloud iam workforce-pools providers update-saml
(PROVIDER
:--location
=LOCATION
--workforce-pool
=WORKFORCE_POOL
) [--async
] [--attribute-condition
=ATTRIBUTE_CONDITION
] [--attribute-mapping
=[KEY
=VALUE
,…]] [--description
=DESCRIPTION
] [--detailed-audit-logging
] [--disabled
] [--display-name
=DISPLAY_NAME
] [--idp-metadata-path
=PATH_TO_FILE
] [--scim-usage
=SCIM_USAGE
] [--clear-extended-attributes-config
|--extended-attributes-client-id
=EXTENDED_ATTRIBUTES_CLIENT_ID
--extended-attributes-client-secret-value
=EXTENDED_ATTRIBUTES_CLIENT_SECRET_VALUE
--extended-attributes-filter
=EXTENDED_ATTRIBUTES_FILTER
--extended-attributes-issuer-uri
=EXTENDED_ATTRIBUTES_ISSUER_URI
--extended-attributes-type
=EXTENDED_ATTRIBUTES_TYPE
] [--clear-extra-attributes-config
|--extra-attributes-client-id
=EXTRA_ATTRIBUTES_CLIENT_ID
--extra-attributes-client-secret-value
=EXTRA_ATTRIBUTES_CLIENT_SECRET_VALUE
--extra-attributes-filter
=EXTRA_ATTRIBUTES_FILTER
--extra-attributes-issuer-uri
=EXTRA_ATTRIBUTES_ISSUER_URI
--extra-attributes-type
=EXTRA_ATTRIBUTES_TYPE
] [GCLOUD_WIDE_FLAG …
]
-
- DESCRIPTION
- Update a new SAML workforce pool provider.
- EXAMPLES
-
The following command updates the SAML workforce pool provider with the ID
my-workforce-pool-provider
. Explicit values for all required and optional parameters are provided.gcloud iam workforce-pools providers update-saml my-workforce-pool-provider --workforce-pool="my-workforce-pool" --location="global" --display-name="My Workforce Pool Provider" --description="My workforce pool provider description." --disabled --detailed-audit-logging --attribute-mapping="google.subject=assertion.sub" --attribute-condition="true" --idp-metadata-path="path/to/metdata/file.xml"
- POSITIONAL ARGUMENTS
-
-
Workforce pool provider resource - The workforce pool provider to update. The
arguments in this group can be used to specify the attributes of this resource.
This must be specified.
PROVIDER
-
ID of the workforce pool provider or fully qualified identifier for the
workforce pool provider.
To set the
provider
attribute:-
provide the argument
provider
on the command line.
This positional argument must be specified if any of the other arguments in this group are specified.
-
provide the argument
--location
=LOCATION
-
The location for the workforce pool.
To set the
location
attribute:-
provide the argument
provider
on the command line with a fully specified name; -
provide the argument
--location
on the command line.
-
provide the argument
--workforce-pool
=WORKFORCE_POOL
-
The ID to use for the workforce pool, which becomes the final component of the
resource name. This value must be a globally unique string of 6 to 63 lowercase
letters, digits, or hyphens. It must start with a letter, and cannot have a
trailing hyphen. The prefix
gcp-
is reserved for use by Google, and may not be specified. To set theworkforce-pool
attribute:-
provide the argument
provider
on the command line with a fully specified name; -
provide the argument
--workforce-pool
on the command line.
-
provide the argument
-
Workforce pool provider resource - The workforce pool provider to update. The
arguments in this group can be used to specify the attributes of this resource.
- FLAGS
-
--async
- Return immediately, without waiting for the operation in progress to complete.
--attribute-condition
=ATTRIBUTE_CONDITION
-
A Common Expression
Language expression, in plain text, to restrict which otherwise valid
authentication credentials issued by the provider should be accepted.
The expression must output a boolean representing whether to allow the federation.
The following keywords may be referenced in the expressions:
-
assertion
: JSON representing the authentication credential issued by the Provider. -
google
: The Google attributes mapped from the assertion in theattribute_mappings
.google.profile_photo
andgoogle.display_name
are not supported. -
attribute
: The custom attributes mapped from the assertion in theattribute_mappings
.
The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credential will be accepted.
Example: Only allow credentials with a mapped
google.groups
value ofadmins
."'admins' in google.groups"
-
--attribute-mapping
=[KEY
=VALUE
,…]-
Maps claims from the authentication credentials issued by the Identity Provider
into Google Cloud IAM attributes, e.g. subject, segment.
Each key must be a string specifying the Google Cloud IAM attribute to be produced.
The following predefined keys are currently supported:
-
google.subject
: required field that indicates the principal that is being authenticated to IAM, and will be logged in all API accesses for which Cloud Audit Logging is configured.
-
google.groups
: optional field that indicates asserted groups that the user should be considered to belong to. You can create IAM bindings using the groups attribute and access to a resource will be granted if any of the groups asserted here match a group in the respective binding.
-
google.display_name
: optional field that overrides the name of the user. If not set,google.subject
will be displayed instead. This attribute cannot be used in IAM policies. The maximum length of this field is 100 characters.
-
google.profile_photo
: optional fields that may be set to a valid URL specifying the user's thumbnail photo. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be used in IAM policies.
Custom attributes can also be mapped by specifying
attribute.{custom_attribute}
, replacing{custom_attribute}
with the name of the custom attribute to be mapped. A maximum of 50 custom attribute mappings can be defined. The maximum length of a mapped attribute key is 2048 characters and may only contain the characters [a-z0-9].
These attributes can then be referenced in IAM policies to define fine-grained access for the workforce pool to Google Cloud resources by specifying:
-
google.subject
:principal://iam.googleapis.com/locations/global/workforcePools/{pool}/subject/{value}
-
google.groups
:principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/group/{value}
-
attribute.{custom_attribute}
:principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/attribute.{custom_attribute}/{value}
Each value must be a Common Expression Language function that maps an Identity Provider credential to the normalized attribute specified by the corresponding map key.
The following keywords may be referenced in the expressions:
-
assertion
: JSON representing the authentication credential issued by the Identity Provider.
The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB.
Example: Map the
sub
claim of the incoming credential to thesubject
Google Cloud IAM attribute.{"google.subject": "assertion.sub"}
-
--description
=DESCRIPTION- A description for the workforce pool provider. Cannot exceed 256 characters in length.
--detailed-audit-logging
-
Enables detailed audit logging for this provider, which populates additional
debug information in STS Cloud Audit Logs. Specify
--no-detailed-audit-logging
to disable it. --disabled
-
Disables the workforce pool provider. You cannot use a disabled provider to
perform new token exchanges or sign-ins. However, existing tokens still grant
access. Specify
--no-disabled
to enable a disabled pool. --display-name
=DISPLAY_NAME- A display name for the workforce pool provider. Cannot exceed 32 characters in length.
--idp-metadata-path
=PATH_TO_FILE- XML file with configuration metadata for the SAML identity provider. The metadata file must follow the SAML 2.0 metadata specification. Use a full or relative path to a local file containing the value of idp_metadata_path.
--scim-usage
=SCIM_USAGE-
Specifies whether the workforce identity pool provider uses SCIM-managed groups
instead of the
google.groups
attribute mapping for authorization checks.The
scim_usage
andextended_attributes_oauth2_client
fields are mutually exclusive. A request that enables both fields on the same workforce identity pool provider will produce an error.Use
enabled-for-groups
to enable SCIM-managed groups. Usescim-usage-unspecified
to disable SCIM-managed groups.SCIM_USAGE
must be one of:
enabled-for-groups
,scim-usage-unspecified
. -
At most one of these can be specified:
--clear-extended-attributes-config
- Clear the extended attributes configuration.
--extended-attributes-client-id
=EXTENDED_ATTRIBUTES_CLIENT_ID- The OAuth 2.0 client ID for retrieving extended attributes from the identity provider. Required to get extended group memberships for a subset of Google Cloud products.
--extended-attributes-client-secret-value
=EXTENDED_ATTRIBUTES_CLIENT_SECRET_VALUE- The OAuth 2.0 client secret for retrieving extended attributes from the identity provider. Required to get extended group memberships for a subset of Google Cloud products.
--extended-attributes-filter
=EXTENDED_ATTRIBUTES_FILTER-
The filter used to request specific records from the IdP. By default, all of the
groups that are associated with a user are fetched. For Microsoft Entra ID, you
can add
$search
query parameters using [Keyword Query Language] (https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference). To learn more about$search
querying in Microsoft Entra ID, see [Use the$search
query parameter] (https://learn.microsoft.com/en-us/graph/search-query-parameter).Additionally, Workforce Identity Federation automatically adds the following [
$filter
query parameters] (https://learn.microsoft.com/en-us/graph/filter-query-parameter), based on the value ofattributes_type
. Values passed tofilter
are converted to$search
query parameters. Additional$filter
query parameters cannot be added using this field.-
AZURE_AD_GROUPS_ID
:securityEnabled
filter is applied.
-
--extended-attributes-issuer-uri
=EXTENDED_ATTRIBUTES_ISSUER_URI-
OIDC identity provider's issuer URI. Must be a valid URI using the
https
scheme. Required to get the OIDC discovery document. --extended-attributes-type
=EXTENDED_ATTRIBUTES_TYPE-
Represents the identity provider and type of claims that should be fetched.
EXTENDED_ATTRIBUTES_TYPE
must be (only one value is supported):
azure-ad-groups-id
.
-
At most one of these can be specified:
--clear-extra-attributes-config
- Clear the extra attributes configuration.
--extra-attributes-client-id
=EXTRA_ATTRIBUTES_CLIENT_ID- The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the access token using client credentials grant flow.
--extra-attributes-client-secret-value
=EXTRA_ATTRIBUTES_CLIENT_SECRET_VALUE- The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the access token using client credentials grant flow.
--extra-attributes-filter
=EXTRA_ATTRIBUTES_FILTER-
The filter used to request specific records from the IdP. By default, all of the
groups that are associated with a user are fetched. For Microsoft Entra ID, you
can add
$search
query parameters using [Keyword Query Language] (https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference). To learn more about$search
querying in Microsoft Entra ID, see [Use the$search
query parameter] (https://learn.microsoft.com/en-us/graph/search-query-parameter).Additionally, Workforce Identity Federation automatically adds the following [
$filter
query parameters] (https://learn.microsoft.com/en-us/graph/filter-query-parameter), based on the value ofattributes_type
. Values passed tofilter
are converted to$search
query parameters. Additional$filter
query parameters cannot be added using this field.-
AZURE_AD_GROUPS_MAIL
:mailEnabled
andsecurityEnabled
filters are applied. -
AZURE_AD_GROUPS_ID
:securityEnabled
filter is applied.
-
--extra-attributes-issuer-uri
=EXTRA_ATTRIBUTES_ISSUER_URI-
OIDC identity provider's issuer URI. Must be a valid URI using the
https
scheme. Required to get the OIDC discovery document. --extra-attributes-type
=EXTRA_ATTRIBUTES_TYPE-
Represents the identity provider and type of claims that should be fetched.
EXTRA_ATTRIBUTES_TYPE
must be one of:
azure-ad-groups-mail
,azure-ad-groups-id
.
- GCLOUD WIDE FLAGS
-
These flags are available to all commands:
--access-token-file
,--account
,--billing-project
,--configuration
,--flags-file
,--flatten
,--format
,--help
,--impersonate-service-account
,--log-http
,--project
,--quiet
,--trace-token
,--user-output-enabled
,--verbosity
.Run
$ gcloud help
for details. - API REFERENCE
-
This command uses the
iam/v1
API. The full documentation for this API can be found at: https://cloud.google.com/iam/
gcloud iam workforce-pools providers update-saml
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-10-21 UTC.