Name

nebius iam federated-credentials update

Synopsis

nebius iam federated-credentials update [id]
  --federated-subject-id
  --id
  --labels
  --labels-add
  --labels-remove
  --name
  --oidc-provider-issuer-url
  --oidc-provider-jwk-set-json
  --parent-id
  --resource-version
  --subject-id
  --async
  --clear-mask
  --diff
  --full
  --patch

Positional Arguments

id

Identifier for the resource, unique for its resource type.

Options

--federated-subject-id (string)

Federated subject ID. For oidc_provider, the subject is calculated from the “sub” claim of the JWT federation token.

--id (string)

Identifier for the resource, unique for its resource type.

--labels (string->string)

Labels associated with the resource.

--labels-add (string->string)

Add values to Labels associated with the resource.

--labels-remove (string array)

Remove values from Labels associated with the resource.

--name (string)

Human readable name for the resource.

--oidc-provider-issuer-url (string)

The OIDC issuer does not have to be a real OIDC provider, but it should expose its OIDC configuration
at the “/.well-known/openid-configuration” endpoint. The configuration should contain the “jwks_uri” endpoint
where the JSON Web Key Set (JWKS) can be found; this set contains the public keys used to verify
JSON Web Tokens (JWTs) issued by an identity provider.

Limitations for external OIDC providers:

  • The token service handles at most 50 keys. If your JWKS returns more than 50,
    only the first 50 are used for signature verification.
  • The response size for jwks_uri and “/.well-known/openid-configuration” is limited to 100KB.

--oidc-provider-jwk-set-json (string)

Literal JSON that represents a JWKS with the public keys for JWT verification.
Note that when keys are added or rotated, the jwk_set_json should also be updated here.
In addition, the “issuer” parameter should be set even if the JWKS is resolved locally.
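
A pre-flight check for a JWKS document before it is used for federation, as an added example that is not part of the Nebius CLI or its documentation. It applies the limits stated above (50 keys, 100KB) and flags keys that still carry private or secret JWK members (names from RFC 7518), since the set is meant to hold public keys only. The function name `check_jwks`, the reading of 100KB as 100,000 bytes, and applying the size limit to an inline document are assumptions.

```python
import json

MAX_KEYS = 50            # from the page: only the first 50 keys are used
MAX_BYTES = 100 * 1000   # assumption: "100KB" read as 100,000 bytes (the stricter reading)
# Private or secret JWK members per RFC 7518: RSA and EC/OKP private parts, symmetric "k".
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


def check_jwks(raw: str) -> list:
    """Return a list of problems found in a JWKS document; empty means it passed."""
    problems = []
    size = len(raw.encode("utf-8"))
    if size > MAX_BYTES:
        problems.append(f"document is {size} bytes, over the {MAX_BYTES}-byte limit")
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return problems + [f"not valid JSON: {exc}"]
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        return problems + ['top-level "keys" array is missing or empty']
    if len(keys) > MAX_KEYS:
        # Keys past position 50 would never be used for signature verification.
        ignored = [k.get("kid", "<no kid>") for k in keys[MAX_KEYS:] if isinstance(k, dict)]
        problems.append(f"{len(keys)} keys; keys after the first {MAX_KEYS} are ignored: {ignored}")
    for i, key in enumerate(keys):
        if not isinstance(key, dict):
            problems.append(f"key {i}: not a JSON object")
            continue
        label = f"key {i} (kid={key.get('kid')!r})"
        if "kty" not in key:
            problems.append(f"{label}: missing kty")
        leaked = sorted(PRIVATE_MEMBERS.intersection(key))
        if leaked:
            problems.append(f"{label}: private or secret members present: {leaked}")
    return problems


# Constructed sample: one clean public key, one key that still carries its private exponent.
SAMPLE = json.dumps({"keys": [
    {"kty": "RSA", "kid": "2024-a", "use": "sig", "n": "constructed-modulus", "e": "AQAB"},
    {"kty": "RSA", "kid": "2024-b", "use": "sig", "n": "constructed-modulus", "e": "AQAB",
     "d": "constructed-private-exponent"},
]})

if __name__ == "__main__":
    for problem in check_jwks(SAMPLE):
        print(problem)
```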

--parent-id (string)

Identifier of the parent resource to which the resource belongs.

--resource-version (int64)

Version of the resource for safe concurrent modifications and consistent reads.
Positive and monotonically increases on each resource spec change (but not on each change of the
resource’s container(s) or status).
The service accepts either zero or the current version.

--subject-id (string)

IAM subject that the federated subject will impersonate. For example, for workload identities it is an IAM service account.

--async (bool)

If set, returns operation id. Otherwise, waits for the operation to complete and returns its resource.

--clear-mask (string array)

Reset-mask field paths to clear in patch mode. Can be repeated.

--diff (bool)

Show diff of resource before committing update.

--full (bool)

Update full resource state. Automatically set to true if the --file or argument is provided.

--patch (bool)

Update only specified fields.

Global Options

-h, --help (bool)

Show this message.

-p, --profile (string)

Set a profile for interacting with the cloud.

--format (string)

Output format. Supported values: yaml|json|jsonpath|table|text.

-f, --file (string)

Input file. For ‘update’ commands, automatically sets --full=true.

-c, --config (string)

Provide path to config file.

--debug (bool)

Enable debug logs.

--color (bool)

Enable colored output.

--no-browser (bool)

Do not open browser automatically on auth.

--insecure (bool)

Disable transport security.

--auth-timeout (duration: 2h30m10s)

Set the timeout for the request including authentication process, default is 15m0s.

--per-retry-timeout (duration: 2h30m10s)

Set the timeout for each retry attempt, default is 20s.

--retries (uint)

Set the number of retry attempts; 1 disables retries, default is 3.

--timeout (duration: 2h30m10s)

Set the timeout for the main request, default is 1m0s.

--no-check-update (bool)

Suppress check for updates.