Schema
Required
- parent_id (String) Identifier of the parent resource to which the resource belongs.
- subject_id (String) IAM subject that the federated subject will impersonate. E.g., for workload identities it will be the IAM service account.
Optional
- federated_subject_id (String) Federated subject ID. For oidc_provider, the subject is calculated from the “sub” claim of the JWT federation token.
- labels (Map of String) Labels associated with the resource.
- metadata (Attributes) Inner value description: Common resource metadata. (see below for nested schema)
- name (String) Human readable name for the resource.
- oidc_provider (Attributes) (see below for nested schema)
Read-Only
- created_at (String) Timestamp indicating when the resource was created. A string representing a timestamp in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ or YYYY-MM-DDTHH:MM:SS.SSS±HH:MM
- id (String) Identifier for the resource, unique for its resource type.
- resource_version (Number) Version of the resource for safe concurrent modifications and consistent reads. Positive and monotonically increases on each resource spec change (but not on each change of the resource’s container(s) or status). Service allows zero value or current.
- status (Attributes) (see below for nested schema)
- updated_at (String) Timestamp indicating when the resource was last updated. A string representing a timestamp in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ or YYYY-MM-DDTHH:MM:SS.SSS±HH:MM
Nested Schema for metadata
Nested Schema for oidc_provider
Required:
- issuer_url (String) The OIDC issuer does not have to be a real OIDC provider, but it should expose its OIDC configuration at the “/.well-known/openid-configuration” endpoint. The configuration should contain the “jwks_uri” endpoint where the JSON Web Key Set (JWKS) can be found; this set contains the public keys used to verify JSON Web Tokens (JWTs) issued by an identity provider. Limitations for external OIDC providers:
  - The token service limits the number of handled keys to 50. If your JWKS returns more than 50 keys, only the first 50 will be used for signature verification.
  - The response size for jwks_uri and “/.well-known/openid-configuration” is limited to 100KB.
- jwk_set_json (String) Literal JSON representing a JWKS with the public keys for JWT verification. Note that when keys are added or rotated, jwk_set_json should also be updated here. In addition, the “issuer” parameter should be set even if the JWKS is resolved locally.
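A pre-flight check for the limits listed under issuer_url and the public-keys-only expectation for jwk_set_json, as an added example that is not part of the provider or its documentation. The function names, the issuer.example URLs, the sample keys and the decimal reading of “100KB” are assumptions made for illustration.

```python
import json

MAX_KEYS = 50                 # page: only the first 50 keys are used
MAX_RESPONSE_BYTES = 100_000  # page: "100KB"; stricter decimal reading assumed
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "k"}  # RFC 7518 private/symmetric

def _load(name, body, problems):
    """Size-check and parse one response body, recording problems instead of raising."""
    if len(body) > MAX_RESPONSE_BYTES:
        problems.append(f"{name}: {len(body)} bytes exceeds {MAX_RESPONSE_BYTES}")
    try:
        doc = json.loads(body)
    except ValueError:
        problems.append(f"{name}: not valid JSON")
        return {}
    return doc if isinstance(doc, dict) else {}

def preflight(discovery_body, jwks_body):
    """Check a discovery document and JWKS against the limits listed for issuer_url."""
    problems = []
    config = _load("openid-configuration", discovery_body, problems)
    if not config.get("jwks_uri"):
        problems.append("openid-configuration: no jwks_uri")
    keys = _load("jwks", jwks_body, problems).get("keys")
    if not isinstance(keys, list) or not keys:
        problems.append("jwks: no keys array")
        keys = []
    keys = [k for k in keys if isinstance(k, dict)]
    # Keys past position 50 are never consulted, so tokens signed with them fail.
    ignored = [k.get("kid", "<no kid>") for k in keys[MAX_KEYS:]]
    if ignored:
        problems.append(f"jwks: {len(ignored)} key(s) past the first {MAX_KEYS} are ignored")
    # A published JWKS or jwk_set_json value should carry public members only.
    private = [k.get("kid", "<no kid>") for k in keys if k.keys() & PRIVATE_MEMBERS]
    if private:
        problems.append(f"jwks: private or symmetric key material in {private}")
    return {"ok": not problems, "problems": problems, "ignored_kids": ignored}

# Constructed sample input: placeholder values, not real key material.
SAMPLE_DISCOVERY = json.dumps({"issuer": "https://issuer.example",
                               "jwks_uri": "https://issuer.example/jwks"}).encode()
SAMPLE_JWKS = json.dumps({"keys": [{"kty": "RSA", "kid": f"key-{i}", "n": "AA", "e": "AQAB"}
                                   for i in range(52)]}).encode()

if __name__ == "__main__":
    print(preflight(SAMPLE_DISCOVERY, SAMPLE_JWKS))
```

For a locally supplied jwk_set_json value, pass its UTF-8 bytes as jwks_body; the key-count and private-member checks apply unchanged.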