Google Cloud v8.33.0 published on Wednesday, Jun 4, 2025 by Pulumi

gcp.iam.getWorkloadIdentityPool


    Get an IAM workload identity pool from Google Cloud by its id.

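    Note: The following resource requires the Beta IAM role roles/iam.workloadIdentityPoolAdmin in order to succeed. OWNER and EDITOR roles do not include the necessary permissions. This function only reads the pool, so check whether a read-only role such as roles/iam.workloadIdentityPoolViewer is sufficient before granting the admin role to the identity that runs the lookup.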

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
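    // Read-only lookup of an existing workload identity pool by its short id
    // (the final component of the resource name). No `project` is passed, so
    // the provider project is used.
    const foo = gcp.iam.getWorkloadIdentityPool({
        workloadIdentityPoolId: "foo-pool",
    });

    // Surface the result instead of discarding it. `disabled` and `state` are
    // the outputs that report whether the pool is currently usable; review them
    // before attaching providers or IAM bindings to this pool.
    export const poolName = foo.then(pool => pool.name);
    export const poolDisabled = foo.then(pool => pool.disabled);
    export const poolState = foo.then(pool => pool.state);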
    
    import pulumi
    import pulumi_gcp as gcp
    
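    # Read-only lookup of an existing workload identity pool by its short id
    # (the final component of the resource name). No `project` is passed, so
    # the provider project is used.
    foo = gcp.iam.get_workload_identity_pool(workload_identity_pool_id="foo-pool")

    # Surface the result instead of discarding it. `disabled` and `state` are
    # the outputs that report whether the pool is currently usable; review them
    # before attaching providers or IAM bindings to this pool.
    pulumi.export("poolName", foo.name)
    pulumi.export("poolDisabled", foo.disabled)
    pulumi.export("poolState", foo.state)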
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
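    // main looks up an existing workload identity pool and exports the fields
    // that describe whether it is currently usable.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Read-only lookup by the pool's short id (the final component of the
    		// resource name). No Project is set, so the provider project is used.
    		pool, err := iam.LookupWorkloadIdentityPool(ctx, &iam.LookupWorkloadIdentityPoolArgs{
    			WorkloadIdentityPoolId: "foo-pool",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// Keep the result instead of discarding it: Disabled and State are the
    		// outputs to review before attaching providers or IAM bindings to the pool.
    		ctx.Export("poolName", pulumi.String(pool.Name))
    		ctx.Export("poolDisabled", pulumi.Bool(pool.Disabled))
    		ctx.Export("poolState", pulumi.String(pool.State))
    		return nil
    	})
    }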
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
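    return await Deployment.RunAsync(() =>
    {
        // Read-only lookup of an existing workload identity pool by its short id
        // (the final component of the resource name). No Project is set, so the
        // provider project is used.
        var foo = Gcp.Iam.GetWorkloadIdentityPool.Invoke(new()
        {
            WorkloadIdentityPoolId = "foo-pool",
        });

        // Return the result as stack outputs instead of discarding it. Disabled
        // and State are the outputs to review before attaching providers or IAM
        // bindings to this pool.
        return new Dictionary<string, object?>
        {
            ["poolName"] = foo.Apply(pool => pool.Name),
            ["poolDisabled"] = foo.Apply(pool => pool.Disabled),
            ["poolState"] = foo.Apply(pool => pool.State),
        };
    });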
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.iam.IamFunctions;
    import com.pulumi.gcp.iam.inputs.GetWorkloadIdentityPoolArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
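    /**
     * Looks up an existing workload identity pool and exports the fields that
     * describe whether it is currently usable.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Performs a read-only lookup of the pool by its short id (the final
         * component of the resource name) and exports selected outputs.
         *
         * @param ctx the Pulumi deployment context used to register stack outputs
         */
        public static void stack(Context ctx) {
            // No project is set, so the provider project is used.
            final var foo = IamFunctions.getWorkloadIdentityPool(GetWorkloadIdentityPoolArgs.builder()
                .workloadIdentityPoolId("foo-pool")
                .build());

            // Export the result instead of discarding it. disabled and state are
            // the outputs to review before attaching providers or IAM bindings
            // to this pool.
            ctx.export("poolName", foo.applyValue(pool -> pool.name()));
            ctx.export("poolDisabled", foo.applyValue(pool -> pool.disabled()));
            ctx.export("poolState", foo.applyValue(pool -> pool.state()));
        }
    }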
    
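    variables:
      # Read-only lookup of an existing workload identity pool by its short id
      # (the final component of the resource name). No project is passed, so the
      # provider project is used.
      foo:
        fn::invoke:
          function: gcp:iam:getWorkloadIdentityPool
          arguments:
            workloadIdentityPoolId: foo-pool
    # Surface the result instead of leaving it unused. disabled and state are the
    # outputs to review before attaching providers or IAM bindings to this pool.
    outputs:
      poolName: ${foo.name}
      poolDisabled: ${foo.disabled}
      poolState: ${foo.state}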
    

    Using getWorkloadIdentityPool

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getWorkloadIdentityPool(args: GetWorkloadIdentityPoolArgs, opts?: InvokeOptions): Promise<GetWorkloadIdentityPoolResult>
    function getWorkloadIdentityPoolOutput(args: GetWorkloadIdentityPoolOutputArgs, opts?: InvokeOptions): Output<GetWorkloadIdentityPoolResult>
    def get_workload_identity_pool(project: Optional[str] = None,
                                   workload_identity_pool_id: Optional[str] = None,
                                   opts: Optional[InvokeOptions] = None) -> GetWorkloadIdentityPoolResult
    def get_workload_identity_pool_output(project: Optional[pulumi.Input[str]] = None,
                                   workload_identity_pool_id: Optional[pulumi.Input[str]] = None,
                                   opts: Optional[InvokeOptions] = None) -> Output[GetWorkloadIdentityPoolResult]
    func LookupWorkloadIdentityPool(ctx *Context, args *LookupWorkloadIdentityPoolArgs, opts ...InvokeOption) (*LookupWorkloadIdentityPoolResult, error)
    func LookupWorkloadIdentityPoolOutput(ctx *Context, args *LookupWorkloadIdentityPoolOutputArgs, opts ...InvokeOption) LookupWorkloadIdentityPoolResultOutput

    > Note: This function is named LookupWorkloadIdentityPool in the Go SDK.

    public static class GetWorkloadIdentityPool 
    {
        public static Task<GetWorkloadIdentityPoolResult> InvokeAsync(GetWorkloadIdentityPoolArgs args, InvokeOptions? opts = null)
        public static Output<GetWorkloadIdentityPoolResult> Invoke(GetWorkloadIdentityPoolInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetWorkloadIdentityPoolResult> getWorkloadIdentityPool(GetWorkloadIdentityPoolArgs args, InvokeOptions options)
    public static Output<GetWorkloadIdentityPoolResult> getWorkloadIdentityPool(GetWorkloadIdentityPoolArgs args, InvokeOptions options)
    
    fn::invoke:
      function: gcp:iam/getWorkloadIdentityPool:getWorkloadIdentityPool
      arguments:
        # arguments dictionary

    The following arguments are supported:

    WorkloadIdentityPoolId string
    The id of the pool which is the final component of the resource name.


    Project string
    The project in which the resource belongs. If it is not provided, the provider project is used.
    WorkloadIdentityPoolId string
    The id of the pool which is the final component of the resource name.


    Project string
    The project in which the resource belongs. If it is not provided, the provider project is used.
    workloadIdentityPoolId String
    The id of the pool which is the final component of the resource name.


    project String
    The project in which the resource belongs. If it is not provided, the provider project is used.
    workloadIdentityPoolId string
    The id of the pool which is the final component of the resource name.


    project string
    The project in which the resource belongs. If it is not provided, the provider project is used.
    workload_identity_pool_id str
    The id of the pool which is the final component of the resource name.


    project str
    The project in which the resource belongs. If it is not provided, the provider project is used.
    workloadIdentityPoolId String
    The id of the pool which is the final component of the resource name.


    project String
    The project in which the resource belongs. If it is not provided, the provider project is used.

    getWorkloadIdentityPool Result

    The following output properties are available:

    description String
    disabled Boolean
    displayName String
    id String
    The provider-assigned unique ID for this managed resource.
    inlineCertificateIssuanceConfigs List<Property Map>
    inlineTrustConfigs List<Property Map>
    mode String
    name String
    state String
    workloadIdentityPoolId String
    project String

    Supporting Types

    GetWorkloadIdentityPoolInlineCertificateIssuanceConfig

    CaPools Dictionary<string, string>
    A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

    • Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
    • Value format: A valid CA pool resource path format like: 'projects/{project}/locations/{location}/caPools/{ca_pool}'
    • Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
    KeyAlgorithm string
    Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to 'ECDSA_P256'.

    • 'RSA_2048': Specifies RSA with a 2048-bit modulus.
    • 'RSA_3072': Specifies RSA with a 3072-bit modulus.
    • 'RSA_4096': Specifies RSA with a 4096-bit modulus.
    • 'ECDSA_P256': Specifies ECDSA with curve P256.
    • 'ECDSA_P384': Specifies ECDSA with curve P384. Possible values: ["RSA_2048", "RSA_3072", "RSA_4096", "ECDSA_P256", "ECDSA_P384"]
    Lifetime string
    Lifetime of the workload certificates issued by the CA pool in seconds. Must be between '86400s' (24 hours) to '2592000s' (30 days), ends in the suffix "'s'" (indicating seconds) and is preceded by the number of seconds. If unspecified, this will be defaulted to '86400s' (24 hours).
    RotationWindowPercentage int
    Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between '50' - '80'. If unspecified, this will be defaulted to '50'.
    CaPools map[string]string
    A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

    • Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
    • Value format: A valid CA pool resource path format like: 'projects/{project}/locations/{location}/caPools/{ca_pool}'
    • Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
    KeyAlgorithm string
    Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to 'ECDSA_P256'.

    • 'RSA_2048': Specifies RSA with a 2048-bit modulus.
    • 'RSA_3072': Specifies RSA with a 3072-bit modulus.
    • 'RSA_4096': Specifies RSA with a 4096-bit modulus.
    • 'ECDSA_P256': Specifies ECDSA with curve P256.
    • 'ECDSA_P384': Specifies ECDSA with curve P384. Possible values: ["RSA_2048", "RSA_3072", "RSA_4096", "ECDSA_P256", "ECDSA_P384"]
    Lifetime string
    Lifetime of the workload certificates issued by the CA pool in seconds. Must be between '86400s' (24 hours) to '2592000s' (30 days), ends in the suffix "'s'" (indicating seconds) and is preceded by the number of seconds. If unspecified, this will be defaulted to '86400s' (24 hours).
    RotationWindowPercentage int
    Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between '50' - '80'. If unspecified, this will be defaulted to '50'.
    caPools Map<String,String>
    A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

    • Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
    • Value format: A valid CA pool resource path format like: 'projects/{project}/locations/{location}/caPools/{ca_pool}'
    • Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
    keyAlgorithm String
    Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to 'ECDSA_P256'.

    • 'RSA_2048': Specifies RSA with a 2048-bit modulus.
    • 'RSA_3072': Specifies RSA with a 3072-bit modulus.
    • 'RSA_4096': Specifies RSA with a 4096-bit modulus.
    • 'ECDSA_P256': Specifies ECDSA with curve P256.
    • 'ECDSA_P384': Specifies ECDSA with curve P384. Possible values: ["RSA_2048", "RSA_3072", "RSA_4096", "ECDSA_P256", "ECDSA_P384"]
    lifetime String
    Lifetime of the workload certificates issued by the CA pool in seconds. Must be between '86400s' (24 hours) to '2592000s' (30 days), ends in the suffix "'s'" (indicating seconds) and is preceded by the number of seconds. If unspecified, this will be defaulted to '86400s' (24 hours).
    rotationWindowPercentage Integer
    Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between '50' - '80'. If unspecified, this will be defaulted to '50'.
    caPools {[key: string]: string}
    A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

    • Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
    • Value format: A valid CA pool resource path format like: 'projects/{project}/locations/{location}/caPools/{ca_pool}'
    • Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
    keyAlgorithm string
    Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to 'ECDSA_P256'.

    • 'RSA_2048': Specifies RSA with a 2048-bit modulus.
    • 'RSA_3072': Specifies RSA with a 3072-bit modulus.
    • 'RSA_4096': Specifies RSA with a 4096-bit modulus.
    • 'ECDSA_P256': Specifies ECDSA with curve P256.
    • 'ECDSA_P384': Specifies ECDSA with curve P384. Possible values: ["RSA_2048", "RSA_3072", "RSA_4096", "ECDSA_P256", "ECDSA_P384"]
    lifetime string
    Lifetime of the workload certificates issued by the CA pool in seconds. Must be between '86400s' (24 hours) to '2592000s' (30 days), ends in the suffix "'s'" (indicating seconds) and is preceded by the number of seconds. If unspecified, this will be defaulted to '86400s' (24 hours).
    rotationWindowPercentage number
    Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between '50' - '80'. If unspecified, this will be defaulted to '50'.
    ca_pools Mapping[str, str]
    A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

    • Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
    • Value format: A valid CA pool resource path format like: 'projects/{project}/locations/{location}/caPools/{ca_pool}'
    • Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
    key_algorithm str
    Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to 'ECDSA_P256'.

    • 'RSA_2048': Specifies RSA with a 2048-bit modulus.
    • 'RSA_3072': Specifies RSA with a 3072-bit modulus.
    • 'RSA_4096': Specifies RSA with a 4096-bit modulus.
    • 'ECDSA_P256': Specifies ECDSA with curve P256.
    • 'ECDSA_P384': Specifies ECDSA with curve P384. Possible values: ["RSA_2048", "RSA_3072", "RSA_4096", "ECDSA_P256", "ECDSA_P384"]
    lifetime str
    Lifetime of the workload certificates issued by the CA pool in seconds. Must be between '86400s' (24 hours) to '2592000s' (30 days), ends in the suffix "'s'" (indicating seconds) and is preceded by the number of seconds. If unspecified, this will be defaulted to '86400s' (24 hours).
    rotation_window_percentage int
    Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between '50' - '80'. If unspecified, this will be defaulted to '50'.
    caPools Map<String>
    A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints:

    • Key format: A supported cloud region name equivalent to the location identifier in the corresponding map entry's value.
    • Value format: A valid CA pool resource path format like: 'projects/{project}/locations/{location}/caPools/{ca_pool}'
    • Region Matching: Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key).
    keyAlgorithm String
    Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to 'ECDSA_P256'.

    • 'RSA_2048': Specifies RSA with a 2048-bit modulus.
    • 'RSA_3072': Specifies RSA with a 3072-bit modulus.
    • 'RSA_4096': Specifies RSA with a 4096-bit modulus.
    • 'ECDSA_P256': Specifies ECDSA with curve P256.
    • 'ECDSA_P384': Specifies ECDSA with curve P384. Possible values: ["RSA_2048", "RSA_3072", "RSA_4096", "ECDSA_P256", "ECDSA_P384"]
    lifetime String
    Lifetime of the workload certificates issued by the CA pool in seconds. Must be between '86400s' (24 hours) to '2592000s' (30 days), ends in the suffix "'s'" (indicating seconds) and is preceded by the number of seconds. If unspecified, this will be defaulted to '86400s' (24 hours).
    rotationWindowPercentage Number
    Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between '50' - '80'. If unspecified, this will be defaulted to '50'.

    GetWorkloadIdentityPoolInlineTrustConfig

    AdditionalTrustBundles List<GetWorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle>

    Maps specific trust domains (e.g., "example.com") to their corresponding 'TrustStore' objects, which contain the trusted root certificates for that domain. There can be a maximum of '10' trust domain entries in this map.

    Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this 'WorkloadIdentityPool''s trust domain contains any trust anchors in the 'additional_trust_bundles' map, those trust anchors will be appended to the Trust Bundle automatically derived from your 'InlineCertificateIssuanceConfig''s 'ca_pools'.

    AdditionalTrustBundles []GetWorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle

    Maps specific trust domains (e.g., "example.com") to their corresponding 'TrustStore' objects, which contain the trusted root certificates for that domain. There can be a maximum of '10' trust domain entries in this map.

    Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this 'WorkloadIdentityPool''s trust domain contains any trust anchors in the 'additional_trust_bundles' map, those trust anchors will be appended to the Trust Bundle automatically derived from your 'InlineCertificateIssuanceConfig''s 'ca_pools'.

    additionalTrustBundles List<GetWorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle>

    Maps specific trust domains (e.g., "example.com") to their corresponding 'TrustStore' objects, which contain the trusted root certificates for that domain. There can be a maximum of '10' trust domain entries in this map.

    Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this 'WorkloadIdentityPool''s trust domain contains any trust anchors in the 'additional_trust_bundles' map, those trust anchors will be appended to the Trust Bundle automatically derived from your 'InlineCertificateIssuanceConfig''s 'ca_pools'.

    additionalTrustBundles GetWorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle[]

    Maps specific trust domains (e.g., "example.com") to their corresponding 'TrustStore' objects, which contain the trusted root certificates for that domain. There can be a maximum of '10' trust domain entries in this map.

    Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this 'WorkloadIdentityPool''s trust domain contains any trust anchors in the 'additional_trust_bundles' map, those trust anchors will be appended to the Trust Bundle automatically derived from your 'InlineCertificateIssuanceConfig''s 'ca_pools'.

    additional_trust_bundles Sequence[GetWorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle]

    Maps specific trust domains (e.g., "example.com") to their corresponding 'TrustStore' objects, which contain the trusted root certificates for that domain. There can be a maximum of '10' trust domain entries in this map.

    Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this 'WorkloadIdentityPool''s trust domain contains any trust anchors in the 'additional_trust_bundles' map, those trust anchors will be appended to the Trust Bundle automatically derived from your 'InlineCertificateIssuanceConfig''s 'ca_pools'.

    additionalTrustBundles List<Property Map>

    Maps specific trust domains (e.g., "example.com") to their corresponding 'TrustStore' objects, which contain the trusted root certificates for that domain. There can be a maximum of '10' trust domain entries in this map.

    Note that a trust domain automatically trusts itself and does not need to be specified here. If, however, this 'WorkloadIdentityPool''s trust domain contains any trust anchors in the 'additional_trust_bundles' map, those trust anchors will be appended to the Trust Bundle automatically derived from your 'InlineCertificateIssuanceConfig''s 'ca_pools'.

    GetWorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundle

    TrustAnchors List<GetWorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor>
    List of Trust Anchors to be used while performing validation against a given 'TrustStore'. The incoming end entity's certificate must be chained up to one of the trust anchors here.
    TrustDomain string
    TrustAnchors []GetWorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor
    List of Trust Anchors to be used while performing validation against a given 'TrustStore'. The incoming end entity's certificate must be chained up to one of the trust anchors here.
    TrustDomain string
    trustAnchors List<GetWorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor>
    List of Trust Anchors to be used while performing validation against a given 'TrustStore'. The incoming end entity's certificate must be chained up to one of the trust anchors here.
    trustDomain String
    trustAnchors GetWorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor[]
    List of Trust Anchors to be used while performing validation against a given 'TrustStore'. The incoming end entity's certificate must be chained up to one of the trust anchors here.
    trustDomain string
    trust_anchors Sequence[GetWorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor]
    List of Trust Anchors to be used while performing validation against a given 'TrustStore'. The incoming end entity's certificate must be chained up to one of the trust anchors here.
    trust_domain str
    trustAnchors List<Property Map>
    List of Trust Anchors to be used while performing validation against a given 'TrustStore'. The incoming end entity's certificate must be chained up to one of the trust anchors here.
    trustDomain String

    GetWorkloadIdentityPoolInlineTrustConfigAdditionalTrustBundleTrustAnchor

    PemCertificate string
    PEM certificate of the PKI used for validation. Must contain only one CA certificate (either a root or an intermediate certificate).
    PemCertificate string
    PEM certificate of the PKI used for validation. Must contain only one CA certificate (either a root or an intermediate certificate).
    pemCertificate String
    PEM certificate of the PKI used for validation. Must contain only one CA certificate (either a root or an intermediate certificate).
    pemCertificate string
    PEM certificate of the PKI used for validation. Must contain only one CA certificate (either a root or an intermediate certificate).
    pem_certificate str
    PEM certificate of the PKI used for validation. Must contain only one CA certificate (either a root or an intermediate certificate).
    pemCertificate String
    PEM certificate of the PKI used for validation. Must contain only one CA certificate (either a root or an intermediate certificate).

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.