Creating a Workload Identity Pool and Provider

  1. Log in to the GCP Console using administrative privileges.

  2. Select IAM & Admin -> Workload Identity Federation from the navigation menu.

  3. From the selector on the top, select the project where you want to create a workload identity pool.

  4. Click + CREATE POOL.

  5. On the Create Workload Identity Pool page, fill in the following:

    1. Enter the workload identity pool name and description and click CONTINUE.

    2. To add a provider to the pool, select OpenID Connect (OIDC) from the drop-down list and add the following provider details:

      1. Provider Name. The console derives the Provider ID from it; note the ID, because it becomes part of the provider's audience URL.

      2. Issuer URL for your tenant, which must start with https://, for example <TENANT_BASE_URL>/api/auth/sso/oauth2. This value must match the iss claim in the tokens your tenant issues, and GCP retrieves the tenant's signing keys through the OIDC discovery document at <Issuer URL>/.well-known/openid-configuration, so that endpoint must be reachable from Google.

      3. Under Audience, keep Default audience selected. The default audience has the form https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID, and tokens presented to this provider must carry exactly that value in their aud claim.

      4. Click CONTINUE.

    3. Add the following attribute mappings. google.subject is mandatory and is the identity GCP uses for the federated principal, so it must be mapped to a claim that uniquely identifies the user:

      1. google.subject → assertion.sub

      2. Click + ADD MAPPING.

      3. attribute.email → assertion.email

    4. Click SAVE.
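The same pool and provider can be created from the command line, which is easier to review and to keep in version control than console clicks. The script below is an added example and is not part of the original page; it reproduces the steps above with gcloud, keeps the default audience by not passing --allowed-audiences, and adds a preflight that checks the issuer URL the way the console will (https only, discovery document present with a matching issuer). PROJECT_ID, POOL_ID, PROVIDER_ID and TENANT_BASE_URL are assumed placeholder values.

```shell
#!/usr/bin/env bash
# Added example: create the Workload Identity Pool and OIDC provider with gcloud.
# Not from the original page. All four values below are assumed placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"                         # assumed
POOL_ID="${POOL_ID:-tenant-pool}"                                  # assumed
PROVIDER_ID="${PROVIDER_ID:-tenant-oidc}"                          # assumed
TENANT_BASE_URL="${TENANT_BASE_URL:-https://tenant.example.com}"   # assumed
ISSUER_URI="${TENANT_BASE_URL}/api/auth/sso/oauth2"

# Attribute mappings exactly as in the console steps above.
ATTRIBUTE_MAPPING="google.subject=assertion.sub,attribute.email=assertion.email"

# Default audience of a provider. Tokens sent to the provider must carry this
# value in their "aud" claim. Pure string building, so it is testable offline.
default_audience() {
  project_number="$1"; pool_id="$2"; provider_id="$3"
  printf 'https://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s' \
    "$project_number" "$pool_id" "$provider_id"
}

# The console rejects issuer URLs that are not https; mirror that check here.
check_issuer_scheme() {
  case "$1" in
    https://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# GCP fetches <issuer>/.well-known/openid-configuration and requires its
# "issuer" field to equal the configured issuer URL. Verify that before creating
# the provider, since a mismatch only surfaces later as failed token exchanges.
preflight_issuer() {
  issuer="$1"
  check_issuer_scheme "$issuer" || { echo "issuer must start with https://" >&2; return 1; }
  curl -fsS "${issuer}/.well-known/openid-configuration" \
    | grep -q "\"issuer\"[[:space:]]*:[[:space:]]*\"${issuer}\""
}

create_pool_and_provider() {
  gcloud iam workload-identity-pools create "$POOL_ID" \
    --project="$PROJECT_ID" --location=global \
    --display-name="$POOL_ID" \
    --description="Federation with ${TENANT_BASE_URL}"

  # No --allowed-audiences: the provider keeps its default audience.
  gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
    --project="$PROJECT_ID" --location=global \
    --workload-identity-pool="$POOL_ID" \
    --issuer-uri="$ISSUER_URI" \
    --attribute-mapping="$ATTRIBUTE_MAPPING"

  project_number="$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')"
  echo "Tokens from ${ISSUER_URI} must carry aud = $(default_audience "$project_number" "$POOL_ID" "$PROVIDER_ID")"
}

# Only touch GCP when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "apply" ]; then
  preflight_issuer "$ISSUER_URI"
  create_pool_and_provider
fi
```

Run it as `bash create-wif.sh apply` (file name assumed) with gcloud authenticated as an account that holds the Workload Identity Pool Admin role on the project. The audience it prints at the end is what you hand to the tenant side so that its tokens are minted for this provider and nothing else.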