SrSSKJr SSKJr SSKJr SSKrSSKJr SSKJr SSK J r SS K J r \R"S S \R55rg) zVCommand to create a configuration file to allow authentication from 3rd party sources.)absolute_import)division)unicode_literalsN)base) exceptions)flags) cred_configc\\rSrSrSrS\R "S50r\S5r Sr Sr Sr g ) CreateCredConfigzCreate a configuration file for generated credentials. This command creates a configuration file to allow access to authenticated Google Cloud actions from a variety of external accounts. EXAMPLESa To create a file-sourced credential configuration for your project, run: $ {command} projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --credential-source-file=$PATH_TO_OIDC_ID_TOKEN --output-file=credentials.json To create a URL-sourced credential configuration for your project, run: $ {command} projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --credential-source-url=$URL_FOR_OIDC_TOKEN --credential-source-headers=Key=Value --output-file=credentials.json To create an executable-source credential configuration for your project, run the following command: $ {command} locations/$REGION/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID --executable-command=$EXECUTABLE_COMMAND --executable-timeout-millis=30000 --executable-output-file=$CACHE_FILE --output-file=credentials.json To create an AWS-based credential configuration for your project, run: $ {command} projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --aws --enable-imdsv2 --output-file=credentials.json To create an Azure-based credential configuration for your project, run: $ {command} projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --azure --app-id-uri=$URI_FOR_AZURE_APP_ID --output-file=credentials.json To create an X.509 certificate-based credential configuration for your project, run: $ {command} projects/$PROJECT_NUMBER/locations/$REGION/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID --service-account=$EMAIL --credential-cert-path=$PATH_TO_CERTIFICATE_FILE --credential-cert-private-key-path=$PATH_TO_PRIVATE_KEY_FILE --output-file=credentials.json To use the resulting file for any of these commands, set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the generated file cj[R"U[RR5 UR SSS9 UR SSSS9nUR SSS9 UR S S S9 UR S S S9 UR S SSS9 UR SSSS9 UR SSS9 UR SSS9 UR SSS9 UR SSSS9 UR SS9nUR SSSS9 UR SS S9 UR S!S"S9 UR S#S$S9 g)%Naudiencez?The workload identity pool provider fully qualified identifier.)helpTzCredential types.)mutexrequiredrz--credential-source-filez'Location of the credential source file.z--credential-source-urlz"URL to obtain the credential from.z--executable-commandzqThe full command to run to retrieve the credential. Must be an absolute path for the program including arguments.z--awszUse AWS. store_true)ractionz--azurez Use Azure.z--credential-cert-pathz#Path of the X.509 certificate file.z--subject-token-typezfThe type of token being used for authorization. This defaults to urn:ietf:params:oauth:token-type:jwt.z --app-id-uriz9The custom Application ID URI for the Azure access token.z--enable-imdsv2z^Adds the AWS IMDSv2 session token Url to the credential source to enforce the AWS IMDSv2 flow.z:Arguments for an X.509 certificate type credential source.z"--credential-cert-private-key-pathz#Path of the X.509 private key file.)rrz+--credential-cert-configuration-output-filezPath for the certificate configuration file. If specified, a certificate configuration file will be created at the specified path. If not specified, the certificate configuration will be created at the default gcloud location.z"--credential-cert-trust-chain-patha:Path for the trust chain file. A trust chain file is required if there are intermediate certificates in the certificate chain in between the root certificate stored in the workload identity pool provider trust store. This trust chain file should be a list of PEM certificates, with the leaf certificate at the top.z--sts-locationa The location to use for the Security Token Service token endpoint. For example, specifying `us-central1` will configure the client to use the regional endpoint `sts.us-central1.rep.googleapis.com`. If not specified, the global endpoint `sts.googleapis.com` is used.)rAddCommonByoidCreateConfigFlagsr ConfigTypeWORKLOAD_IDENTITY_POOLS add_argument add_group)clsparsercredential_typescertificate_argss =lib/surface/iam/workload_identity_pools/create_cred_config.pyArgsCreateCredConfig.ArgsCs )) &&>>@  N ''T(;(!!" 6"!!!(L"!! B"!!' <!P!! \"!! 'L"  C   H  , '' I(!!, 2" !!5 7"!!, J"   < cUR(a'UR(d[R"S5eUR(a'UR (d[R"S5eUR (a[UR S:waJUR (d"UR(dUR(a[R"S5eggg)Nz9--enable-imdsv2 can be used only for AWS credential typeszZ--credential-cert-private-key-path can be used only for X.509 certificate credential typesglobalzuWorkload Identity Federation with X.509 certificates is not supported on locational Security Token Service endpoints.) enable_imdsv2awsrConflictingArgumentsException credential_cert_private_key_pathcredential_cert_path sts_location credential_cert_trust_chain_pathselfargss r _ValidateArgsCreateCredConfig._ValidateArgss $((  4 4 E  ,,T5N5N  4 4 *  d//8; !!  0 0  0 0  4 4 G  1<r!cURU5 [R"U[RR5 g)N)r.r create_credential_configrrr+s rRunCreateCredConfig.Runs/t(( k$$<<r!N) __name__ __module__ __qualname____firstlineno____doc__textwrapdedent detailed_help classmethodrr.r2__static_attributes__r4r!rr r sD(//#-<[[z*r!r )r9 __future__rrrr:googlecloudsdk.callioperrgooglecloudsdk.command_lib.iamr.googlecloudsdk.command_lib.iam.byoid_utilitiesr UniverseCompatible CreateCommandr r4r!rrEsM]&'(.0F\t))\\r!