Complete the code to create a Workload Identity Pool in Google Cloud.
gcloud iam workload-identity-pools create [1] --location="global" --display-name="My Pool"
The command requires the name of the Workload Identity Pool to create. "my-pool-123" is a valid pool name.
Complete the code to create a Workload Identity Provider inside the pool.
gcloud iam workload-identity-pools providers create-oidc [1] --workload-identity-pool="my-pool-123" --issuer-uri="https://accounts.google.com" --location="global" --display-name="Google OIDC Provider"
The provider name must be specified when creating a Workload Identity Provider. "google-provider" is a valid name.
Fix the error in the command to bind a service account to the workload identity pool provider.
gcloud iam service-accounts add-iam-policy-binding my-service-account@my-project.iam.gserviceaccount.com --role="roles/iam.workloadIdentityUser" --member="principalSet://iam.googleapis.com/projects/[1]/locations/global/workloadIdentityPools/my-pool-123/attribute.repository/my-repo"
The project number or ID must be used in the member string to correctly identify the project context.
Fill both blanks to configure the attribute mapping for the workload identity provider.
gcloud iam workload-identity-pools providers update-oidc google-provider --workload-identity-pool=my-pool-123 --location=global --attribute-mapping="google.subject=[1],attribute.repository=[2]"
The attribute mapping is built from claims in the OIDC token: "assertion.sub" maps to google.subject and "assertion.repository" maps to attribute.repository.
Fill all three blanks to create a service account key and configure the environment variable for authentication.
gcloud iam service-accounts keys create [1] --iam-account=[2]@my-project.iam.gserviceaccount.com
export GOOGLE_APPLICATION_CREDENTIALS=[3]
The key file is created as 'key.json', the service account is 'my-service-account', and the environment variable points to the key file path '/home/user/key.json'.