IdentityPlatformConfig
Property | Value |
---|---|
Google Cloud Service Name | Identity Platform |
Google Cloud Service Documentation | /identity-platform/docs/ |
Google Cloud REST Resource Name | v2.projects |
Google Cloud REST Resource Documentation | /identity-platform/docs/reference/rest/v2/Config |
Config Connector Resource Short Names | IdentityPlatformConfig gcpidentityplatformconfig gcpidentityplatformconfigs identityplatformconfig |
Config Connector Service Name | identitytoolkit.googleapis.com |
Config Connector Resource Fully Qualified Name | identityplatformconfigs.identityplatform.cnrm.cloud.google.com |
Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
Config Connector Default Average Reconcile Interval In Seconds | 600 |
Custom Resource Definition Properties
Spec
Schema
```yaml
authorizedDomains:
- string
blockingFunctions:
  triggers:
    string: object
client:
  permissions:
    disabledUserDeletion: boolean
    disabledUserSignup: boolean
mfa:
  state: string
monitoring:
  requestLogging:
    enabled: boolean
multiTenant:
  allowTenants: boolean
  defaultTenantLocationRef:
    external: string
    kind: string
    name: string
    namespace: string
notification:
  defaultLocale: string
  sendEmail:
    callbackUri: string
    changeEmailTemplate:
      body: string
      bodyFormat: string
      replyTo: string
      senderDisplayName: string
      senderLocalPart: string
      subject: string
    dnsInfo:
      useCustomDomain: boolean
    method: string
    resetPasswordTemplate:
      body: string
      bodyFormat: string
      replyTo: string
      senderDisplayName: string
      senderLocalPart: string
      subject: string
    revertSecondFactorAdditionTemplate:
      body: string
      bodyFormat: string
      replyTo: string
      senderDisplayName: string
      senderLocalPart: string
      subject: string
    smtp:
      host: string
      password:
        value: string
        valueFrom:
          secretKeyRef:
            key: string
            name: string
      port: integer
      securityMode: string
      senderEmail: string
      username: string
    verifyEmailTemplate:
      body: string
      bodyFormat: string
      replyTo: string
      senderDisplayName: string
      senderLocalPart: string
      subject: string
  sendSms:
    useDeviceLocale: boolean
projectRef:
  external: string
  name: string
  namespace: string
quota:
  signUpQuotaConfig:
    quota: integer
    quotaDuration: string
    startTime: string
signIn:
  allowDuplicateEmails: boolean
  anonymous:
    enabled: boolean
  email:
    enabled: boolean
    passwordRequired: boolean
  phoneNumber:
    enabled: boolean
    testPhoneNumbers:
      string: string
```
Field | Required | Description |
---|---|---|
authorizedDomains | Optional | List of domains authorized for OAuth redirects |
authorizedDomains[] | Optional | |
blockingFunctions | Optional | Configuration related to blocking functions. |
blockingFunctions.triggers | Optional | Map of Trigger to event type. Key should be one of the supported event types: "beforeCreate", "beforeSignIn" |
client | Optional | Options related to how clients making requests on behalf of a project should be configured. |
client.permissions | Optional | Configuration related to restricting a user's ability to affect their account. |
client.permissions.disabledUserDeletion | Optional | When true, end users cannot delete their account on the associated project through any of our API methods |
client.permissions.disabledUserSignup | Optional | When true, end users cannot sign up for a new account on the associated project through any of our API methods |
mfa | Optional | Configuration for this project's multi-factor authentication, including whether it is active and what factors can be used for the second factor |
mfa.state | Optional | Whether MultiFactor Authentication has been enabled for this project. Possible values: STATE_UNSPECIFIED, DISABLED, ENABLED, MANDATORY |
monitoring | Optional | Configuration related to monitoring project activity. |
monitoring.requestLogging | Optional | Configuration for logging requests made to this project to Stackdriver Logging |
monitoring.requestLogging.enabled | Optional | Whether logging is enabled for this project or not. |
multiTenant | Optional | Configuration related to multi-tenant functionality. |
multiTenant.allowTenants | Optional | Whether this project can have tenants or not. |
multiTenant.defaultTenantLocationRef | Optional | |
multiTenant.defaultTenantLocationRef.external | Optional | The default cloud parent org or folder that the tenant project should be created under. The parent resource name should be in the format of " |
multiTenant.defaultTenantLocationRef.kind | Optional | Kind of the referent. Allowed values: Folder |
multiTenant.defaultTenantLocationRef.name | Optional | [WARNING] Organization not yet supported in Config Connector, use 'external' field to reference existing resources. Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
multiTenant.defaultTenantLocationRef.namespace | Optional | Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
notification | Optional | Configuration related to sending notifications to users. |
notification.defaultLocale | Optional | Default locale used for email and SMS in IETF BCP 47 format. |
notification.sendEmail | Optional | Options for email sending. |
notification.sendEmail.callbackUri | Optional | Action URL in email template. |
notification.sendEmail.changeEmailTemplate | Optional | Email template for change email |
notification.sendEmail.changeEmailTemplate.body | Optional | Immutable. Email body |
notification.sendEmail.changeEmailTemplate.bodyFormat | Optional | Email body format. Possible values: BODY_FORMAT_UNSPECIFIED, PLAIN_TEXT, HTML |
notification.sendEmail.changeEmailTemplate.replyTo | Optional | Reply-to address |
notification.sendEmail.changeEmailTemplate.senderDisplayName | Optional | Sender display name |
notification.sendEmail.changeEmailTemplate.senderLocalPart | Optional | Local part of From address |
notification.sendEmail.changeEmailTemplate.subject | Optional | Subject of the email |
notification.sendEmail.dnsInfo | Optional | Information of custom domain DNS verification. |
notification.sendEmail.dnsInfo.useCustomDomain | Optional | Whether to use custom domain. |
notification.sendEmail.method | Optional | The method used for sending an email. Possible values: METHOD_UNSPECIFIED, DEFAULT, CUSTOM_SMTP |
notification.sendEmail.resetPasswordTemplate | Optional | Email template for reset password |
notification.sendEmail.resetPasswordTemplate.body | Optional | Email body |
notification.sendEmail.resetPasswordTemplate.bodyFormat | Optional | Email body format. Possible values: BODY_FORMAT_UNSPECIFIED, PLAIN_TEXT, HTML |
notification.sendEmail.resetPasswordTemplate.replyTo | Optional | Reply-to address |
notification.sendEmail.resetPasswordTemplate.senderDisplayName | Optional | Sender display name |
notification.sendEmail.resetPasswordTemplate.senderLocalPart | Optional | Local part of From address |
notification.sendEmail.resetPasswordTemplate.subject | Optional | Subject of the email |
notification.sendEmail.revertSecondFactorAdditionTemplate | Optional | Email template for reverting second factor addition emails |
notification.sendEmail.revertSecondFactorAdditionTemplate.body | Optional | Immutable. Email body |
notification.sendEmail.revertSecondFactorAdditionTemplate.bodyFormat | Optional | Email body format. Possible values: BODY_FORMAT_UNSPECIFIED, PLAIN_TEXT, HTML |
notification.sendEmail.revertSecondFactorAdditionTemplate.replyTo | Optional | Reply-to address |
notification.sendEmail.revertSecondFactorAdditionTemplate.senderDisplayName | Optional | Sender display name |
notification.sendEmail.revertSecondFactorAdditionTemplate.senderLocalPart | Optional | Local part of From address |
notification.sendEmail.revertSecondFactorAdditionTemplate.subject | Optional | Subject of the email |
notification.sendEmail.smtp | Optional | Use a custom SMTP relay |
notification.sendEmail.smtp.host | Optional | SMTP relay host |
notification.sendEmail.smtp.password | Optional | SMTP relay password |
notification.sendEmail.smtp.password.value | Optional | Value of the field. Cannot be used if 'valueFrom' is specified. |
notification.sendEmail.smtp.password.valueFrom | Optional | Source for the field's value. Cannot be used if 'value' is specified. |
notification.sendEmail.smtp.password.valueFrom.secretKeyRef | Optional | Reference to a value with the given key in the given Secret in the resource's namespace. |
notification.sendEmail.smtp.password.valueFrom.secretKeyRef.key | Required* | Key that identifies the value to be extracted. |
notification.sendEmail.smtp.password.valueFrom.secretKeyRef.name | Required* | Name of the Secret to extract a value from. |
notification.sendEmail.smtp.port | Optional | SMTP relay port |
notification.sendEmail.smtp.securityMode | Optional | SMTP security mode. Possible values: SECURITY_MODE_UNSPECIFIED, SSL, START_TLS |
notification.sendEmail.smtp.senderEmail | Optional | Sender email for the SMTP relay |
notification.sendEmail.smtp.username | Optional | SMTP relay username |
notification.sendEmail.verifyEmailTemplate | Optional | Email template for verify email |
notification.sendEmail.verifyEmailTemplate.body | Optional | Immutable. Email body |
notification.sendEmail.verifyEmailTemplate.bodyFormat | Optional | Email body format. Possible values: BODY_FORMAT_UNSPECIFIED, PLAIN_TEXT, HTML |
notification.sendEmail.verifyEmailTemplate.replyTo | Optional | Reply-to address |
notification.sendEmail.verifyEmailTemplate.senderDisplayName | Optional | Sender display name |
notification.sendEmail.verifyEmailTemplate.senderLocalPart | Optional | Local part of From address |
notification.sendEmail.verifyEmailTemplate.subject | Optional | Subject of the email |
notification.sendSms | Optional | Options for SMS sending. |
notification.sendSms.useDeviceLocale | Optional | Whether to use the accept_language header for SMS. |
projectRef | Required | Immutable. The Project that this resource belongs to. |
projectRef.external | Optional | The project of the resource. Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`). |
projectRef.name | Optional | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
projectRef.namespace | Optional | Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
quota | Optional | Configuration related to quotas. |
quota.signUpQuotaConfig | Optional | Quota for the Signup endpoint, if overwritten. Signup quota is measured in sign ups per project per hour per IP. |
quota.signUpQuotaConfig.quota | Optional | Corresponds to the 'refill_token_count' field in QuotaServer config |
quota.signUpQuotaConfig.quotaDuration | Optional | How long this quota will be active for |
quota.signUpQuotaConfig.startTime | Optional | When this quota will take effect |
signIn | Optional | Configuration related to local sign in methods. |
signIn.allowDuplicateEmails | Optional | Whether to allow more than one account to have the same email. |
signIn.anonymous | Optional | Configuration options related to authenticating an anonymous user. |
signIn.anonymous.enabled | Optional | Whether anonymous user auth is enabled for the project or not. |
signIn.email | Optional | Configuration options related to authenticating a user by their email address. |
signIn.email.enabled | Optional | Whether email auth is enabled for the project or not. |
signIn.email.passwordRequired | Optional | Whether a password is required for email auth or not. If true, both an email and password must be provided to sign in. If false, a user may sign in via either email/password or email link. |
signIn.phoneNumber | Optional | Configuration options related to authenticating a user by their phone number. |
signIn.phoneNumber.enabled | Optional | Whether phone number auth is enabled for the project or not. |
signIn.phoneNumber.testPhoneNumbers | Optional | A map of test phone number to fake verification code that can be used for phone auth testing. |
* Field is required when parent field is specified
Status
Schema
```yaml
client:
  apiKey: string
  firebaseSubdomain: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
notification:
  sendEmail:
    changeEmailTemplate:
      customized: boolean
    dnsInfo:
      customDomain: string
      customDomainState: string
      domainVerificationRequestTime: string
      pendingCustomDomain: string
    resetPasswordTemplate:
      customized: boolean
    revertSecondFactorAdditionTemplate:
      customized: boolean
    verifyEmailTemplate:
      customized: boolean
  sendSms:
    smsTemplate:
      content: string
observedGeneration: integer
signIn:
  email:
    hashConfig:
      algorithm: string
      memoryCost: integer
      rounds: integer
      saltSeparator: string
      signerKey: string
  hashConfig:
    algorithm: string
    memoryCost: integer
    rounds: integer
    saltSeparator: string
    signerKey: string
subtype: string
```
Field | Description |
---|---|
client | |
client.apiKey | Output only. API key that can be used when making requests for this project. |
client.firebaseSubdomain | Output only. Firebase subdomain. |
conditions | Conditions represent the latest available observation of the resource's current state. |
conditions[] | |
conditions[].lastTransitionTime | Last time the condition transitioned from one status to another. |
conditions[].message | Human-readable message indicating details about last transition. |
conditions[].reason | Unique, one-word, CamelCase reason for the condition's last transition. |
conditions[].status | Status is the status of the condition. Can be True, False, Unknown. |
conditions[].type | Type is the type of the condition. |
notification | |
notification.sendEmail | |
notification.sendEmail.changeEmailTemplate | |
notification.sendEmail.changeEmailTemplate.customized | Output only. Whether the body or subject of the email is customized. |
notification.sendEmail.dnsInfo | |
notification.sendEmail.dnsInfo.customDomain | Output only. The applied verified custom domain. |
notification.sendEmail.dnsInfo.customDomainState | Output only. The current verification state of the custom domain. The custom domain will only be used once the domain verification is successful. Possible values: VERIFICATION_STATE_UNSPECIFIED, NOT_STARTED, IN_PROGRESS, FAILED, SUCCEEDED |
notification.sendEmail.dnsInfo.domainVerificationRequestTime | Output only. The timestamp of initial request for the current domain verification. |
notification.sendEmail.dnsInfo.pendingCustomDomain | Output only. The custom domain that's to be verified. |
notification.sendEmail.resetPasswordTemplate | |
notification.sendEmail.resetPasswordTemplate.customized | Output only. Whether the body or subject of the email is customized. |
notification.sendEmail.revertSecondFactorAdditionTemplate | |
notification.sendEmail.revertSecondFactorAdditionTemplate.customized | Output only. Whether the body or subject of the email is customized. |
notification.sendEmail.verifyEmailTemplate | |
notification.sendEmail.verifyEmailTemplate.customized | Output only. Whether the body or subject of the email is customized. |
notification.sendSms | |
notification.sendSms.smsTemplate | Output only. The template to use when sending an SMS. |
notification.sendSms.smsTemplate.content | Output only. The SMS's content. Can contain the following placeholders which will be replaced with the appropriate values: %APP_NAME% - For Android or iOS apps, the app's display name. For web apps, the domain hosting the application. %LOGIN_CODE% - The OOB code being sent in the SMS. |
observedGeneration | ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. |
signIn | |
signIn.email | |
signIn.email.hashConfig | Output only. Hash config information. |
signIn.email.hashConfig.algorithm | Output only. Different password hash algorithms used in Identity Toolkit. Possible values: HASH_ALGORITHM_UNSPECIFIED, HMAC_SHA256, HMAC_SHA1, HMAC_MD5, SCRYPT, PBKDF_SHA1, MD5, HMAC_SHA512, SHA1, BCRYPT, PBKDF2_SHA256, SHA256, SHA512, STANDARD_SCRYPT |
signIn.email.hashConfig.memoryCost | Output only. Memory cost for hash calculation. Used by scrypt and other similar password derivation algorithms. See https://tools.ietf.org/html/rfc7914 for explanation of field. |
signIn.email.hashConfig.rounds | Output only. How many rounds for hash calculation. Used by scrypt and other similar password derivation algorithms. |
signIn.email.hashConfig.saltSeparator | Output only. Non-printable character to be inserted between the salt and plain text password in base64. |
signIn.email.hashConfig.signerKey | Output only. Signer key in base64. |
signIn.hashConfig | Output only. Hash config information. |
signIn.hashConfig.algorithm | Output only. Different password hash algorithms used in Identity Toolkit. Possible values: HASH_ALGORITHM_UNSPECIFIED, HMAC_SHA256, HMAC_SHA1, HMAC_MD5, SCRYPT, PBKDF_SHA1, MD5, HMAC_SHA512, SHA1, BCRYPT, PBKDF2_SHA256, SHA256, SHA512, STANDARD_SCRYPT |
signIn.hashConfig.memoryCost | Output only. Memory cost for hash calculation. Used by scrypt and other similar password derivation algorithms. See https://tools.ietf.org/html/rfc7914 for explanation of field. |
signIn.hashConfig.rounds | Output only. How many rounds for hash calculation. Used by scrypt and other similar password derivation algorithms. |
signIn.hashConfig.saltSeparator | Output only. Non-printable character to be inserted between the salt and plain text password in base64. |
signIn.hashConfig.signerKey | Output only. Signer key in base64. |
subtype | Output only. The subtype of this config. Possible values: SUBTYPE_UNSPECIFIED, IDENTITY_PLATFORM, FIREBASE_AUTH |
Sample YAML(s)
Typical Use Case
```yaml
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: identityplatform.cnrm.cloud.google.com/v1beta1
kind: IdentityPlatformConfig
metadata:
  name: identityplatformconfig-sample
spec:
  projectRef:
    # Replace "${PROJECT_ID?}" with your project ID
    external: "projects/${PROJECT_ID?}"
  signIn:
    email:
      enabled: true
      passwordRequired: true
    phoneNumber:
      enabled: true
      testPhoneNumbers:
        "+1 555-555-5555": "000000"
    anonymous:
      enabled: true
    allowDuplicateEmails: true
  notification:
    sendEmail:
      method: "CUSTOM_SMTP"
      smtp:
        senderEmail: "magic-modules-guitar-testing@system.gserviceaccount.com"
        host: "system.gserviceaccount.com"
        port: 8080
        username: "sample-username"
        password:
          value: "sample-password"
        securityMode: "SSL"
      resetPasswordTemplate:
        senderLocalPart: "noreply"
        subject: "Reset your password for %APP_NAME%"
        senderDisplayName: "DCL Team"
        body: "<p>Hello,</p>\n<p>Follow this link to reset your %APP_NAME% password\
          \ for your %EMAIL% account.</p>\n<p><a href='%LINK%'>%LINK%</a></p>\n<p>If\
          \ you didn’t ask to reset your password, you can ignore this email.</p>\n\
          <p>Thanks,</p>\n<p>Your %APP_NAME% team</p>"
        bodyFormat: "PLAIN_TEXT"
        replyTo: "noreply"
      verifyEmailTemplate:
        senderLocalPart: "noreply"
        subject: "Verify your email for %APP_NAME%"
        senderDisplayName: "DCL Team"
        body: "<p>Hello %DISPLAY_NAME%,</p>\n<p>Follow this link to verify your email\
          \ address.</p>\n<p><a href='%LINK%'>%LINK%</a></p>\n<p>If you didn’t ask\
          \ to verify this address, you can ignore this email.</p>\n<p>Thanks,</p>\n\
          <p>Your %APP_NAME% team</p>"
        bodyFormat: "PLAIN_TEXT"
        replyTo: "noreply"
      changeEmailTemplate:
        senderLocalPart: "noreply"
        subject: "Your sign-in email was changed for %APP_NAME%"
        senderDisplayName: "DCL Team"
        body: "<p>Hello %DISPLAY_NAME%,</p>\n<p>Your sign-in email for %APP_NAME%\
          \ was changed to %NEW_EMAIL%.</p>\n<p>If you didn’t ask to change your email,\
          \ follow this link to reset your sign-in email.</p>\n<p><a href='%LINK%'>%LINK%</a></p>\n\
          <p>Thanks,</p>\n<p>Your %APP_NAME% team</p>"
        bodyFormat: "PLAIN_TEXT"
        replyTo: "noreply"
      callbackUri: "https://config-connector-sample.firebaseapp.com/__/auth/action"
      dnsInfo:
        useCustomDomain: true
      revertSecondFactorAdditionTemplate:
        senderLocalPart: "noreply"
        subject: "You've added 2 step verification to your %APP_NAME% account."
        senderDisplayName: "DCL Team"
        body: "<p>Hello %DISPLAY_NAME%,</p>\n<p>Your account in %APP_NAME% has been\
          \ updated with a phone number %SECOND_FACTOR% for 2-step verification.</p>\n\
          <p>If you didn't add this phone number for 2-step verification, click the\
          \ link below to remove it.</p>\n<p><a href='%LINK%'>%LINK%</a></p>\n<p>Thanks,</p>\n\
          <p>Your %APP_NAME% team</p>"
        bodyFormat: "PLAIN_TEXT"
        replyTo: "noreply"
    sendSms:
      useDeviceLocale: true
    defaultLocale: "en"
  quota:
    signUpQuotaConfig:
      quota: 1
      startTime: "2022-08-10T00:22:56.247547Z"
      quotaDuration: "604800s"
  monitoring:
    requestLogging:
      enabled: true
  multiTenant:
    allowTenants: true
    defaultTenantLocationRef:
      kind: Folder
      name: "identityplatformconfig-dep"
  authorizedDomains:
  - "localhost"
  - "config-connector-sample.firebaseapp.com"
  subtype: "IDENTITY_PLATFORM"
  client:
    permissions:
      disabledUserSignup: true
      disabledUserDeletion: true
  mfa:
    state: "ENABLED"
  blockingFunctions:
    triggers:
      beforeCreate:
        functionUriRef:
          name: "identityplatformconfig-dep"
        forwardInboundCredentials:
          idToken: true
          accessToken: true
          refreshToken: true
---
apiVersion: cloudfunctions.cnrm.cloud.google.com/v1beta1
kind: CloudFunctionsFunction
metadata:
  name: identityplatformconfig-dep
spec:
  region: "us-west2"
  runtime: "nodejs10"
  availableMemoryMb: 128
  sourceArchiveUrl: "gs://aaa-dont-delete-dcl-cloud-functions-testing/http_trigger.zip"
  timeout: "60s"
  entryPoint: "helloGET"
  ingressSettings: "ALLOW_INTERNAL_ONLY"
  maxInstances: 10
  httpsTrigger:
    securityLevel: "SECURE_OPTIONAL"
  projectRef:
    # Replace "${PROJECT_ID?}" with your project ID
    external: "projects/${PROJECT_ID?}"
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Folder
metadata:
  name: identityplatformconfig-dep
spec:
  displayName: Default Tenant Location
  organizationRef:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    external: "${ORG_ID?}"
```