# pulumi-deployments
d
okay, i finally figured it out:
• the `Project ID` field must have the numeric project ID
• The "Workload Pool ID" and "Identity provider ID" fields must each have just the short ID, not the fully-qualified `<//iam.googleapis.com/>...` or even `/projects/<project-number>/...`.

that's definitely what this comment says, i just didn't follow it. some help text on this would be super helpful....
l
Glad you were able to get it working! If you have ideas for how we could improve our GCP OIDC docs, contributions are welcome! https://github.com/pulumi/pulumi-hugo/blob/b21f99c1bb2a4e476226514ac477243d41b0286[…]fault/content/docs/pulumi-cloud/deployments/oidc/gcp.md?plain=1
d
sure! off the top of my head:
1. Clarify the format of the IDs in step 6: 'Enter the workload pool ID, identity provider ID, and service account email address in the “Workload Pool ID”, “Identity Provider ID”, and “Service Account Email Address” fields.'
2. perhaps bold "numerical" in step 5, just for those of us who can't read 🙂
3. this sentence is largely useless: "Recall the format of the subject claim when adding attribute conditions that check the value of the `google.subject` attribute." IOW: "figure it out bro." getting claims right is touchy and important, especially when you're probably dealing with full cloud admin; there should at least be some examples, not just a pointer to the reference docs
4. the fact that the instructions are all point-and-click console instructions to set up an IaC system is a little silly. these are useful and should exist but a set of pulumi scripts (even just sample scripts that require customization) would be far, far more useful. for instance, even once i'd figured out which workload provider ID to use, figuring out which ID and/or name attribute of the object to use in Pulumi was another trial-and-error process. (in part this is GCP's fault, for having so many different identifiers, but the docs could make it easier.) having an example to start from for plumbing together the various OIDC bits with Deployment Settings would have saved me a bunch of time and frustration.
5. literally every code snippet at https://www.pulumi.com/registry/packages/gcp/api-docs/iam/workloadidentitypoolprovider/#workloadidentitypoolprovideroidc appears to be copy-pasted from the same unrelated source. none of them are even vaguely related to the documentation, some are just `{}`, and they're a mix of at least three or four different languages.
6. the docs should actually exist, unlike here for instance

this took me a few days to get right so there are probably other things, but these are the bits that stand out in my memory