CreateProvider

POST /api/v1/workload_federation/providers
package main

import (
	"context"
	"log"

	conductoronesdkgo "github.com/conductorone/conductorone-sdk-go"
	"github.com/conductorone/conductorone-sdk-go/pkg/models/shared"
)

func main() {
	ctx := context.Background()

	// Configure one of the two schemes listed under Authorizations below;
	// the placeholders stand in for a real bearer token or OAuth2 credential.
	s := conductoronesdkgo.New(
		conductoronesdkgo.WithSecurity(shared.Security{
			BearerAuth: "<YOUR_BEARER_TOKEN_HERE>",
			Oauth:      "<YOUR_OAUTH_HERE>",
		}),
	)

	// nil sends an empty body. The API requires wellKnownProvider (UNSPECIFIED
	// is rejected), so a real call passes a populated request (the generated
	// type name is inferred from the message name on this page:
	// shared.WorkloadFederationServiceCreateProviderRequest) carrying issuerUrl,
	// wellKnownProvider and exactly one of the oidc / spiffe settings.
	res, err := s.WorkloadFederation.CreateProvider(ctx, nil)
	if err != nil {
		log.Fatal(err)
	}
	if res.WorkloadFederationServiceCreateProviderResponse != nil {
		// handle response
	}
}
{
  "provider": {
    "createdAt": "2023-11-07T05:31:56Z",
    "description": "<string>",
    "disabled": true,
    "displayName": "<string>",
    "id": "<string>",
    "issuerUrl": "<string>",
    "oidc": {},
    "spiffe": {
      "bundleEndpointUrl": "<string>"
    },
    "updatedAt": "2023-11-07T05:31:56Z"
  }
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Authorization
string
header
required

This API uses OAuth2 with the Client Credentials flow. The client credentials must be sent in the request body, not in the headers. For an example of how to implement this, refer to the c1TokenSource.Token() function.
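As an added illustration of the body-versus-header distinction in the note above (this is example code, not the SDK's c1TokenSource implementation, whose exact token request may differ), the Go program below performs a client-credentials grant with client_id and client_secret carried as form fields in the POST body and no Authorization header on the token request. The token endpoint URL is a parameter because the page does not give one, and the in-process httptest server is a constructed stand-in that rejects any request carrying credentials in an Authorization header, so the program runs offline.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// tokenResponse is the subset of an OAuth2 token response used here.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
}

// fetchClientCredentialsToken runs the client-credentials grant with the
// credentials as form fields in the POST body (RFC 6749 section 2.3.1 body
// style). It deliberately never calls req.SetBasicAuth: nothing about the
// client goes into the headers of the token request. tokenURL is an
// assumed parameter; the page does not state the endpoint.
func fetchClientCredentialsToken(ctx context.Context, c *http.Client, tokenURL, clientID, clientSecret string) (string, error) {
	form := url.Values{
		"grant_type":    {"client_credentials"},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint: HTTP %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
	}
	var tr tokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return "", fmt.Errorf("token endpoint: bad JSON: %w", err)
	}
	if tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "Bearer") {
		return "", errors.New("token endpoint: missing bearer access_token")
	}
	return tr.AccessToken, nil
}

// newFakeTokenServer is a constructed stand-in for the token endpoint. It
// enforces the documented rule: credentials in the body are accepted, an
// Authorization header on the token request is rejected outright.
func newFakeTokenServer(wantID, wantSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "" {
			http.Error(w, `{"error":"invalid_request","error_description":"send credentials in the body"}`, http.StatusBadRequest)
			return
		}
		if r.Method != http.MethodPost || r.ParseForm() != nil ||
			r.PostForm.Get("grant_type") != "client_credentials" ||
			r.PostForm.Get("client_id") != wantID ||
			r.PostForm.Get("client_secret") != wantSecret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(tokenResponse{AccessToken: "constructed-access-token", TokenType: "Bearer", ExpiresIn: 3600})
	}))
}

// bearerHeader formats the obtained token for the Authorization header of
// the API call itself, which (unlike the token request) does use the header.
func bearerHeader(token string) string { return "Bearer " + token }

func main() {
	srv := newFakeTokenServer("client-id-example", "client-secret-example")
	defer srv.Close()
	tok, err := fetchClientCredentialsToken(context.Background(), srv.Client(), srv.URL+"/oauth/token", "client-id-example", "client-secret-example")
	if err != nil {
		fmt.Println("token request failed:", err)
		return
	}
	fmt.Println("Authorization:", bearerHeader(tok))
}
```

The two requests in the flow use different conventions: the token request carries the client credentials only in its form body, while the subsequent API request carries the resulting token in a Bearer Authorization header.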

Body

application/json

The WorkloadFederationServiceCreateProviderRequest message.

This message contains a oneof named settings. Only a single field of the following list may be set at a time:

  • oidc
  • spiffe
description
string | null

A description of what this provider is for.

displayName
string | null

The display name for the new provider.

issuerUrl
string | null

The issuer URL. For OIDC providers, this is an HTTPS URL validated via OIDC discovery. For SPIFFE providers, this is the SPIFFE trust-domain URI (e.g., spiffe://prod.example.com). Normalized on write: lowercase scheme/host, no trailing slash. Unique within tenant.

oidc
Oidc Settings · object

OIDCSettings is the kind-specific configuration block for classic OIDC providers (GitHub Actions, GitLab CI, HCP Terraform, AWS IAM Outbound, any CUSTOM provider). Empty for now; future fields like custom_jwks_url, audience overrides, and required_claims land here.

spiffe
Spiffe Settings · object

SPIFFESettings is the kind-specific configuration block for SPIFFE trust-domain providers (issuer_url = spiffe://).

wellKnownProvider
enum<string> | null

Well-known provider type. Required; UNSPECIFIED is rejected. When set to a named source, the backend validates that issuer_url is consistent with that source. The SPIFFE value requires settings.spiffe; every other value requires settings.oidc.

Available options:
WELL_KNOWN_WORKLOAD_PROVIDER_UNSPECIFIED,
WELL_KNOWN_WORKLOAD_PROVIDER_CUSTOM,
WELL_KNOWN_WORKLOAD_PROVIDER_GITHUB_ACTIONS,
WELL_KNOWN_WORKLOAD_PROVIDER_GITLAB_CI,
WELL_KNOWN_WORKLOAD_PROVIDER_HCP_TERRAFORM,
WELL_KNOWN_WORKLOAD_PROVIDER_AWS_IAM_OUTBOUND,
WELL_KNOWN_WORKLOAD_PROVIDER_SPIFFE

Response

200 - application/json

Successful response

The WorkloadFederationServiceCreateProviderResponse message.

provider
Workload Federation Provider · object

WorkloadFederationProvider represents a tenant-level workload identity issuer registration. Two issuer schemes are supported:

  • https://... classic OIDC issuer; settings.oidc MUST be set.
  • spiffe://... SPIFFE trust-domain URI; settings.spiffe MUST be set.

The (well_known_provider, issuer_url scheme, settings oneof) tuple is a tri-invariant: SPIFFE wkp ⟺ spiffe:// issuer ⟺ settings.spiffe set; any other wkp ⟺ https:// issuer ⟺ settings.oidc set. Issuer URLs are unique within tenant.

This message contains a oneof named settings. Only a single field of the following list may be set at a time:

  • oidc
  • spiffe
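As an added example (not the SDK's generated code or the service's implementation), the Go program below builds the request body documented on this page and applies the documented rules client-side before anything is sent: the write-time issuer normalization (lowercase scheme and host, no trailing slash), the required wellKnownProvider, the settings oneof, and the tri-invariant between provider kind, issuer scheme and settings block. The struct and enum constants are local to this example and mirror the JSON field names above; they are not the SDK's types. The GitHub Actions issuer used in main is a realistic sample value, and the bundleEndpointUrl field is taken from the response sample.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// WellKnownProvider holds one of the documented wellKnownProvider values.
type WellKnownProvider string

const (
	WKPUnspecified    WellKnownProvider = "WELL_KNOWN_WORKLOAD_PROVIDER_UNSPECIFIED"
	WKPCustom         WellKnownProvider = "WELL_KNOWN_WORKLOAD_PROVIDER_CUSTOM"
	WKPGitHubActions  WellKnownProvider = "WELL_KNOWN_WORKLOAD_PROVIDER_GITHUB_ACTIONS"
	WKPGitLabCI       WellKnownProvider = "WELL_KNOWN_WORKLOAD_PROVIDER_GITLAB_CI"
	WKPHCPTerraform   WellKnownProvider = "WELL_KNOWN_WORKLOAD_PROVIDER_HCP_TERRAFORM"
	WKPAWSIAMOutbound WellKnownProvider = "WELL_KNOWN_WORKLOAD_PROVIDER_AWS_IAM_OUTBOUND"
	WKPSPIFFE         WellKnownProvider = "WELL_KNOWN_WORKLOAD_PROVIDER_SPIFFE"
)

// knownProviders lists the values accepted on write (UNSPECIFIED is rejected).
var knownProviders = map[WellKnownProvider]bool{
	WKPCustom: true, WKPGitHubActions: true, WKPGitLabCI: true,
	WKPHCPTerraform: true, WKPAWSIAMOutbound: true, WKPSPIFFE: true,
}

// OIDCSettings is empty today, matching the documented settings.oidc block.
type OIDCSettings struct{}

// SPIFFESettings carries the bundle endpoint shown in the response sample.
type SPIFFESettings struct {
	BundleEndpointURL string `json:"bundleEndpointUrl,omitempty"`
}

// CreateProviderRequest mirrors the documented JSON body. It is a local
// struct written for this example, not the SDK's generated request type.
type CreateProviderRequest struct {
	Description       *string           `json:"description,omitempty"`
	DisplayName       *string           `json:"displayName,omitempty"`
	IssuerURL         string            `json:"issuerUrl"`
	Oidc              *OIDCSettings     `json:"oidc,omitempty"`
	Spiffe            *SPIFFESettings   `json:"spiffe,omitempty"`
	WellKnownProvider WellKnownProvider `json:"wellKnownProvider"`
}

// NormalizeIssuerURL mirrors the documented write-time normalization:
// lowercase scheme and host, trailing slash dropped. Only https:// and
// spiffe:// are accepted, and a host is mandatory.
func NormalizeIssuerURL(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", fmt.Errorf("issuerUrl: %w", err)
	}
	u.Scheme = strings.ToLower(u.Scheme)
	u.Host = strings.ToLower(u.Host)
	if u.Scheme != "https" && u.Scheme != "spiffe" {
		return "", fmt.Errorf("issuerUrl: scheme %q is not https or spiffe", u.Scheme)
	}
	if u.Host == "" {
		return "", errors.New("issuerUrl: missing host")
	}
	u.Path = strings.TrimRight(u.Path, "/")
	return u.String(), nil
}

// Validate enforces the documented tri-invariant on a normalized request:
// SPIFFE wkp <=> spiffe:// issuer <=> settings.spiffe set; any other wkp
// <=> https:// issuer <=> settings.oidc set.
func (r CreateProviderRequest) Validate() error {
	if r.WellKnownProvider == "" || r.WellKnownProvider == WKPUnspecified {
		return errors.New("wellKnownProvider is required and UNSPECIFIED is rejected")
	}
	if !knownProviders[r.WellKnownProvider] {
		return fmt.Errorf("wellKnownProvider: unknown value %q", r.WellKnownProvider)
	}
	if (r.Oidc != nil) == (r.Spiffe != nil) {
		return errors.New("settings is a oneof: set exactly one of oidc or spiffe")
	}
	isSPIFFE := r.WellKnownProvider == WKPSPIFFE
	switch {
	case isSPIFFE && !(strings.HasPrefix(r.IssuerURL, "spiffe://") && r.Spiffe != nil):
		return errors.New("SPIFFE provider requires a spiffe:// issuerUrl and settings.spiffe")
	case !isSPIFFE && !(strings.HasPrefix(r.IssuerURL, "https://") && r.Oidc != nil):
		return errors.New("OIDC provider requires an https:// issuerUrl and settings.oidc")
	}
	return nil
}

// BuildCreateProviderBody normalizes, validates and serializes a request so
// that a client-side mistake fails before the HTTP call is made.
func BuildCreateProviderBody(req CreateProviderRequest) ([]byte, error) {
	issuer, err := NormalizeIssuerURL(req.IssuerURL)
	if err != nil {
		return nil, err
	}
	req.IssuerURL = issuer
	if err := req.Validate(); err != nil {
		return nil, err
	}
	return json.Marshal(req)
}

func main() {
	name := "GitHub Actions (constructed example)"
	body, err := BuildCreateProviderBody(CreateProviderRequest{
		DisplayName:       &name,
		IssuerURL:         "https://Token.Actions.GitHubUsercontent.com/",
		Oidc:              &OIDCSettings{},
		WellKnownProvider: WKPGitHubActions,
	})
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println(string(body))
}
```

Normalizing before validating matters: the scheme check in Validate relies on the lowercased, slash-free form the server stores, so a mixed-case or trailing-slash issuer is judged the same way on the client as it will be after the write.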