Optional. A JSON Web Token (JWT) issuer URI. issuer must start with
https:// and be a valid URL with length <2000 characters.
If set, then Google will allow valid OIDC tokens from this issuer to
authenticate within the workload_identity_pool. OIDC discovery will be
performed on this URI to validate tokens from the issuer.
Clearing issuer disables Workload Identity. issuer cannot be directly
modified; it must be cleared (and Workload Identity disabled) before using
a new issuer (and re-enabling Workload Identity).
Output only. The name of the workload identity pool in which issuer will
be recognized.
There is a single Workload Identity Pool per Hub that is shared
between all Memberships that belong to that Hub. For a Hub hosted in
{PROJECT_ID}, the workload pool format is {PROJECT_ID}.hub.id.goog,
although this is subject to change in newer versions of this API.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eThe \u003ccode\u003eAuthority\u003c/code\u003e class in the GKE Hub v1beta1 API is used to define how Google recognizes identities from a Membership, according to the workload identity documentation.\u003c/p\u003e\n"],["\u003cp\u003e\u003ccode\u003eAuthority\u003c/code\u003e implements multiple interfaces including \u003ccode\u003eIMessage\u003c/code\u003e, \u003ccode\u003eIEquatable\u003c/code\u003e, \u003ccode\u003eIDeepCloneable\u003c/code\u003e, and \u003ccode\u003eIBufferMessage\u003c/code\u003e, and inherits from \u003ccode\u003eobject\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eThe class includes properties like \u003ccode\u003eIdentityProvider\u003c/code\u003e, \u003ccode\u003eIssuer\u003c/code\u003e, \u003ccode\u003eOidcJwks\u003c/code\u003e, and \u003ccode\u003eWorkloadIdentityPool\u003c/code\u003e, which manage aspects of identity recognition and OIDC token validation.\u003c/p\u003e\n"],["\u003cp\u003eThe Authority \u003ccode\u003eIssuer\u003c/code\u003e property, a critical component for authentication, must start with "https://" and be a valid URL with less than 2000 characters, it cannot be directly modified once set, and needs to be cleared before another one can be used.\u003c/p\u003e\n"],["\u003cp\u003eThe class has two constructors, one default \u003ccode\u003eAuthority()\u003c/code\u003e and another that accepts an \u003ccode\u003eAuthority\u003c/code\u003e parameter \u003ccode\u003eAuthority(Authority other)\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# GKE Hub v1beta1 API - Class Authority (2.0.0-beta07)\n\nVersion latestkeyboard_arrow_down\n\n- [2.0.0-beta07 (latest)](/dotnet/docs/reference/Google.Cloud.GkeHub.V1Beta1/latest/Google.Cloud.GkeHub.V1Beta1.Authority)\n- [2.0.0-beta06](/dotnet/docs/reference/Google.Cloud.GkeHub.V1Beta1/2.0.0-beta06/Google.Cloud.GkeHub.V1Beta1.Authority)\n- [1.0.0-beta04](/dotnet/docs/reference/Google.Cloud.GkeHub.V1Beta1/1.0.0-beta04/Google.Cloud.GkeHub.V1Beta1.Authority) \n\n public sealed class Authority : IMessage\u003cAuthority\u003e, IEquatable\u003cAuthority\u003e, IDeepCloneable\u003cAuthority\u003e, IBufferMessage, IMessage\n\nReference documentation and code samples for the GKE Hub v1beta1 API class Authority.\n\nAuthority encodes how Google will recognize identities from this Membership.\nSee the workload identity documentation for more details:\n\u003chttps://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity\u003e \n\nInheritance\n-----------\n\n[object](https://learn.microsoft.com/dotnet/api/system.object) \\\u003e Authority \n\nImplements\n----------\n\n[IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage-1.html)[Authority](/dotnet/docs/reference/Google.Cloud.GkeHub.V1Beta1/latest/Google.Cloud.GkeHub.V1Beta1.Authority), [IEquatable](https://learn.microsoft.com/dotnet/api/system.iequatable-1)[Authority](/dotnet/docs/reference/Google.Cloud.GkeHub.V1Beta1/latest/Google.Cloud.GkeHub.V1Beta1.Authority), [IDeepCloneable](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IDeepCloneable-1.html)[Authority](/dotnet/docs/reference/Google.Cloud.GkeHub.V1Beta1/latest/Google.Cloud.GkeHub.V1Beta1.Authority), [IBufferMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IBufferMessage.html), [IMessage](https://cloud.google.com/dotnet/docs/reference/Google.Protobuf/latest/Google.Protobuf.IMessage.html) \n\nInherited Members\n-----------------\n\n[object.GetHashCode()](https://learn.microsoft.com/dotnet/api/system.object.gethashcode) \n[object.GetType()](https://learn.microsoft.com/dotnet/api/system.object.gettype) \n[object.ToString()](https://learn.microsoft.com/dotnet/api/system.object.tostring)\n\nNamespace\n---------\n\n[Google.Cloud.GkeHub.V1Beta1](/dotnet/docs/reference/Google.Cloud.GkeHub.V1Beta1/latest/Google.Cloud.GkeHub.V1Beta1)\n\nAssembly\n--------\n\nGoogle.Cloud.GkeHub.V1Beta1.dll\n\nConstructors\n------------\n\n### Authority()\n\n public Authority()\n\n### Authority(Authority)\n\n public Authority(Authority other)\n\nProperties\n----------\n\n### IdentityProvider\n\n public string IdentityProvider { get; set; }\n\nOutput only. An identity provider that reflects the `issuer` in the\nworkload identity pool.\n\n### Issuer\n\n public string Issuer { get; set; }\n\nOptional. A JSON Web Token (JWT) issuer URI. `issuer` must start with\n`https://` and be a valid URL with length \\\u003c2000 characters.\n\nIf set, then Google will allow valid OIDC tokens from this issuer to\nauthenticate within the workload_identity_pool. OIDC discovery will be\nperformed on this URI to validate tokens from the issuer.\n\nClearing `issuer` disables Workload Identity. `issuer` cannot be directly\nmodified; it must be cleared (and Workload Identity disabled) before using\na new issuer (and re-enabling Workload Identity).\n\n### OidcJwks\n\n public ByteString OidcJwks { get; set; }\n\nOptional. OIDC verification keys for this Membership in JWKS format (RFC\n7517).\n\nWhen this field is set, OIDC discovery will NOT be performed on `issuer`,\nand instead OIDC tokens will be validated using this field.\n\n### WorkloadIdentityPool\n\n public string WorkloadIdentityPool { get; set; }\n\nOutput only. The name of the workload identity pool in which `issuer` will\nbe recognized.\n\nThere is a single Workload Identity Pool per Hub that is shared\nbetween all Memberships that belong to that Hub. For a Hub hosted in\n{PROJECT_ID}, the workload pool format is `{PROJECT_ID}.hub.id.goog`,\nalthough this is subject to change in newer versions of this API."]]
