@hivemq/gcp/iam
v2026.04.27.34
Quality score
How well-documented and verifiable this extension is.
Grade F
- Has README or module doc: 0/2 (missing)
- README has a code example: 0/1 (missing)
- README is substantive: 0/1 (pending)
- Most symbols documented: 1/1 (earned)
- No slow types: 1/1 (earned)
- Has description: 0/1 (missing)
- At least one platform tag (or universal): 1/1 (earned)
- Two or more platform tags (or universal): 1/1 (earned)
- License declared: 0/1 (missing)
- Verified public repository: 0/2 (missing)
Install
$ swamp extension pull @hivemq/gcp/iam
@hivemq/gcp/iam v2026.03.31.1 gcp_iam.ts
Global Arguments
| Argument | Type | Description |
|---|---|---|
| projectId | string | GCP project ID |
create_pool: Create a Workload Identity Federation pool (idempotent — skips if exists)
| Argument | Type | Description |
|---|---|---|
| displayName | string | Human-readable pool name |
| description? | string | Pool description |
create_github_provider: Create a GitHub Actions OIDC provider on a WIF pool (idempotent)
| Argument | Type | Description |
|---|---|---|
| poolId | string | WIF pool ID to attach the provider to |
| providerId | string | Provider ID (e.g. github-provider) |
create_service_account: Create a GCP service account (idempotent)
| Argument | Type | Description |
|---|---|---|
| displayName | string | Human-readable SA name |
| description? | string | SA description |
bind_service_account_to_pool: Grant roles/iam.workloadIdentityUser on a SA to a WIF pool principal scoped to a GitHub repository
| Argument | Type | Description |
|---|---|---|
| serviceAccountEmail | string | SA email to bind |
| poolId | string | WIF pool ID |
grant_external_project_role: Grant an IAM role to a service account on a project other than this model's own projectId (idempotent)
grant_dns_zone_role: Grant an IAM role to a service account on a specific Cloud DNS managed zone in another project (idempotent). Use this for least-privilege DNS record management scoped to one zone.
revoke_dns_zone_role: Revoke an IAM role from a service account on a specific Cloud DNS managed zone (idempotent — no-op if not granted).
grant_project_role: Grant an IAM role to a service account on the project
refresh_access_token: Exchange the local ADC refresh token for a fresh GCP access token and store it in a swamp vault. Reads credentials from application_default_credentials.json — no gcloud binary required. Defaults to vault 'swamp', key 'GCP_ACCESS_TOKEN'.
sync: Refresh stored pool, provider, and service account state from the GCP API
delete_pool: Delete a Workload Identity Federation pool (also deletes its providers)
| Argument | Type | Description |
|---|---|---|
| poolId | string | Pool ID to delete |
delete_service_account: Delete a GCP service account
| Argument | Type | Description |
|---|---|---|
| serviceAccountEmail | string | SA email to delete |
Resources
pool (infinite) — Workload Identity Federation pool
provider (infinite) — Workload Identity Federation OIDC provider
serviceAccount (infinite) — GCP service account
iamBinding (infinite) — IAM policy binding record
2026.04.01.21, 11.9 KB, Apr 1, 2026
linux-x86_64, linux-aarch64, darwin-x86_64, darwin-aarch64
2026.04.01.20, 11.9 KB, Apr 1, 2026
Changelog
Models
~iam methods: +revoke_dns_zone_role
linux-x86_64, linux-aarch64, darwin-x86_64, darwin-aarch64
2026.03.31.15, 11.5 KB, Mar 31, 2026
linux-x86_64, linux-aarch64, darwin-x86_64, darwin-aarch64
2026.03.31.1, 11.2 KB, Mar 31, 2026
Changelog
Models
~iam methods: +refresh_access_token
linux-x86_64, linux-aarch64, darwin-x86_64, darwin-aarch64
2026.03.30.13, 9.0 KB, Mar 30, 2026
Changelog
Models
~iam methods: +grant_dns_zone_role
linux-x86_64, linux-aarch64, darwin-x86_64, darwin-aarch64
2026.03.30.11, 7.7 KB, Mar 30, 2026
Changelog
Models
~iam methods: +grant_external_project_role
linux-x86_64, linux-aarch64, darwin-x86_64, darwin-aarch64
2026.03.25.3, 6.9 KB, Mar 25, 2026
linux-x86_64, linux-aarch64, darwin-x86_64, darwin-aarch64
2026.03.25.1, 6.9 KB, Mar 25, 2026
linux-x86_64, linux-aarch64, darwin-x86_64, darwin-aarch64