A WorkforcePoolSubject is automatically created the first time an external credential is exchanged for a Google Cloud credential using a mapped google.subject attribute. There is no endpoint to manually create a WorkforcePoolSubject.
For 30 days after a WorkforcePoolSubject is deleted, using the same google.subject attribute in token exchanges with Google Cloud STS fails.
Call subjects.undelete to undelete a WorkforcePoolSubject that has been deleted, within within 30 days of deleting it.
After 30 days, the WorkforcePoolSubject is permanently deleted. At this point, a token exchange with Google Cloud STS that uses the same mapped google.subject attribute automatically creates a new WorkforcePoolSubject that is unrelated to the previously deleted WorkforcePoolSubject but has the same google.subject value.
Required. The resource name of the WorkforcePoolSubject. Special characters, like / and :, must be escaped, because all URLs need to conform to the "When to Escape and Unescape" section of RFC3986.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-05-21 UTC."],[[["\u003cp\u003eThis endpoint deletes a \u003ccode\u003eWorkforcePoolSubject\u003c/code\u003e, which must not already be in a deleted state.\u003c/p\u003e\n"],["\u003cp\u003eA deleted \u003ccode\u003eWorkforcePoolSubject\u003c/code\u003e prevents token exchanges with the same \u003ccode\u003egoogle.subject\u003c/code\u003e attribute for 30 days.\u003c/p\u003e\n"],["\u003cp\u003eWithin 30 days of deletion, a \u003ccode\u003eWorkforcePoolSubject\u003c/code\u003e can be undeleted using the \u003ccode\u003esubjects.undelete\u003c/code\u003e call, after which, it is permanently deleted.\u003c/p\u003e\n"],["\u003cp\u003eThe HTTP request for deleting a \u003ccode\u003eWorkforcePoolSubject\u003c/code\u003e is a \u003ccode\u003eDELETE\u003c/code\u003e request to a specific URL with the format \u003ccode\u003ehttps://iam.googleapis.com/v1/{name=locations/*/workforcePools/*/subjects/*}\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eThe request body must be empty and it requires one of two OAuth scopes: \u003ccode\u003ehttps://www.googleapis.com/auth/cloud-platform\u003c/code\u003e or \u003ccode\u003ehttps://www.googleapis.com/auth/iam\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Method: locations.workforcePools.subjects.delete\n\n- [HTTP request](#body.HTTP_TEMPLATE)\n- [Path parameters](#body.PATH_PARAMETERS)\n- [Request body](#body.request_body)\n- [Response body](#body.response_body)\n- [Authorization scopes](#body.aspect)\n- [Examples](#examples)\n- [Try it!](#try-it)\n\nDeletes a `WorkforcePoolSubject`.\n\nSubject must not already be in a deleted state.\n\nA `WorkforcePoolSubject` is automatically created the first time an external credential is exchanged for a Google Cloud credential using a mapped `google.subject` attribute. There is no endpoint to manually create a `WorkforcePoolSubject`.\n\nFor 30 days after a `WorkforcePoolSubject` is deleted, using the same `google.subject` attribute in token exchanges with Google Cloud STS fails.\n\nCall [subjects.undelete](/iam/docs/reference/rest/v1/locations.workforcePools.subjects/undelete#google.iam.admin.v1.WorkforcePools.UndeleteWorkforcePoolSubject) to undelete a `WorkforcePoolSubject` that has been deleted, within within 30 days of deleting it.\n\nAfter 30 days, the `WorkforcePoolSubject` is permanently deleted. At this point, a token exchange with Google Cloud STS that uses the same mapped `google.subject` attribute automatically creates a new `WorkforcePoolSubject` that is unrelated to the previously deleted `WorkforcePoolSubject` but has the same `google.subject` value.\n\n### HTTP request\n\n`DELETE https://iam.googleapis.com/v1/{name=locations/*/workforcePools/*/subjects/*}`\n\nThe URL uses [gRPC Transcoding](https://google.aip.dev/127) syntax.\n\n### Path parameters\n\n### Request body\n\nThe request body must be empty.\n\n### Response body\n\nIf successful, the response body contains an instance of [Operation](/iam/docs/reference/rest/Shared.Types/Operation).\n\n### Authorization scopes\n\nRequires one of the following OAuth scopes:\n\n- `https://www.googleapis.com/auth/cloud-platform`\n- `\n https://www.googleapis.com/auth/iam`\n\nFor more information, see the [Authentication Overview](/docs/authentication#authorization-gcp)."]]
