Using gcp serviceaccount with utils
In Google Cloud Platform (GCP), a service account is a special type of account used by applications, not by people, to interact with GCP services. Service accounts give your applications an identity with which to authenticate and gain access to specific resources according to the permissions you've granted.
To manage these service accounts programmatically, Pulumi provides a set of resources under the `gcp` package. For instance, you might want to create a service account and give it specific IAM roles so that it can interact with resources within your GCP project.

I will now show you how to use Pulumi to create a new service account on GCP and assign an IAM role to it. In this example, I will create a service account intended for a Cloud Run service, and I will grant it the `roles/logging.logWriter` role on the project so that it can send logs to Stackdriver Logging.

```typescript
import * as gcp from "@pulumi/gcp";

// The project ID comes from the stack configuration (gcp:project).
const project = gcp.config.project;
if (!project) {
    throw new Error("gcp:project must be set in the stack configuration");
}

// Create a new GCP service account
const serviceAccount = new gcp.serviceAccount.Account("my-service-account", {
    // Set the service account ID and display name
    accountId: "my-application-service-account",
    displayName: "My Application Service Account",
});

// Grant the 'roles/logging.logWriter' role to the service account on the
// project. Roles that let the account act on project resources must be bound
// at project level; a binding on the service account resource itself only
// controls who may use or impersonate the account.
const logWriter = new gcp.projects.IAMMember("my-service-account-log-writer", {
    project: project,
    role: "roles/logging.logWriter",
    member: serviceAccount.email.apply(email => `serviceAccount:${email}`),
});

// Export the service account email address
export const serviceAccountEmail = serviceAccount.email;
```

Explanation

Here's a breakdown of what the program above does:

- Import the GCP Module: We import the GCP module from Pulumi's GCP package to interact with Google Cloud services.
- Create a Service Account: The `gcp.serviceAccount.Account` resource is used to create a new service account within your GCP project. We provide the account ID and a human-readable name for the service account.
- Assign IAM Roles: The `gcp.projects.IAMMember` resource grants an IAM role on the project to a particular member, which in this case is our new service account. The role we're granting is `roles/logging.logWriter`, which gives the service account permission to create log entries in Stackdriver Logging. Note that `gcp.serviceAccount.IAMBinding` would instead set the IAM policy of the service account resource itself, which governs who may use or impersonate the account, not what the account is allowed to do in the project.
- Export the Service Account Email: Finally, we export the service account's email address so you can use it elsewhere. This email address is often used to identify the service account in IAM policies or other GCP service configurations.

The `apply` method is used with `.email` to get the email value because it is not available until the service account is created. The `apply` method allows us to register a function that Pulumi will call to transform the service account's email once it is known.

This is a basic example to get you started with service accounts and IAM roles. You can adjust the roles and resources according to your needs. Remember that IAM role assignments should follow the principle of least privilege, granting only the permissions necessary for the service account to perform its designated tasks.
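As an added example (not part of the original answer or the Pulumi SDK), here is a small stand-alone TypeScript check you can run before deploying a plan like the one above. It flags a malformed account ID, an over-broad basic role, a member string missing the `serviceAccount:` prefix, and a role bound at the wrong level. The account ID rule is GCP's documented format; the role classification and the wording of the findings are my own assumptions.

```typescript
type Level = "project" | "serviceAccount";

interface PlannedBinding {
  level: Level;   // where the binding is applied
  role: string;   // e.g. "roles/logging.logWriter"
  member: string; // e.g. "serviceAccount:<email>"
}

// GCP's documented accountId format: 6 to 30 characters, lowercase letters,
// digits and hyphens, starting with a letter and ending with a letter or digit.
const ACCOUNT_ID_RE = /^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$/;

// Basic roles are far too broad for a workload identity.
const BASIC_ROLES = new Set(["roles/owner", "roles/editor", "roles/viewer"]);

// Roles that belong on the service account resource itself: they control who
// may use or impersonate the account, not what the account can do (assumption:
// this list is the two most common cases, not an exhaustive one).
const SERVICE_ACCOUNT_RESOURCE_ROLES = new Set([
  "roles/iam.serviceAccountUser",
  "roles/iam.serviceAccountTokenCreator",
]);

function isValidAccountId(id: string): boolean {
  return ACCOUNT_ID_RE.test(id);
}

// Returns one finding per problem; an empty array means the plan passes.
function lintBindings(accountId: string, bindings: PlannedBinding[]): string[] {
  const findings: string[] = [];
  if (!isValidAccountId(accountId)) {
    findings.push(`accountId "${accountId}" violates the service account ID format`);
  }
  for (const b of bindings) {
    if (BASIC_ROLES.has(b.role)) {
      findings.push(`${b.role} is a basic role; use a narrower predefined or custom role`);
    }
    if (!b.member.startsWith("serviceAccount:")) {
      findings.push(`member "${b.member}" is not in serviceAccount:<email> form`);
    }
    const saRole = SERVICE_ACCOUNT_RESOURCE_ROLES.has(b.role);
    if (b.level === "serviceAccount" && !saRole) {
      findings.push(`${b.role} on the service account resource grants it nothing on the project; bind it at project level`);
    }
    if (b.level === "project" && saRole) {
      findings.push(`${b.role} at project level applies to every service account in the project; bind it on the specific account`);
    }
  }
  return findings;
}
```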