1. Using gcp serviceaccount with utils

    TypeScript

    In Google Cloud Platform (GCP), a service account is a special type of account used by applications, not by people, to interact with GCP services. Service accounts give your applications an identity with which to authenticate and gain access to specific resources according to the permissions you've granted.

    To manage these service accounts programmatically, Pulumi's @pulumi/gcp package exposes them as resources: the serviceAccount module creates the account itself, and the projects module grants it IAM roles on a project. For instance, you might want to create a service account and give it specific IAM roles to allow it to interact with resources within your GCP project.

    I will now show you how to use Pulumi to create a new service account on GCP and assign an IAM role to it. In this example, I will create a service account intended for a Cloud Run service, and I will grant it the roles/logging.logWriter role on the project so that it can write log entries to Cloud Logging (formerly Stackdriver Logging).

    import * as gcp from "@pulumi/gcp";

    // The project to grant the role in. gcp.projects.IAMMember does not infer
    // the project from the provider, so read it from stack config (gcp:project).
    const project = gcp.config.project;
    if (!project) {
        throw new Error("Set the target project with `pulumi config set gcp:project <project-id>`");
    }

    // Create a new GCP service account
    const serviceAccount = new gcp.serviceAccount.Account("my-service-account", {
        // Set the service account ID (6-30 lowercase letters, digits and hyphens,
        // starting with a letter) and a human-readable display name
        accountId: "my-application-service-account",
        displayName: "My Application Service Account",
    });

    // Grant 'roles/logging.logWriter' on the project to the service account.
    // Project-level roles are granted with gcp.projects.IAMMember;
    // gcp.serviceAccount.IAMBinding would instead set the IAM policy *of* the
    // service account resource (who may impersonate or act on it), which does
    // not let the account write logs to the project. IAMMember is additive,
    // so it leaves other principals that already hold the role in place.
    const logWriter = new gcp.projects.IAMMember("my-service-account-log-writer", {
        project: project,
        role: "roles/logging.logWriter",
        member: serviceAccount.email.apply(email => `serviceAccount:${email}`),
    });

    // Export the service account email address
    export const serviceAccountEmail = serviceAccount.email;

    Explanation

    Here's a breakdown of what the program above does:

    1. Import the GCP Module: We import the GCP module from Pulumi's GCP package to interact with Google Cloud services.

    2. Create a Service Account: The gcp.serviceAccount.Account resource is used to create a new service account within your GCP project. We provide the account ID and a human-readable name for the service account.

    3. Assign IAM Roles: The gcp.projects.IAMMember resource grants an IAM role on the project to a single member, which in this case is our new service account, identified by the member string serviceAccount:<email>. The role we're granting is roles/logging.logWriter, which permits the service account to create log entries in Cloud Logging. Note that gcp.serviceAccount.IAMBinding and gcp.serviceAccount.IAMMember manage the IAM policy of the service account resource itself (for example, granting roles/iam.serviceAccountUser to whoever needs to run workloads as that account); they do not grant the account permissions on the project. Also note the difference between the *Binding and *Member resources: a Binding is authoritative for its role and replaces every principal currently holding it, while a Member only adds one principal, so prefer IAMMember unless you intend to own the role's entire member list.

    4. Export the Service Account Email: Finally, we export the service account's email address so you can use it elsewhere. This email address is often used to identify the service account in IAM policies or other GCP service configurations.

    The apply method is used with .email to get the email value because it is not available until the service account is created. The apply method allows us to register a function that Pulumi will call to transform the service account's email once it is known.
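    The following is an added example, not code from the original page or from Pulumi: an offline, in-memory model of the two behaviours discussed above, the authoritative (Binding) versus additive (Member) way of granting a role, plus the member string that the apply call builds from the service account email. All names in it (IamPolicy, applyIamBinding, applyIamMember, serviceAccountMember, serviceAccountEmail, validateAccountId, hasRole) are hypothetical helpers written for this illustration and are not part of @pulumi/gcp; the project ID example-project and the ops-agent principal are constructed sample data.

```typescript
// Hypothetical model of a GCP IAM policy: role -> list of member strings.
// This is illustration code, not the @pulumi/gcp API.
type IamPolicy = { [role: string]: string[] };

// Build the member string GCP IAM expects for a service account
// (the same string the .apply(...) call in the Pulumi program produces).
function serviceAccountMember(email: string): string {
    return `serviceAccount:${email}`;
}

// Email GCP assigns to a user-managed service account in a project.
function serviceAccountEmail(accountId: string, projectId: string): string {
    return `${accountId}@${projectId}.iam.gserviceaccount.com`;
}

// Check an accountId against the constraints the IAM API enforces:
// 6-30 characters matching [a-z]([-a-z0-9]*[a-z0-9]). Returns null if valid,
// otherwise a description of the problem.
function validateAccountId(accountId: string): string | null {
    if (accountId.length < 6 || accountId.length > 30) {
        return "accountId must be 6-30 characters long";
    }
    if (!/^[a-z][-a-z0-9]*[a-z0-9]$/.test(accountId)) {
        return "accountId must start with a lowercase letter and contain only lowercase letters, digits and hyphens";
    }
    return null;
}

function clonePolicy(policy: IamPolicy): IamPolicy {
    const next: IamPolicy = {};
    for (const role of Object.keys(policy)) {
        next[role] = policy[role].slice();
    }
    return next;
}

// Authoritative, like gcp.projects.IAMBinding: the given members REPLACE
// every principal currently holding the role.
function applyIamBinding(policy: IamPolicy, role: string, members: string[]): IamPolicy {
    const next = clonePolicy(policy);
    next[role] = members.slice();
    return next;
}

// Additive, like gcp.projects.IAMMember: one principal is added to the role
// and principals that already hold it are left untouched.
function applyIamMember(policy: IamPolicy, role: string, member: string): IamPolicy {
    const next = clonePolicy(policy);
    const current = next[role] || [];
    if (current.indexOf(member) === -1) {
        current.push(member);
    }
    next[role] = current;
    return next;
}

function hasRole(policy: IamPolicy, role: string, member: string): boolean {
    return (policy[role] || []).indexOf(member) !== -1;
}

// Constructed starting state: some other principal already writes logs.
const logWriterRole = "roles/logging.logWriter";
const opsAgent = "serviceAccount:ops-agent@example-project.iam.gserviceaccount.com";
const existingPolicy: IamPolicy = { [logWriterRole]: [opsAgent] };

const newMember = serviceAccountMember(
    serviceAccountEmail("my-application-service-account", "example-project"));

// A Binding silently drops ops-agent from the role; a Member keeps it.
const afterBinding = applyIamBinding(existingPolicy, logWriterRole, [newMember]);
const afterMember = applyIamMember(existingPolicy, logWriterRole, newMember);
```

    Run through the two results and the difference that matters in practice is visible: after applyIamBinding only the new service account holds roles/logging.logWriter, so anything the ops-agent principal was doing with that role stops working on the next deployment, while after applyIamMember both principals hold it. The same asymmetry applies to the real gcp.projects.IAMBinding and gcp.projects.IAMMember resources, which is why the additive form is the safer default for a single grant.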

    This is a basic example to get you started with service accounts and IAM roles. You can adjust the roles and resources according to your needs. Remember that IAM role assignments should follow the principle of least privilege, granting only the permissions necessary for the service account to perform its designated tasks.