gcp-login
The gcp-login provider enables you to log in to Google Cloud using OpenID Connect or by providing static credentials. The provider will return a set of credentials that can be used to access Google Cloud resources or fetch secrets using the gcp-secrets provider.
Example
Basic configuration
```yaml
values:
  gcp:
    login:
      fn::open::gcp-login:
        project: 123456789
        oidc:
          workloadPoolId: pulumi-esc
          providerId: pulumi-esc
          serviceAccount: pulumi-esc@foo-bar-123456.iam.gserviceaccount.com
```
Using outputs with Pulumi IaC and gcloud CLI
The gcp-login provider outputs credentials for use with both Pulumi’s Google Cloud provider and the gcloud CLI. This example shows how to configure both:
```yaml
values:
  gcp:
    login:
      fn::open::gcp-login:
        project: 123456789
        oidc:
          workloadPoolId: pulumi-esc
          providerId: pulumi-esc
          serviceAccount: pulumi-esc@foo-bar-123456.iam.gserviceaccount.com
  pulumiConfig:
    gcp:project: ${gcp.login.project}
  environmentVariables:
    # The Google Cloud SDK (used by Pulumi's GCP provider) requires the project to be set by number
    GOOGLE_CLOUD_PROJECT: ${gcp.login.project}
    # The gcloud CLI requires the project to be set by name, and via a different env var
    # See: https://cloud.google.com/sdk/docs/properties#setting_properties_using_environment_variables
    CLOUDSDK_CORE_PROJECT: my-project-name
    # Provide OAuth access tokens to both the Google Cloud SDK and gcloud CLI
    GOOGLE_OAUTH_ACCESS_TOKEN: ${gcp.login.accessToken}
    CLOUDSDK_AUTH_ACCESS_TOKEN: ${gcp.login.accessToken}
```
Note that both GOOGLE_CLOUD_PROJECT (numeric project ID) and CLOUDSDK_CORE_PROJECT (project name) are set because the Google Cloud SDK and gcloud CLI have different requirements for project identification.
This configuration enables:
- Pulumi IaC: The `pulumiConfig` section sets the GCP project for Pulumi's Google Cloud provider.
- gcloud CLI: The `environmentVariables` section configures authentication for the `gcloud` command-line tool.
Configuring OIDC
To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Google Cloud, see the OpenID Connect integration documentation.
Inputs
| Property | Type | Description |
|---|---|---|
| project | number | The numerical ID of the GCP project, aka project number. (e.g. 951040570662) |
| accessToken | GCPLoginAccessToken | [Optional] Options for access token login. |
| oidc | GCPLoginOIDC | [Optional] Options for OIDC login. |
GCPLoginAccessToken
| Property | Type | Description |
|---|---|---|
| accessToken | string | The token used to authenticate with Google Cloud. |
| serviceAccount | string | [Optional] The service account to impersonate, if any. |
| tokenLifetime | string | [Optional] The lifetime of the temporary credentials when impersonating a service account. |
GCPLoginOIDC
| Property | Type | Description |
|---|---|---|
| workloadPoolId | string | The (short) ID of the workload pool to use. |
| providerId | string | The (short) ID of the identity provider associated with the workload pool. |
| serviceAccount | string | The email address of the service account to use. |
| region | string | [Optional] The region of the GCP project. |
| tokenLifetime | string | [Optional] The lifetime of the temporary credentials. |
| subjectAttributes | string[] | [Optional] Subject attributes to be included in the OIDC token. For more information see the OpenID subject customization documentation. |
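The inputs above and the environment-variable wiring in the earlier example describe a small set of structural rules: `project` is the numeric project number, a login uses either `oidc` or `accessToken`, the OIDC block needs `workloadPoolId`, `providerId` and `serviceAccount`, and `GOOGLE_CLOUD_PROJECT` and `CLOUDSDK_CORE_PROJECT` carry different kinds of identifier. The following validator is an added example, not code from the Pulumi ESC documentation or from the provider; it operates on the parsed form of an environment (the dict that `yaml.safe_load` would produce) and uses constructed sample environments whose project number and service account are placeholders copied from the docs example. The service-account email pattern and the check that access tokens are interpolated rather than pasted as literals are this example's own assumptions.

```python
"""Validate a Pulumi ESC environment that opens the gcp-login provider.

Added example, not part of the Pulumi ESC docs or the provider itself.
"""
from __future__ import annotations

import re
from typing import Any

OPEN_KEY = "fn::open::gcp-login"
OIDC_REQUIRED = ("workloadPoolId", "providerId", "serviceAccount")
OIDC_FIELDS = set(OIDC_REQUIRED) | {"region", "tokenLifetime", "subjectAttributes"}
TOKEN_FIELDS = {"accessToken", "serviceAccount", "tokenLifetime"}
# Assumed shape of a GCP service-account email (account-id@project-id.iam.gserviceaccount.com).
SA_EMAIL = re.compile(r"^[a-z][-a-z0-9]*@[a-z][-a-z0-9]*\.iam\.gserviceaccount\.com$")
# An ESC interpolation such as ${gcp.login.accessToken}.
INTERPOLATION = re.compile(r"^\$\{[A-Za-z0-9_.\[\]]+\}$")

# Constructed input: the parsed form of the docs' "Using outputs" YAML example.
GOOD_ENV = {"values": {
    "gcp": {"login": {OPEN_KEY: {
        "project": 123456789,
        "oidc": {"workloadPoolId": "pulumi-esc", "providerId": "pulumi-esc",
                 "serviceAccount": "pulumi-esc@foo-bar-123456.iam.gserviceaccount.com"}}}},
    "pulumiConfig": {"gcp:project": "${gcp.login.project}"},
    "environmentVariables": {
        "GOOGLE_CLOUD_PROJECT": "${gcp.login.project}",
        "CLOUDSDK_CORE_PROJECT": "my-project-name",
        "GOOGLE_OAUTH_ACCESS_TOKEN": "${gcp.login.accessToken}",
        "CLOUDSDK_AUTH_ACCESS_TOKEN": "${gcp.login.accessToken}"}}}

# Constructed bad input: string project ID, both login modes, a missing OIDC field,
# a malformed service account, the project number in the gcloud variable and a literal token.
BAD_ENV = {"values": {
    "gcp": {"login": {OPEN_KEY: {
        "project": "foo-bar-123456",
        "oidc": {"workloadPoolId": "pulumi-esc", "serviceAccount": "not-an-email"},
        "accessToken": {"accessToken": "ya29.placeholder-token"}}}},
    "environmentVariables": {
        "CLOUDSDK_CORE_PROJECT": "123456789",
        "GOOGLE_OAUTH_ACCESS_TOKEN": "ya29.placeholder-token"}}}


def find_logins(node: Any, path: str) -> list[tuple[str, dict]]:
    """Walk the environment tree and collect every gcp-login invocation with its path."""
    found: list[tuple[str, dict]] = []
    if isinstance(node, dict):
        if OPEN_KEY in node:
            found.append((path, node[OPEN_KEY]))
        for key, child in node.items():
            found.extend(find_logins(child, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            found.extend(find_logins(child, f"{path}[{i}]"))
    return found


def check_login(path: str, args: dict) -> list[str]:
    """Return the problems in one gcp-login block; an empty list means it is well formed."""
    problems: list[str] = []
    project = args.get("project")
    # The provider wants the project number (an integer), not the project ID string.
    if isinstance(project, bool) or not isinstance(project, int) or project <= 0:
        problems.append(f"{path}: project must be the numeric project number, got {project!r}")
    modes = [m for m in ("oidc", "accessToken") if m in args]
    if len(modes) != 1:
        problems.append(f"{path}: exactly one of oidc/accessToken must be set, found {modes}")
    if "oidc" in args:
        oidc = args["oidc"] or {}
        problems += [f"{path}.oidc: missing required field {k}" for k in OIDC_REQUIRED if not oidc.get(k)]
        problems += [f"{path}.oidc: unknown field {k}" for k in oidc if k not in OIDC_FIELDS]
        sa = oidc.get("serviceAccount")
        if sa and not SA_EMAIL.match(str(sa)):
            problems.append(f"{path}.oidc: serviceAccount is not a service-account email: {sa!r}")
    if "accessToken" in args:
        tok = args["accessToken"] or {}
        if not tok.get("accessToken"):
            problems.append(f"{path}.accessToken: missing required field accessToken")
        problems += [f"{path}.accessToken: unknown field {k}" for k in tok if k not in TOKEN_FIELDS]
    return problems


def check_env_vars(values: dict) -> list[str]:
    """Check the environmentVariables wiring the docs describe for the SDK and the gcloud CLI."""
    problems: list[str] = []
    ev = values.get("environmentVariables") or {}
    core = ev.get("CLOUDSDK_CORE_PROJECT")
    if core is not None and re.fullmatch(r"\d+", str(core)):  # gcloud wants the project name here
        problems.append("environmentVariables.CLOUDSDK_CORE_PROJECT: expected the project name, got a project number")
    gcp = ev.get("GOOGLE_CLOUD_PROJECT")
    if gcp is not None and not (re.fullmatch(r"\d+", str(gcp)) or INTERPOLATION.match(str(gcp))):
        problems.append("environmentVariables.GOOGLE_CLOUD_PROJECT: expected the project number or ${gcp.login.project}")
    for var in ("GOOGLE_OAUTH_ACCESS_TOKEN", "CLOUDSDK_AUTH_ACCESS_TOKEN"):
        tok = ev.get(var)
        # A token pasted as a literal is a long-lived secret in the environment definition.
        if tok is not None and not INTERPOLATION.match(str(tok)):
            problems.append(f"environmentVariables.{var}: literal token value; interpolate it from the gcp-login output")
    return problems


def validate(env: dict) -> list[str]:
    """Validate a whole ESC environment document and return every problem found."""
    values = env.get("values") or {}
    logins = find_logins(values, "values")
    problems = [] if logins else ["no fn::open::gcp-login block found under values"]
    for path, args in logins:
        problems += check_login(path, args or {})
    return problems + check_env_vars(values)


if __name__ == "__main__":
    for name, env in (("good", GOOD_ENV), ("bad", BAD_ENV)):
        print(name, "->", validate(env) or "OK")
```

Run it before pushing an environment change, or wire `validate` into a pre-commit hook that loads the YAML with `yaml.safe_load`; the good sample yields no findings and the bad sample yields one finding per rule it breaks.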
Outputs
| Property | Type | Description |
|---|---|---|
| project | string | The numerical ID of the GCP project, aka project number. (e.g. 951040570662) |
| accessToken | string | The access token used to authenticate with Google Cloud. |
| tokenType | string | The type of the access token. |
| expiry | string | [Optional] The access token's expiry time. |