Module serviceAccount

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-gcp repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-google repo.

Resources

Resource Account

class Account extends CustomResource

Allows management of a Google Cloud Platform service account

Creation of service accounts is eventually consistent, and that can lead to errors when you try to apply ACLs to service accounts immediately after creation.

Example Usage

This snippet creates a service account, then gives it objectViewer permission in a project.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const objectViewer = new gcp.serviceAccount.Account("objectViewer", {
    accountId: "object-viewer",
    displayName: "Object viewer",
});

This content is derived from https://github.com/terraform-providers/terraform-provider-google/blob/master/website/docs/r/service_account.html.markdown.

constructor

new Account(name: string, args: AccountArgs, opts?: pulumi.CustomResourceOptions)

Create an Account resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AccountState, opts?: pulumi.CustomResourceOptions): Account

Get an existing Account resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): boolean

Returns true if the given object is an instance of Account. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accountId

public accountId: pulumi.Output<string>;

The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression a-z to comply with RFC1035. Changing this forces a new service account to be created.

property displayName

public displayName: pulumi.Output<string | undefined>;

The display name for the service account. Can be updated without creating a new resource.

property email

public email: pulumi.Output<string>;

The e-mail address of the service account. This value should be referenced from any gcp.organizations.getIAMPolicy data sources that would grant the service account privileges.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The fully-qualified name of the service account.

property project

public project: pulumi.Output<string>;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

property uniqueId

public uniqueId: pulumi.Output<string>;

The unique id of the service account.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource IAMBinding

class IAMBinding extends CustomResource

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource adds IAM policy bindings to a service account resource, to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the googleProjectIam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

  • gcp.serviceAccount.IAMPolicy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
  • gcp.serviceAccount.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
  • gcp.serviceAccount.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

Note: gcp.serviceAccount.IAMPolicy cannot be used in conjunction with gcp.serviceAccount.IAMBinding and gcp.serviceAccount.IAMMember or they will fight over what your policy should be.

Note: gcp.serviceAccount.IAMBinding resources can be used in conjunction with gcp.serviceAccount.IAMMember resources only if they do not grant privilege to the same role.
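
The difference between the three resources shows most clearly on a policy that already carries grants made outside the program. The following is an added example, not code from the provider or from this documentation: it models the semantics described above in memory and checks a set of declarations against the two notes. The type names, applyDecl, lintDecls and the sample members are hypothetical.

```typescript
// Added illustration: an in-memory model of the semantics described above,
// not the provider's implementation. All names and sample members are hypothetical.
type Policy = Record<string, string[]>; // role -> members

type IamDecl =
    | { kind: "IAMPolicy"; serviceAccountId: string; bindings: { role: string; members: string[] }[] }
    | { kind: "IAMBinding"; serviceAccountId: string; role: string; members: string[] }
    | { kind: "IAMMember"; serviceAccountId: string; role: string; member: string };

// Returns the policy that results from applying one declaration to `current`.
function applyDecl(current: Policy, d: IamDecl): Policy {
    const next: Policy = {};
    if (d.kind === "IAMPolicy") {
        // Authoritative: every role and member not listed here is dropped.
        d.bindings.forEach(b => { next[b.role] = b.members.slice(); });
        return next;
    }
    Object.keys(current).forEach(role => { next[role] = (current[role] || []).slice(); });
    if (d.kind === "IAMBinding") {
        // Authoritative for one role: that role's member list is overwritten.
        next[d.role] = d.members.slice();
    } else {
        // Non-authoritative: one member is added, existing members are kept.
        const members = next[d.role] || [];
        if (members.indexOf(d.member) === -1) members.push(d.member);
        next[d.role] = members;
    }
    return next;
}

// Flags the combinations the notes above warn about, per service account.
function lintDecls(decls: IamDecl[]): string[] {
    const findings: string[] = [];
    const bySa: Record<string, IamDecl[]> = {};
    decls.forEach(d => {
        bySa[d.serviceAccountId] = (bySa[d.serviceAccountId] || []).concat([d]);
    });
    Object.keys(bySa).forEach(sa => {
        const group = bySa[sa] || [];
        const hasPolicy = group.some(d => d.kind === "IAMPolicy");
        const hasOther = group.some(d => d.kind !== "IAMPolicy");
        if (hasPolicy && hasOther) {
            findings.push(`${sa}: IAMPolicy combined with IAMBinding/IAMMember`);
        }
        const bindingCount: Record<string, number> = {};
        const memberRoles: Record<string, boolean> = {};
        group.forEach(d => {
            if (d.kind === "IAMBinding") bindingCount[d.role] = (bindingCount[d.role] || 0) + 1;
            if (d.kind === "IAMMember") memberRoles[d.role] = true;
        });
        Object.keys(bindingCount).forEach(role => {
            if ((bindingCount[role] || 0) > 1) findings.push(`${sa}: more than one IAMBinding for ${role}`);
            if (memberRoles[role]) findings.push(`${sa}: IAMBinding and IAMMember both grant ${role}`);
        });
    });
    return findings;
}

// Constructed sample: a policy with grants that were made outside the program.
const SA = "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com";
const USER_ROLE = "roles/iam.serviceAccountUser";
const TOKEN_ROLE = "roles/iam.serviceAccountTokenCreator";
const existing: Policy = {
    [USER_ROLE]: ["user:alice@example.com"],
    [TOKEN_ROLE]: ["user:bob@example.com"],
};
const jane = "user:jane@example.com";

const viaMember = applyDecl(existing, { kind: "IAMMember", serviceAccountId: SA, role: USER_ROLE, member: jane });
const viaBinding = applyDecl(existing, { kind: "IAMBinding", serviceAccountId: SA, role: USER_ROLE, members: [jane] });
const viaPolicy = applyDecl(existing, {
    kind: "IAMPolicy", serviceAccountId: SA, bindings: [{ role: USER_ROLE, members: [jane] }],
});
console.log(JSON.stringify({ viaMember, viaBinding, viaPolicy }, null, 2));
console.log(lintDecls([
    { kind: "IAMBinding", serviceAccountId: SA, role: USER_ROLE, members: [jane] },
    { kind: "IAMMember", serviceAccountId: SA, role: USER_ROLE, member: "user:alice@example.com" },
]));
```

In the sample, IAMMember keeps Alice and Bob, IAMBinding removes Alice but keeps Bob's role, and IAMPolicy removes both.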

google_service_account_iam_policy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        members: ["user:jane@example.com"],
        role: "roles/iam.serviceAccountUser",
    }],
});
const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that only Jane can interact with",
});
const adminAccountIam = new gcp.serviceAccount.IAMPolicy("admin-account-iam", {
    policyData: admin.policyData,
    serviceAccountId: sa.name,
});

google_service_account_iam_binding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that only Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMBinding("admin-account-iam", {
    members: ["user:jane@example.com"],
    role: "roles/iam.serviceAccountUser",
    serviceAccountId: sa.name,
});

google_service_account_iam_member

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const defaultDefaultServiceAccount = gcp.compute.getDefaultServiceAccount({});
const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMMember("admin-account-iam", {
    member: "user:jane@example.com",
    role: "roles/iam.serviceAccountUser",
    serviceAccountId: sa.name,
});
// Allow the SA service account to use the default GCE account
const gceDefaultAccountIam = new gcp.serviceAccount.IAMMember("gce-default-account-iam", {
    member: pulumi.interpolate`serviceAccount:${sa.email}`,
    role: "roles/iam.serviceAccountUser",
    serviceAccountId: defaultDefaultServiceAccount.name,
});

This content is derived from https://github.com/terraform-providers/terraform-provider-google/blob/master/website/docs/r/service_account_iam_binding.html.markdown.

constructor

new IAMBinding(name: string, args: IAMBindingArgs, opts?: pulumi.CustomResourceOptions)

Create an IAMBinding resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMBindingState, opts?: pulumi.CustomResourceOptions): IAMBinding

Get an existing IAMBinding resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): boolean

Returns true if the given object is an instance of IAMBinding. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the service account IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property members

public members: pulumi.Output<string[]>;

property role

public role: pulumi.Output<string>;

The role that should be applied. Only one gcp.serviceAccount.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId

public serviceAccountId: pulumi.Output<string>;

The fully-qualified name of the service account to apply policy to.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource IAMMember

class IAMMember extends CustomResource

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource adds IAM policy bindings to a service account resource, to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the googleProjectIam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

  • gcp.serviceAccount.IAMPolicy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
  • gcp.serviceAccount.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
  • gcp.serviceAccount.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

Note: gcp.serviceAccount.IAMPolicy cannot be used in conjunction with gcp.serviceAccount.IAMBinding and gcp.serviceAccount.IAMMember or they will fight over what your policy should be.

Note: gcp.serviceAccount.IAMBinding resources can be used in conjunction with gcp.serviceAccount.IAMMember resources only if they do not grant privilege to the same role.

google_service_account_iam_policy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        members: ["user:jane@example.com"],
        role: "roles/iam.serviceAccountUser",
    }],
});
const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that only Jane can interact with",
});
const adminAccountIam = new gcp.serviceAccount.IAMPolicy("admin-account-iam", {
    policyData: admin.policyData,
    serviceAccountId: sa.name,
});

google_service_account_iam_binding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that only Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMBinding("admin-account-iam", {
    members: ["user:jane@example.com"],
    role: "roles/iam.serviceAccountUser",
    serviceAccountId: sa.name,
});

google_service_account_iam_member

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const defaultDefaultServiceAccount = gcp.compute.getDefaultServiceAccount({});
const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMMember("admin-account-iam", {
    member: "user:jane@example.com",
    role: "roles/iam.serviceAccountUser",
    serviceAccountId: sa.name,
});
// Allow the SA service account to use the default GCE account
const gceDefaultAccountIam = new gcp.serviceAccount.IAMMember("gce-default-account-iam", {
    member: pulumi.interpolate`serviceAccount:${sa.email}`,
    role: "roles/iam.serviceAccountUser",
    serviceAccountId: defaultDefaultServiceAccount.name,
});

This content is derived from https://github.com/terraform-providers/terraform-provider-google/blob/master/website/docs/r/service_account_iam_member.html.markdown.

constructor

new IAMMember(name: string, args: IAMMemberArgs, opts?: pulumi.CustomResourceOptions)

Create an IAMMember resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMMemberState, opts?: pulumi.CustomResourceOptions): IAMMember

Get an existing IAMMember resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): boolean

Returns true if the given object is an instance of IAMMember. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the service account IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property member

public member: pulumi.Output<string>;

property role

public role: pulumi.Output<string>;

The role that should be applied. Only one gcp.serviceAccount.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId

public serviceAccountId: pulumi.Output<string>;

The fully-qualified name of the service account to apply policy to.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource IAMPolicy

class IAMPolicy extends CustomResource

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource adds IAM policy bindings to a service account resource, to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the googleProjectIam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

  • gcp.serviceAccount.IAMPolicy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
  • gcp.serviceAccount.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
  • gcp.serviceAccount.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

Note: gcp.serviceAccount.IAMPolicy cannot be used in conjunction with gcp.serviceAccount.IAMBinding and gcp.serviceAccount.IAMMember or they will fight over what your policy should be.

Note: gcp.serviceAccount.IAMBinding resources can be used in conjunction with gcp.serviceAccount.IAMMember resources only if they do not grant privilege to the same role.

google_service_account_iam_policy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        members: ["user:jane@example.com"],
        role: "roles/iam.serviceAccountUser",
    }],
});
const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that only Jane can interact with",
});
const adminAccountIam = new gcp.serviceAccount.IAMPolicy("admin-account-iam", {
    policyData: admin.policyData,
    serviceAccountId: sa.name,
});

google_service_account_iam_binding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that only Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMBinding("admin-account-iam", {
    members: ["user:jane@example.com"],
    role: "roles/iam.serviceAccountUser",
    serviceAccountId: sa.name,
});

google_service_account_iam_member

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const defaultDefaultServiceAccount = gcp.compute.getDefaultServiceAccount({});
const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMMember("admin-account-iam", {
    member: "user:jane@example.com",
    role: "roles/iam.serviceAccountUser",
    serviceAccountId: sa.name,
});
// Allow the SA service account to use the default GCE account
const gceDefaultAccountIam = new gcp.serviceAccount.IAMMember("gce-default-account-iam", {
    member: pulumi.interpolate`serviceAccount:${sa.email}`,
    role: "roles/iam.serviceAccountUser",
    serviceAccountId: defaultDefaultServiceAccount.name,
});

This content is derived from https://github.com/terraform-providers/terraform-provider-google/blob/master/website/docs/r/service_account_iam_policy.html.markdown.

constructor

new IAMPolicy(name: string, args: IAMPolicyArgs, opts?: pulumi.CustomResourceOptions)

Create an IAMPolicy resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMPolicyState, opts?: pulumi.CustomResourceOptions): IAMPolicy

Get an existing IAMPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): boolean

Returns true if the given object is an instance of IAMPolicy. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the service account IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property policyData

public policyData: pulumi.Output<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

property serviceAccountId

public serviceAccountId: pulumi.Output<string>;

The fully-qualified name of the service account to apply policy to.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource Key

class Key extends CustomResource

Creates and manages service account key-pairs, which allow the user to establish identity of a service account outside of GCP. For more information, see the official documentation and API.

Example Usage, creating a new Key Pair

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const myaccount = new gcp.serviceAccount.Account("myaccount", {
    accountId: "myaccount",
    displayName: "My Service Account",
});
const mykey = new gcp.serviceAccount.Key("mykey", {
    publicKeyType: "TYPE_X509_PEM_FILE",
    serviceAccountId: myaccount.name,
});

Create new Key Pair, encrypting the private key with a PGP Key

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const myaccount = new gcp.serviceAccount.Account("myaccount", {
    accountId: "myaccount",
    displayName: "My Service Account",
});
const mykey = new gcp.serviceAccount.Key("mykey", {
    pgpKey: "keybase:keybaseusername",
    publicKeyType: "TYPE_X509_PEM_FILE",
    serviceAccountId: myaccount.name,
});

This content is derived from https://github.com/terraform-providers/terraform-provider-google/blob/master/website/docs/r/service_account_key.html.markdown.

constructor

new Key(name: string, args: KeyArgs, opts?: pulumi.CustomResourceOptions)

Create a Key resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: KeyState, opts?: pulumi.CustomResourceOptions): Key

Get an existing Key resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): boolean

Returns true if the given object is an instance of Key. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyAlgorithm

public keyAlgorithm: pulumi.Output<string | undefined>;

The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create).

property name

public name: pulumi.Output<string>;

The name used for this key pair

property pgpKey

public pgpKey: pulumi.Output<string | undefined>;

An optional PGP key to encrypt the resulting private key material. Only used when creating or importing a new key pair. May either be a base64-encoded public key or a keybase:keybaseusername string for looking up in Vault.

property privateKey

public privateKey: pulumi.Output<string>;

The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key, and when no pgpKey is provided.

property privateKeyEncrypted

public privateKeyEncrypted: pulumi.Output<string>;

The private key material, base64 encoded and encrypted with the given pgpKey. This is only populated when creating a new key and pgpKey is supplied.

property privateKeyFingerprint

public privateKeyFingerprint: pulumi.Output<string>;

The MD5 public key fingerprint for the encrypted private key. This is only populated when creating a new key and pgpKey is supplied.

property privateKeyType

public privateKeyType: pulumi.Output<string | undefined>;

The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.

property publicKey

public publicKey: pulumi.Output<string>;

The public key, base64 encoded

property publicKeyType

public publicKeyType: pulumi.Output<string | undefined>;

The output format of the public key requested. X509_PEM is the default output format.

property serviceAccountId

public serviceAccountId: pulumi.Output<string>;

The Service account id of the Key Pair. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property validAfter

public validAfter: pulumi.Output<string>;

The key can be used after this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

property validBefore

public validBefore: pulumi.Output<string>;

The key can be used before this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.
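
The privateKey, privateKeyEncrypted, validAfter and validBefore outputs above are enough to check how a key is held and how long it lives. The following is an added example, not code from the provider or from this documentation: it reports whether an unencrypted private key is present in the resource outputs and computes the validity window. KeyOutputs, auditKey and the sample values are hypothetical, and the client_email / private_key_id field names assume the layout of a Google credentials JSON file.

```typescript
// Added illustration; property names follow the Key resource documented above.
// The client_email / private_key_id field names are those of a Google
// credentials JSON file, and every sample value below is constructed.
interface KeyOutputs {
    privateKey?: string;          // base64 JSON; populated only when no pgpKey was given
    privateKeyEncrypted?: string; // populated only when pgpKey was supplied
    validAfter: string;           // RFC3339 "Zulu", up to nanosecond precision
    validBefore: string;
}

interface KeyReport {
    plaintextInState: boolean; // true when the unencrypted private key is in the outputs
    clientEmail?: string;
    privateKeyId?: string;
    usableNow: boolean;
    lifetimeDays: number;
}

// Date only has millisecond precision, so cut the fraction to three digits first.
function parseRfc3339Nanos(ts: string): number {
    const ms = Date.parse(ts.replace(/(\.\d{3})\d+/, "$1"));
    if (isNaN(ms)) throw new Error(`not an RFC3339 timestamp: ${ts}`);
    return ms;
}

function auditKey(k: KeyOutputs, now: Date): KeyReport {
    const after = parseRfc3339Nanos(k.validAfter);
    const before = parseRfc3339Nanos(k.validBefore);
    const report: KeyReport = {
        plaintextInState: !!k.privateKey,
        usableNow: now.getTime() >= after && now.getTime() < before,
        lifetimeDays: Math.round((before - after) / 86400000),
    };
    if (k.privateKey) {
        // Decode only to read identifying fields; the private_key field is
        // never copied into the report, so the report is safe to log.
        const creds = JSON.parse(atob(k.privateKey));
        report.clientEmail = creds.client_email;
        report.privateKeyId = creds.private_key_id;
    }
    return report;
}

// Constructed sample outputs for a key created without pgpKey.
const sampleKey: KeyOutputs = {
    privateKey: btoa(JSON.stringify({
        type: "service_account",
        private_key_id: "constructed-key-id",
        private_key: "CONSTRUCTED-NOT-A-REAL-KEY",
        client_email: "myaccount@my-project.iam.gserviceaccount.com",
    })),
    validAfter: "2014-10-02T15:01:23.045123456Z",
    validBefore: "2024-10-02T15:01:23.045123456Z",
};
const sampleReport = auditKey(sampleKey, new Date("2020-01-01T00:00:00Z"));
console.log(sampleReport);
```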

Data Sources

Data Source getAccount

getAccount(args: GetAccountArgs, opts?: pulumi.InvokeOptions): Promise<GetAccountResult> & GetAccountResult

Get the service account from a project. For more information see the official API documentation.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const objectViewer = gcp.serviceAccount.getAccount({
    accountId: "object-viewer",
});

This content is derived from https://github.com/terraform-providers/terraform-provider-google/blob/master/website/docs/d/service_account.html.markdown.

Data Source getAccountAccessToken

getAccountAccessToken(args: GetAccountAccessTokenArgs, opts?: pulumi.InvokeOptions): Promise<GetAccountAccessTokenResult> & GetAccountAccessTokenResult

This data source provides a Google OAuth2 accessToken for a different service account than the one initially running the script.

For more information see the official documentation as well as iamcredentials.generateAccessToken()

This content is derived from https://github.com/terraform-providers/terraform-provider-google/blob/master/website/docs/d/service_account_access_token.html.markdown.

Data Source getAccountKey

getAccountKey(args: GetAccountKeyArgs, opts?: pulumi.InvokeOptions): Promise<GetAccountKeyResult> & GetAccountKeyResult

Get service account public key. For more information, see the official documentation and API.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const myaccount = new gcp.serviceAccount.Account("myaccount", {
    accountId: "dev-foo-account",
});
const mykeyKey = new gcp.serviceAccount.Key("mykey", {
    serviceAccountId: myaccount.name,
});
const mykeyAccountKey = mykeyKey.name.apply(name => gcp.serviceAccount.getAccountKey({
    name: name,
    publicKeyType: "TYPE_X509_PEM_FILE",
}));

This content is derived from https://github.com/terraform-providers/terraform-provider-google/blob/master/website/docs/d/service_account_key.html.markdown.

Others

interface AccountArgs

interface AccountArgs

The set of arguments for constructing an Account resource.

property accountId

accountId: pulumi.Input<string>;

The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression a-z to comply with RFC1035. Changing this forces a new service account to be created.

property displayName

displayName?: pulumi.Input<string>;

The display name for the service account. Can be updated without creating a new resource.

property project

project?: pulumi.Input<string>;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

interface AccountState

interface AccountState

Input properties used for looking up and filtering Account resources.

property accountId

accountId?: pulumi.Input<string>;

The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression a-z to comply with RFC1035. Changing this forces a new service account to be created.

property displayName

displayName?: pulumi.Input<string>;

The display name for the service account. Can be updated without creating a new resource.

property email

email?: pulumi.Input<string>;

The e-mail address of the service account. This value should be referenced from any gcp.organizations.getIAMPolicy data sources that would grant the service account privileges.

property name

name?: pulumi.Input<string>;

The fully-qualified name of the service account.

property project

project?: pulumi.Input<string>;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

property uniqueId

uniqueId?: pulumi.Input<string>;

The unique id of the service account.

interface GetAccountAccessTokenArgs

interface GetAccountAccessTokenArgs

A collection of arguments for invoking getAccountAccessToken.

property delegates

delegates?: string[];

Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g. ["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"])

property lifetime

lifetime?: undefined | string;

Lifetime of the impersonated token (defaults to its max: 3600s).

property scopes

scopes: string[];

The scopes the new credential should have (e.g. ["storage-ro", "cloud-platform"])

property targetServiceAccount

targetServiceAccount: string;

The service account to impersonate (e.g. service_B@your-project-id.iam.gserviceaccount.com)

interface GetAccountAccessTokenResult

interface GetAccountAccessTokenResult

A collection of values returned by getAccountAccessToken.

property accessToken

accessToken: string;

The accessToken representing the new generated identity.

property delegates

delegates?: string[];

property id

id: string;

id is the provider-assigned unique ID for this managed resource.

property lifetime

lifetime?: undefined | string;

property scopes

scopes: string[];

property targetServiceAccount

targetServiceAccount: string;

interface GetAccountArgs

interface GetAccountArgs

A collection of arguments for invoking getAccount.

property accountId

accountId: string;

The Service account id. (This is the part of the service account’s email field that comes before the @ symbol.)

property project

project?: undefined | string;

The ID of the project that the service account is present in. Defaults to the provider project configuration.

interface GetAccountKeyArgs

interface GetAccountKeyArgs

A collection of arguments for invoking getAccountKey.

property name

name: string;

The name of the service account key. This must have format projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{KEYID}, where {ACCOUNT} is the email address or unique id of the service account.

property project

project?: undefined | string;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

property publicKeyType

publicKeyType?: undefined | string;

The output format of the public key requested. X509_PEM is the default output format.

interface GetAccountKeyResult

interface GetAccountKeyResult

A collection of values returned by getAccountKey.

property id

id: string;

id is the provider-assigned unique ID for this managed resource.

property keyAlgorithm

keyAlgorithm: string;

property name

name: string;

property project

project?: undefined | string;

property publicKey

publicKey: string;

The public key, base64 encoded

property publicKeyType

publicKeyType?: undefined | string;

interface GetAccountResult

interface GetAccountResult

A collection of values returned by getAccount.

property accountId

accountId: string;

property displayName

displayName: string;

The display name for the service account.

property email

email: string;

The e-mail address of the service account. This value should be referenced from any gcp.organizations.getIAMPolicy data sources that would grant the service account privileges.

property id

id: string;

id is the provider-assigned unique ID for this managed resource.

property name

name: string;

The fully-qualified name of the service account.

property project

project?: undefined | string;

property uniqueId

uniqueId: string;

The unique id of the service account.

interface IAMBindingArgs

interface IAMBindingArgs

The set of arguments for constructing an IAMBinding resource.

property members

members: pulumi.Input<pulumi.Input<string>[]>;

property role

role: pulumi.Input<string>;

The role that should be applied. Only one gcp.serviceAccount.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId

serviceAccountId: pulumi.Input<string>;

The fully-qualified name of the service account to apply policy to.

interface IAMBindingState

interface IAMBindingState

Input properties used for looking up and filtering IAMBinding resources.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the service account IAM policy.

property members

members?: pulumi.Input<pulumi.Input<string>[]>;

property role

role?: pulumi.Input<string>;

The role that should be applied. Only one gcp.serviceAccount.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId

serviceAccountId?: pulumi.Input<string>;

The fully-qualified name of the service account to apply policy to.

interface IAMMemberArgs

interface IAMMemberArgs

The set of arguments for constructing an IAMMember resource.

property member

member: pulumi.Input<string>;

property role

role: pulumi.Input<string>;

The role that should be applied. Only one gcp.serviceAccount.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId

serviceAccountId: pulumi.Input<string>;

The fully-qualified name of the service account to apply policy to.

interface IAMMemberState

interface IAMMemberState

Input properties used for looking up and filtering IAMMember resources.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the service account IAM policy.

property member

member?: pulumi.Input<string>;

property role

role?: pulumi.Input<string>;

The role that should be applied. Only one gcp.serviceAccount.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId

serviceAccountId?: pulumi.Input<string>;

The fully-qualified name of the service account to apply policy to.

interface IAMPolicyArgs

interface IAMPolicyArgs

The set of arguments for constructing an IAMPolicy resource.

property policyData

policyData: pulumi.Input<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

property serviceAccountId

serviceAccountId: pulumi.Input<string>;

The fully-qualified name of the service account to apply policy to.

interface IAMPolicyState

interface IAMPolicyState

Input properties used for looking up and filtering IAMPolicy resources.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the service account IAM policy.

property policyData

policyData?: pulumi.Input<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

property serviceAccountId

serviceAccountId?: pulumi.Input<string>;

The fully-qualified name of the service account to apply policy to.

interface KeyArgs

interface KeyArgs

The set of arguments for constructing a Key resource.

property keyAlgorithm

keyAlgorithm?: pulumi.Input<string>;

The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create).

property pgpKey

pgpKey?: pulumi.Input<string>;

An optional PGP key to encrypt the resulting private key material. Only used when creating or importing a new key pair. May either be a base64-encoded public key or a keybase:keybaseusername string for looking up in Vault.

property privateKeyType

privateKeyType?: pulumi.Input<string>;

The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.

property publicKeyType

publicKeyType?: pulumi.Input<string>;

The output format of the public key requested. X509_PEM is the default output format.

property serviceAccountId

serviceAccountId: pulumi.Input<string>;

The Service account id of the Key Pair. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.
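The identifier formats accepted by getAccountKey's name and Key's serviceAccountId can be checked before they reach the provider. The parser below is an added example, not part of the provider; the type and function names are hypothetical, and inferring the project from a {name}@{project}.iam.gserviceaccount.com e-mail is an assumption about user-managed accounts.

```typescript
// Parsed form of the identifiers described above (names are hypothetical).
interface ServiceAccountRef {
    project?: string;                  // from the path, or inferred from the e-mail
    account: string;                   // e-mail address or unique id
    accountKind: "email" | "uniqueId";
    keyId?: string;                    // only for .../keys/{KEYID} names
}

const FULL_NAME = /^projects\/([^\/]+)\/serviceAccounts\/([^\/]+)(?:\/keys\/([^\/]+))?$/;
const ACCOUNT_EMAIL = /^[^\/@\s]+@[^\/@\s]+$/;
const ACCOUNT_UNIQUE_ID = /^\d+$/;
// Assumption: user-managed accounts use {name}@{project}.iam.gserviceaccount.com.
// Other e-mail shapes parse fine but yield no inferred project.
const USER_MANAGED = /^[^@]+@([^.@]+)\.iam\.gserviceaccount\.com$/;

function parseServiceAccountRef(input: string): ServiceAccountRef {
    const full = FULL_NAME.exec(input);
    // Bare {ACCOUNT} syntax: the whole input is the account.
    const account = full ? String(full[2]) : input;
    let accountKind: "email" | "uniqueId";
    if (ACCOUNT_UNIQUE_ID.test(account)) {
        accountKind = "uniqueId";
    } else if (ACCOUNT_EMAIL.test(account)) {
        accountKind = "email";
    } else {
        throw new Error("account is neither an e-mail nor a unique id: " + input);
    }
    const ref: ServiceAccountRef = { account: account, accountKind: accountKind };
    const inferred = USER_MANAGED.exec(account);
    const project = full ? full[1] : (inferred ? inferred[1] : undefined);
    if (project) { ref.project = project; }
    if (full && full[3]) { ref.keyId = full[3]; }
    return ref;
}

// getAccountKey's name must end in /keys/{KEYID}; Key.serviceAccountId must not.
function isKeyName(input: string): boolean {
    try {
        return parseServiceAccountRef(input).keyId !== undefined;
    } catch (e) {
        return false;
    }
}

// Constructed sample value, not a real key.
const SAMPLE_KEY_NAME =
    "projects/example-project/serviceAccounts/object-viewer@example-project.iam.gserviceaccount.com/keys/0123abcd";
```

Rejecting malformed identifiers early keeps a truncated or mistyped name from being passed on as if it were a bare {ACCOUNT}.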

interface KeyState

interface KeyState

Input properties used for looking up and filtering Key resources.

property keyAlgorithm

keyAlgorithm?: pulumi.Input<string>;

The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create).

property name

name?: pulumi.Input<string>;

The name used for this key pair.

property pgpKey

pgpKey?: pulumi.Input<string>;

An optional PGP key to encrypt the resulting private key material. Only used when creating or importing a new key pair. May either be a base64-encoded public key or a keybase:keybaseusername string for looking up in Vault.

property privateKey

privateKey?: pulumi.Input<string>;

The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key, and when no pgpKey is provided.

property privateKeyEncrypted

privateKeyEncrypted?: pulumi.Input<string>;

The private key material, base64 encoded and encrypted with the given pgpKey. This is only populated when creating a new key and pgpKey is supplied.

property privateKeyFingerprint

privateKeyFingerprint?: pulumi.Input<string>;

The MD5 public key fingerprint for the encrypted private key. This is only populated when creating a new key and pgpKey is supplied.

property privateKeyType

privateKeyType?: pulumi.Input<string>;

The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.

property publicKey

publicKey?: pulumi.Input<string>;

The public key, base64 encoded.

property publicKeyType

publicKeyType?: pulumi.Input<string>;

The output format of the public key requested. X509_PEM is the default output format.

property serviceAccountId

serviceAccountId?: pulumi.Input<string>;

The Service account id of the Key Pair. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.

property validAfter

validAfter?: pulumi.Input<string>;

The key can be used after this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

property validBefore

validBefore?: pulumi.Input<string>;

The key can be used before this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.
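The KeyState fields above are enough to audit stored key records for unencrypted private keys, weak algorithms and stale or expired keys. The following is an added example, not part of the provider: the interface mirrors KeyState's field names, while the function names, finding labels and rotation threshold are assumptions, and KEY_ALG_RSA_1024 is a value of the IAM API's key algorithm enum that this page does not list.

```typescript
// Field names mirror KeyState on this page; rule names and thresholds are assumptions.
interface KeyStateLike {
    keyAlgorithm?: string;
    pgpKey?: string;
    privateKey?: string;
    privateKeyEncrypted?: string;
    validAfter?: string;
    validBefore?: string;
}

const DAY_MS = 24 * 60 * 60 * 1000;

// RFC3339 "Zulu" timestamps here can carry nanoseconds, which Date cannot hold.
// Parse the whole seconds with Date and add the fraction back as milliseconds.
function parseZuluMs(ts: string): number {
    const m = /^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d{1,9})?Z$/.exec(ts);
    if (!m) { throw new Error("not an RFC3339 UTC timestamp: " + ts); }
    const base = Date.parse(m[1] + "Z");
    if (isNaN(base)) { throw new Error("invalid calendar date: " + ts); }
    return base + (m[2] ? parseFloat("0" + m[2]) * 1000 : 0);
}

function auditKeyState(k: KeyStateLike, nowMs: number, maxAgeDays: number): string[] {
    const findings: string[] = [];
    // privateKey is populated only when no pgpKey was given; the stored value
    // is then the usable credential (base64 is an encoding, not encryption).
    if (k.privateKey && !k.pgpKey) { findings.push("plaintext-private-key-in-state"); }
    if (k.keyAlgorithm === "KEY_ALG_RSA_1024") { findings.push("weak-key-algorithm"); }
    if (k.validAfter && nowMs - parseZuluMs(k.validAfter) > maxAgeDays * DAY_MS) {
        findings.push("older-than-rotation-window");
    }
    if (k.validBefore && parseZuluMs(k.validBefore) <= nowMs) { findings.push("expired"); }
    return findings;
}

// Constructed sample records (no real key material).
const PLAINTEXT_KEY: KeyStateLike = {
    keyAlgorithm: "KEY_ALG_RSA_2048",
    privateKey: "Y29uc3RydWN0ZWQ=",
    validAfter: "2014-10-02T15:01:23.045123456Z",
    validBefore: "2024-10-02T15:01:23.045123456Z",
};
const PGP_KEY: KeyStateLike = {
    keyAlgorithm: "KEY_ALG_RSA_2048",
    pgpKey: "keybase:example-user",
    privateKeyEncrypted: "Y29uc3RydWN0ZWQ=",
    validAfter: "2023-12-01T00:00:00Z",
};
```

Passing the current time as an argument keeps the audit deterministic, so the same records can be re-evaluated against any reference date.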