Module service_account

service_account

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-gcp repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-google repo.
class pulumi_gcp.service_account.Account(resource_name, opts=None, account_id=None, display_name=None, project=None, __props__=None, __name__=None, __opts__=None)

Allows management of a Google Cloud Platform service account.

Creation of service accounts is eventually consistent, and that can lead to errors when you try to apply ACLs to service accounts immediately after creation.
Parameters:
  • resource_name (str) – The name of the resource.
  • opts (pulumi.ResourceOptions) – Options for the resource.
  • account_id (pulumi.Input[str]) – The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression a-z to comply with RFC1035. Changing this forces a new service account to be created.
  • display_name (pulumi.Input[str]) – The display name for the service account. Can be updated without creating a new resource.
  • project (pulumi.Input[str]) – The ID of the project that the service account will be created in. Defaults to the provider project configuration.
account_id = None

The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression a-z to comply with RFC1035. Changing this forces a new service account to be created.

display_name = None

The display name for the service account. Can be updated without creating a new resource.

email = None

The e-mail address of the service account. This value should be referenced from any organizations.getIAMPolicy data sources that would grant the service account privileges.

name = None

The fully-qualified name of the service account.

project = None

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

unique_id = None

The unique id of the service account.

static get(resource_name, id, opts=None, account_id=None, display_name=None, email=None, name=None, project=None, unique_id=None)

Get an existing Account resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters:
  • resource_name (str) – The unique name of the resulting resource.
  • id (str) – The unique provider ID of the resource to lookup.
  • opts (pulumi.ResourceOptions) – Options for the resource.
  • account_id (pulumi.Input[str]) – The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression a-z to comply with RFC1035. Changing this forces a new service account to be created.
  • display_name (pulumi.Input[str]) – The display name for the service account. Can be updated without creating a new resource.
  • email (pulumi.Input[str]) – The e-mail address of the service account. This value should be referenced from any organizations.getIAMPolicy data sources that would grant the service account privileges.
  • name (pulumi.Input[str]) – The fully-qualified name of the service account.
  • project (pulumi.Input[str]) – The ID of the project that the service account will be created in. Defaults to the provider project configuration.
  • unique_id (pulumi.Input[str]) – The unique id of the service account.
translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
class pulumi_gcp.service_account.AwaitableGetAccountAccessTokenResult(access_token=None, delegates=None, lifetime=None, scopes=None, target_service_account=None, id=None)
class pulumi_gcp.service_account.AwaitableGetAccountKeyResult(key_algorithm=None, name=None, project=None, public_key=None, public_key_type=None, id=None)
class pulumi_gcp.service_account.AwaitableGetAccountResult(account_id=None, display_name=None, email=None, name=None, project=None, unique_id=None, id=None)
class pulumi_gcp.service_account.GetAccountAccessTokenResult(access_token=None, delegates=None, lifetime=None, scopes=None, target_service_account=None, id=None)

A collection of values returned by getAccountAccessToken.

access_token = None

The access_token representing the new generated identity.

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_gcp.service_account.GetAccountKeyResult(key_algorithm=None, name=None, project=None, public_key=None, public_key_type=None, id=None)

A collection of values returned by getAccountKey.

public_key = None

The public key, base64 encoded

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_gcp.service_account.GetAccountResult(account_id=None, display_name=None, email=None, name=None, project=None, unique_id=None, id=None)

A collection of values returned by getAccount.

display_name = None

The display name for the service account.

email = None

The e-mail address of the service account. This value should be referenced from any organizations.getIAMPolicy data sources that would grant the service account privileges.

name = None

The fully-qualified name of the service account.

unique_id = None

The unique id of the service account.

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_gcp.service_account.IAMBinding(resource_name, opts=None, members=None, role=None, service_account_id=None, __props__=None, __name__=None, __opts__=None)

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource adds IAM policy bindings to a service account resource, configuring who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

  • serviceAccount.IAMPolicy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
  • serviceAccount.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
  • serviceAccount.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

Note: serviceAccount.IAMPolicy cannot be used in conjunction with serviceAccount.IAMBinding and serviceAccount.IAMMember or they will fight over what your policy should be.

Note: serviceAccount.IAMBinding resources can be used in conjunction with serviceAccount.IAMMember resources only if they do not grant privilege to the same role.
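
The difference between the three resources, and the two combinations the notes rule out, can be modelled offline. This is an added example, not code from pulumi_gcp: the helper names, the `{role: set(members)}` policy shape, the `declared` dict layout and every identity below are assumptions made for illustration.

```python
# Added example: pure-Python model of the documented semantics. All names are
# hypothetical and all identities are constructed.
from collections import defaultdict

def apply_policy(existing, policy_data):
    """IAMPolicy: authoritative. The attached policy is replaced outright."""
    return {role: set(members) for role, members in policy_data.items()}

def apply_binding(existing, role, members):
    """IAMBinding: authoritative for one role. Other roles are preserved."""
    new = {r: set(m) for r, m in existing.items()}
    new[role] = set(members)
    return new

def apply_member(existing, role, member):
    """IAMMember: non-authoritative. Other members of the role are preserved."""
    new = {r: set(m) for r, m in existing.items()}
    new.setdefault(role, set()).add(member)
    return new

def find_conflicts(declared):
    """Flag, per service account, the combinations the notes rule out.

    declared: list of dicts with keys kind, service_account_id and, for
    IAMBinding / IAMMember, role.
    """
    by_sa = defaultdict(list)
    for res in declared:
        by_sa[res["service_account_id"]].append(res)
    problems = []
    for sa, resources in sorted(by_sa.items()):
        kinds = {r["kind"] for r in resources}
        if "IAMPolicy" in kinds and kinds & {"IAMBinding", "IAMMember"}:
            problems.append((sa, "IAMPolicy mixed with IAMBinding/IAMMember"))
        binding_roles = [r["role"] for r in resources if r["kind"] == "IAMBinding"]
        for role in sorted({x for x in binding_roles if binding_roles.count(x) > 1}):
            problems.append((sa, f"more than one IAMBinding for {role}"))
        member_roles = {r["role"] for r in resources if r["kind"] == "IAMMember"}
        for role in sorted(set(binding_roles) & member_roles):
            problems.append((sa, f"IAMBinding and IAMMember both grant {role}"))
    return problems

SA = "projects/example-project/serviceAccounts/ci@example-project.iam.gserviceaccount.com"
USER_ROLE = "roles/iam.serviceAccountUser"
TOKEN_ROLE = "roles/iam.serviceAccountTokenCreator"

# Policy already attached before the program runs (constructed).
LIVE = {USER_ROLE: {"user:alice@example.com"}, TOKEN_ROLE: {"group:sre@example.com"}}

def demo():
    """Grant USER_ROLE to bob through each resource kind and compare results."""
    after_member = apply_member(LIVE, USER_ROLE, "user:bob@example.com")
    after_binding = apply_binding(LIVE, USER_ROLE, ["user:bob@example.com"])
    after_policy = apply_policy(LIVE, {USER_ROLE: ["user:bob@example.com"]})
    return after_member, after_binding, after_policy

if __name__ == "__main__":
    for label, policy in zip(("IAMMember", "IAMBinding", "IAMPolicy"), demo()):
        print(label, {r: sorted(m) for r, m in sorted(policy.items())})
```

Only IAMMember keeps alice's existing grant. IAMBinding drops her from the role it manages, and IAMPolicy also removes the untouched token-creator role, so either authoritative resource can revoke access that was granted outside the program.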

Parameters:
  • resource_name (str) – The name of the resource.
  • opts (pulumi.ResourceOptions) – Options for the resource.
  • role (pulumi.Input[str]) – The role that should be applied. Only one serviceAccount.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.
  • service_account_id (pulumi.Input[str]) – The fully-qualified name of the service account to apply policy to.
etag = None

(Computed) The etag of the service account IAM policy.

role = None

The role that should be applied. Only one serviceAccount.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

service_account_id = None

The fully-qualified name of the service account to apply policy to.

static get(resource_name, id, opts=None, etag=None, members=None, role=None, service_account_id=None)

Get an existing IAMBinding resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters:
  • resource_name (str) – The unique name of the resulting resource.
  • id (str) – The unique provider ID of the resource to lookup.
  • opts (pulumi.ResourceOptions) – Options for the resource.
  • etag (pulumi.Input[str]) – (Computed) The etag of the service account IAM policy.
  • role (pulumi.Input[str]) – The role that should be applied. Only one serviceAccount.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.
  • service_account_id (pulumi.Input[str]) – The fully-qualified name of the service account to apply policy to.
translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
class pulumi_gcp.service_account.IAMMember(resource_name, opts=None, member=None, role=None, service_account_id=None, __props__=None, __name__=None, __opts__=None)

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource adds IAM policy bindings to a service account resource, configuring who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

  • serviceAccount.IAMPolicy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
  • serviceAccount.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
  • serviceAccount.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

Note: serviceAccount.IAMPolicy cannot be used in conjunction with serviceAccount.IAMBinding and serviceAccount.IAMMember or they will fight over what your policy should be.

Note: serviceAccount.IAMBinding resources can be used in conjunction with serviceAccount.IAMMember resources only if they do not grant privilege to the same role.

Parameters:
  • resource_name (str) – The name of the resource.
  • opts (pulumi.ResourceOptions) – Options for the resource.
  • role (pulumi.Input[str]) – The role that should be applied. Only one serviceAccount.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.
  • service_account_id (pulumi.Input[str]) – The fully-qualified name of the service account to apply policy to.
etag = None

(Computed) The etag of the service account IAM policy.

role = None

The role that should be applied. Only one serviceAccount.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

service_account_id = None

The fully-qualified name of the service account to apply policy to.

static get(resource_name, id, opts=None, etag=None, member=None, role=None, service_account_id=None)

Get an existing IAMMember resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters:
  • resource_name (str) – The unique name of the resulting resource.
  • id (str) – The unique provider ID of the resource to lookup.
  • opts (pulumi.ResourceOptions) – Options for the resource.
  • etag (pulumi.Input[str]) – (Computed) The etag of the service account IAM policy.
  • role (pulumi.Input[str]) – The role that should be applied. Only one serviceAccount.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.
  • service_account_id (pulumi.Input[str]) – The fully-qualified name of the service account to apply policy to.
translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
class pulumi_gcp.service_account.IAMPolicy(resource_name, opts=None, policy_data=None, service_account_id=None, __props__=None, __name__=None, __opts__=None)

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource adds IAM policy bindings to a service account resource, configuring who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

  • serviceAccount.IAMPolicy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
  • serviceAccount.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
  • serviceAccount.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

Note: serviceAccount.IAMPolicy cannot be used in conjunction with serviceAccount.IAMBinding and serviceAccount.IAMMember or they will fight over what your policy should be.

Note: serviceAccount.IAMBinding resources can be used in conjunction with serviceAccount.IAMMember resources only if they do not grant privilege to the same role.

Parameters:
  • resource_name (str) – The name of the resource.
  • opts (pulumi.ResourceOptions) – Options for the resource.
  • policy_data (pulumi.Input[str]) – The policy data generated by an organizations.getIAMPolicy data source.
  • service_account_id (pulumi.Input[str]) – The fully-qualified name of the service account to apply policy to.
etag = None

(Computed) The etag of the service account IAM policy.

policy_data = None

The policy data generated by an organizations.getIAMPolicy data source.

service_account_id = None

The fully-qualified name of the service account to apply policy to.

static get(resource_name, id, opts=None, etag=None, policy_data=None, service_account_id=None)

Get an existing IAMPolicy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters:
  • resource_name (str) – The unique name of the resulting resource.
  • id (str) – The unique provider ID of the resource to lookup.
  • opts (pulumi.ResourceOptions) – Options for the resource.
  • etag (pulumi.Input[str]) – (Computed) The etag of the service account IAM policy.
  • policy_data (pulumi.Input[str]) – The policy data generated by an organizations.getIAMPolicy data source.
  • service_account_id (pulumi.Input[str]) – The fully-qualified name of the service account to apply policy to.
translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
class pulumi_gcp.service_account.Key(resource_name, opts=None, key_algorithm=None, pgp_key=None, private_key_type=None, public_key_type=None, service_account_id=None, __props__=None, __name__=None, __opts__=None)

Creates and manages service account key-pairs, which allow the user to establish identity of a service account outside of GCP. For more information, see the official documentation and API.

Parameters:
  • resource_name (str) – The name of the resource.
  • opts (pulumi.ResourceOptions) – Options for the resource.
  • key_algorithm (pulumi.Input[str]) – The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
  • pgp_key (pulumi.Input[str]) – An optional PGP key to encrypt the resulting private key material. Only used when creating or importing a new key pair. May either be a base64-encoded public key or a keybase:keybaseusername string for looking up in Vault.
  • private_key_type (pulumi.Input[str]) – The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
  • public_key_type (pulumi.Input[str]) – The output format of the public key requested. X509_PEM is the default output format.
  • service_account_id (pulumi.Input[str]) – The Service account id of the Key Pair. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.
key_algorithm = None

The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)

name = None

The name used for this key pair

pgp_key = None

An optional PGP key to encrypt the resulting private key material. Only used when creating or importing a new key pair. May either be a base64-encoded public key or a keybase:keybaseusername string for looking up in Vault.

private_key = None

The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key, and when no pgp_key is provided.

private_key_encrypted = None

The private key material, base 64 encoded and encrypted with the given pgp_key. This is only populated when creating a new key and pgp_key is supplied

private_key_fingerprint = None

The MD5 public key fingerprint for the encrypted private key. This is only populated when creating a new key and pgp_key is supplied

private_key_type = None

The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.

public_key = None

The public key, base64 encoded

public_key_type = None

The output format of the public key requested. X509_PEM is the default output format.

service_account_id = None

The Service account id of the Key Pair. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.

valid_after = None

The key can be used after this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

valid_before = None

The key can be used before this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.
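
The key attributes above can be checked together when reviewing what a stack holds. This is an added example, not part of pulumi_gcp: `audit_key`, the plain-dict shape of the outputs, the 90-day rotation threshold and the sample values are assumptions, and `client_email` is a field of the Google credentials file that `private_key` decodes to.

```python
# Added example: audit one Key resource's outputs, passed as a plain dict.
# All sample values are constructed; no real key material is present.
import base64
import json
import re
from datetime import datetime, timedelta, timezone

_RFC3339_ZULU = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z$")

def parse_zulu(ts):
    """Parse an RFC3339 "Zulu" timestamp with up to nanosecond precision.

    datetime stores microseconds only, so digits past the sixth are truncated.
    """
    m = _RFC3339_ZULU.match(ts)
    if not m:
        raise ValueError(f"not an RFC3339 Zulu timestamp: {ts!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    micros = int((m.group(2) or "0").ljust(9, "0")[:6])
    return base + timedelta(microseconds=micros)

def audit_key(outputs, now, max_age=timedelta(days=90)):
    """Return a list of findings; max_age is an assumed rotation policy."""
    findings = []
    if outputs.get("private_key"):
        # Populated only when no pgp_key was supplied, so the credentials
        # file itself sits in the resource's outputs.
        creds = json.loads(base64.b64decode(outputs["private_key"]))
        findings.append("unencrypted private key in outputs for "
                        + creds.get("client_email", "?"))
    elif outputs.get("private_key_encrypted"):
        findings.append("private key encrypted with pgp_key, fingerprint "
                        + outputs.get("private_key_fingerprint", "?"))
    valid_after = parse_zulu(outputs["valid_after"])
    valid_before = parse_zulu(outputs["valid_before"])
    if not valid_after <= now < valid_before:
        findings.append("key is outside its validity window")
    elif now - valid_after > max_age:
        findings.append(f"key is {(now - valid_after).days} days old; rotate")
    return findings

SAMPLE_PLAIN = {  # constructed: created without pgp_key
    "private_key": base64.b64encode(json.dumps({
        "type": "service_account",
        "client_email": "ci@example-project.iam.gserviceaccount.com",
        "private_key": "CONSTRUCTED-PLACEHOLDER",
    }).encode()).decode(),
    "valid_after": "2014-10-02T15:01:23.045123456Z",
    "valid_before": "2024-10-02T15:01:23.045123456Z",
}
SAMPLE_PGP = {  # constructed: created with pgp_key, already expired at NOW
    "private_key_encrypted": "Q09OU1RSVUNURUQ=",
    "private_key_fingerprint": "constructed-fingerprint",
    "valid_after": "2014-10-02T15:01:23.045123456Z",
    "valid_before": "2014-10-03T15:01:23Z",
}
NOW = datetime(2015, 3, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, sample in (("plain", SAMPLE_PLAIN), ("pgp", SAMPLE_PGP)):
        print(name, audit_key(sample, NOW))
```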

static get(resource_name, id, opts=None, key_algorithm=None, name=None, pgp_key=None, private_key=None, private_key_encrypted=None, private_key_fingerprint=None, private_key_type=None, public_key=None, public_key_type=None, service_account_id=None, valid_after=None, valid_before=None)

Get an existing Key resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters:
  • resource_name (str) – The unique name of the resulting resource.
  • id (str) – The unique provider ID of the resource to lookup.
  • opts (pulumi.ResourceOptions) – Options for the resource.
  • key_algorithm (pulumi.Input[str]) – The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
  • name (pulumi.Input[str]) – The name used for this key pair
  • pgp_key (pulumi.Input[str]) – An optional PGP key to encrypt the resulting private key material. Only used when creating or importing a new key pair. May either be a base64-encoded public key or a keybase:keybaseusername string for looking up in Vault.
  • private_key (pulumi.Input[str]) – The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key, and when no pgp_key is provided.
  • private_key_encrypted (pulumi.Input[str]) – The private key material, base 64 encoded and encrypted with the given pgp_key. This is only populated when creating a new key and pgp_key is supplied
  • private_key_fingerprint (pulumi.Input[str]) – The MD5 public key fingerprint for the encrypted private key. This is only populated when creating a new key and pgp_key is supplied
  • private_key_type (pulumi.Input[str]) – The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
  • public_key (pulumi.Input[str]) – The public key, base64 encoded
  • public_key_type (pulumi.Input[str]) – The output format of the public key requested. X509_PEM is the default output format.
  • service_account_id (pulumi.Input[str]) – The Service account id of the Key Pair. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.
  • valid_after (pulumi.Input[str]) – The key can be used after this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.
  • valid_before (pulumi.Input[str]) – The key can be used before this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.
translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
pulumi_gcp.service_account.get_account(account_id=None, project=None, opts=None)

Get the service account from a project. For more information see the official API documentation.

pulumi_gcp.service_account.get_account_access_token(delegates=None, lifetime=None, scopes=None, target_service_account=None, opts=None)

This data source provides a Google OAuth2 access_token for a different service account than the one initially running the script.

For more information see the official documentation as well as iamcredentials.generateAccessToken()

pulumi_gcp.service_account.get_account_key(name=None, project=None, public_key_type=None, opts=None)

Get service account public key. For more information, see the official documentation and API.