1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. accessapproval
  5. getFolderServiceAccount
Google Cloud Classic v7.16.0 published on Wednesday, Mar 27, 2024 by Pulumi

gcp.accessapproval.getFolderServiceAccount

Explore with Pulumi AI

gcp logo
Google Cloud Classic v7.16.0 published on Wednesday, Mar 27, 2024 by Pulumi

    Get the email address of a folder’s Access Approval service account.

    Each Google Cloud folder has a unique service account used by Access Approval. When using Access Approval with a custom signing key, this account needs to be granted the cloudkms.signerVerifier IAM role on the Cloud KMS key used to sign approvals.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const serviceAccount = gcp.accessapproval.getFolderServiceAccount({
        folderId: "my-folder",
    });
    const iam = new gcp.kms.CryptoKeyIAMMember("iam", {
        cryptoKeyId: cryptoKey.id,
        role: "roles/cloudkms.signerVerifier",
        member: serviceAccount.then(serviceAccount => `serviceAccount:${serviceAccount.accountEmail}`),
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    service_account = gcp.accessapproval.get_folder_service_account(folder_id="my-folder")
    iam = gcp.kms.CryptoKeyIAMMember("iam",
        crypto_key_id=crypto_key["id"],
        role="roles/cloudkms.signerVerifier",
        member=f"serviceAccount:{service_account.account_email}")
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/accessapproval"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/kms"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		serviceAccount, err := accessapproval.GetFolderServiceAccount(ctx, &accessapproval.GetFolderServiceAccountArgs{
    			FolderId: "my-folder",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = kms.NewCryptoKeyIAMMember(ctx, "iam", &kms.CryptoKeyIAMMemberArgs{
    			CryptoKeyId: pulumi.Any(cryptoKey.Id),
    			Role:        pulumi.String("roles/cloudkms.signerVerifier"),
    			Member:      pulumi.String(fmt.Sprintf("serviceAccount:%v", serviceAccount.AccountEmail)),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var serviceAccount = Gcp.AccessApproval.GetFolderServiceAccount.Invoke(new()
        {
            FolderId = "my-folder",
        });
    
        var iam = new Gcp.Kms.CryptoKeyIAMMember("iam", new()
        {
            CryptoKeyId = cryptoKey.Id,
            Role = "roles/cloudkms.signerVerifier",
            Member = $"serviceAccount:{serviceAccount.Apply(getFolderServiceAccountResult => getFolderServiceAccountResult.AccountEmail)}",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.accessapproval.AccessapprovalFunctions;
    import com.pulumi.gcp.accessapproval.inputs.GetFolderServiceAccountArgs;
    import com.pulumi.gcp.kms.CryptoKeyIAMMember;
    import com.pulumi.gcp.kms.CryptoKeyIAMMemberArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var serviceAccount = AccessapprovalFunctions.getFolderServiceAccount(GetFolderServiceAccountArgs.builder()
                .folderId("my-folder")
                .build());
    
            var iam = new CryptoKeyIAMMember("iam", CryptoKeyIAMMemberArgs.builder()        
                .cryptoKeyId(cryptoKey.id())
                .role("roles/cloudkms.signerVerifier")
                .member(String.format("serviceAccount:%s", serviceAccount.applyValue(getFolderServiceAccountResult -> getFolderServiceAccountResult.accountEmail())))
                .build());
    
        }
    }
    
    resources:
      iam:
        type: gcp:kms:CryptoKeyIAMMember
        properties:
          cryptoKeyId: ${cryptoKey.id}
          role: roles/cloudkms.signerVerifier
          member: serviceAccount:${serviceAccount.accountEmail}
    variables:
      serviceAccount:
        fn::invoke:
          Function: gcp:accessapproval:getFolderServiceAccount
          Arguments:
            folderId: my-folder
    

    Using getFolderServiceAccount

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getFolderServiceAccount(args: GetFolderServiceAccountArgs, opts?: InvokeOptions): Promise<GetFolderServiceAccountResult>
    function getFolderServiceAccountOutput(args: GetFolderServiceAccountOutputArgs, opts?: InvokeOptions): Output<GetFolderServiceAccountResult>
    def get_folder_service_account(folder_id: Optional[str] = None,
                                   opts: Optional[InvokeOptions] = None) -> GetFolderServiceAccountResult
    def get_folder_service_account_output(folder_id: Optional[pulumi.Input[str]] = None,
                                   opts: Optional[InvokeOptions] = None) -> Output[GetFolderServiceAccountResult]
    func GetFolderServiceAccount(ctx *Context, args *GetFolderServiceAccountArgs, opts ...InvokeOption) (*GetFolderServiceAccountResult, error)
    func GetFolderServiceAccountOutput(ctx *Context, args *GetFolderServiceAccountOutputArgs, opts ...InvokeOption) GetFolderServiceAccountResultOutput

    > Note: This function is named GetFolderServiceAccount in the Go SDK.

    public static class GetFolderServiceAccount 
    {
        public static Task<GetFolderServiceAccountResult> InvokeAsync(GetFolderServiceAccountArgs args, InvokeOptions? opts = null)
        public static Output<GetFolderServiceAccountResult> Invoke(GetFolderServiceAccountInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetFolderServiceAccountResult> getFolderServiceAccount(GetFolderServiceAccountArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: gcp:accessapproval/getFolderServiceAccount:getFolderServiceAccount
      arguments:
        # arguments dictionary

    The following arguments are supported:

    FolderId string
    The folder ID the service account was created for.
    FolderId string
    The folder ID the service account was created for.
    folderId String
    The folder ID the service account was created for.
    folderId string
    The folder ID the service account was created for.
    folder_id str
    The folder ID the service account was created for.
    folderId String
    The folder ID the service account was created for.

    getFolderServiceAccount Result

    The following output properties are available:

    AccountEmail string
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    FolderId string
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".
    AccountEmail string
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    FolderId string
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".
    accountEmail String
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    folderId String
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".
    accountEmail string
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    folderId string
    id string
    The provider-assigned unique ID for this managed resource.
    name string
    The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".
    account_email str
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    folder_id str
    id str
    The provider-assigned unique ID for this managed resource.
    name str
    The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".
    accountEmail String
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    folderId String
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v7.16.0 published on Wednesday, Mar 27, 2024 by Pulumi