Google Cloud Classic v8.9.1 published on Wednesday, Nov 13, 2024 by Pulumi
gcp.accessapproval.getFolderServiceAccount
Explore with Pulumi AI
Get the email address of a folder’s Access Approval service account.
Each Google Cloud folder has a unique service account used by Access Approval.
When using Access Approval with a
custom signing key,
this account needs to be granted the cloudkms.signerVerifier
IAM role on the
Cloud KMS key used to sign approvals.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const serviceAccount = gcp.accessapproval.getFolderServiceAccount({
folderId: "my-folder",
});
const iam = new gcp.kms.CryptoKeyIAMMember("iam", {
cryptoKeyId: cryptoKey.id,
role: "roles/cloudkms.signerVerifier",
member: serviceAccount.then(serviceAccount => `serviceAccount:${serviceAccount.accountEmail}`),
});
import pulumi
import pulumi_gcp as gcp
service_account = gcp.accessapproval.get_folder_service_account(folder_id="my-folder")
iam = gcp.kms.CryptoKeyIAMMember("iam",
crypto_key_id=crypto_key["id"],
role="roles/cloudkms.signerVerifier",
member=f"serviceAccount:{service_account.account_email}")
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/accessapproval"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
serviceAccount, err := accessapproval.GetFolderServiceAccount(ctx, &accessapproval.GetFolderServiceAccountArgs{
FolderId: "my-folder",
}, nil)
if err != nil {
return err
}
_, err = kms.NewCryptoKeyIAMMember(ctx, "iam", &kms.CryptoKeyIAMMemberArgs{
CryptoKeyId: pulumi.Any(cryptoKey.Id),
Role: pulumi.String("roles/cloudkms.signerVerifier"),
Member: pulumi.Sprintf("serviceAccount:%v", serviceAccount.AccountEmail),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var serviceAccount = Gcp.AccessApproval.GetFolderServiceAccount.Invoke(new()
{
FolderId = "my-folder",
});
var iam = new Gcp.Kms.CryptoKeyIAMMember("iam", new()
{
CryptoKeyId = cryptoKey.Id,
Role = "roles/cloudkms.signerVerifier",
Member = $"serviceAccount:{serviceAccount.Apply(getFolderServiceAccountResult => getFolderServiceAccountResult.AccountEmail)}",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.accessapproval.AccessapprovalFunctions;
import com.pulumi.gcp.accessapproval.inputs.GetFolderServiceAccountArgs;
import com.pulumi.gcp.kms.CryptoKeyIAMMember;
import com.pulumi.gcp.kms.CryptoKeyIAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var serviceAccount = AccessapprovalFunctions.getFolderServiceAccount(GetFolderServiceAccountArgs.builder()
.folderId("my-folder")
.build());
var iam = new CryptoKeyIAMMember("iam", CryptoKeyIAMMemberArgs.builder()
.cryptoKeyId(cryptoKey.id())
.role("roles/cloudkms.signerVerifier")
.member(String.format("serviceAccount:%s", serviceAccount.applyValue(getFolderServiceAccountResult -> getFolderServiceAccountResult.accountEmail())))
.build());
}
}
resources:
iam:
type: gcp:kms:CryptoKeyIAMMember
properties:
cryptoKeyId: ${cryptoKey.id}
role: roles/cloudkms.signerVerifier
member: serviceAccount:${serviceAccount.accountEmail}
variables:
serviceAccount:
fn::invoke:
Function: gcp:accessapproval:getFolderServiceAccount
Arguments:
folderId: my-folder
Using getFolderServiceAccount
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getFolderServiceAccount(args: GetFolderServiceAccountArgs, opts?: InvokeOptions): Promise<GetFolderServiceAccountResult>
function getFolderServiceAccountOutput(args: GetFolderServiceAccountOutputArgs, opts?: InvokeOptions): Output<GetFolderServiceAccountResult>
def get_folder_service_account(folder_id: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetFolderServiceAccountResult
def get_folder_service_account_output(folder_id: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetFolderServiceAccountResult]
func GetFolderServiceAccount(ctx *Context, args *GetFolderServiceAccountArgs, opts ...InvokeOption) (*GetFolderServiceAccountResult, error)
func GetFolderServiceAccountOutput(ctx *Context, args *GetFolderServiceAccountOutputArgs, opts ...InvokeOption) GetFolderServiceAccountResultOutput
> Note: This function is named GetFolderServiceAccount
in the Go SDK.
public static class GetFolderServiceAccount
{
public static Task<GetFolderServiceAccountResult> InvokeAsync(GetFolderServiceAccountArgs args, InvokeOptions? opts = null)
public static Output<GetFolderServiceAccountResult> Invoke(GetFolderServiceAccountInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetFolderServiceAccountResult> getFolderServiceAccount(GetFolderServiceAccountArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
function: gcp:accessapproval/getFolderServiceAccount:getFolderServiceAccount
arguments:
# arguments dictionary
The following arguments are supported:
- Folder
Id string - The folder ID the service account was created for.
- Folder
Id string - The folder ID the service account was created for.
- folder
Id String - The folder ID the service account was created for.
- folder
Id string - The folder ID the service account was created for.
- folder_
id str - The folder ID the service account was created for.
- folder
Id String - The folder ID the service account was created for.
getFolderServiceAccount Result
The following output properties are available:
- Account
Email string - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- Folder
Id string - Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".
- Account
Email string - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- Folder
Id string - Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".
- account
Email String - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- folder
Id String - id String
- The provider-assigned unique ID for this managed resource.
- name String
- The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".
- account
Email string - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- folder
Id string - id string
- The provider-assigned unique ID for this managed resource.
- name string
- The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".
- account_
email str - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- folder_
id str - id str
- The provider-assigned unique ID for this managed resource.
- name str
- The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".
- account
Email String - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- folder
Id String - id String
- The provider-assigned unique ID for this managed resource.
- name String
- The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-beta
Terraform Provider.