Google Cloud (GCP) Classic

Pulumi Official
Package maintained by Pulumi
v6.32.0 published on Wednesday, Jul 20, 2022 by Pulumi

getFolderServiceAccount

Get the email address of a folder’s Access Approval service account.

Each Google Cloud folder has a unique service account used by Access Approval. When using Access Approval with a custom signing key, this account needs to be granted the cloudkms.signerVerifier IAM role on the Cloud KMS key used to sign approvals.

Example Usage

using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var serviceAccount = Output.Create(Gcp.AccessApproval.GetFolderServiceAccount.InvokeAsync(new Gcp.AccessApproval.GetFolderServiceAccountArgs
        {
            FolderId = "my-folder",
        }));
        var iam = new Gcp.Kms.CryptoKeyIAMMember("iam", new Gcp.Kms.CryptoKeyIAMMemberArgs
        {
            CryptoKeyId = google_kms_crypto_key.Crypto_key.Id,
            Role = "roles/cloudkms.signerVerifier",
            Member = serviceAccount.Apply(serviceAccount => $"serviceAccount:{serviceAccount.AccountEmail}"),
        });
    }

}
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/accessapproval"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		serviceAccount, err := accessapproval.GetFolderServiceAccount(ctx, &accessapproval.GetFolderServiceAccountArgs{
			FolderId: "my-folder",
		}, nil)
		if err != nil {
			return err
		}
		_, err = kms.NewCryptoKeyIAMMember(ctx, "iam", &kms.CryptoKeyIAMMemberArgs{
			CryptoKeyId: pulumi.Any(google_kms_crypto_key.Crypto_key.Id),
			Role:        pulumi.String("roles/cloudkms.signerVerifier"),
			Member:      pulumi.String(fmt.Sprintf("%v%v", "serviceAccount:", serviceAccount.AccountEmail)),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var serviceAccount = Output.of(AccessapprovalFunctions.getFolderServiceAccount(GetFolderServiceAccountArgs.builder()
            .folderId("my-folder")
            .build()));

        var iam = new CryptoKeyIAMMember("iam", CryptoKeyIAMMemberArgs.builder()        
            .cryptoKeyId(google_kms_crypto_key.crypto_key().id())
            .role("roles/cloudkms.signerVerifier")
            .member(String.format("serviceAccount:%s", serviceAccount.apply(getFolderServiceAccountResult -> getFolderServiceAccountResult.accountEmail())))
            .build());

    }
}
import pulumi
import pulumi_gcp as gcp

service_account = gcp.accessapproval.get_folder_service_account(folder_id="my-folder")
iam = gcp.kms.CryptoKeyIAMMember("iam",
    crypto_key_id=google_kms_crypto_key["crypto_key"]["id"],
    role="roles/cloudkms.signerVerifier",
    member=f"serviceAccount:{service_account.account_email}")
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const serviceAccount = gcp.accessapproval.getFolderServiceAccount({
    folderId: "my-folder",
});
const iam = new gcp.kms.CryptoKeyIAMMember("iam", {
    cryptoKeyId: google_kms_crypto_key.crypto_key.id,
    role: "roles/cloudkms.signerVerifier",
    member: serviceAccount.then(serviceAccount => `serviceAccount:${serviceAccount.accountEmail}`),
});
resources:
  iam:
    type: gcp:kms:CryptoKeyIAMMember
    properties:
      cryptoKeyId: ${google_kms_crypto_key.crypto_key.id}
      role: roles/cloudkms.signerVerifier
      member: serviceAccount:${serviceAccount.accountEmail}
variables:
  serviceAccount:
    Fn::Invoke:
      Function: gcp:accessapproval:getFolderServiceAccount
      Arguments:
        folderId: my-folder

Using getFolderServiceAccount

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getFolderServiceAccount(args: GetFolderServiceAccountArgs, opts?: InvokeOptions): Promise<GetFolderServiceAccountResult>
function getFolderServiceAccountOutput(args: GetFolderServiceAccountOutputArgs, opts?: InvokeOptions): Output<GetFolderServiceAccountResult>
def get_folder_service_account(folder_id: Optional[str] = None,
                               opts: Optional[InvokeOptions] = None) -> GetFolderServiceAccountResult
def get_folder_service_account_output(folder_id: Optional[pulumi.Input[str]] = None,
                               opts: Optional[InvokeOptions] = None) -> Output[GetFolderServiceAccountResult]
func GetFolderServiceAccount(ctx *Context, args *GetFolderServiceAccountArgs, opts ...InvokeOption) (*GetFolderServiceAccountResult, error)
func GetFolderServiceAccountOutput(ctx *Context, args *GetFolderServiceAccountOutputArgs, opts ...InvokeOption) GetFolderServiceAccountResultOutput

> Note: This function is named GetFolderServiceAccount in the Go SDK.

public static class GetFolderServiceAccount 
{
    public static Task<GetFolderServiceAccountResult> InvokeAsync(GetFolderServiceAccountArgs args, InvokeOptions? opts = null)
    public static Output<GetFolderServiceAccountResult> Invoke(GetFolderServiceAccountInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetFolderServiceAccountResult> getFolderServiceAccount(GetFolderServiceAccountArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
Fn::Invoke:
  Function: gcp:accessapproval/getFolderServiceAccount:getFolderServiceAccount
  Arguments:
    # Arguments dictionary

The following arguments are supported:

FolderId string

The folder ID the service account was created for.

FolderId string

The folder ID the service account was created for.

folderId String

The folder ID the service account was created for.

folderId string

The folder ID the service account was created for.

folder_id str

The folder ID the service account was created for.

folderId String

The folder ID the service account was created for.

getFolderServiceAccount Result

The following output properties are available:

AccountEmail string

The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.

FolderId string
Id string

The provider-assigned unique ID for this managed resource.

Name string

The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".

AccountEmail string

The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.

FolderId string
Id string

The provider-assigned unique ID for this managed resource.

Name string

The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".

accountEmail String

The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.

folderId String
id String

The provider-assigned unique ID for this managed resource.

name String

The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".

accountEmail string

The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.

folderId string
id string

The provider-assigned unique ID for this managed resource.

name string

The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".

account_email str

The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.

folder_id str
id str

The provider-assigned unique ID for this managed resource.

name str

The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".

accountEmail String

The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.

folderId String
id String

The provider-assigned unique ID for this managed resource.

name String

The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".

Package Details

Repository
https://github.com/pulumi/pulumi-gcp
License
Apache-2.0
Notes

This Pulumi package is based on the google-beta Terraform Provider.