1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. accessapproval
  5. getOrganizationServiceAccount
Viewing docs for Google Cloud v9.15.0
published on Thursday, Mar 12, 2026 by Pulumi
Schema (JSON)
pulumi/pulumi-gcp

gcp.accessapproval.getOrganizationServiceAccount

gcp logo
Viewing docs for Google Cloud v9.15.0
published on Thursday, Mar 12, 2026 by Pulumi
Schema (JSON)
pulumi/pulumi-gcp

    Get the email address of an organization’s Access Approval service account.

    Each Google Cloud organization has a unique service account used by Access Approval. When using Access Approval with a custom signing key, this account needs to be granted the cloudkms.signerVerifier IAM role on the Cloud KMS key used to sign approvals.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const serviceAccount = gcp.accessapproval.getOrganizationServiceAccount({
    organizationId: "my-organization",
});
const iam = new gcp.kms.CryptoKeyIAMMember("iam", {
    cryptoKeyId: cryptoKey.id,
    role: "roles/cloudkms.signerVerifier",
    member: serviceAccount.then(serviceAccount => `serviceAccount:${serviceAccount.accountEmail}`),
});

    import pulumi
import pulumi_gcp as gcp

service_account = gcp.accessapproval.get_organization_service_account(organization_id="my-organization")
iam = gcp.kms.CryptoKeyIAMMember("iam",
    crypto_key_id=crypto_key["id"],
    role="roles/cloudkms.signerVerifier",
    member=f"serviceAccount:{service_account.account_email}")

    package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/accessapproval"
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		serviceAccount, err := accessapproval.GetOrganizationServiceAccount(ctx, &accessapproval.GetOrganizationServiceAccountArgs{
			OrganizationId: "my-organization",
		}, nil)
		if err != nil {
			return err
		}
		_, err = kms.NewCryptoKeyIAMMember(ctx, "iam", &kms.CryptoKeyIAMMemberArgs{
			CryptoKeyId: pulumi.Any(cryptoKey.Id),
			Role:        pulumi.String("roles/cloudkms.signerVerifier"),
			Member:      pulumi.Sprintf("serviceAccount:%v", serviceAccount.AccountEmail),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

    using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var serviceAccount = Gcp.AccessApproval.GetOrganizationServiceAccount.Invoke(new()
    {
        OrganizationId = "my-organization",
    });

    var iam = new Gcp.Kms.CryptoKeyIAMMember("iam", new()
    {
        CryptoKeyId = cryptoKey.Id,
        Role = "roles/cloudkms.signerVerifier",
        Member = $"serviceAccount:{serviceAccount.Apply(getOrganizationServiceAccountResult => getOrganizationServiceAccountResult.AccountEmail)}",
    });

});

    package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.accessapproval.AccessapprovalFunctions;
import com.pulumi.gcp.accessapproval.inputs.GetOrganizationServiceAccountArgs;
import com.pulumi.gcp.kms.CryptoKeyIAMMember;
import com.pulumi.gcp.kms.CryptoKeyIAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var serviceAccount = AccessapprovalFunctions.getOrganizationServiceAccount(GetOrganizationServiceAccountArgs.builder()
            .organizationId("my-organization")
            .build());

        var iam = new CryptoKeyIAMMember("iam", CryptoKeyIAMMemberArgs.builder()
            .cryptoKeyId(cryptoKey.id())
            .role("roles/cloudkms.signerVerifier")
            .member(String.format("serviceAccount:%s", serviceAccount.accountEmail()))
            .build());

    }
}

    resources:
  iam:
    type: gcp:kms:CryptoKeyIAMMember
    properties:
      cryptoKeyId: ${cryptoKey.id}
      role: roles/cloudkms.signerVerifier
      member: serviceAccount:${serviceAccount.accountEmail}
variables:
  serviceAccount:
    fn::invoke:
      function: gcp:accessapproval:getOrganizationServiceAccount
      arguments:
        organizationId: my-organization

    Using getOrganizationServiceAccount

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getOrganizationServiceAccount(args: GetOrganizationServiceAccountArgs, opts?: InvokeOptions): Promise<GetOrganizationServiceAccountResult>
function getOrganizationServiceAccountOutput(args: GetOrganizationServiceAccountOutputArgs, opts?: InvokeOptions): Output<GetOrganizationServiceAccountResult>
    def get_organization_service_account(organization_id: Optional[str] = None,
                                     opts: Optional[InvokeOptions] = None) -> GetOrganizationServiceAccountResult
def get_organization_service_account_output(organization_id: Optional[pulumi.Input[str]] = None,
                                     opts: Optional[InvokeOptions] = None) -> Output[GetOrganizationServiceAccountResult]
    func GetOrganizationServiceAccount(ctx *Context, args *GetOrganizationServiceAccountArgs, opts ...InvokeOption) (*GetOrganizationServiceAccountResult, error)
func GetOrganizationServiceAccountOutput(ctx *Context, args *GetOrganizationServiceAccountOutputArgs, opts ...InvokeOption) GetOrganizationServiceAccountResultOutput

    > Note: This function is named GetOrganizationServiceAccount in the Go SDK.

    public static class GetOrganizationServiceAccount 
{
    public static Task<GetOrganizationServiceAccountResult> InvokeAsync(GetOrganizationServiceAccountArgs args, InvokeOptions? opts = null)
    public static Output<GetOrganizationServiceAccountResult> Invoke(GetOrganizationServiceAccountInvokeArgs args, InvokeOptions? opts = null)
}
    public static CompletableFuture<GetOrganizationServiceAccountResult> getOrganizationServiceAccount(GetOrganizationServiceAccountArgs args, InvokeOptions options)
public static Output<GetOrganizationServiceAccountResult> getOrganizationServiceAccount(GetOrganizationServiceAccountArgs args, InvokeOptions options)

    fn::invoke:
  function: gcp:accessapproval/getOrganizationServiceAccount:getOrganizationServiceAccount
  arguments:
    # arguments dictionary

    The following arguments are supported:

    OrganizationId string
    The organization ID the service account was created for.
    OrganizationId string
    The organization ID the service account was created for.
    organizationId String
    The organization ID the service account was created for.
    organizationId string
    The organization ID the service account was created for.
    organization_id str
    The organization ID the service account was created for.
    organizationId String
    The organization ID the service account was created for.

    getOrganizationServiceAccount Result

    The following output properties are available:

    AccountEmail string
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
    OrganizationId string
    AccountEmail string
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
    OrganizationId string
    accountEmail String
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
    organizationId String
    accountEmail string
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    id string
    The provider-assigned unique ID for this managed resource.
    name string
    The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
    organizationId string
    account_email str
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    id str
    The provider-assigned unique ID for this managed resource.
    name str
    The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
    organization_id str
    accountEmail String
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
    organizationId String

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Viewing docs for Google Cloud v9.15.0
    published on Thursday, Mar 12, 2026 by Pulumi
    Schema (JSON)
    pulumi/pulumi-gcp
      Try Pulumi Cloud free. Your team will thank you.