1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. accessapproval
  5. getOrganizationServiceAccount
Google Cloud Classic v7.16.0 published on Wednesday, Mar 27, 2024 by Pulumi

gcp.accessapproval.getOrganizationServiceAccount

Explore with Pulumi AI

gcp logo
Google Cloud Classic v7.16.0 published on Wednesday, Mar 27, 2024 by Pulumi

    Get the email address of an organization’s Access Approval service account.

    Each Google Cloud organization has a unique service account used by Access Approval. When using Access Approval with a custom signing key, this account needs to be granted the cloudkms.signerVerifier IAM role on the Cloud KMS key used to sign approvals.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const serviceAccount = gcp.accessapproval.getOrganizationServiceAccount({
        organizationId: "my-organization",
    });
    const iam = new gcp.kms.CryptoKeyIAMMember("iam", {
        cryptoKeyId: cryptoKey.id,
        role: "roles/cloudkms.signerVerifier",
        member: serviceAccount.then(serviceAccount => `serviceAccount:${serviceAccount.accountEmail}`),
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    service_account = gcp.accessapproval.get_organization_service_account(organization_id="my-organization")
    iam = gcp.kms.CryptoKeyIAMMember("iam",
        crypto_key_id=crypto_key["id"],
        role="roles/cloudkms.signerVerifier",
        member=f"serviceAccount:{service_account.account_email}")
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/accessapproval"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/kms"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		serviceAccount, err := accessapproval.GetOrganizationServiceAccount(ctx, &accessapproval.GetOrganizationServiceAccountArgs{
    			OrganizationId: "my-organization",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = kms.NewCryptoKeyIAMMember(ctx, "iam", &kms.CryptoKeyIAMMemberArgs{
    			CryptoKeyId: pulumi.Any(cryptoKey.Id),
    			Role:        pulumi.String("roles/cloudkms.signerVerifier"),
    			Member:      pulumi.String(fmt.Sprintf("serviceAccount:%v", serviceAccount.AccountEmail)),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var serviceAccount = Gcp.AccessApproval.GetOrganizationServiceAccount.Invoke(new()
        {
            OrganizationId = "my-organization",
        });
    
        var iam = new Gcp.Kms.CryptoKeyIAMMember("iam", new()
        {
            CryptoKeyId = cryptoKey.Id,
            Role = "roles/cloudkms.signerVerifier",
            Member = $"serviceAccount:{serviceAccount.Apply(getOrganizationServiceAccountResult => getOrganizationServiceAccountResult.AccountEmail)}",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.accessapproval.AccessapprovalFunctions;
    import com.pulumi.gcp.accessapproval.inputs.GetOrganizationServiceAccountArgs;
    import com.pulumi.gcp.kms.CryptoKeyIAMMember;
    import com.pulumi.gcp.kms.CryptoKeyIAMMemberArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var serviceAccount = AccessapprovalFunctions.getOrganizationServiceAccount(GetOrganizationServiceAccountArgs.builder()
                .organizationId("my-organization")
                .build());
    
            var iam = new CryptoKeyIAMMember("iam", CryptoKeyIAMMemberArgs.builder()        
                .cryptoKeyId(cryptoKey.id())
                .role("roles/cloudkms.signerVerifier")
                .member(String.format("serviceAccount:%s", serviceAccount.applyValue(getOrganizationServiceAccountResult -> getOrganizationServiceAccountResult.accountEmail())))
                .build());
    
        }
    }
    
    resources:
      iam:
        type: gcp:kms:CryptoKeyIAMMember
        properties:
          cryptoKeyId: ${cryptoKey.id}
          role: roles/cloudkms.signerVerifier
          member: serviceAccount:${serviceAccount.accountEmail}
    variables:
      serviceAccount:
        fn::invoke:
          Function: gcp:accessapproval:getOrganizationServiceAccount
          Arguments:
            organizationId: my-organization
    

    Using getOrganizationServiceAccount

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getOrganizationServiceAccount(args: GetOrganizationServiceAccountArgs, opts?: InvokeOptions): Promise<GetOrganizationServiceAccountResult>
    function getOrganizationServiceAccountOutput(args: GetOrganizationServiceAccountOutputArgs, opts?: InvokeOptions): Output<GetOrganizationServiceAccountResult>
    def get_organization_service_account(organization_id: Optional[str] = None,
                                         opts: Optional[InvokeOptions] = None) -> GetOrganizationServiceAccountResult
    def get_organization_service_account_output(organization_id: Optional[pulumi.Input[str]] = None,
                                         opts: Optional[InvokeOptions] = None) -> Output[GetOrganizationServiceAccountResult]
    func GetOrganizationServiceAccount(ctx *Context, args *GetOrganizationServiceAccountArgs, opts ...InvokeOption) (*GetOrganizationServiceAccountResult, error)
    func GetOrganizationServiceAccountOutput(ctx *Context, args *GetOrganizationServiceAccountOutputArgs, opts ...InvokeOption) GetOrganizationServiceAccountResultOutput

    > Note: This function is named GetOrganizationServiceAccount in the Go SDK.

    public static class GetOrganizationServiceAccount 
    {
        public static Task<GetOrganizationServiceAccountResult> InvokeAsync(GetOrganizationServiceAccountArgs args, InvokeOptions? opts = null)
        public static Output<GetOrganizationServiceAccountResult> Invoke(GetOrganizationServiceAccountInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetOrganizationServiceAccountResult> getOrganizationServiceAccount(GetOrganizationServiceAccountArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: gcp:accessapproval/getOrganizationServiceAccount:getOrganizationServiceAccount
      arguments:
        # arguments dictionary

    The following arguments are supported:

    OrganizationId string
    The organization ID the service account was created for.
    OrganizationId string
    The organization ID the service account was created for.
    organizationId String
    The organization ID the service account was created for.
    organizationId string
    The organization ID the service account was created for.
    organization_id str
    The organization ID the service account was created for.
    organizationId String
    The organization ID the service account was created for.

    getOrganizationServiceAccount Result

    The following output properties are available:

    AccountEmail string
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
    OrganizationId string
    AccountEmail string
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
    OrganizationId string
    accountEmail String
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
    organizationId String
    accountEmail string
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    id string
    The provider-assigned unique ID for this managed resource.
    name string
    The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
    organizationId string
    account_email str
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    id str
    The provider-assigned unique ID for this managed resource.
    name str
    The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
    organization_id str
    accountEmail String
    The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
    organizationId String

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v7.16.0 published on Wednesday, Mar 27, 2024 by Pulumi