Google Cloud (GCP) Classic

Pulumi Official
Package maintained by Pulumi
v6.32.0 published on Wednesday, Jul 20, 2022 by Pulumi

getOrganizationServiceAccount

Get the email address of an organization’s Access Approval service account.

Each Google Cloud organization has a unique service account used by Access Approval. When using Access Approval with a custom signing key, this account needs to be granted the cloudkms.signerVerifier IAM role on the Cloud KMS key used to sign approvals.

Example Usage

using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var serviceAccount = Output.Create(Gcp.AccessApproval.GetOrganizationServiceAccount.InvokeAsync(new Gcp.AccessApproval.GetOrganizationServiceAccountArgs
        {
            OrganizationId = "my-organization",
        }));
        var iam = new Gcp.Kms.CryptoKeyIAMMember("iam", new Gcp.Kms.CryptoKeyIAMMemberArgs
        {
            CryptoKeyId = google_kms_crypto_key.Crypto_key.Id,
            Role = "roles/cloudkms.signerVerifier",
            Member = serviceAccount.Apply(serviceAccount => $"serviceAccount:{serviceAccount.AccountEmail}"),
        });
    }

}
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/accessapproval"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		serviceAccount, err := accessapproval.GetOrganizationServiceAccount(ctx, &accessapproval.GetOrganizationServiceAccountArgs{
			OrganizationId: "my-organization",
		}, nil)
		if err != nil {
			return err
		}
		_, err = kms.NewCryptoKeyIAMMember(ctx, "iam", &kms.CryptoKeyIAMMemberArgs{
			CryptoKeyId: pulumi.Any(google_kms_crypto_key.Crypto_key.Id),
			Role:        pulumi.String("roles/cloudkms.signerVerifier"),
			Member:      pulumi.String(fmt.Sprintf("%v%v", "serviceAccount:", serviceAccount.AccountEmail)),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var serviceAccount = Output.of(AccessapprovalFunctions.getOrganizationServiceAccount(GetOrganizationServiceAccountArgs.builder()
            .organizationId("my-organization")
            .build()));

        var iam = new CryptoKeyIAMMember("iam", CryptoKeyIAMMemberArgs.builder()        
            .cryptoKeyId(google_kms_crypto_key.crypto_key().id())
            .role("roles/cloudkms.signerVerifier")
            .member(String.format("serviceAccount:%s", serviceAccount.apply(getOrganizationServiceAccountResult -> getOrganizationServiceAccountResult.accountEmail())))
            .build());

    }
}
import pulumi
import pulumi_gcp as gcp

service_account = gcp.accessapproval.get_organization_service_account(organization_id="my-organization")
iam = gcp.kms.CryptoKeyIAMMember("iam",
    crypto_key_id=google_kms_crypto_key["crypto_key"]["id"],
    role="roles/cloudkms.signerVerifier",
    member=f"serviceAccount:{service_account.account_email}")
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const serviceAccount = gcp.accessapproval.getOrganizationServiceAccount({
    organizationId: "my-organization",
});
const iam = new gcp.kms.CryptoKeyIAMMember("iam", {
    cryptoKeyId: google_kms_crypto_key.crypto_key.id,
    role: "roles/cloudkms.signerVerifier",
    member: serviceAccount.then(serviceAccount => `serviceAccount:${serviceAccount.accountEmail}`),
});
resources:
  iam:
    type: gcp:kms:CryptoKeyIAMMember
    properties:
      cryptoKeyId: ${google_kms_crypto_key.crypto_key.id}
      role: roles/cloudkms.signerVerifier
      member: serviceAccount:${serviceAccount.accountEmail}
variables:
  serviceAccount:
    Fn::Invoke:
      Function: gcp:accessapproval:getOrganizationServiceAccount
      Arguments:
        organizationId: my-organization

Using getOrganizationServiceAccount

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getOrganizationServiceAccount(args: GetOrganizationServiceAccountArgs, opts?: InvokeOptions): Promise<GetOrganizationServiceAccountResult>
function getOrganizationServiceAccountOutput(args: GetOrganizationServiceAccountOutputArgs, opts?: InvokeOptions): Output<GetOrganizationServiceAccountResult>
def get_organization_service_account(organization_id: Optional[str] = None,
                                     opts: Optional[InvokeOptions] = None) -> GetOrganizationServiceAccountResult
def get_organization_service_account_output(organization_id: Optional[pulumi.Input[str]] = None,
                                     opts: Optional[InvokeOptions] = None) -> Output[GetOrganizationServiceAccountResult]
func GetOrganizationServiceAccount(ctx *Context, args *GetOrganizationServiceAccountArgs, opts ...InvokeOption) (*GetOrganizationServiceAccountResult, error)
func GetOrganizationServiceAccountOutput(ctx *Context, args *GetOrganizationServiceAccountOutputArgs, opts ...InvokeOption) GetOrganizationServiceAccountResultOutput

> Note: This function is named GetOrganizationServiceAccount in the Go SDK.

public static class GetOrganizationServiceAccount 
{
    public static Task<GetOrganizationServiceAccountResult> InvokeAsync(GetOrganizationServiceAccountArgs args, InvokeOptions? opts = null)
    public static Output<GetOrganizationServiceAccountResult> Invoke(GetOrganizationServiceAccountInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetOrganizationServiceAccountResult> getOrganizationServiceAccount(GetOrganizationServiceAccountArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
Fn::Invoke:
  Function: gcp:accessapproval/getOrganizationServiceAccount:getOrganizationServiceAccount
  Arguments:
    # Arguments dictionary

The following arguments are supported:

OrganizationId string

The organization ID the service account was created for.

OrganizationId string

The organization ID the service account was created for.

organizationId String

The organization ID the service account was created for.

organizationId string

The organization ID the service account was created for.

organization_id str

The organization ID the service account was created for.

organizationId String

The organization ID the service account was created for.

getOrganizationServiceAccount Result

The following output properties are available:

AccountEmail string

The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.

Id string

The provider-assigned unique ID for this managed resource.

Name string

The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".

OrganizationId string
AccountEmail string

The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.

Id string

The provider-assigned unique ID for this managed resource.

Name string

The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".

OrganizationId string
accountEmail String

The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.

id String

The provider-assigned unique ID for this managed resource.

name String

The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".

organizationId String
accountEmail string

The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.

id string

The provider-assigned unique ID for this managed resource.

name string

The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".

organizationId string
account_email str

The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.

id str

The provider-assigned unique ID for this managed resource.

name str

The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".

organization_id str
accountEmail String

The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.

id String

The provider-assigned unique ID for this managed resource.

name String

The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".

organizationId String

Package Details

Repository
https://github.com/pulumi/pulumi-gcp
License
Apache-2.0
Notes

This Pulumi package is based on the google-beta Terraform Provider.