Google Cloud Classic v6.52.0, Mar 22 23

gcp.bigquery.getDefaultServiceAccount

Get the email address of a project’s unique BigQuery service account.

Each Google Cloud project has a unique service account used by BigQuery. When using BigQuery with customer-managed encryption keys, this account needs to be granted the cloudkms.cryptoKeyEncrypterDecrypter IAM role on the customer-managed Cloud KMS key used to protect the data.

For more information see the API reference.

Example Usage

using System.Collections.Generic;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var bqSa = Gcp.BigQuery.GetDefaultServiceAccount.Invoke();

    var keySaUser = new Gcp.Kms.CryptoKeyIAMMember("keySaUser", new()
    {
        CryptoKeyId = google_kms_crypto_key.Key.Id,
        Role = "roles/cloudkms.cryptoKeyEncrypterDecrypter",
        Member = $"serviceAccount:{bqSa.Apply(getDefaultServiceAccountResult => getDefaultServiceAccountResult.Email)}",
    });

});

package main

import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/bigquery"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		bqSa, err := bigquery.GetDefaultServiceAccount(ctx, nil, nil)
		if err != nil {
			return err
		}
		_, err = kms.NewCryptoKeyIAMMember(ctx, "keySaUser", &kms.CryptoKeyIAMMemberArgs{
			CryptoKeyId: pulumi.Any(google_kms_crypto_key.Key.Id),
			Role:        pulumi.String("roles/cloudkms.cryptoKeyEncrypterDecrypter"),
			Member:      pulumi.String(fmt.Sprintf("serviceAccount:%v", bqSa.Email)),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.bigquery.BigqueryFunctions;
import com.pulumi.gcp.bigquery.inputs.GetDefaultServiceAccountArgs;
import com.pulumi.gcp.kms.CryptoKeyIAMMember;
import com.pulumi.gcp.kms.CryptoKeyIAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var bqSa = BigqueryFunctions.getDefaultServiceAccount();

        var keySaUser = new CryptoKeyIAMMember("keySaUser", CryptoKeyIAMMemberArgs.builder()        
            .cryptoKeyId(google_kms_crypto_key.key().id())
            .role("roles/cloudkms.cryptoKeyEncrypterDecrypter")
            .member(String.format("serviceAccount:%s", bqSa.applyValue(getDefaultServiceAccountResult -> getDefaultServiceAccountResult.email())))
            .build());

    }
}

import pulumi
import pulumi_gcp as gcp

bq_sa = gcp.bigquery.get_default_service_account()
key_sa_user = gcp.kms.CryptoKeyIAMMember("keySaUser",
    crypto_key_id=google_kms_crypto_key["key"]["id"],
    role="roles/cloudkms.cryptoKeyEncrypterDecrypter",
    member=f"serviceAccount:{bq_sa.email}")

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const bqSa = gcp.bigquery.getDefaultServiceAccount({});
const keySaUser = new gcp.kms.CryptoKeyIAMMember("keySaUser", {
    cryptoKeyId: google_kms_crypto_key.key.id,
    role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    member: bqSa.then(bqSa => `serviceAccount:${bqSa.email}`),
});

resources:
  keySaUser:
    type: gcp:kms:CryptoKeyIAMMember
    properties:
      cryptoKeyId: ${google_kms_crypto_key.key.id}
      role: roles/cloudkms.cryptoKeyEncrypterDecrypter
      member: serviceAccount:${bqSa.email}
variables:
  bqSa:
    fn::invoke:
      Function: gcp:bigquery:getDefaultServiceAccount
      Arguments: {}

Using getDefaultServiceAccount

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getDefaultServiceAccount(args: GetDefaultServiceAccountArgs, opts?: InvokeOptions): Promise<GetDefaultServiceAccountResult>
function getDefaultServiceAccountOutput(args: GetDefaultServiceAccountOutputArgs, opts?: InvokeOptions): Output<GetDefaultServiceAccountResult>

def get_default_service_account(project: Optional[str] = None,
                                opts: Optional[InvokeOptions] = None) -> GetDefaultServiceAccountResult
def get_default_service_account_output(project: Optional[pulumi.Input[str]] = None,
                                opts: Optional[InvokeOptions] = None) -> Output[GetDefaultServiceAccountResult]

func GetDefaultServiceAccount(ctx *Context, args *GetDefaultServiceAccountArgs, opts ...InvokeOption) (*GetDefaultServiceAccountResult, error)
func GetDefaultServiceAccountOutput(ctx *Context, args *GetDefaultServiceAccountOutputArgs, opts ...InvokeOption) GetDefaultServiceAccountResultOutput

> Note: This function is named GetDefaultServiceAccount in the Go SDK.

public static class GetDefaultServiceAccount 
{
    public static Task<GetDefaultServiceAccountResult> InvokeAsync(GetDefaultServiceAccountArgs args, InvokeOptions? opts = null)
    public static Output<GetDefaultServiceAccountResult> Invoke(GetDefaultServiceAccountInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetDefaultServiceAccountResult> getDefaultServiceAccount(GetDefaultServiceAccountArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet

fn::invoke:
  function: gcp:bigquery/getDefaultServiceAccount:getDefaultServiceAccount
  arguments:
    # arguments dictionary

The following arguments are supported:

Project string: The project the unique service account was created for. If it is not provided, the provider project is used.

Project string: The project the unique service account was created for. If it is not provided, the provider project is used.

project String: The project the unique service account was created for. If it is not provided, the provider project is used.

project string: The project the unique service account was created for. If it is not provided, the provider project is used.

project str: The project the unique service account was created for. If it is not provided, the provider project is used.

project String: The project the unique service account was created for. If it is not provided, the provider project is used.

getDefaultServiceAccount Result

The following output properties are available:

Email string: The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
Id string: The provider-assigned unique ID for this managed resource.
Member string: The Identity of the service account in the form serviceAccount:{email}. This value is often used to refer to the service account in order to grant IAM permissions.
Project string

Email string: The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
Id string: The provider-assigned unique ID for this managed resource.
Member string: The Identity of the service account in the form serviceAccount:{email}. This value is often used to refer to the service account in order to grant IAM permissions.
Project string

email String: The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
id String: The provider-assigned unique ID for this managed resource.
member String: The Identity of the service account in the form serviceAccount:{email}. This value is often used to refer to the service account in order to grant IAM permissions.
project String

email string: The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
id string: The provider-assigned unique ID for this managed resource.
member string: The Identity of the service account in the form serviceAccount:{email}. This value is often used to refer to the service account in order to grant IAM permissions.
project string

email str: The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
id str: The provider-assigned unique ID for this managed resource.
member str: The Identity of the service account in the form serviceAccount:{email}. This value is often used to refer to the service account in order to grant IAM permissions.
project str

email String: The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
id String: The provider-assigned unique ID for this managed resource.
member String: The Identity of the service account in the form serviceAccount:{email}. This value is often used to refer to the service account in order to grant IAM permissions.
project String

Package Details

Repository: Google Cloud (GCP) Classic pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.

gcp.bigquery.getDefaultServiceAccount

Example Usage

Using getDefaultServiceAccount

getDefaultServiceAccount Result

Package Details

Contents