Google Cloud Classic v7.2.1, Nov 22 23

Google Cloud Classic v7.2.1 published on Wednesday, Nov 22, 2023 by Pulumi

gcp.serviceaccount.getAccountAccessToken

Explore with Pulumi AI

Google Cloud Classic v7.2.1 published on Wednesday, Nov 22, 2023 by Pulumi

pulumi/pulumi-gcp

Example Usage

To allow

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var token_creator_iam = new Gcp.ServiceAccount.IAMBinding("token-creator-iam", new()
    {
        Members = new[]
        {
            "serviceAccount:service_A@projectA.iam.gserviceaccount.com",
        },
        Role = "roles/iam.serviceAccountTokenCreator",
        ServiceAccountId = "projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com",
    });

});

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := serviceaccount.NewIAMBinding(ctx, "token-creator-iam", &serviceaccount.IAMBindingArgs{
			Members: pulumi.StringArray{
				pulumi.String("serviceAccount:service_A@projectA.iam.gserviceaccount.com"),
			},
			Role:             pulumi.String("roles/iam.serviceAccountTokenCreator"),
			ServiceAccountId: pulumi.String("projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.serviceaccount.IAMBinding;
import com.pulumi.gcp.serviceaccount.IAMBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var token_creator_iam = new IAMBinding("token-creator-iam", IAMBindingArgs.builder()        
            .members("serviceAccount:service_A@projectA.iam.gserviceaccount.com")
            .role("roles/iam.serviceAccountTokenCreator")
            .serviceAccountId("projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com")
            .build());

    }
}

import pulumi
import pulumi_gcp as gcp

token_creator_iam = gcp.serviceaccount.IAMBinding("token-creator-iam",
    members=["serviceAccount:service_A@projectA.iam.gserviceaccount.com"],
    role="roles/iam.serviceAccountTokenCreator",
    service_account_id="projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com")

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const token_creator_iam = new gcp.serviceaccount.IAMBinding("token-creator-iam", {
    members: ["serviceAccount:service_A@projectA.iam.gserviceaccount.com"],
    role: "roles/iam.serviceAccountTokenCreator",
    serviceAccountId: "projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com",
});

resources:
  token-creator-iam:
    type: gcp:serviceaccount:IAMBinding
    properties:
      members:
        - serviceAccount:service_A@projectA.iam.gserviceaccount.com
      role: roles/iam.serviceAccountTokenCreator
      serviceAccountId: projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var defaultClientConfig = Gcp.Organizations.GetClientConfig.Invoke();

    var defaultAccountAccessToken = Gcp.ServiceAccount.GetAccountAccessToken.Invoke(new()
    {
        TargetServiceAccount = "service_B@projectB.iam.gserviceaccount.com",
        Scopes = new[]
        {
            "userinfo-email",
            "cloud-platform",
        },
        Lifetime = "300s",
    });

    var impersonated = new Pulumi.Providers.Google("impersonated", new()
    {
        AccessToken = defaultAccountAccessToken.Apply(getAccountAccessTokenResult => getAccountAccessTokenResult.AccessToken),
    });

    var me = Gcp.Organizations.GetClientOpenIdUserInfo.Invoke();

    return new Dictionary<string, object?>
    {
        ["target-email"] = me.Apply(getClientOpenIdUserInfoResult => getClientOpenIdUserInfoResult.Email),
    };
});

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
	"github.com/pulumi/pulumi-google/sdk/v1/go/google"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := organizations.GetClientConfig(ctx, nil, nil)
		if err != nil {
			return err
		}
		defaultAccountAccessToken, err := serviceaccount.GetAccountAccessToken(ctx, &serviceaccount.GetAccountAccessTokenArgs{
			TargetServiceAccount: "service_B@projectB.iam.gserviceaccount.com",
			Scopes: []string{
				"userinfo-email",
				"cloud-platform",
			},
			Lifetime: pulumi.StringRef("300s"),
		}, nil)
		if err != nil {
			return err
		}
		_, err = google.NewProvider(ctx, "impersonated", &google.ProviderArgs{
			AccessToken: defaultAccountAccessToken.AccessToken,
		})
		if err != nil {
			return err
		}
		me, err := organizations.GetClientOpenIdUserInfo(ctx, nil, nil)
		if err != nil {
			return err
		}
		ctx.Export("target-email", me.Email)
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.serviceaccount.ServiceaccountFunctions;
import com.pulumi.gcp.serviceaccount.inputs.GetAccountAccessTokenArgs;
import com.pulumi.pulumi.providers.google;
import com.pulumi.pulumi.providers.ProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var defaultClientConfig = OrganizationsFunctions.getClientConfig();

        final var defaultAccountAccessToken = ServiceaccountFunctions.getAccountAccessToken(GetAccountAccessTokenArgs.builder()
            .targetServiceAccount("service_B@projectB.iam.gserviceaccount.com")
            .scopes(            
                "userinfo-email",
                "cloud-platform")
            .lifetime("300s")
            .build());

        var impersonated = new Provider("impersonated", ProviderArgs.builder()        
            .accessToken(defaultAccountAccessToken.applyValue(getAccountAccessTokenResult -> getAccountAccessTokenResult.accessToken()))
            .build());

        final var me = OrganizationsFunctions.getClientOpenIdUserInfo();

        ctx.export("target-email", me.applyValue(getClientOpenIdUserInfoResult -> getClientOpenIdUserInfoResult.email()));
    }
}

import pulumi
import pulumi_gcp as gcp

default_client_config = gcp.organizations.get_client_config()
default_account_access_token = gcp.serviceaccount.get_account_access_token(target_service_account="service_B@projectB.iam.gserviceaccount.com",
    scopes=[
        "userinfo-email",
        "cloud-platform",
    ],
    lifetime="300s")
impersonated = pulumi.providers.Google("impersonated", access_token=default_account_access_token.access_token)
me = gcp.organizations.get_client_open_id_user_info()
pulumi.export("target-email", me.email)

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

export = async () => {
    const defaultClientConfig = await gcp.organizations.getClientConfig({});
    const defaultAccountAccessToken = await gcp.serviceaccount.getAccountAccessToken({
        targetServiceAccount: "service_B@projectB.iam.gserviceaccount.com",
        scopes: [
            "userinfo-email",
            "cloud-platform",
        ],
        lifetime: "300s",
    });
    const impersonated = new pulumi.providers.Google("impersonated", {accessToken: defaultAccountAccessToken.accessToken});
    const me = await gcp.organizations.getClientOpenIdUserInfo({});
    return {
        "target-email": me.email,
    };
}

resources:
  impersonated:
    type: pulumi:providers:google
    properties:
      accessToken: ${defaultAccountAccessToken.accessToken}
variables:
  defaultClientConfig:
    fn::invoke:
      Function: gcp:organizations:getClientConfig
      Arguments: {}
  defaultAccountAccessToken:
    fn::invoke:
      Function: gcp:serviceaccount:getAccountAccessToken
      Arguments:
        targetServiceAccount: service_B@projectB.iam.gserviceaccount.com
        scopes:
          - userinfo-email
          - cloud-platform
        lifetime: 300s
  me:
    fn::invoke:
      Function: gcp:organizations:getClientOpenIdUserInfo
      Arguments: {}
outputs:
  target-email: ${me.email}

Using getAccountAccessToken

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getAccountAccessToken(args: GetAccountAccessTokenArgs, opts?: InvokeOptions): Promise<GetAccountAccessTokenResult>
function getAccountAccessTokenOutput(args: GetAccountAccessTokenOutputArgs, opts?: InvokeOptions): Output<GetAccountAccessTokenResult>

def get_account_access_token(delegates: Optional[Sequence[str]] = None,
                             lifetime: Optional[str] = None,
                             scopes: Optional[Sequence[str]] = None,
                             target_service_account: Optional[str] = None,
                             opts: Optional[InvokeOptions] = None) -> GetAccountAccessTokenResult
def get_account_access_token_output(delegates: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                             lifetime: Optional[pulumi.Input[str]] = None,
                             scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                             target_service_account: Optional[pulumi.Input[str]] = None,
                             opts: Optional[InvokeOptions] = None) -> Output[GetAccountAccessTokenResult]

func GetAccountAccessToken(ctx *Context, args *GetAccountAccessTokenArgs, opts ...InvokeOption) (*GetAccountAccessTokenResult, error)
func GetAccountAccessTokenOutput(ctx *Context, args *GetAccountAccessTokenOutputArgs, opts ...InvokeOption) GetAccountAccessTokenResultOutput

> Note: This function is named GetAccountAccessToken in the Go SDK.

public static class GetAccountAccessToken 
{
    public static Task<GetAccountAccessTokenResult> InvokeAsync(GetAccountAccessTokenArgs args, InvokeOptions? opts = null)
    public static Output<GetAccountAccessTokenResult> Invoke(GetAccountAccessTokenInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetAccountAccessTokenResult> getAccountAccessToken(GetAccountAccessTokenArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet

fn::invoke:
  function: gcp:serviceaccount/getAccountAccessToken:getAccountAccessToken
  arguments:
    # arguments dictionary

The following arguments are supported:

Scopes List<string>: The scopes the new credential should have (e.g. ["cloud-platform"])
TargetServiceAccount string: The service account to impersonate (e.g. service_B@your-project-id.iam.gserviceaccount.com)
Delegates List<string>: Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g. ["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"])
Lifetime string: Lifetime of the impersonated token (defaults to its max: 3600s).

Scopes []string: The scopes the new credential should have (e.g. ["cloud-platform"])
TargetServiceAccount string: The service account to impersonate (e.g. service_B@your-project-id.iam.gserviceaccount.com)
Delegates []string: Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g. ["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"])
Lifetime string: Lifetime of the impersonated token (defaults to its max: 3600s).

scopes List<String>: The scopes the new credential should have (e.g. ["cloud-platform"])
targetServiceAccount String: The service account to impersonate (e.g. service_B@your-project-id.iam.gserviceaccount.com)
delegates List<String>: Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g. ["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"])
lifetime String: Lifetime of the impersonated token (defaults to its max: 3600s).

scopes string[]: The scopes the new credential should have (e.g. ["cloud-platform"])
targetServiceAccount string: The service account to impersonate (e.g. service_B@your-project-id.iam.gserviceaccount.com)
delegates string[]: Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g. ["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"])
lifetime string: Lifetime of the impersonated token (defaults to its max: 3600s).

scopes Sequence[str]: The scopes the new credential should have (e.g. ["cloud-platform"])
target_service_account str: The service account to impersonate (e.g. service_B@your-project-id.iam.gserviceaccount.com)
delegates Sequence[str]: Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g. ["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"])
lifetime str: Lifetime of the impersonated token (defaults to its max: 3600s).

scopes List<String>: The scopes the new credential should have (e.g. ["cloud-platform"])
targetServiceAccount String: The service account to impersonate (e.g. service_B@your-project-id.iam.gserviceaccount.com)
delegates List<String>: Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g. ["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"])
lifetime String: Lifetime of the impersonated token (defaults to its max: 3600s).

getAccountAccessToken Result

The following output properties are available:

AccessToken string: The access_token representing the new generated identity.
Id string: The provider-assigned unique ID for this managed resource.
Scopes List<string>
TargetServiceAccount string
Delegates List<string>
Lifetime string

AccessToken string: The access_token representing the new generated identity.
Id string: The provider-assigned unique ID for this managed resource.
Scopes []string
TargetServiceAccount string
Delegates []string
Lifetime string

accessToken String: The access_token representing the new generated identity.
id String: The provider-assigned unique ID for this managed resource.
scopes List<String>
targetServiceAccount String
delegates List<String>
lifetime String

accessToken string: The access_token representing the new generated identity.
id string: The provider-assigned unique ID for this managed resource.
scopes string[]
targetServiceAccount string
delegates string[]
lifetime string

access_token str: The access_token representing the new generated identity.
id str: The provider-assigned unique ID for this managed resource.
scopes Sequence[str]
target_service_account str
delegates Sequence[str]
lifetime str

accessToken String: The access_token representing the new generated identity.
id String: The provider-assigned unique ID for this managed resource.
scopes List<String>
targetServiceAccount String
delegates List<String>
lifetime String

Package Details

Repository: Google Cloud (GCP) Classic pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.

Google Cloud Classic v7.2.1 published on Wednesday, Nov 22, 2023 by Pulumi

pulumi/pulumi-gcp

gcp.serviceaccount.getAccountAccessToken

On this page

On this page

Example Usage

Using getAccountAccessToken

getAccountAccessToken Result

Package Details

On this page

On this page