gcp.serviceaccount.getAccountAccessToken
Explore with Pulumi AI
This data source provides a google oauth2
access_token
for a different service account than the one initially running the script.
For more information see the official documentation as well as iamcredentials.generateAccessToken()
Example Usage
To allow
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var token_creator_iam = new Gcp.ServiceAccount.IAMBinding("token-creator-iam", new()
{
Members = new[]
{
"serviceAccount:service_A@projectA.iam.gserviceaccount.com",
},
Role = "roles/iam.serviceAccountTokenCreator",
ServiceAccountId = "projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com",
});
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := serviceaccount.NewIAMBinding(ctx, "token-creator-iam", &serviceaccount.IAMBindingArgs{
Members: pulumi.StringArray{
pulumi.String("serviceAccount:service_A@projectA.iam.gserviceaccount.com"),
},
Role: pulumi.String("roles/iam.serviceAccountTokenCreator"),
ServiceAccountId: pulumi.String("projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com"),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.serviceaccount.IAMBinding;
import com.pulumi.gcp.serviceaccount.IAMBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var token_creator_iam = new IAMBinding("token-creator-iam", IAMBindingArgs.builder()
.members("serviceAccount:service_A@projectA.iam.gserviceaccount.com")
.role("roles/iam.serviceAccountTokenCreator")
.serviceAccountId("projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com")
.build());
}
}
import pulumi
import pulumi_gcp as gcp
token_creator_iam = gcp.serviceaccount.IAMBinding("token-creator-iam",
members=["serviceAccount:service_A@projectA.iam.gserviceaccount.com"],
role="roles/iam.serviceAccountTokenCreator",
service_account_id="projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com")
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const token_creator_iam = new gcp.serviceaccount.IAMBinding("token-creator-iam", {
members: ["serviceAccount:service_A@projectA.iam.gserviceaccount.com"],
role: "roles/iam.serviceAccountTokenCreator",
serviceAccountId: "projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com",
});
resources:
token-creator-iam:
type: gcp:serviceaccount:IAMBinding
properties:
members:
- serviceAccount:service_A@projectA.iam.gserviceaccount.com
role: roles/iam.serviceAccountTokenCreator
serviceAccountId: projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com
.
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var defaultClientConfig = Gcp.Organizations.GetClientConfig.Invoke();
var defaultAccountAccessToken = Gcp.ServiceAccount.GetAccountAccessToken.Invoke(new()
{
TargetServiceAccount = "service_B@projectB.iam.gserviceaccount.com",
Scopes = new[]
{
"userinfo-email",
"cloud-platform",
},
Lifetime = "300s",
});
var impersonated = new Pulumi.Providers.Google("impersonated", new()
{
AccessToken = defaultAccountAccessToken.Apply(getAccountAccessTokenResult => getAccountAccessTokenResult.AccessToken),
});
var me = Gcp.Organizations.GetClientOpenIdUserInfo.Invoke();
return new Dictionary<string, object?>
{
["target-email"] = me.Apply(getClientOpenIdUserInfoResult => getClientOpenIdUserInfoResult.Email),
};
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi-google/sdk/v1/go/google"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := organizations.GetClientConfig(ctx, nil, nil)
if err != nil {
return err
}
defaultAccountAccessToken, err := serviceaccount.GetAccountAccessToken(ctx, &serviceaccount.GetAccountAccessTokenArgs{
TargetServiceAccount: "service_B@projectB.iam.gserviceaccount.com",
Scopes: []string{
"userinfo-email",
"cloud-platform",
},
Lifetime: pulumi.StringRef("300s"),
}, nil)
if err != nil {
return err
}
_, err = google.NewProvider(ctx, "impersonated", &google.ProviderArgs{
AccessToken: defaultAccountAccessToken.AccessToken,
})
if err != nil {
return err
}
me, err := organizations.GetClientOpenIdUserInfo(ctx, nil, nil)
if err != nil {
return err
}
ctx.Export("target-email", me.Email)
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.serviceaccount.ServiceaccountFunctions;
import com.pulumi.gcp.serviceaccount.inputs.GetAccountAccessTokenArgs;
import com.pulumi.pulumi.providers.google;
import com.pulumi.pulumi.providers.ProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var defaultClientConfig = OrganizationsFunctions.getClientConfig();
final var defaultAccountAccessToken = ServiceaccountFunctions.getAccountAccessToken(GetAccountAccessTokenArgs.builder()
.targetServiceAccount("service_B@projectB.iam.gserviceaccount.com")
.scopes(
"userinfo-email",
"cloud-platform")
.lifetime("300s")
.build());
var impersonated = new Provider("impersonated", ProviderArgs.builder()
.accessToken(defaultAccountAccessToken.applyValue(getAccountAccessTokenResult -> getAccountAccessTokenResult.accessToken()))
.build());
final var me = OrganizationsFunctions.getClientOpenIdUserInfo();
ctx.export("target-email", me.applyValue(getClientOpenIdUserInfoResult -> getClientOpenIdUserInfoResult.email()));
}
}
import pulumi
import pulumi_gcp as gcp
default_client_config = gcp.organizations.get_client_config()
default_account_access_token = gcp.serviceaccount.get_account_access_token(target_service_account="service_B@projectB.iam.gserviceaccount.com",
scopes=[
"userinfo-email",
"cloud-platform",
],
lifetime="300s")
impersonated = pulumi.providers.Google("impersonated", access_token=default_account_access_token.access_token)
me = gcp.organizations.get_client_open_id_user_info()
pulumi.export("target-email", me.email)
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
export = async () => {
const defaultClientConfig = await gcp.organizations.getClientConfig({});
const defaultAccountAccessToken = await gcp.serviceaccount.getAccountAccessToken({
targetServiceAccount: "service_B@projectB.iam.gserviceaccount.com",
scopes: [
"userinfo-email",
"cloud-platform",
],
lifetime: "300s",
});
const impersonated = new pulumi.providers.Google("impersonated", {accessToken: defaultAccountAccessToken.accessToken});
const me = await gcp.organizations.getClientOpenIdUserInfo({});
return {
"target-email": me.email,
};
}
resources:
impersonated:
type: pulumi:providers:google
properties:
accessToken: ${defaultAccountAccessToken.accessToken}
variables:
defaultClientConfig:
fn::invoke:
Function: gcp:organizations:getClientConfig
Arguments: {}
defaultAccountAccessToken:
fn::invoke:
Function: gcp:serviceaccount:getAccountAccessToken
Arguments:
targetServiceAccount: service_B@projectB.iam.gserviceaccount.com
scopes:
- userinfo-email
- cloud-platform
lifetime: 300s
me:
fn::invoke:
Function: gcp:organizations:getClientOpenIdUserInfo
Arguments: {}
outputs:
target-email: ${me.email}
Using getAccountAccessToken
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getAccountAccessToken(args: GetAccountAccessTokenArgs, opts?: InvokeOptions): Promise<GetAccountAccessTokenResult>
function getAccountAccessTokenOutput(args: GetAccountAccessTokenOutputArgs, opts?: InvokeOptions): Output<GetAccountAccessTokenResult>
def get_account_access_token(delegates: Optional[Sequence[str]] = None,
lifetime: Optional[str] = None,
scopes: Optional[Sequence[str]] = None,
target_service_account: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetAccountAccessTokenResult
def get_account_access_token_output(delegates: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
lifetime: Optional[pulumi.Input[str]] = None,
scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
target_service_account: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetAccountAccessTokenResult]
func GetAccountAccessToken(ctx *Context, args *GetAccountAccessTokenArgs, opts ...InvokeOption) (*GetAccountAccessTokenResult, error)
func GetAccountAccessTokenOutput(ctx *Context, args *GetAccountAccessTokenOutputArgs, opts ...InvokeOption) GetAccountAccessTokenResultOutput
> Note: This function is named GetAccountAccessToken
in the Go SDK.
public static class GetAccountAccessToken
{
public static Task<GetAccountAccessTokenResult> InvokeAsync(GetAccountAccessTokenArgs args, InvokeOptions? opts = null)
public static Output<GetAccountAccessTokenResult> Invoke(GetAccountAccessTokenInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetAccountAccessTokenResult> getAccountAccessToken(GetAccountAccessTokenArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
function: gcp:serviceaccount/getAccountAccessToken:getAccountAccessToken
arguments:
# arguments dictionary
The following arguments are supported:
- Scopes List<string>
The scopes the new credential should have (e.g.
["cloud-platform"]
)- Target
Service stringAccount The service account to impersonate (e.g.
service_B@your-project-id.iam.gserviceaccount.com
)- Delegates List<string>
Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g.
["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"]
)- Lifetime string
Lifetime of the impersonated token (defaults to its max:
3600s
).
- Scopes []string
The scopes the new credential should have (e.g.
["cloud-platform"]
)- Target
Service stringAccount The service account to impersonate (e.g.
service_B@your-project-id.iam.gserviceaccount.com
)- Delegates []string
Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g.
["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"]
)- Lifetime string
Lifetime of the impersonated token (defaults to its max:
3600s
).
- scopes List<String>
The scopes the new credential should have (e.g.
["cloud-platform"]
)- target
Service StringAccount The service account to impersonate (e.g.
service_B@your-project-id.iam.gserviceaccount.com
)- delegates List<String>
Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g.
["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"]
)- lifetime String
Lifetime of the impersonated token (defaults to its max:
3600s
).
- scopes string[]
The scopes the new credential should have (e.g.
["cloud-platform"]
)- target
Service stringAccount The service account to impersonate (e.g.
service_B@your-project-id.iam.gserviceaccount.com
)- delegates string[]
Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g.
["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"]
)- lifetime string
Lifetime of the impersonated token (defaults to its max:
3600s
).
- scopes Sequence[str]
The scopes the new credential should have (e.g.
["cloud-platform"]
)- target_
service_ straccount The service account to impersonate (e.g.
service_B@your-project-id.iam.gserviceaccount.com
)- delegates Sequence[str]
Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g.
["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"]
)- lifetime str
Lifetime of the impersonated token (defaults to its max:
3600s
).
- scopes List<String>
The scopes the new credential should have (e.g.
["cloud-platform"]
)- target
Service StringAccount The service account to impersonate (e.g.
service_B@your-project-id.iam.gserviceaccount.com
)- delegates List<String>
Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g.
["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"]
)- lifetime String
Lifetime of the impersonated token (defaults to its max:
3600s
).
getAccountAccessToken Result
The following output properties are available:
- Access
Token string The
access_token
representing the new generated identity.- Id string
The provider-assigned unique ID for this managed resource.
- Scopes List<string>
- Target
Service stringAccount - Delegates List<string>
- Lifetime string
- Access
Token string The
access_token
representing the new generated identity.- Id string
The provider-assigned unique ID for this managed resource.
- Scopes []string
- Target
Service stringAccount - Delegates []string
- Lifetime string
- access
Token String The
access_token
representing the new generated identity.- id String
The provider-assigned unique ID for this managed resource.
- scopes List<String>
- target
Service StringAccount - delegates List<String>
- lifetime String
- access
Token string The
access_token
representing the new generated identity.- id string
The provider-assigned unique ID for this managed resource.
- scopes string[]
- target
Service stringAccount - delegates string[]
- lifetime string
- access_
token str The
access_token
representing the new generated identity.- id str
The provider-assigned unique ID for this managed resource.
- scopes Sequence[str]
- target_
service_ straccount - delegates Sequence[str]
- lifetime str
- access
Token String The
access_token
representing the new generated identity.- id String
The provider-assigned unique ID for this managed resource.
- scopes List<String>
- target
Service StringAccount - delegates List<String>
- lifetime String
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
google-beta
Terraform Provider.