Google Cloud Classic v7.16.0 published on Wednesday, Mar 27, 2024 by Pulumi

gcp.serviceaccount.getAccountIdToken


    This data source provides a Google OpenID Connect (oidc) id_token. Tokens issued from this data source are typically used to call external services that accept OIDC tokens for authentication (e.g. Google Cloud Run).

    For more information see OpenID Connect.

    Example Usage

    ServiceAccount JSON Credential File.

    gcp.serviceaccount.getAccountIdToken will use the configured provider credentials.

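    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    // Mint an OIDC id_token for the given audience using the provider's
    // configured credentials (no impersonation arguments are set).
    const oidc = gcp.serviceaccount.getAccountIdToken({
        targetAudience: "https://foo.bar/",
    });
    // The id_token is a bearer credential: wrap the export in pulumi.secret so it is
    // encrypted in the stack state and masked in CLI output rather than stored in plaintext.
    export const oidcToken = pulumi.secret(oidc.then(result => result.idToken));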
    
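    import pulumi
    import pulumi_gcp as gcp
    
    # Mint an OIDC id_token for the given audience using the provider's
    # configured credentials (no impersonation arguments are set).
    oidc = gcp.serviceaccount.get_account_id_token(target_audience="https://foo.bar/")
    # The id_token is a bearer credential: mark the export secret so it is encrypted
    # in the stack state and masked in CLI output rather than stored in plaintext.
    pulumi.export("oidcToken", pulumi.Output.secret(oidc.id_token))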
    
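    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Mint an OIDC id_token for the given audience using the provider's
    		// configured credentials (no impersonation arguments are set).
    		oidc, err := serviceaccount.GetAccountIdToken(ctx, &serviceaccount.GetAccountIdTokenArgs{
    			TargetAudience: "https://foo.bar/",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// The id_token is a bearer credential: export it as a secret so it is
    		// encrypted in the stack state and masked in CLI output.
    		ctx.Export("oidcToken", pulumi.ToSecret(pulumi.String(oidc.IdToken)))
    		return nil
    	})
    }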
    
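    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        // Mint an OIDC id_token for the given audience using the provider's
        // configured credentials (no impersonation arguments are set).
        var oidc = Gcp.ServiceAccount.GetAccountIdToken.Invoke(new()
        {
            TargetAudience = "https://foo.bar/",
        });
    
        // The id_token is a bearer credential: export it as a secret so it is
        // encrypted in the stack state and masked in CLI output.
        var idToken = Output.CreateSecret(oidc.Apply(result => result.IdToken));
    
        return new Dictionary<string, object?>
        {
            ["oidcToken"] = idToken,
        };
    });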
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.serviceaccount.ServiceaccountFunctions;
    import com.pulumi.gcp.serviceaccount.inputs.GetAccountIdTokenArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /** Mints an OIDC id_token for a fixed audience and exposes it as a stack output. */
        public static void stack(Context ctx) {
            // Provider credentials are used directly; no impersonation arguments are set.
            var tokenArgs = GetAccountIdTokenArgs.builder()
                .targetAudience("https://foo.bar/")
                .build();
            var oidc = ServiceaccountFunctions.getAccountIdToken(tokenArgs);
    
            // NOTE(review): the id_token is a bearer credential; a plain stack output
            // is stored in state as-is, so consider marking it secret in real stacks.
            var idToken = oidc.applyValue(result -> result.idToken());
            ctx.export("oidcToken", idToken);
        }
    }
    
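    variables:
      # Mint an OIDC id_token for the given audience using the provider's
      # configured credentials (no impersonation arguments are set).
      oidc:
        fn::invoke:
          Function: gcp:serviceaccount:getAccountIdToken
          Arguments:
            targetAudience: https://foo.bar/
    outputs:
      # The id_token is a bearer credential: mark it secret so it is encrypted
      # in the stack state and masked in CLI output.
      oidcToken:
        fn::secret: ${oidc.idToken}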
    

    Service Account Impersonation.

    gcp.serviceaccount.getAccountIdToken will use background impersonated credentials provided by gcp.serviceaccount.getAccountAccessToken.

    Note: to use the following, you must grant target_service_account the roles/iam.serviceAccountTokenCreator role on itself.

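    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    // Service account on whose behalf the tokens below are minted.
    const impersonatedAccount = "impersonated-account@project.iam.gserviceaccount.com";
    
    // Short-lived access token for the impersonated account. Its result is not used
    // below; getAccountIdToken performs impersonation itself via targetServiceAccount.
    const impersonated = gcp.serviceaccount.getAccountAccessToken({
        targetServiceAccount: impersonatedAccount,
        delegates: [],
        scopes: [
            "userinfo-email",
            "cloud-platform",
        ],
        lifetime: "300s",
    });
    // OIDC id_token minted on behalf of the impersonated account for the given audience.
    const oidc = gcp.serviceaccount.getAccountIdToken({
        targetServiceAccount: impersonatedAccount,
        delegates: [],
        includeEmail: true,
        targetAudience: "https://foo.bar/",
    });
    // The id_token is a bearer credential: wrap the export in pulumi.secret so it is
    // encrypted in the stack state and masked in CLI output rather than stored in plaintext.
    export const oidcToken = pulumi.secret(oidc.then(result => result.idToken));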
    
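    import pulumi
    import pulumi_gcp as gcp
    
    # Service account on whose behalf the tokens below are minted.
    impersonated_account = "impersonated-account@project.iam.gserviceaccount.com"
    
    # Short-lived access token for the impersonated account. Its result is not used
    # below; get_account_id_token impersonates via target_service_account itself.
    impersonated = gcp.serviceaccount.get_account_access_token(target_service_account=impersonated_account,
        delegates=[],
        scopes=[
            "userinfo-email",
            "cloud-platform",
        ],
        lifetime="300s")
    # OIDC id_token minted on behalf of the impersonated account for the given audience.
    oidc = gcp.serviceaccount.get_account_id_token(target_service_account=impersonated_account,
        delegates=[],
        include_email=True,
        target_audience="https://foo.bar/")
    # The id_token is a bearer credential: mark the export secret so it is encrypted
    # in the stack state and masked in CLI output rather than stored in plaintext.
    pulumi.export("oidcToken", pulumi.Output.secret(oidc.id_token))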
    
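    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // impersonatedAccount is the service account on whose behalf tokens are minted.
    const impersonatedAccount = "impersonated-account@project.iam.gserviceaccount.com"
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Short-lived access token for the impersonated account. Its result is
    		// discarded; GetAccountIdToken impersonates via TargetServiceAccount itself.
    		_, err := serviceaccount.GetAccountAccessToken(ctx, &serviceaccount.GetAccountAccessTokenArgs{
    			TargetServiceAccount: impersonatedAccount,
    			Delegates:            []interface{}{},
    			Scopes: []string{
    				"userinfo-email",
    				"cloud-platform",
    			},
    			Lifetime: pulumi.StringRef("300s"),
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// OIDC id_token minted on behalf of the impersonated account for the given audience.
    		oidc, err := serviceaccount.GetAccountIdToken(ctx, &serviceaccount.GetAccountIdTokenArgs{
    			TargetServiceAccount: pulumi.StringRef(impersonatedAccount),
    			Delegates:            []interface{}{},
    			IncludeEmail:         pulumi.BoolRef(true),
    			TargetAudience:       "https://foo.bar/",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// The id_token is a bearer credential: export it as a secret so it is
    		// encrypted in the stack state and masked in CLI output.
    		ctx.Export("oidcToken", pulumi.ToSecret(pulumi.String(oidc.IdToken)))
    		return nil
    	})
    }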
    
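    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        // Service account on whose behalf the tokens below are minted.
        const string impersonatedAccount = "impersonated-account@project.iam.gserviceaccount.com";
    
        // Short-lived access token for the impersonated account. Its result is not used
        // below; GetAccountIdToken performs impersonation itself via TargetServiceAccount.
        var impersonated = Gcp.ServiceAccount.GetAccountAccessToken.Invoke(new()
        {
            TargetServiceAccount = impersonatedAccount,
            Delegates = new() { },
            Scopes = new[]
            {
                "userinfo-email",
                "cloud-platform",
            },
            Lifetime = "300s",
        });
    
        // OIDC id_token minted on behalf of the impersonated account for the given audience.
        var oidc = Gcp.ServiceAccount.GetAccountIdToken.Invoke(new()
        {
            TargetServiceAccount = impersonatedAccount,
            Delegates = new() { },
            IncludeEmail = true,
            TargetAudience = "https://foo.bar/",
        });
    
        // The id_token is a bearer credential: export it as a secret so it is
        // encrypted in the stack state and masked in CLI output.
        var idToken = Output.CreateSecret(oidc.Apply(result => result.IdToken));
    
        return new Dictionary<string, object?>
        {
            ["oidcToken"] = idToken,
        };
    });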
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.serviceaccount.ServiceaccountFunctions;
    import com.pulumi.gcp.serviceaccount.inputs.GetAccountAccessTokenArgs;
    import com.pulumi.gcp.serviceaccount.inputs.GetAccountIdTokenArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        /** Service account on whose behalf the tokens below are minted. */
        private static final String IMPERSONATED_ACCOUNT =
            "impersonated-account@project.iam.gserviceaccount.com";
    
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /** Mints an impersonated OIDC id_token and exposes it as a stack output. */
        public static void stack(Context ctx) {
            // Short-lived access token for the impersonated account. Its result is not
            // used below; getAccountIdToken impersonates via targetServiceAccount itself.
            var accessTokenArgs = GetAccountAccessTokenArgs.builder()
                .targetServiceAccount(IMPERSONATED_ACCOUNT)
                .delegates()
                .scopes(
                    "userinfo-email",
                    "cloud-platform")
                .lifetime("300s")
                .build();
            var impersonated = ServiceaccountFunctions.getAccountAccessToken(accessTokenArgs);
    
            // OIDC id_token minted on behalf of the impersonated account for the given audience.
            var idTokenArgs = GetAccountIdTokenArgs.builder()
                .targetServiceAccount(IMPERSONATED_ACCOUNT)
                .delegates()
                .includeEmail(true)
                .targetAudience("https://foo.bar/")
                .build();
            var oidc = ServiceaccountFunctions.getAccountIdToken(idTokenArgs);
    
            // NOTE(review): the id_token is a bearer credential; a plain stack output
            // is stored in state as-is, so consider marking it secret in real stacks.
            ctx.export("oidcToken", oidc.applyValue(result -> result.idToken()));
        }
    }
    
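    variables:
      # Short-lived access token for the impersonated account. Its result is not
      # referenced below; getAccountIdToken impersonates via targetServiceAccount itself.
      impersonated:
        fn::invoke:
          Function: gcp:serviceaccount:getAccountAccessToken
          Arguments:
            targetServiceAccount: impersonated-account@project.iam.gserviceaccount.com
            delegates: []
            scopes:
              - userinfo-email
              - cloud-platform
            lifetime: 300s
      # OIDC id_token minted on behalf of the impersonated account for the given audience.
      oidc:
        fn::invoke:
          Function: gcp:serviceaccount:getAccountIdToken
          Arguments:
            targetServiceAccount: impersonated-account@project.iam.gserviceaccount.com
            delegates: []
            includeEmail: true
            targetAudience: https://foo.bar/
    outputs:
      # The id_token is a bearer credential: mark it secret so it is encrypted
      # in the stack state and masked in CLI output.
      oidcToken:
        fn::secret: ${oidc.idToken}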
    

    Invoking Cloud Run Endpoint

    The following configuration invokes a Cloud Run endpoint on which the provider's service account has previously been granted the roles/run.invoker role.

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as http from "@pulumi/http";
    
    // The Cloud Run service URL doubles as the token audience.
    const serviceUrl = "https://your.cloud.run.app/";
    
    // OIDC id_token whose audience is the Cloud Run service.
    const oidc = gcp.serviceaccount.getAccountIdToken({
        targetAudience: serviceUrl,
    });
    // Call the service, presenting the id_token as a bearer token.
    const cloudrun = oidc.then(({ idToken }) =>
        http.getHttp({
            url: serviceUrl,
            requestHeaders: {
                Authorization: `Bearer ${idToken}`,
            },
        }),
    );
    export const cloudRunResponse = cloudrun.then(({ body }) => body);
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumi_http as http
    
    # The Cloud Run service URL doubles as the token audience.
    service_url = "https://your.cloud.run.app/"
    
    # OIDC id_token whose audience is the Cloud Run service.
    oidc = gcp.serviceaccount.get_account_id_token(target_audience=service_url)
    # Call the service, presenting the id_token as a bearer token.
    request_headers = {"Authorization": f"Bearer {oidc.id_token}"}
    cloudrun = http.get_http(url=service_url, request_headers=request_headers)
    pulumi.export("cloudRunResponse", cloudrun.body)
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
    	"github.com/pulumi/pulumi-http/sdk/go/http"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // serviceURL is the Cloud Run endpoint; it doubles as the token audience.
    const serviceURL = "https://your.cloud.run.app/"
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// OIDC id_token whose audience is the Cloud Run service.
    		oidc, err := serviceaccount.GetAccountIdToken(ctx, &serviceaccount.GetAccountIdTokenArgs{
    			TargetAudience: serviceURL,
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// Call the service, presenting the id_token as a bearer token.
    		headers := map[string]interface{}{
    			"Authorization": fmt.Sprintf("Bearer %v", oidc.IdToken),
    		}
    		cloudrun, err := http.GetHttp(ctx, &http.GetHttpArgs{
    			Url:            serviceURL,
    			RequestHeaders: headers,
    		}, nil)
    		if err != nil {
    			return err
    		}
    		ctx.Export("cloudRunResponse", cloudrun.Body)
    		return nil
    	})
    }
    
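    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Http = Pulumi.Http;
    
    return await Deployment.RunAsync(() => 
    {
        // The Cloud Run service URL doubles as the token audience.
        const string serviceUrl = "https://your.cloud.run.app/";
    
        // OIDC id_token whose audience is the Cloud Run service.
        var oidc = Gcp.ServiceAccount.GetAccountIdToken.Invoke(new()
        {
            TargetAudience = serviceUrl,
        });
    
        // Output.Format resolves the Output<string> inside the interpolation; a plain
        // $"..." string would call ToString() on the Output object instead of the token.
        var authorization = Output.Format($"Bearer {oidc.Apply(result => result.IdToken)}");
    
        // Call the service, presenting the id_token as a bearer token.
        var cloudrun = Http.GetHttp.Invoke(new()
        {
            Url = serviceUrl,
            RequestHeaders = 
            {
                { "Authorization", authorization },
            },
        });
    
        return new Dictionary<string, object?>
        {
            ["cloudRunResponse"] = cloudrun.Apply(result => result.Body),
        };
    });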
    
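    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.serviceaccount.ServiceaccountFunctions;
    import com.pulumi.gcp.serviceaccount.inputs.GetAccountIdTokenArgs;
    import com.pulumi.http.HttpFunctions;
    import com.pulumi.http.inputs.GetHttpArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        /** Cloud Run endpoint; it doubles as the token audience. */
        private static final String SERVICE_URL = "https://your.cloud.run.app/";
    
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /** Mints an OIDC id_token for the Cloud Run service and calls it with that token. */
        public static void stack(Context ctx) {
            // OIDC id_token whose audience is the Cloud Run service.
            final var oidc = ServiceaccountFunctions.getAccountIdToken(GetAccountIdTokenArgs.builder()
                .targetAudience(SERVICE_URL)
                .build());
    
            // Build the header map inside applyValue so the resolved token string is used;
            // String.format on the Output itself would embed the Output object, not the token.
            final Output<Map<String, String>> requestHeaders = oidc.applyValue(
                result -> Map.of("Authorization", "Bearer " + result.idToken()));
    
            // Call the service, presenting the id_token as a bearer token.
            final var cloudrun = HttpFunctions.getHttp(GetHttpArgs.builder()
                .url(SERVICE_URL)
                .requestHeaders(requestHeaders)
                .build());
    
            ctx.export("cloudRunResponse", cloudrun.applyValue(result -> result.body()));
        }
    }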
    
    variables:
      # OIDC id_token whose audience is the Cloud Run service URL.
      oidc:
        fn::invoke:
          Function: "gcp:serviceaccount:getAccountIdToken"
          Arguments:
            targetAudience: "https://your.cloud.run.app/"
      # Call the service, presenting the id_token as a bearer token.
      cloudrun:
        fn::invoke:
          Function: "http:getHttp"
          Arguments:
            url: "https://your.cloud.run.app/"
            requestHeaders:
              Authorization: "Bearer ${oidc.idToken}"
    outputs:
      cloudRunResponse: "${cloudrun.body}"
    

    Using getAccountIdToken

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getAccountIdToken(args: GetAccountIdTokenArgs, opts?: InvokeOptions): Promise<GetAccountIdTokenResult>
    function getAccountIdTokenOutput(args: GetAccountIdTokenOutputArgs, opts?: InvokeOptions): Output<GetAccountIdTokenResult>
    def get_account_id_token(delegates: Optional[Sequence[str]] = None,
                             include_email: Optional[bool] = None,
                             target_audience: Optional[str] = None,
                             target_service_account: Optional[str] = None,
                             opts: Optional[InvokeOptions] = None) -> GetAccountIdTokenResult
    def get_account_id_token_output(delegates: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                             include_email: Optional[pulumi.Input[bool]] = None,
                             target_audience: Optional[pulumi.Input[str]] = None,
                             target_service_account: Optional[pulumi.Input[str]] = None,
                             opts: Optional[InvokeOptions] = None) -> Output[GetAccountIdTokenResult]
    func GetAccountIdToken(ctx *Context, args *GetAccountIdTokenArgs, opts ...InvokeOption) (*GetAccountIdTokenResult, error)
    func GetAccountIdTokenOutput(ctx *Context, args *GetAccountIdTokenOutputArgs, opts ...InvokeOption) GetAccountIdTokenResultOutput

    > Note: This function is named GetAccountIdToken in the Go SDK.

    public static class GetAccountIdToken 
    {
        public static Task<GetAccountIdTokenResult> InvokeAsync(GetAccountIdTokenArgs args, InvokeOptions? opts = null)
        public static Output<GetAccountIdTokenResult> Invoke(GetAccountIdTokenInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetAccountIdTokenResult> getAccountIdToken(GetAccountIdTokenArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: gcp:serviceaccount/getAccountIdToken:getAccountIdToken
      arguments:
        # arguments dictionary

    The following arguments are supported:

    TargetAudience string
    The audience claim for the id_token.
    Delegates List<string>
    Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. Used only when using impersonation mode.
    IncludeEmail bool
    Include the verified email in the claim. Used only when using impersonation mode.
    TargetServiceAccount string
    The email of the service account being impersonated. Used only when using impersonation mode.
    TargetAudience string
    The audience claim for the id_token.
    Delegates []string
    Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. Used only when using impersonation mode.
    IncludeEmail bool
    Include the verified email in the claim. Used only when using impersonation mode.
    TargetServiceAccount string
    The email of the service account being impersonated. Used only when using impersonation mode.
    targetAudience String
    The audience claim for the id_token.
    delegates List<String>
    Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. Used only when using impersonation mode.
    includeEmail Boolean
    Include the verified email in the claim. Used only when using impersonation mode.
    targetServiceAccount String
    The email of the service account being impersonated. Used only when using impersonation mode.
    targetAudience string
    The audience claim for the id_token.
    delegates string[]
    Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. Used only when using impersonation mode.
    includeEmail boolean
    Include the verified email in the claim. Used only when using impersonation mode.
    targetServiceAccount string
    The email of the service account being impersonated. Used only when using impersonation mode.
    target_audience str
    The audience claim for the id_token.
    delegates Sequence[str]
    Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. Used only when using impersonation mode.
    include_email bool
    Include the verified email in the claim. Used only when using impersonation mode.
    target_service_account str
    The email of the service account being impersonated. Used only when using impersonation mode.
    targetAudience String
    The audience claim for the id_token.
    delegates List<String>
    Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. Used only when using impersonation mode.
    includeEmail Boolean
    Include the verified email in the claim. Used only when using impersonation mode.
    targetServiceAccount String
    The email of the service account being impersonated. Used only when using impersonation mode.

    getAccountIdToken Result

    The following output properties are available:

    Id string
    The provider-assigned unique ID for this managed resource.
    IdToken string
    The id_token representing the new generated identity.
    TargetAudience string
    Delegates List<string>
    IncludeEmail bool
    TargetServiceAccount string
    Id string
    The provider-assigned unique ID for this managed resource.
    IdToken string
    The id_token representing the new generated identity.
    TargetAudience string
    Delegates []string
    IncludeEmail bool
    TargetServiceAccount string
    id String
    The provider-assigned unique ID for this managed resource.
    idToken String
    The id_token representing the new generated identity.
    targetAudience String
    delegates List<String>
    includeEmail Boolean
    targetServiceAccount String
    id string
    The provider-assigned unique ID for this managed resource.
    idToken string
    The id_token representing the new generated identity.
    targetAudience string
    delegates string[]
    includeEmail boolean
    targetServiceAccount string
    id str
    The provider-assigned unique ID for this managed resource.
    id_token str
    The id_token representing the new generated identity.
    target_audience str
    delegates Sequence[str]
    include_email bool
    target_service_account str
    id String
    The provider-assigned unique ID for this managed resource.
    idToken String
    The id_token representing the new generated identity.
    targetAudience String
    delegates List<String>
    includeEmail Boolean
    targetServiceAccount String

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.