Viewing docs for Google Cloud v9.15.0
published on Thursday, Mar 12, 2026 by Pulumi
This data source provides a self-signed JWT. Tokens issued from this data source are typically used to call external services that accept JWTs for authentication.
Example Usage
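Note: to use the following examples, the caller must have at least the roles/iam.serviceAccountTokenCreator role on the target service account (target_service_account). Granting the role on that one service account, rather than project-wide, limits the signing permission to the identity being impersonated.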
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
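// Ask the provider for a JWT signed by the target service account. The caller
// needs roles/iam.serviceAccountTokenCreator on that account for this to succeed.
const foo = gcp.serviceaccount.getAccountJwt({
    targetServiceAccount: "impersonated-account@project.iam.gserviceaccount.com",
    // Claims set to sign, passed to the data source as a JSON string.
    payload: JSON.stringify({
        foo: "bar",
        sub: "subject",
    }),
    // A non-zero value adds an `exp` claim; 60 seconds keeps the token short-lived.
    expiresIn: 60,
});
// The signed JWT is a bearer credential. Exporting the bare promise would record
// it as a plaintext stack output, so mark it as a secret: Pulumi then encrypts the
// value in state and masks it in CLI output.
export const jwt = pulumi.secret(foo.then(result => result.jwt));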
import pulumi
import json
import pulumi_gcp as gcp
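# Ask the provider for a JWT signed by the target service account. The caller
# needs roles/iam.serviceAccountTokenCreator on that account for this to succeed.
foo = gcp.serviceaccount.get_account_jwt(
    target_service_account="impersonated-account@project.iam.gserviceaccount.com",
    # Claims set to sign, passed to the data source as a JSON string.
    payload=json.dumps({
        "foo": "bar",
        "sub": "subject",
    }),
    # A non-zero value adds an `exp` claim; 60 seconds keeps the token short-lived.
    expires_in=60)
# The signed JWT is a bearer credential. Exporting the plain string would record
# it as a plaintext stack output, so wrap it as a secret: Pulumi then encrypts the
# value in state and masks it in CLI output.
pulumi.export("jwt", pulumi.Output.secret(foo.jwt))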
package main
import (
"encoding/json"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
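// main runs the Pulumi program: it requests a JWT signed by the target service
// account and exports it as a secret stack output named "jwt".
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Serialize the claims set; the data source takes the payload as a JSON string.
		claims, err := json.Marshal(map[string]interface{}{
			"foo": "bar",
			"sub": "subject",
		})
		if err != nil {
			return err
		}
		// The caller needs roles/iam.serviceAccountTokenCreator on the target
		// service account. A non-zero ExpiresIn adds an `exp` claim; 60 seconds
		// keeps the token short-lived.
		foo, err := serviceaccount.GetAccountJwt(ctx, &serviceaccount.GetAccountJwtArgs{
			TargetServiceAccount: "impersonated-account@project.iam.gserviceaccount.com",
			Payload:              string(claims),
			ExpiresIn:            pulumi.IntRef(60),
		}, nil)
		if err != nil {
			return err
		}
		// The signed JWT is a bearer credential, so export it as a secret: Pulumi
		// then encrypts the value in state and masks it in CLI output.
		// pulumi.ToSecret also lifts the plain string result into an Output,
		// which is the Input type that Export takes.
		ctx.Export("jwt", pulumi.ToSecret(foo.Jwt))
		return nil
	})
}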
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    // Claims set to sign; serialized below into the JSON string the data source expects.
    var claims = new Dictionary<string, object?>
    {
        ["foo"] = "bar",
        ["sub"] = "subject",
    };

    // Request a JWT signed by the target service account. The caller needs
    // roles/iam.serviceAccountTokenCreator on that account. ExpiresIn = 60
    // requests a token that expires after 60 seconds.
    var signedJwt = Gcp.ServiceAccount.GetAccountJwt.Invoke(new()
    {
        TargetServiceAccount = "impersonated-account@project.iam.gserviceaccount.com",
        Payload = JsonSerializer.Serialize(claims),
        ExpiresIn = 60,
    });

    // NOTE(review): the signed JWT is a bearer credential and this stack output
    // is not explicitly marked as a secret here; confirm whether it should be,
    // so the token is not kept in plaintext in the stack state.
    var stackOutputs = new Dictionary<string, object?>
    {
        ["jwt"] = signedJwt.Apply(result => result.Jwt),
    };
    return stackOutputs;
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.serviceaccount.ServiceaccountFunctions;
import com.pulumi.gcp.serviceaccount.inputs.GetAccountJwtArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
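/**
 * Pulumi program that requests a JWT signed by a target service account and
 * exports it as a secret stack output named "jwt".
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Defines the stack: invokes getAccountJwt and exports the signed token.
     * The caller needs roles/iam.serviceAccountTokenCreator on the target
     * service account.
     *
     * @param ctx the Pulumi stack context used to register outputs
     */
    public static void stack(Context ctx) {
        final var foo = ServiceaccountFunctions.getAccountJwt(GetAccountJwtArgs.builder()
            .targetServiceAccount("impersonated-account@project.iam.gserviceaccount.com")
            // Claims set to sign, passed to the data source as a JSON string.
            .payload(serializeJson(
                jsonObject(
                    jsonProperty("foo", "bar"),
                    jsonProperty("sub", "subject")
                )))
            // A non-zero value adds an `exp` claim; 60 seconds keeps the token short-lived.
            .expiresIn(60)
            .build());

        // The invoke returns an Output of the result, so the token is read through
        // applyValue rather than called on the Output directly. The signed JWT is a
        // bearer credential: asSecret() makes Pulumi encrypt it in state and mask it
        // in CLI output instead of recording it in plaintext.
        ctx.export("jwt", foo.applyValue(result -> result.jwt()).asSecret());
    }
}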
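variables:
  # Ask the provider for a JWT signed by the target service account. The caller
  # needs roles/iam.serviceAccountTokenCreator on that account.
  foo:
    fn::invoke:
      function: gcp:serviceaccount:getAccountJwt
      arguments:
        targetServiceAccount: impersonated-account@project.iam.gserviceaccount.com
        # Claims set to sign, serialized to a JSON string.
        payload:
          fn::toJSON:
            foo: bar
            sub: subject
        # A non-zero value adds an `exp` claim; 60 seconds keeps the token short-lived.
        expiresIn: 60
outputs:
  # The signed JWT is a bearer credential: mark the output as a secret so it is
  # encrypted in state and masked in CLI output.
  jwt:
    fn::secret: ${foo.jwt}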
Using getAccountJwt
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getAccountJwt(args: GetAccountJwtArgs, opts?: InvokeOptions): Promise<GetAccountJwtResult>
function getAccountJwtOutput(args: GetAccountJwtOutputArgs, opts?: InvokeOptions): Output<GetAccountJwtResult>
def get_account_jwt(delegates: Optional[Sequence[str]] = None,
expires_in: Optional[int] = None,
payload: Optional[str] = None,
target_service_account: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetAccountJwtResult
def get_account_jwt_output(delegates: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
expires_in: Optional[pulumi.Input[int]] = None,
payload: Optional[pulumi.Input[str]] = None,
target_service_account: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetAccountJwtResult]
func GetAccountJwt(ctx *Context, args *GetAccountJwtArgs, opts ...InvokeOption) (*GetAccountJwtResult, error)
func GetAccountJwtOutput(ctx *Context, args *GetAccountJwtOutputArgs, opts ...InvokeOption) GetAccountJwtResultOutput
> Note: This function is named GetAccountJwt in the Go SDK.
public static class GetAccountJwt
{
public static Task<GetAccountJwtResult> InvokeAsync(GetAccountJwtArgs args, InvokeOptions? opts = null)
public static Output<GetAccountJwtResult> Invoke(GetAccountJwtInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetAccountJwtResult> getAccountJwt(GetAccountJwtArgs args, InvokeOptions options)
public static Output<GetAccountJwtResult> getAccountJwt(GetAccountJwtArgs args, InvokeOptions options)
fn::invoke:
function: gcp:serviceaccount/getAccountJwt:getAccountJwt
arguments:
# arguments dictionary
The following arguments are supported:
- Payload string
- The JSON-encoded JWT claims set to include in the self-signed JWT.
- TargetServiceAccount string
- The email of the service account that will sign the JWT.
- Delegates List<string>
- Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.
- ExpiresIn int
- Number of seconds until the JWT expires. If set and non-zero, an exp claim will be added to the payload, derived from the current timestamp plus expires_in seconds.
- Payload string
- The JSON-encoded JWT claims set to include in the self-signed JWT.
- TargetServiceAccount string
- The email of the service account that will sign the JWT.
- Delegates []string
- Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.
- ExpiresIn int
- Number of seconds until the JWT expires. If set and non-zero, an exp claim will be added to the payload, derived from the current timestamp plus expires_in seconds.
- payload String
- The JSON-encoded JWT claims set to include in the self-signed JWT.
- targetServiceAccount String
- The email of the service account that will sign the JWT.
- delegates List<String>
- Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.
- expiresIn Integer
- Number of seconds until the JWT expires. If set and non-zero, an exp claim will be added to the payload, derived from the current timestamp plus expires_in seconds.
- payload string
- The JSON-encoded JWT claims set to include in the self-signed JWT.
- targetServiceAccount string
- The email of the service account that will sign the JWT.
- delegates string[]
- Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.
- expiresIn number
- Number of seconds until the JWT expires. If set and non-zero, an exp claim will be added to the payload, derived from the current timestamp plus expires_in seconds.
- payload str
- The JSON-encoded JWT claims set to include in the self-signed JWT.
- target_service_account str
- The email of the service account that will sign the JWT.
- delegates Sequence[str]
- Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.
- expires_in int
- Number of seconds until the JWT expires. If set and non-zero, an exp claim will be added to the payload, derived from the current timestamp plus expires_in seconds.
- payload String
- The JSON-encoded JWT claims set to include in the self-signed JWT.
- targetServiceAccount String
- The email of the service account that will sign the JWT.
- delegates List<String>
- Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.
- expiresIn Number
- Number of seconds until the JWT expires. If set and non-zero, an exp claim will be added to the payload, derived from the current timestamp plus expires_in seconds.
getAccountJwt Result
The following output properties are available:
- id str
- The provider-assigned unique ID for this managed resource.
- jwt str
- The signed JWT containing the JWT Claims Set from the payload.
- payload str
- target_service_account str
- delegates Sequence[str]
- expires_in int
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the google-beta Terraform Provider.
