gcp.serviceAccount.getAccountJwt


This data source provides a self-signed JWT. Tokens issued from this data source are typically used to call external services that accept JWTs for authentication.

Example Usage

Note: in order to use the following, the caller must have at least the `roles/iam.serviceAccountTokenCreator` role on the target service account.

using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Gcp = Pulumi.Gcp;

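// Requests a self-signed JWT signed by the target service account and exports
// it as the stack output "jwt".
return await Deployment.RunAsync(() => 
{
    var foo = Gcp.ServiceAccount.GetAccountJwt.Invoke(new()
    {
        // Service account that signs the token.
        TargetServiceAccount = "impersonated-account@project.iam.gserviceaccount.com",
        // JSON-encoded claims set placed in the token.
        Payload = JsonSerializer.Serialize(new Dictionary<string, object?>
        {
            ["foo"] = "bar",
            ["sub"] = "subject",
        }),
        // Lifetime in seconds; a non-zero value adds an exp claim. The token is a
        // bearer credential for as long as it is valid, so keep this short.
        ExpiresIn = 60,
    });

    return new Dictionary<string, object?>
    {
        // Mark the signed token as a secret explicitly so that Pulumi encrypts it
        // in the stack state and masks it in CLI output.
        ["jwt"] = foo.Apply(getAccountJwtResult => Output.CreateSecret(getAccountJwtResult.Jwt)),
    };
});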
package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/serviceAccount"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

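// main requests a self-signed JWT signed by the target service account and
// exports it as the stack output "jwt".
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// JSON-encode the claims set that goes into the token.
		claimsJSON, err := json.Marshal(map[string]interface{}{
			"foo": "bar",
			"sub": "subject",
		})
		if err != nil {
			return err
		}
		// The original listing mixed the qualifiers `serviceAccount` and
		// `serviceaccount`; one qualifier is used here for both references.
		// NOTE(review): confirm that the final element of the import path
		// matches the package name of the installed SDK version.
		foo, err := serviceaccount.GetAccountJwt(ctx, &serviceaccount.GetAccountJwtArgs{
			TargetServiceAccount: "impersonated-account@project.iam.gserviceaccount.com",
			Payload:              string(claimsJSON),
			// Lifetime in seconds; a non-zero value adds an exp claim. The token
			// is a bearer credential while valid, so keep this short.
			ExpiresIn: pulumi.IntRef(60),
		}, nil)
		if err != nil {
			return err
		}
		// The direct invoke form returns a plain string. Export expects a
		// pulumi.Input, and the token should be stored as a secret so that it
		// is encrypted in the stack state and masked in CLI output.
		ctx.Export("jwt", pulumi.ToSecret(pulumi.String(foo.Jwt)))
		return nil
	})
}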
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.serviceAccount.ServiceAccountFunctions;
import com.pulumi.gcp.serviceAccount.inputs.GetAccountJwtArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

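/**
 * Pulumi program that requests a self-signed JWT signed by the target service
 * account and exports it as the stack output "jwt".
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Invokes getAccountJwt with a two-claim payload and a 60 second lifetime,
     * then exports the signed token.
     *
     * @param ctx the Pulumi context used to register the stack output
     */
    public static void stack(Context ctx) {
        final var foo = ServiceAccountFunctions.getAccountJwt(GetAccountJwtArgs.builder()
            .targetServiceAccount("impersonated-account@project.iam.gserviceaccount.com")
            .payload(serializeJson(
                jsonObject(
                    jsonProperty("foo", "bar"),
                    jsonProperty("sub", "subject")
                )))
            // Lifetime in seconds; a non-zero value adds an exp claim. The token
            // is a bearer credential while valid, so keep this short.
            .expiresIn(60)
            .build());

        // Mark the signed token as a secret explicitly so that Pulumi encrypts
        // it in the stack state and masks it in CLI output.
        ctx.export("jwt", foo.applyValue(getAccountJwtResult -> getAccountJwtResult.jwt()).asSecret());
    }
}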
import pulumi
import json
import pulumi_gcp as gcp

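# Request a self-signed JWT signed by the target service account.
foo = gcp.serviceAccount.get_account_jwt(
    target_service_account="impersonated-account@project.iam.gserviceaccount.com",
    # JSON-encoded claims set placed in the token.
    payload=json.dumps({
        "foo": "bar",
        "sub": "subject",
    }),
    # Lifetime in seconds; a non-zero value adds an exp claim. The token is a
    # bearer credential while valid, so keep this short.
    expires_in=60,
)
# The direct invoke form returns a plain string. Wrap it as a secret so that
# Pulumi encrypts it in the stack state and masks it in CLI output.
pulumi.export("jwt", pulumi.Output.secret(foo.jwt))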
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

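// Request a self-signed JWT signed by the target service account.
const foo = gcp.serviceAccount.getAccountJwt({
    targetServiceAccount: "impersonated-account@project.iam.gserviceaccount.com",
    // JSON-encoded claims set placed in the token.
    payload: JSON.stringify({
        foo: "bar",
        sub: "subject",
    }),
    // Lifetime in seconds; a non-zero value adds an exp claim. The token is a
    // bearer credential while valid, so keep this short.
    expiresIn: 60,
});
// The direct invoke form resolves to a plain value. Wrap it as a secret so that
// Pulumi encrypts it in the stack state and masks it in CLI output.
export const jwt = pulumi.secret(foo.then(foo => foo.jwt));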
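# Requests a self-signed JWT signed by the target service account and exports
# it as the stack output "jwt".
variables:
  foo:
    fn::invoke:
      Function: gcp:serviceAccount:getAccountJwt
      Arguments:
        targetServiceAccount: impersonated-account@project.iam.gserviceaccount.com
        # Claims set, JSON-encoded before it is passed to the function.
        payload:
          fn::toJSON:
            foo: bar
            sub: subject
        # Lifetime in seconds; a non-zero value adds an exp claim. The token is
        # a bearer credential while valid, so keep this short.
        expiresIn: 60
outputs:
  # Mark the signed token as a secret explicitly so that Pulumi encrypts it in
  # the stack state and masks it in CLI output.
  jwt:
    fn::secret: ${foo.jwt}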

Using getAccountJwt

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

// Direct form: plain arguments, Promise-wrapped result.
function getAccountJwt(args: GetAccountJwtArgs, opts?: InvokeOptions): Promise<GetAccountJwtResult>
// Output form: Input-wrapped arguments, Output-wrapped result.
function getAccountJwtOutput(args: GetAccountJwtOutputArgs, opts?: InvokeOptions): Output<GetAccountJwtResult>
# Direct form: plain arguments, returns the result value itself.
def get_account_jwt(delegates: Optional[Sequence[str]] = None,
                    expires_in: Optional[int] = None,
                    payload: Optional[str] = None,
                    target_service_account: Optional[str] = None,
                    opts: Optional[InvokeOptions] = None) -> GetAccountJwtResult
# Output form: Input-wrapped arguments, Output-wrapped result.
def get_account_jwt_output(delegates: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                    expires_in: Optional[pulumi.Input[int]] = None,
                    payload: Optional[pulumi.Input[str]] = None,
                    target_service_account: Optional[pulumi.Input[str]] = None,
                    opts: Optional[InvokeOptions] = None) -> Output[GetAccountJwtResult]
// Direct form: plain arguments, returns the result and an error.
func GetAccountJwt(ctx *Context, args *GetAccountJwtArgs, opts ...InvokeOption) (*GetAccountJwtResult, error)
// Output form: takes GetAccountJwtOutputArgs, returns an Output-wrapped result.
func GetAccountJwtOutput(ctx *Context, args *GetAccountJwtOutputArgs, opts ...InvokeOption) GetAccountJwtResultOutput

> Note: This function is named GetAccountJwt in the Go SDK.

public static class GetAccountJwt 
{
    // Direct form: plain arguments, Task-wrapped result.
    public static Task<GetAccountJwtResult> InvokeAsync(GetAccountJwtArgs args, InvokeOptions? opts = null)
    // Output form: takes GetAccountJwtInvokeArgs, returns an Output-wrapped result.
    public static Output<GetAccountJwtResult> Invoke(GetAccountJwtInvokeArgs args, InvokeOptions? opts = null)
}
// Direct form: plain arguments, CompletableFuture-wrapped result.
public static CompletableFuture<GetAccountJwtResult> getAccountJwt(GetAccountJwtArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
  function: gcp:serviceAccount/getAccountJwt:getAccountJwt
  arguments:
    # arguments dictionary

The following arguments are supported:

Payload string

The JSON-encoded JWT claims set to include in the self-signed JWT.

TargetServiceAccount string

The email of the service account that will sign the JWT.

Delegates List<string>

Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.

ExpiresIn int

Number of seconds until the JWT expires. If set and non-zero an exp claim will be added to the payload derived from the current timestamp plus expires_in seconds.

Payload string

The JSON-encoded JWT claims set to include in the self-signed JWT.

TargetServiceAccount string

The email of the service account that will sign the JWT.

Delegates []string

Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.

ExpiresIn int

Number of seconds until the JWT expires. If set and non-zero an exp claim will be added to the payload derived from the current timestamp plus expires_in seconds.

payload String

The JSON-encoded JWT claims set to include in the self-signed JWT.

targetServiceAccount String

The email of the service account that will sign the JWT.

delegates List<String>

Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.

expiresIn Integer

Number of seconds until the JWT expires. If set and non-zero an exp claim will be added to the payload derived from the current timestamp plus expires_in seconds.

payload string

The JSON-encoded JWT claims set to include in the self-signed JWT.

targetServiceAccount string

The email of the service account that will sign the JWT.

delegates string[]

Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.

expiresIn number

Number of seconds until the JWT expires. If set and non-zero an exp claim will be added to the payload derived from the current timestamp plus expires_in seconds.

payload str

The JSON-encoded JWT claims set to include in the self-signed JWT.

target_service_account str

The email of the service account that will sign the JWT.

delegates Sequence[str]

Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.

expires_in int

Number of seconds until the JWT expires. If set and non-zero an exp claim will be added to the payload derived from the current timestamp plus expires_in seconds.

payload String

The JSON-encoded JWT claims set to include in the self-signed JWT.

targetServiceAccount String

The email of the service account that will sign the JWT.

delegates List<String>

Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.

expiresIn Number

Number of seconds until the JWT expires. If set and non-zero an exp claim will be added to the payload derived from the current timestamp plus expires_in seconds.

getAccountJwt Result

The following output properties are available:

Id string

The provider-assigned unique ID for this managed resource.

Jwt string

The signed JWT containing the JWT Claims Set from the payload.

Payload string
TargetServiceAccount string
Delegates List<string>
ExpiresIn int
Id string

The provider-assigned unique ID for this managed resource.

Jwt string

The signed JWT containing the JWT Claims Set from the payload.

Payload string
TargetServiceAccount string
Delegates []string
ExpiresIn int
id String

The provider-assigned unique ID for this managed resource.

jwt String

The signed JWT containing the JWT Claims Set from the payload.

payload String
targetServiceAccount String
delegates List<String>
expiresIn Integer
id string

The provider-assigned unique ID for this managed resource.

jwt string

The signed JWT containing the JWT Claims Set from the payload.

payload string
targetServiceAccount string
delegates string[]
expiresIn number
id str

The provider-assigned unique ID for this managed resource.

jwt str

The signed JWT containing the JWT Claims Set from the payload.

payload str
target_service_account str
delegates Sequence[str]
expires_in int
id String

The provider-assigned unique ID for this managed resource.

jwt String

The signed JWT containing the JWT Claims Set from the payload.

payload String
targetServiceAccount String
delegates List<String>
expiresIn Number

Package Details

Repository
Google Cloud (GCP) Classic pulumi/pulumi-gcp
License
Apache-2.0
Notes

This Pulumi package is based on the google-beta Terraform Provider.