Namespace Pulumi.Gcp.ServiceAccount
Classes
Account
Allows management of a Google Cloud Platform service account.
Creation of service accounts is eventually consistent, and that can lead to errors when you try to apply ACLs to service accounts immediately after creation.
Example Usage
using Pulumi;
using Gcp = Pulumi.Gcp;
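class MyStack : Stack
{
    /// <summary>
    /// Creates a single service account with a fixed account id and display name.
    /// </summary>
    public MyStack()
    {
        // AccountId must be 6-30 characters matching [a-z]([-a-z0-9]*[a-z0-9]);
        // the original sample used underscores, which the API rejects, so a
        // hyphenated id is used here (the other examples on this page do the same).
        var accountArgs = new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "service-account-id",
            DisplayName = "Service Account",
        };

        // Service-account creation is eventually consistent; have dependent IAM
        // resources reference this object's outputs (Name/Email) rather than a
        // hard-coded email so they are ordered after creation.
        var serviceAccount = new Gcp.ServiceAccount.Account("serviceAccount", accountArgs);
    }
}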
AccountArgs
AccountState
GetAccount
GetAccountAccessToken
GetAccountAccessTokenArgs
GetAccountAccessTokenResult
GetAccountArgs
GetAccountKey
GetAccountKeyArgs
GetAccountKeyResult
GetAccountResult
IAMBinding
When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource adds IAM policy bindings to a service account resource, configuring who may edit the service account itself. To configure permissions for the service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources instead.
Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:
gcp.serviceAccount.IAMPolicy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
gcp.serviceAccount.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
gcp.serviceAccount.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members of that role on the service account are preserved.
Note:
gcp.serviceAccount.IAMPolicy cannot be used in conjunction with gcp.serviceAccount.IAMBinding and gcp.serviceAccount.IAMMember, or they will fight over what your policy should be.
Note:
gcp.serviceAccount.IAMBinding resources can be used in conjunction with gcp.serviceAccount.IAMMember resources only if they do not grant privileges for the same role.
google_service_account_iam_policy
using Pulumi;
using Gcp = Pulumi.Gcp;
class MyStack : Stack
{
    /// <summary>
    /// Builds a policy document granting roles/iam.serviceAccountUser to one user
    /// and applies it, authoritatively, to a freshly created service account.
    /// </summary>
    public MyStack()
    {
        // The invoke yields a complete policy document, not a single binding to merge.
        var admin = Output.Create(Gcp.Organizations.GetIAMPolicy.InvokeAsync(new Gcp.Organizations.GetIAMPolicyArgs
        {
            Binding =
            {
                {
                    { "role", "roles/iam.serviceAccountUser" },
                    { "members",
                    {
                        "user:jane@example.com",
                    } },
                },
            },
        }));

        var saArgs = new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that only Jane can interact with",
        };
        var sa = new Gcp.ServiceAccount.Account("sa", saArgs);

        // IAMPolicy is authoritative: any binding on the account that is not in
        // `admin` (including ones added out-of-band) is removed on apply, so it
        // must not be combined with IAMBinding/IAMMember on the same account.
        var policyData = admin.Apply(policy => policy.PolicyData);
        var admin_account_iam = new Gcp.ServiceAccount.IAMPolicy("admin-account-iam", new Gcp.ServiceAccount.IAMPolicyArgs
        {
            ServiceAccountId = sa.Name,
            PolicyData = policyData,
        });
    }
}
google_service_account_iam_binding
using Pulumi;
using Gcp = Pulumi.Gcp;
class MyStack : Stack
{
    /// <summary>
    /// Creates a service account and grants roles/iam.serviceAccountUser on it to
    /// a single user through an IAMBinding.
    /// </summary>
    public MyStack()
    {
        var saArgs = new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that only Jane can use",
        };
        var sa = new Gcp.ServiceAccount.Account("sa", saArgs);

        // IAMBinding is authoritative for this one role: the member list below
        // becomes the complete set of roles/iam.serviceAccountUser grants on `sa`,
        // so anyone given that role out-of-band is dropped on the next apply.
        // Other roles on the account are left untouched.
        var bindingArgs = new Gcp.ServiceAccount.IAMBindingArgs
        {
            ServiceAccountId = sa.Name,
            Role = "roles/iam.serviceAccountUser",
            Members =
            {
                "user:jane@example.com",
            },
        };
        var admin_account_iam = new Gcp.ServiceAccount.IAMBinding("admin-account-iam", bindingArgs);
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;
class MyStack : Stack
{
    /// <summary>
    /// Same as the unconditional binding, but the grant carries an IAM Condition
    /// that limits it to requests made before a fixed timestamp.
    /// </summary>
    public MyStack()
    {
        var saArgs = new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that only Jane can use",
        };
        var sa = new Gcp.ServiceAccount.Account("sa", saArgs);

        // The expression is evaluated by IAM on each request; once request.time
        // passes the timestamp the binding grants nothing. The sample date
        // (2020-01-01) is already in the past, so copy this with a future date
        // or the grant is inert from the start.
        var expiry = new Gcp.ServiceAccount.Inputs.IAMBindingConditionArgs
        {
            Description = "Expiring at midnight of 2019-12-31",
            Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            Title = "expires_after_2019_12_31",
        };

        var admin_account_iam = new Gcp.ServiceAccount.IAMBinding("admin-account-iam", new Gcp.ServiceAccount.IAMBindingArgs
        {
            Condition = expiry,
            Members =
            {
                "user:jane@example.com",
            },
            Role = "roles/iam.serviceAccountUser",
            ServiceAccountId = sa.Name,
        });
    }
}
google_service_account_iam_member
using Pulumi;
using Gcp = Pulumi.Gcp;
class MyStack : Stack
{
    /// <summary>
    /// Creates a service account, lets one user use it, and lets the new account
    /// use the project's default Compute Engine service account.
    /// </summary>
    public MyStack()
    {
        var @default = Output.Create(Gcp.Compute.GetDefaultServiceAccount.InvokeAsync());

        var saArgs = new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that Jane can use",
        };
        var sa = new Gcp.ServiceAccount.Account("sa", saArgs);

        // IAMMember is non-authoritative: it adds this one member to the role
        // and leaves every other member of that role in place.
        var admin_account_iam = new Gcp.ServiceAccount.IAMMember("admin-account-iam", new Gcp.ServiceAccount.IAMMemberArgs
        {
            ServiceAccountId = sa.Name,
            Role = "roles/iam.serviceAccountUser",
            Member = "user:jane@example.com",
        });

        // Allow `sa` to use the default GCE service account. serviceAccountUser
        // lets the holder act as the target account, so `sa` (and hence Jane,
        // who can use `sa`) effectively gains whatever the default GCE account
        // is allowed to do; add a Condition if that is broader than intended.
        var defaultAccountName = @default.Apply(acct => acct.Name);
        var saMember = sa.Email.Apply(email => $"serviceAccount:{email}");
        var gce_default_account_iam = new Gcp.ServiceAccount.IAMMember("gce-default-account-iam", new Gcp.ServiceAccount.IAMMemberArgs
        {
            ServiceAccountId = defaultAccountName,
            Role = "roles/iam.serviceAccountUser",
            Member = saMember,
        });
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;
class MyStack : Stack
{
    /// <summary>
    /// Grants a single user roles/iam.serviceAccountUser on a new service account,
    /// with an IAM Condition that expires the grant at a fixed timestamp.
    /// </summary>
    public MyStack()
    {
        var saArgs = new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that Jane can use",
        };
        var sa = new Gcp.ServiceAccount.Account("sa", saArgs);

        // Evaluated by IAM per request; after the timestamp the member has no
        // access. The sample date (2020-01-01) has already passed, so use a
        // future date when copying this or the grant is inert from the start.
        var expiry = new Gcp.ServiceAccount.Inputs.IAMMemberConditionArgs
        {
            Description = "Expiring at midnight of 2019-12-31",
            Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            Title = "expires_after_2019_12_31",
        };

        // Non-authoritative: other members of the role are preserved.
        var admin_account_iam = new Gcp.ServiceAccount.IAMMember("admin-account-iam", new Gcp.ServiceAccount.IAMMemberArgs
        {
            Condition = expiry,
            Member = "user:jane@example.com",
            Role = "roles/iam.serviceAccountUser",
            ServiceAccountId = sa.Name,
        });
    }
}
IAMBindingArgs
IAMBindingState
IAMMember
When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource adds IAM policy bindings to a service account resource, configuring who may edit the service account itself. To configure permissions for the service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources instead.
Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:
gcp.serviceAccount.IAMPolicy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
gcp.serviceAccount.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
gcp.serviceAccount.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members of that role on the service account are preserved.
Note:
gcp.serviceAccount.IAMPolicy cannot be used in conjunction with gcp.serviceAccount.IAMBinding and gcp.serviceAccount.IAMMember, or they will fight over what your policy should be.
Note:
gcp.serviceAccount.IAMBinding resources can be used in conjunction with gcp.serviceAccount.IAMMember resources only if they do not grant privileges for the same role.
google_service_account_iam_policy
using Pulumi;
using Gcp = Pulumi.Gcp;
class MyStack : Stack
{
    /// <summary>
    /// Builds a policy document granting roles/iam.serviceAccountUser to one user
    /// and applies it, authoritatively, to a freshly created service account.
    /// </summary>
    public MyStack()
    {
        // The invoke yields a complete policy document, not a single binding to merge.
        var admin = Output.Create(Gcp.Organizations.GetIAMPolicy.InvokeAsync(new Gcp.Organizations.GetIAMPolicyArgs
        {
            Binding =
            {
                {
                    { "role", "roles/iam.serviceAccountUser" },
                    { "members",
                    {
                        "user:jane@example.com",
                    } },
                },
            },
        }));

        var saArgs = new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that only Jane can interact with",
        };
        var sa = new Gcp.ServiceAccount.Account("sa", saArgs);

        // IAMPolicy is authoritative: any binding on the account that is not in
        // `admin` (including ones added out-of-band) is removed on apply, so it
        // must not be combined with IAMBinding/IAMMember on the same account.
        var policyData = admin.Apply(policy => policy.PolicyData);
        var admin_account_iam = new Gcp.ServiceAccount.IAMPolicy("admin-account-iam", new Gcp.ServiceAccount.IAMPolicyArgs
        {
            ServiceAccountId = sa.Name,
            PolicyData = policyData,
        });
    }
}
google_service_account_iam_binding
using Pulumi;
using Gcp = Pulumi.Gcp;
class MyStack : Stack
{
    /// <summary>
    /// Creates a service account and grants roles/iam.serviceAccountUser on it to
    /// a single user through an IAMBinding.
    /// </summary>
    public MyStack()
    {
        var saArgs = new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that only Jane can use",
        };
        var sa = new Gcp.ServiceAccount.Account("sa", saArgs);

        // IAMBinding is authoritative for this one role: the member list below
        // becomes the complete set of roles/iam.serviceAccountUser grants on `sa`,
        // so anyone given that role out-of-band is dropped on the next apply.
        // Other roles on the account are left untouched.
        var bindingArgs = new Gcp.ServiceAccount.IAMBindingArgs
        {
            ServiceAccountId = sa.Name,
            Role = "roles/iam.serviceAccountUser",
            Members =
            {
                "user:jane@example.com",
            },
        };
        var admin_account_iam = new Gcp.ServiceAccount.IAMBinding("admin-account-iam", bindingArgs);
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;
class MyStack : Stack
{
    /// <summary>
    /// Same as the unconditional binding, but the grant carries an IAM Condition
    /// that limits it to requests made before a fixed timestamp.
    /// </summary>
    public MyStack()
    {
        var saArgs = new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that only Jane can use",
        };
        var sa = new Gcp.ServiceAccount.Account("sa", saArgs);

        // The expression is evaluated by IAM on each request; once request.time
        // passes the timestamp the binding grants nothing. The sample date
        // (2020-01-01) is already in the past, so copy this with a future date
        // or the grant is inert from the start.
        var expiry = new Gcp.ServiceAccount.Inputs.IAMBindingConditionArgs
        {
            Description = "Expiring at midnight of 2019-12-31",
            Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            Title = "expires_after_2019_12_31",
        };

        var admin_account_iam = new Gcp.ServiceAccount.IAMBinding("admin-account-iam", new Gcp.ServiceAccount.IAMBindingArgs
        {
            Condition = expiry,
            Members =
            {
                "user:jane@example.com",
            },
            Role = "roles/iam.serviceAccountUser",
            ServiceAccountId = sa.Name,
        });
    }
}
google_service_account_iam_member
using Pulumi;
using Gcp = Pulumi.Gcp;
class MyStack : Stack
{
    /// <summary>
    /// Creates a service account, lets one user use it, and lets the new account
    /// use the project's default Compute Engine service account.
    /// </summary>
    public MyStack()
    {
        var @default = Output.Create(Gcp.Compute.GetDefaultServiceAccount.InvokeAsync());

        var saArgs = new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that Jane can use",
        };
        var sa = new Gcp.ServiceAccount.Account("sa", saArgs);

        // IAMMember is non-authoritative: it adds this one member to the role
        // and leaves every other member of that role in place.
        var admin_account_iam = new Gcp.ServiceAccount.IAMMember("admin-account-iam", new Gcp.ServiceAccount.IAMMemberArgs
        {
            ServiceAccountId = sa.Name,
            Role = "roles/iam.serviceAccountUser",
            Member = "user:jane@example.com",
        });

        // Allow `sa` to use the default GCE service account. serviceAccountUser
        // lets the holder act as the target account, so `sa` (and hence Jane,
        // who can use `sa`) effectively gains whatever the default GCE account
        // is allowed to do; add a Condition if that is broader than intended.
        var defaultAccountName = @default.Apply(acct => acct.Name);
        var saMember = sa.Email.Apply(email => $"serviceAccount:{email}");
        var gce_default_account_iam = new Gcp.ServiceAccount.IAMMember("gce-default-account-iam", new Gcp.ServiceAccount.IAMMemberArgs
        {
            ServiceAccountId = defaultAccountName,
            Role = "roles/iam.serviceAccountUser",
            Member = saMember,
        });
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;
class MyStack : Stack
{
    /// <summary>
    /// Grants a single user roles/iam.serviceAccountUser on a new service account,
    /// with an IAM Condition that expires the grant at a fixed timestamp.
    /// </summary>
    public MyStack()
    {
        var saArgs = new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that Jane can use",
        };
        var sa = new Gcp.ServiceAccount.Account("sa", saArgs);

        // Evaluated by IAM per request; after the timestamp the member has no
        // access. The sample date (2020-01-01) has already passed, so use a
        // future date when copying this or the grant is inert from the start.
        var expiry = new Gcp.ServiceAccount.Inputs.IAMMemberConditionArgs
        {
            Description = "Expiring at midnight of 2019-12-31",
            Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            Title = "expires_after_2019_12_31",
        };

        // Non-authoritative: other members of the role are preserved.
        var admin_account_iam = new Gcp.ServiceAccount.IAMMember("admin-account-iam", new Gcp.ServiceAccount.IAMMemberArgs
        {
            Condition = expiry,
            Member = "user:jane@example.com",
            Role = "roles/iam.serviceAccountUser",
            ServiceAccountId = sa.Name,
        });
    }
}
IAMMemberArgs
IAMMemberState
IAMPolicy
When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource adds IAM policy bindings to a service account resource, configuring who may edit the service account itself. To configure permissions for the service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources instead.
Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:
gcp.serviceAccount.IAMPolicy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
gcp.serviceAccount.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
gcp.serviceAccount.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members of that role on the service account are preserved.
Note:
gcp.serviceAccount.IAMPolicy cannot be used in conjunction with gcp.serviceAccount.IAMBinding and gcp.serviceAccount.IAMMember, or they will fight over what your policy should be.
Note:
gcp.serviceAccount.IAMBinding resources can be used in conjunction with gcp.serviceAccount.IAMMember resources only if they do not grant privileges for the same role.
google_service_account_iam_policy
using Pulumi;
using Gcp = Pulumi.Gcp;
class MyStack : Stack
{
    /// <summary>
    /// Builds a policy document granting roles/iam.serviceAccountUser to one user
    /// and applies it, authoritatively, to a freshly created service account.
    /// </summary>
    public MyStack()
    {
        // The invoke yields a complete policy document, not a single binding to merge.
        var admin = Output.Create(Gcp.Organizations.GetIAMPolicy.InvokeAsync(new Gcp.Organizations.GetIAMPolicyArgs
        {
            Binding =
            {
                {
                    { "role", "roles/iam.serviceAccountUser" },
                    { "members",
                    {
                        "user:jane@example.com",
                    } },
                },
            },
        }));

        var saArgs = new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that only Jane can interact with",
        };
        var sa = new Gcp.ServiceAccount.Account("sa", saArgs);

        // IAMPolicy is authoritative: any binding on the account that is not in
        // `admin` (including ones added out-of-band) is removed on apply, so it
        // must not be combined with IAMBinding/IAMMember on the same account.
        var policyData = admin.Apply(policy => policy.PolicyData);
        var admin_account_iam = new Gcp.ServiceAccount.IAMPolicy("admin-account-iam", new Gcp.ServiceAccount.IAMPolicyArgs
        {
            ServiceAccountId = sa.Name,
            PolicyData = policyData,
        });
    }
}
google_service_account_iam_binding
using Pulumi;
using Gcp = Pulumi.Gcp;
class MyStack : Stack
{
    /// <summary>
    /// Creates a service account and grants roles/iam.serviceAccountUser on it to
    /// a single user through an IAMBinding.
    /// </summary>
    public MyStack()
    {
        var saArgs = new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that only Jane can use",
        };
        var sa = new Gcp.ServiceAccount.Account("sa", saArgs);

        // IAMBinding is authoritative for this one role: the member list below
        // becomes the complete set of roles/iam.serviceAccountUser grants on `sa`,
        // so anyone given that role out-of-band is dropped on the next apply.
        // Other roles on the account are left untouched.
        var bindingArgs = new Gcp.ServiceAccount.IAMBindingArgs
        {
            ServiceAccountId = sa.Name,
            Role = "roles/iam.serviceAccountUser",
            Members =
            {
                "user:jane@example.com",
            },
        };
        var admin_account_iam = new Gcp.ServiceAccount.IAMBinding("admin-account-iam", bindingArgs);
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;
class MyStack : Stack
{
    /// <summary>
    /// Same as the unconditional binding, but the grant carries an IAM Condition
    /// that limits it to requests made before a fixed timestamp.
    /// </summary>
    public MyStack()
    {
        var saArgs = new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that only Jane can use",
        };
        var sa = new Gcp.ServiceAccount.Account("sa", saArgs);

        // The expression is evaluated by IAM on each request; once request.time
        // passes the timestamp the binding grants nothing. The sample date
        // (2020-01-01) is already in the past, so copy this with a future date
        // or the grant is inert from the start.
        var expiry = new Gcp.ServiceAccount.Inputs.IAMBindingConditionArgs
        {
            Description = "Expiring at midnight of 2019-12-31",
            Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            Title = "expires_after_2019_12_31",
        };

        var admin_account_iam = new Gcp.ServiceAccount.IAMBinding("admin-account-iam", new Gcp.ServiceAccount.IAMBindingArgs
        {
            Condition = expiry,
            Members =
            {
                "user:jane@example.com",
            },
            Role = "roles/iam.serviceAccountUser",
            ServiceAccountId = sa.Name,
        });
    }
}
google_service_account_iam_member
using Pulumi;
using Gcp = Pulumi.Gcp;
class MyStack : Stack
{
    /// <summary>
    /// Creates a service account, lets one user use it, and lets the new account
    /// use the project's default Compute Engine service account.
    /// </summary>
    public MyStack()
    {
        var @default = Output.Create(Gcp.Compute.GetDefaultServiceAccount.InvokeAsync());

        var saArgs = new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that Jane can use",
        };
        var sa = new Gcp.ServiceAccount.Account("sa", saArgs);

        // IAMMember is non-authoritative: it adds this one member to the role
        // and leaves every other member of that role in place.
        var admin_account_iam = new Gcp.ServiceAccount.IAMMember("admin-account-iam", new Gcp.ServiceAccount.IAMMemberArgs
        {
            ServiceAccountId = sa.Name,
            Role = "roles/iam.serviceAccountUser",
            Member = "user:jane@example.com",
        });

        // Allow `sa` to use the default GCE service account. serviceAccountUser
        // lets the holder act as the target account, so `sa` (and hence Jane,
        // who can use `sa`) effectively gains whatever the default GCE account
        // is allowed to do; add a Condition if that is broader than intended.
        var defaultAccountName = @default.Apply(acct => acct.Name);
        var saMember = sa.Email.Apply(email => $"serviceAccount:{email}");
        var gce_default_account_iam = new Gcp.ServiceAccount.IAMMember("gce-default-account-iam", new Gcp.ServiceAccount.IAMMemberArgs
        {
            ServiceAccountId = defaultAccountName,
            Role = "roles/iam.serviceAccountUser",
            Member = saMember,
        });
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;
class MyStack : Stack
{
    /// <summary>
    /// Grants a single user roles/iam.serviceAccountUser on a new service account,
    /// with an IAM Condition that expires the grant at a fixed timestamp.
    /// </summary>
    public MyStack()
    {
        var saArgs = new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-service-account",
            DisplayName = "A service account that Jane can use",
        };
        var sa = new Gcp.ServiceAccount.Account("sa", saArgs);

        // Evaluated by IAM per request; after the timestamp the member has no
        // access. The sample date (2020-01-01) has already passed, so use a
        // future date when copying this or the grant is inert from the start.
        var expiry = new Gcp.ServiceAccount.Inputs.IAMMemberConditionArgs
        {
            Description = "Expiring at midnight of 2019-12-31",
            Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            Title = "expires_after_2019_12_31",
        };

        // Non-authoritative: other members of the role are preserved.
        var admin_account_iam = new Gcp.ServiceAccount.IAMMember("admin-account-iam", new Gcp.ServiceAccount.IAMMemberArgs
        {
            Condition = expiry,
            Member = "user:jane@example.com",
            Role = "roles/iam.serviceAccountUser",
            ServiceAccountId = sa.Name,
        });
    }
}
IAMPolicyArgs
IAMPolicyState
Key
Creates and manages service account key pairs, which let a caller prove the identity of a service account from outside GCP. For more information, see the official documentation and API reference.
Example Usage, creating a new Key Pair
using Pulumi;
using Gcp = Pulumi.Gcp;
class MyStack : Stack
{
    /// <summary>
    /// Creates a service account and a user-managed key pair for it, requesting
    /// the public half in X.509 PEM form.
    /// </summary>
    public MyStack()
    {
        var accountArgs = new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "myaccount",
            DisplayName = "My Service Account",
        };
        var myaccount = new Gcp.ServiceAccount.Account("myaccount", accountArgs);

        // This mints a long-lived credential that identifies the account outside
        // GCP. Like any resource output, the generated key material is recorded
        // in Pulumi state, so the state backend has to be treated as
        // secret-bearing; prefer short-lived or federated credentials where a
        // downloadable key is not strictly required.
        var keyArgs = new Gcp.ServiceAccount.KeyArgs
        {
            ServiceAccountId = myaccount.Name,
            PublicKeyType = "TYPE_X509_PEM_FILE",
        };
        var mykey = new Gcp.ServiceAccount.Key("mykey", keyArgs);
    }
}