Module serviceAccount

This page documents the language specification for the gcp package. If you're looking for help working with the inputs, outputs, or functions of gcp resources in a Pulumi program, please see the resource documentation for examples and API reference.

Resources

Resource Account

class Account extends CustomResource

Allows management of a Google Cloud Platform service account

Creation of service accounts is eventually consistent, and that can lead to errors when you try to apply ACLs to service accounts immediately after creation.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const serviceAccount = new gcp.serviceAccount.Account("serviceAccount", {
    accountId: "serviceAccountId",
    displayName: "Service Account",
});

constructor

new Account(name: string, args: AccountArgs, opts?: pulumi.CustomResourceOptions)

Create a Account resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AccountState, opts?: pulumi.CustomResourceOptions): Account

Get an existing Account resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Account

Returns true if the given object is an instance of Account. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accountId

public accountId: pulumi.Output<string>;

The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression a-z to comply with RFC1035. Changing this forces a new service account to be created.

property description

public description: pulumi.Output<string | undefined>;

A text description of the service account. Must be less than or equal to 256 UTF-8 bytes.

property displayName

public displayName: pulumi.Output<string | undefined>;

The display name for the service account. Can be updated without creating a new resource.

property email

public email: pulumi.Output<string>;

The e-mail address of the service account. This value should be referenced from any gcp.organizations.getIAMPolicy data sources that would grant the service account privileges.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The fully-qualified name of the service account.

property project

public project: pulumi.Output<string>;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

property uniqueId

public uniqueId: pulumi.Output<string>;

The unique id of the service account.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource IAMBinding

class IAMBinding extends CustomResource

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the googleProjectIam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

gcp.serviceAccount.IAMPolicy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
gcp.serviceAccount.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
gcp.serviceAccount.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

Note: gcp.serviceAccount.IAMPolicy cannot be used in conjunction with gcp.serviceAccount.IAMBinding and gcp.serviceAccount.IAMMember or they will fight over what your policy should be.
Note: gcp.serviceAccount.IAMBinding resources can be used in conjunction with gcp.serviceAccount.IAMMember resources only if they do not grant privilege to the same role.

google_service_account_iam_policy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    binding: [{
        role: "roles/iam.serviceAccountUser",
        members: ["user:jane@example.com"],
    }],
});
const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that only Jane can interact with",
});
const adminAccountIam = new gcp.serviceAccount.IAMPolicy("admin-account-iam", {
    serviceAccountId: sa.name,
    policyData: admin.then(admin => admin.policyData),
});

google_service_account_iam_binding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that only Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMBinding("admin-account-iam", {
    serviceAccountId: sa.name,
    role: "roles/iam.serviceAccountUser",
    members: ["user:jane@example.com"],
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that only Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMBinding("admin-account-iam", {
    condition: {
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        title: "expiresAfter20191231",
    },
    members: ["user:jane@example.com"],
    role: "roles/iam.serviceAccountUser",
    serviceAccountId: sa.name,
});

google_service_account_iam_member

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const default = gcp.compute.getDefaultServiceAccount({});
const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMMember("admin-account-iam", {
    serviceAccountId: sa.name,
    role: "roles/iam.serviceAccountUser",
    member: "user:jane@example.com",
});
// Allow SA service account use the default GCE account
const gceDefaultAccountIam = new gcp.serviceAccount.IAMMember("gce-default-account-iam", {
    serviceAccountId: _default.then(_default => _default.name),
    role: "roles/iam.serviceAccountUser",
    member: pulumi.interpolate`serviceAccount:${sa.email}`,
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMMember("admin-account-iam", {
    condition: {
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        title: "expiresAfter20191231",
    },
    member: "user:jane@example.com",
    role: "roles/iam.serviceAccountUser",
    serviceAccountId: sa.name,
});

constructor

new IAMBinding(name: string, args: IAMBindingArgs, opts?: pulumi.CustomResourceOptions)

Create a IAMBinding resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMBindingState, opts?: pulumi.CustomResourceOptions): IAMBinding

Get an existing IAMBinding resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is IAMBinding

Returns true if the given object is an instance of IAMBinding. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property condition

public condition: pulumi.Output<IAMBindingCondition | undefined>;

) An IAM Condition for a given binding. Structure is documented below.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the service account IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property members

public members: pulumi.Output<string[]>;

property role

public role: pulumi.Output<string>;

The role that should be applied. Only one gcp.serviceAccount.IAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId

public serviceAccountId: pulumi.Output<string>;

The fully-qualified name of the service account to apply policy to.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource IAMMember

class IAMMember extends CustomResource

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

gcp.serviceAccount.IAMPolicy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
gcp.serviceAccount.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
gcp.serviceAccount.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

Note: gcp.serviceAccount.IAMPolicy cannot be used in conjunction with gcp.serviceAccount.IAMBinding and gcp.serviceAccount.IAMMember or they will fight over what your policy should be.
Note: gcp.serviceAccount.IAMBinding resources can be used in conjunction with gcp.serviceAccount.IAMMember resources only if they do not grant privilege to the same role.

google_service_account_iam_policy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    binding: [{
        role: "roles/iam.serviceAccountUser",
        members: ["user:jane@example.com"],
    }],
});
const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that only Jane can interact with",
});
const adminAccountIam = new gcp.serviceAccount.IAMPolicy("admin-account-iam", {
    serviceAccountId: sa.name,
    policyData: admin.then(admin => admin.policyData),
});

google_service_account_iam_binding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that only Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMBinding("admin-account-iam", {
    serviceAccountId: sa.name,
    role: "roles/iam.serviceAccountUser",
    members: ["user:jane@example.com"],
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that only Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMBinding("admin-account-iam", {
    condition: {
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        title: "expiresAfter20191231",
    },
    members: ["user:jane@example.com"],
    role: "roles/iam.serviceAccountUser",
    serviceAccountId: sa.name,
});

google_service_account_iam_member

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const default = gcp.compute.getDefaultServiceAccount({});
const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMMember("admin-account-iam", {
    serviceAccountId: sa.name,
    role: "roles/iam.serviceAccountUser",
    member: "user:jane@example.com",
});
// Allow SA service account use the default GCE account
const gceDefaultAccountIam = new gcp.serviceAccount.IAMMember("gce-default-account-iam", {
    serviceAccountId: _default.then(_default => _default.name),
    role: "roles/iam.serviceAccountUser",
    member: pulumi.interpolate`serviceAccount:${sa.email}`,
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMMember("admin-account-iam", {
    condition: {
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        title: "expiresAfter20191231",
    },
    member: "user:jane@example.com",
    role: "roles/iam.serviceAccountUser",
    serviceAccountId: sa.name,
});

constructor

new IAMMember(name: string, args: IAMMemberArgs, opts?: pulumi.CustomResourceOptions)

Create a IAMMember resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMMemberState, opts?: pulumi.CustomResourceOptions): IAMMember

Get an existing IAMMember resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is IAMMember

Returns true if the given object is an instance of IAMMember. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property condition

public condition: pulumi.Output<IAMMemberCondition | undefined>;

) An IAM Condition for a given binding. Structure is documented below.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the service account IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property member

public member: pulumi.Output<string>;

property role

public role: pulumi.Output<string>;

property serviceAccountId

public serviceAccountId: pulumi.Output<string>;

The fully-qualified name of the service account to apply policy to.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource IAMPolicy

class IAMPolicy extends CustomResource

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

gcp.serviceAccount.IAMPolicy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
gcp.serviceAccount.IAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
gcp.serviceAccount.IAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

Note: gcp.serviceAccount.IAMPolicy cannot be used in conjunction with gcp.serviceAccount.IAMBinding and gcp.serviceAccount.IAMMember or they will fight over what your policy should be.
Note: gcp.serviceAccount.IAMBinding resources can be used in conjunction with gcp.serviceAccount.IAMMember resources only if they do not grant privilege to the same role.

google_service_account_iam_policy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    binding: [{
        role: "roles/iam.serviceAccountUser",
        members: ["user:jane@example.com"],
    }],
});
const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that only Jane can interact with",
});
const adminAccountIam = new gcp.serviceAccount.IAMPolicy("admin-account-iam", {
    serviceAccountId: sa.name,
    policyData: admin.then(admin => admin.policyData),
});

google_service_account_iam_binding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that only Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMBinding("admin-account-iam", {
    serviceAccountId: sa.name,
    role: "roles/iam.serviceAccountUser",
    members: ["user:jane@example.com"],
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that only Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMBinding("admin-account-iam", {
    condition: {
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        title: "expiresAfter20191231",
    },
    members: ["user:jane@example.com"],
    role: "roles/iam.serviceAccountUser",
    serviceAccountId: sa.name,
});

google_service_account_iam_member

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const default = gcp.compute.getDefaultServiceAccount({});
const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMMember("admin-account-iam", {
    serviceAccountId: sa.name,
    role: "roles/iam.serviceAccountUser",
    member: "user:jane@example.com",
});
// Allow SA service account use the default GCE account
const gceDefaultAccountIam = new gcp.serviceAccount.IAMMember("gce-default-account-iam", {
    serviceAccountId: _default.then(_default => _default.name),
    role: "roles/iam.serviceAccountUser",
    member: pulumi.interpolate`serviceAccount:${sa.email}`,
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const sa = new gcp.serviceAccount.Account("sa", {
    accountId: "my-service-account",
    displayName: "A service account that Jane can use",
});
const adminAccountIam = new gcp.serviceAccount.IAMMember("admin-account-iam", {
    condition: {
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        title: "expiresAfter20191231",
    },
    member: "user:jane@example.com",
    role: "roles/iam.serviceAccountUser",
    serviceAccountId: sa.name,
});

constructor

new IAMPolicy(name: string, args: IAMPolicyArgs, opts?: pulumi.CustomResourceOptions)

Create a IAMPolicy resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMPolicyState, opts?: pulumi.CustomResourceOptions): IAMPolicy

Get an existing IAMPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is IAMPolicy

Returns true if the given object is an instance of IAMPolicy. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the service account IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property policyData

public policyData: pulumi.Output<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

property serviceAccountId

public serviceAccountId: pulumi.Output<string>;

The fully-qualified name of the service account to apply policy to.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource Key

class Key extends CustomResource

Creates and manages service account key-pairs, which allow the user to establish identity of a service account outside of GCP. For more information, see the official documentation and API.

Example Usage, creating a new Key Pair

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const myaccount = new gcp.serviceAccount.Account("myaccount", {
    accountId: "myaccount",
    displayName: "My Service Account",
});
const mykey = new gcp.serviceAccount.Key("mykey", {
    serviceAccountId: myaccount.name,
    publicKeyType: "TYPE_X509_PEM_FILE",
});

constructor

new Key(name: string, args: KeyArgs, opts?: pulumi.CustomResourceOptions)

Create a Key resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: KeyState, opts?: pulumi.CustomResourceOptions): Key

Get an existing Key resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Key

Returns true if the given object is an instance of Key. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyAlgorithm

public keyAlgorithm: pulumi.Output<string | undefined>;

The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)

property name

public name: pulumi.Output<string>;

The name used for this key pair

property privateKey

public privateKey: pulumi.Output<string>;

The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.

property privateKeyType

public privateKeyType: pulumi.Output<string | undefined>;

The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.

property publicKey

public publicKey: pulumi.Output<string>;

The public key, base64 encoded

property publicKeyType

public publicKeyType: pulumi.Output<string | undefined>;

The output format of the public key requested. X509_PEM is the default output format.

property serviceAccountId

public serviceAccountId: pulumi.Output<string>;

The Service account id of the Key Pair. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property validAfter

public validAfter: pulumi.Output<string>;

The key can be used after this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

property validBefore

public validBefore: pulumi.Output<string>;

The key can be used before this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

Functions

Function getAccount

getAccount(args: GetAccountArgs, opts?: pulumi.InvokeOptions): Promise<GetAccountResult>

Get the service account from a project. For more information see the official API documentation.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const objectViewer = pulumi.output(gcp.serviceAccount.getAccount({
    accountId: "object-viewer",
}, { async: true }));

Function getAccountAccessToken

getAccountAccessToken(args: GetAccountAccessTokenArgs, opts?: pulumi.InvokeOptions): Promise<GetAccountAccessTokenResult>

This data source provides a google oauth2 accessToken for a different service account than the one initially running the script.

For more information see the official documentation as well as iamcredentials.generateAccessToken()

Function getAccountKey

getAccountKey(args: GetAccountKeyArgs, opts?: pulumi.InvokeOptions): Promise<GetAccountKeyResult>

Get service account public key. For more information, see the official documentation and API.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const myaccount = new gcp.serviceAccount.Account("myaccount", {accountId: "dev-foo-account"});
const mykeyKey = new gcp.serviceAccount.Key("mykeyKey", {serviceAccountId: myaccount.name});
const mykeyAccountKey = mykeyKey.name.apply(name => gcp.serviceAccount.getAccountKey({
    name: name,
    publicKeyType: "TYPE_X509_PEM_FILE",
}));

Others

interface AccountArgs

interface AccountArgs

The set of arguments for constructing a Account resource.

property accountId

accountId: pulumi.Input<string>;

property description

description?: pulumi.Input<string>;

A text description of the service account. Must be less than or equal to 256 UTF-8 bytes.

property displayName

displayName?: pulumi.Input<string>;

The display name for the service account. Can be updated without creating a new resource.

property project

project?: pulumi.Input<string>;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

interface AccountState

interface AccountState

Input properties used for looking up and filtering Account resources.

property accountId

accountId?: pulumi.Input<string>;

property description

description?: pulumi.Input<string>;

A text description of the service account. Must be less than or equal to 256 UTF-8 bytes.

property displayName

displayName?: pulumi.Input<string>;

The display name for the service account. Can be updated without creating a new resource.

property email

email?: pulumi.Input<string>;

The e-mail address of the service account. This value should be referenced from any gcp.organizations.getIAMPolicy data sources that would grant the service account privileges.

property name

name?: pulumi.Input<string>;

The fully-qualified name of the service account.

property project

project?: pulumi.Input<string>;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

property uniqueId

uniqueId?: pulumi.Input<string>;

The unique id of the service account.

interface GetAccountAccessTokenArgs

interface GetAccountAccessTokenArgs

A collection of arguments for invoking getAccountAccessToken.

property delegates

delegates?: string[];

Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g. ["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"])

property lifetime

lifetime?: undefined | string;

Lifetime of the impersonated token (defaults to its max: 3600s).

property scopes

scopes: string[];

The scopes the new credential should have (e.g. ["storage-ro", "cloud-platform"])

property targetServiceAccount

targetServiceAccount: string;

The service account to impersonate (e.g. service_B@your-project-id.iam.gserviceaccount.com)

interface GetAccountAccessTokenResult

interface GetAccountAccessTokenResult

A collection of values returned by getAccountAccessToken.

property accessToken

accessToken: string;

The accessToken representing the new generated identity.

property delegates

delegates?: string[];

property id

id: string;

The provider-assigned unique ID for this managed resource.

property lifetime

lifetime?: undefined | string;

property scopes

scopes: string[];

property targetServiceAccount

targetServiceAccount: string;

interface GetAccountArgs

interface GetAccountArgs

A collection of arguments for invoking getAccount.

property accountId

accountId: string;

The Service account id. (This is the part of the service account’s email field that comes before the @ symbol.)

property project

project?: undefined | string;

The ID of the project that the service account is present in. Defaults to the provider project configuration.

interface GetAccountKeyArgs

interface GetAccountKeyArgs

A collection of arguments for invoking getAccountKey.

property name

name: string;

The name of the service account key. This must have format projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{KEYID}, where {ACCOUNT} is the email address or unique id of the service account.

property project

project?: undefined | string;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

property publicKeyType

publicKeyType?: undefined | string;

The output format of the public key requested. X509_PEM is the default output format.

interface GetAccountKeyResult

interface GetAccountKeyResult

A collection of values returned by getAccountKey.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property keyAlgorithm

keyAlgorithm: string;

property name

name: string;

property project

project?: undefined | string;

property publicKey

publicKey: string;

The public key, base64 encoded

property publicKeyType

publicKeyType?: undefined | string;

interface GetAccountResult

interface GetAccountResult

A collection of values returned by getAccount.

property accountId

accountId: string;

property displayName

displayName: string;

The display name for the service account.

property email

email: string;

The e-mail address of the service account. This value should be referenced from any gcp.organizations.getIAMPolicy data sources that would grant the service account privileges.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property name

name: string;

The fully-qualified name of the service account.

property project

project?: undefined | string;

property uniqueId

uniqueId: string;

The unique id of the service account.

interface IAMBindingArgs

interface IAMBindingArgs

The set of arguments for constructing a IAMBinding resource.

property condition

condition?: pulumi.Input<IAMBindingCondition>;

) An IAM Condition for a given binding. Structure is documented below.

property members

members: pulumi.Input<pulumi.Input<string>[]>;

property role

role: pulumi.Input<string>;

property serviceAccountId

serviceAccountId: pulumi.Input<string>;

The fully-qualified name of the service account to apply policy to.

interface IAMBindingState

interface IAMBindingState

Input properties used for looking up and filtering IAMBinding resources.

property condition

condition?: pulumi.Input<IAMBindingCondition>;

) An IAM Condition for a given binding. Structure is documented below.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the service account IAM policy.

property members

members?: pulumi.Input<pulumi.Input<string>[]>;

property role

role?: pulumi.Input<string>;

property serviceAccountId

serviceAccountId?: pulumi.Input<string>;

The fully-qualified name of the service account to apply policy to.

interface IAMMemberArgs

interface IAMMemberArgs

The set of arguments for constructing a IAMMember resource.

property condition

condition?: pulumi.Input<IAMMemberCondition>;

) An IAM Condition for a given binding. Structure is documented below.

property member

member: pulumi.Input<string>;

property role

role: pulumi.Input<string>;

property serviceAccountId

serviceAccountId: pulumi.Input<string>;

The fully-qualified name of the service account to apply policy to.

interface IAMMemberState

interface IAMMemberState

Input properties used for looking up and filtering IAMMember resources.

property condition

condition?: pulumi.Input<IAMMemberCondition>;

) An IAM Condition for a given binding. Structure is documented below.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the service account IAM policy.

property member

member?: pulumi.Input<string>;

property role

role?: pulumi.Input<string>;

property serviceAccountId

serviceAccountId?: pulumi.Input<string>;

The fully-qualified name of the service account to apply policy to.

interface IAMPolicyArgs

interface IAMPolicyArgs

The set of arguments for constructing a IAMPolicy resource.

property policyData

policyData: pulumi.Input<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

property serviceAccountId

serviceAccountId: pulumi.Input<string>;

The fully-qualified name of the service account to apply policy to.

interface IAMPolicyState

interface IAMPolicyState

Input properties used for looking up and filtering IAMPolicy resources.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the service account IAM policy.

property policyData

policyData?: pulumi.Input<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

property serviceAccountId

serviceAccountId?: pulumi.Input<string>;

The fully-qualified name of the service account to apply policy to.

interface KeyArgs

interface KeyArgs

The set of arguments for constructing a Key resource.

property keyAlgorithm

keyAlgorithm?: pulumi.Input<string>;

The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)

property privateKeyType

privateKeyType?: pulumi.Input<string>;

The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.

property publicKeyType

publicKeyType?: pulumi.Input<string>;

The output format of the public key requested. X509_PEM is the default output format.

property serviceAccountId

serviceAccountId: pulumi.Input<string>;

interface KeyState

interface KeyState

Input properties used for looking up and filtering Key resources.

property keyAlgorithm

keyAlgorithm?: pulumi.Input<string>;

The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)

property name

name?: pulumi.Input<string>;

The name used for this key pair

property privateKey

privateKey?: pulumi.Input<string>;

property privateKeyType

privateKeyType?: pulumi.Input<string>;

The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.

property publicKey

publicKey?: pulumi.Input<string>;

The public key, base64 encoded

property publicKeyType

publicKeyType?: pulumi.Input<string>;

The output format of the public key requested. X509_PEM is the default output format.

property serviceAccountId

serviceAccountId?: pulumi.Input<string>;

property validAfter

validAfter?: pulumi.Input<string>;

The key can be used after this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

property validBefore

validBefore?: pulumi.Input<string>;

The key can be used before this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud

Module serviceAccount

Resources

Functions

Others

Resources

Example Usage

google_service_account_iam_policy

google_service_account_iam_binding

google_service_account_iam_member

google_service_account_iam_policy

google_service_account_iam_binding

google_service_account_iam_member

google_service_account_iam_policy

google_service_account_iam_binding

google_service_account_iam_member

Example Usage, creating a new Key Pair

Functions

Example Usage

Example Usage

Others