Fork me on GitHub

Module serviceAccount

@pulumi/gcp > serviceAccount

Index

serviceAccount/account.ts serviceAccount/getAccount.ts serviceAccount/getAccountKey.ts serviceAccount/iAMBinding.ts serviceAccount/iAMMember.ts serviceAccount/iAMPolicy.ts serviceAccount/key.ts

class Account

Allows management of a Google Cloud Platform service account

constructor

new Account(name: string, args: AccountArgs, opts?: pulumi.CustomResourceOptions)

Create a Account resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AccountState): Account

Get an existing Account resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accountId

public accountId: pulumi.Output<string>;

The service account ID. Changing this forces a new service account to be created.

property displayName

public displayName: pulumi.Output<string | undefined>;

The display name for the service account. Can be updated without creating a new resource.

property email

public email: pulumi.Output<string>;

The e-mail address of the service account. This value should be referenced from any google_iam_policy data sources that would grant the service account privileges.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The fully-qualified name of the service account.

property policyData

public policyData: pulumi.Output<string | undefined>;

The google_iam_policy data source that represents the IAM policy that will be applied to the service account. The policy will be merged with any existing policy.

property project

public project: pulumi.Output<string>;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

property uniqueId

public uniqueId: pulumi.Output<string>;

The unique id of the service account.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class IAMBinding

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

  • google_service_account_iam_policy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
  • google_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
  • google_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

~> Note: google_service_account_iam_policy cannot be used in conjunction with google_service_account_iam_binding and google_service_account_iam_member or they will fight over what your policy should be.

~> Note: google_service_account_iam_binding resources can be used in conjunction with google_service_account_iam_member resources only if they do not grant privilege to the same role.

constructor

new IAMBinding(name: string, args: IAMBindingArgs, opts?: pulumi.CustomResourceOptions)

Create a IAMBinding resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMBindingState): IAMBinding

Get an existing IAMBinding resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the service account IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property members

public members: pulumi.Output<string[]>;

property role

public role: pulumi.Output<string>;

The role that should be applied. Only one google_service_account_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId

public serviceAccountId: pulumi.Output<string>;

The service account id to apply policy to.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class IAMMember

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

  • google_service_account_iam_policy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
  • google_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
  • google_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

~> Note: google_service_account_iam_policy cannot be used in conjunction with google_service_account_iam_binding and google_service_account_iam_member or they will fight over what your policy should be.

~> Note: google_service_account_iam_binding resources can be used in conjunction with google_service_account_iam_member resources only if they do not grant privilege to the same role.

constructor

new IAMMember(name: string, args: IAMMemberArgs, opts?: pulumi.CustomResourceOptions)

Create a IAMMember resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMMemberState): IAMMember

Get an existing IAMMember resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the service account IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property member

public member: pulumi.Output<string>;

property role

public role: pulumi.Output<string>;

The role that should be applied. Only one google_service_account_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId

public serviceAccountId: pulumi.Output<string>;

The service account id to apply policy to.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class IAMPolicy

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

  • google_service_account_iam_policy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
  • google_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
  • google_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

~> Note: google_service_account_iam_policy cannot be used in conjunction with google_service_account_iam_binding and google_service_account_iam_member or they will fight over what your policy should be.

~> Note: google_service_account_iam_binding resources can be used in conjunction with google_service_account_iam_member resources only if they do not grant privilege to the same role.

constructor

new IAMPolicy(name: string, args: IAMPolicyArgs, opts?: pulumi.CustomResourceOptions)

Create a IAMPolicy resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMPolicyState): IAMPolicy

Get an existing IAMPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the service account IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property policyData

public policyData: pulumi.Output<string>;

The policy data generated by a google_iam_policy data source.

property serviceAccountId

public serviceAccountId: pulumi.Output<string>;

The service account id to apply policy to.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class Key

Creates and manages service account key-pairs, which allow the user to establish identity of a service account outside of GCP. For more information, see the official documentation and API.

constructor

new Key(name: string, args: KeyArgs, opts?: pulumi.CustomResourceOptions)

Create a Key resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: KeyState): Key

Get an existing Key resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyAlgorithm

public keyAlgorithm: pulumi.Output<string | undefined>;

The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)

property name

public name: pulumi.Output<string>;

The name used for this key pair

property pgpKey

public pgpKey: pulumi.Output<string | undefined>;

An optional PGP key to encrypt the resulting private key material. Only used when creating or importing a new key pair. May either be a base64-encoded public key or a keybase:keybaseusername string for looking up in Vault.

property privateKey

public privateKey: pulumi.Output<string>;

The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key, and when no pgp_key is provided.

property privateKeyEncrypted

public privateKeyEncrypted: pulumi.Output<string>;

The private key material, base 64 encoded and encrypted with the given pgp_key. This is only populated when creating a new key and pgp_key is supplied

property privateKeyFingerprint

public privateKeyFingerprint: pulumi.Output<string>;

The MD5 public key fingerprint for the encrypted private key. This is only populated when creating a new key and pgp_key is supplied

property privateKeyType

public privateKeyType: pulumi.Output<string | undefined>;

The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.

property publicKey

public publicKey: pulumi.Output<string>;

The public key, base64 encoded

property publicKeyType

public publicKeyType: pulumi.Output<string | undefined>;

The output format of the public key requested. X509_PEM is the default output format.

property serviceAccountId

public serviceAccountId: pulumi.Output<string>;

The Service account id of the Key Pair. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property validAfter

public validAfter: pulumi.Output<string>;

The key can be used after this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

property validBefore

public validBefore: pulumi.Output<string>;

The key can be used before this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

function getAccount

getAccount(args: GetAccountArgs, opts?: pulumi.InvokeOptions): Promise<GetAccountResult>

Get the service account from a project. For more information see the official API documentation.

function getAccountKey

getAccountKey(args?: GetAccountKeyArgs, opts?: pulumi.InvokeOptions): Promise<GetAccountKeyResult>

Get service account public key. For more information, see the official documentation and API.

interface AccountArgs

The set of arguments for constructing a Account resource.

property accountId

accountId: pulumi.Input<string>;

The service account ID. Changing this forces a new service account to be created.

property displayName

displayName?: pulumi.Input<string>;

The display name for the service account. Can be updated without creating a new resource.

property policyData

policyData?: pulumi.Input<string>;

The google_iam_policy data source that represents the IAM policy that will be applied to the service account. The policy will be merged with any existing policy.

property project

project?: pulumi.Input<string>;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

interface AccountState

Input properties used for looking up and filtering Account resources.

property accountId

accountId?: pulumi.Input<string>;

The service account ID. Changing this forces a new service account to be created.

property displayName

displayName?: pulumi.Input<string>;

The display name for the service account. Can be updated without creating a new resource.

property email

email?: pulumi.Input<string>;

The e-mail address of the service account. This value should be referenced from any google_iam_policy data sources that would grant the service account privileges.

property name

name?: pulumi.Input<string>;

The fully-qualified name of the service account.

property policyData

policyData?: pulumi.Input<string>;

The google_iam_policy data source that represents the IAM policy that will be applied to the service account. The policy will be merged with any existing policy.

property project

project?: pulumi.Input<string>;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

property uniqueId

uniqueId?: pulumi.Input<string>;

The unique id of the service account.

interface GetAccountArgs

A collection of arguments for invoking getAccount.

property accountId

accountId: string;

The Service account id.

property project

project?: string;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

interface GetAccountKeyArgs

A collection of arguments for invoking getAccountKey.

property name

name?: string;

The name of the service account key. This must have format projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{KEYID}, where {ACCOUNT} is the email address or unique id of the service account.

property project

project?: string;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

property publicKeyType

publicKeyType?: string;

The output format of the public key requested. X509_PEM is the default output format.

property serviceAccountId

serviceAccountId?: string;

interface GetAccountKeyResult

A collection of values returned by getAccountKey.

property id

id: string;

id is the provider-assigned unique ID for this managed resource.

property keyAlgorithm

keyAlgorithm: string;

property name

name: string;

property publicKey

publicKey: string;

The public key, base64 encoded

interface GetAccountResult

A collection of values returned by getAccount.

property displayName

displayName: string;

The display name for the service account.

property email

email: string;

The e-mail address of the service account. This value should be referenced from any google_iam_policy data sources that would grant the service account privileges.

property id

id: string;

id is the provider-assigned unique ID for this managed resource.

property name

name: string;

The fully-qualified name of the service account.

property uniqueId

uniqueId: string;

The unique id of the service account.

interface IAMBindingArgs

The set of arguments for constructing a IAMBinding resource.

property members

members: pulumi.Input<pulumi.Input<string>[]>;

property role

role: pulumi.Input<string>;

The role that should be applied. Only one google_service_account_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId

serviceAccountId: pulumi.Input<string>;

The service account id to apply policy to.

interface IAMBindingState

Input properties used for looking up and filtering IAMBinding resources.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the service account IAM policy.

property members

members?: pulumi.Input<pulumi.Input<string>[]>;

property role

role?: pulumi.Input<string>;

The role that should be applied. Only one google_service_account_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId

serviceAccountId?: pulumi.Input<string>;

The service account id to apply policy to.

interface IAMMemberArgs

The set of arguments for constructing a IAMMember resource.

property member

member: pulumi.Input<string>;

property role

role: pulumi.Input<string>;

The role that should be applied. Only one google_service_account_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId

serviceAccountId: pulumi.Input<string>;

The service account id to apply policy to.

interface IAMMemberState

Input properties used for looking up and filtering IAMMember resources.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the service account IAM policy.

property member

member?: pulumi.Input<string>;

property role

role?: pulumi.Input<string>;

The role that should be applied. Only one google_service_account_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId

serviceAccountId?: pulumi.Input<string>;

The service account id to apply policy to.

interface IAMPolicyArgs

The set of arguments for constructing a IAMPolicy resource.

property policyData

policyData: pulumi.Input<string>;

The policy data generated by a google_iam_policy data source.

property serviceAccountId

serviceAccountId: pulumi.Input<string>;

The service account id to apply policy to.

interface IAMPolicyState

Input properties used for looking up and filtering IAMPolicy resources.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the service account IAM policy.

property policyData

policyData?: pulumi.Input<string>;

The policy data generated by a google_iam_policy data source.

property serviceAccountId

serviceAccountId?: pulumi.Input<string>;

The service account id to apply policy to.

interface KeyArgs

The set of arguments for constructing a Key resource.

property keyAlgorithm

keyAlgorithm?: pulumi.Input<string>;

The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)

property pgpKey

pgpKey?: pulumi.Input<string>;

An optional PGP key to encrypt the resulting private key material. Only used when creating or importing a new key pair. May either be a base64-encoded public key or a keybase:keybaseusername string for looking up in Vault.

property privateKeyType

privateKeyType?: pulumi.Input<string>;

The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.

property publicKeyType

publicKeyType?: pulumi.Input<string>;

The output format of the public key requested. X509_PEM is the default output format.

property serviceAccountId

serviceAccountId: pulumi.Input<string>;

The Service account id of the Key Pair. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.

interface KeyState

Input properties used for looking up and filtering Key resources.

property keyAlgorithm

keyAlgorithm?: pulumi.Input<string>;

The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)

property name

name?: pulumi.Input<string>;

The name used for this key pair

property pgpKey

pgpKey?: pulumi.Input<string>;

An optional PGP key to encrypt the resulting private key material. Only used when creating or importing a new key pair. May either be a base64-encoded public key or a keybase:keybaseusername string for looking up in Vault.

property privateKey

privateKey?: pulumi.Input<string>;

The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key, and when no pgp_key is provided.

property privateKeyEncrypted

privateKeyEncrypted?: pulumi.Input<string>;

The private key material, base 64 encoded and encrypted with the given pgp_key. This is only populated when creating a new key and pgp_key is supplied

property privateKeyFingerprint

privateKeyFingerprint?: pulumi.Input<string>;

The MD5 public key fingerprint for the encrypted private key. This is only populated when creating a new key and pgp_key is supplied

property privateKeyType

privateKeyType?: pulumi.Input<string>;

The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.

property publicKey

publicKey?: pulumi.Input<string>;

The public key, base64 encoded

property publicKeyType

publicKeyType?: pulumi.Input<string>;

The output format of the public key requested. X509_PEM is the default output format.

property serviceAccountId

serviceAccountId?: pulumi.Input<string>;

The Service account id of the Key Pair. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.

property validAfter

validAfter?: pulumi.Input<string>;

The key can be used after this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

property validBefore

validBefore?: pulumi.Input<string>;

The key can be used before this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.