Module serviceAccount
@pulumi/gcp > serviceAccount
Index
- class Account
- class IAMBinding
- class IAMMember
- class IAMPolicy
- class Key
- function getAccount
- function getAccountKey
- interface AccountArgs
- interface AccountState
- interface GetAccountArgs
- interface GetAccountKeyArgs
- interface GetAccountKeyResult
- interface GetAccountResult
- interface IAMBindingArgs
- interface IAMBindingState
- interface IAMMemberArgs
- interface IAMMemberState
- interface IAMPolicyArgs
- interface IAMPolicyState
- interface KeyArgs
- interface KeyState
serviceAccount/account.ts serviceAccount/getAccount.ts serviceAccount/getAccountKey.ts serviceAccount/iAMBinding.ts serviceAccount/iAMMember.ts serviceAccount/iAMPolicy.ts serviceAccount/key.ts
class Account
Allows management of a Google Cloud Platform service account
constructor
new Account(name: string, args: AccountArgs, opts?: pulumi.CustomResourceOptions)
Create a Account resource with the given unique name, arguments, and options.
nameThe unique name of the resource.argsThe arguments to use to populate this resource's properties.optsA bag of options that control this resource's behavior.
method get
public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AccountState): Account
Get an existing Account resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
static isInstance(obj: any): boolean
Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property accountId
public accountId: pulumi.Output<string>;
The service account ID. Changing this forces a new service account to be created.
property displayName
public displayName: pulumi.Output<string | undefined>;
The display name for the service account. Can be updated without creating a new resource.
property email
public email: pulumi.Output<string>;
The e-mail address of the service account. This value
should be referenced from any google_iam_policy data sources
that would grant the service account privileges.
property id
id: Output<ID>;
id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property name
public name: pulumi.Output<string>;
The fully-qualified name of the service account.
property policyData
public policyData: pulumi.Output<string | undefined>;
The google_iam_policy data source that represents
the IAM policy that will be applied to the service account. The policy will be
merged with any existing policy.
property project
public project: pulumi.Output<string>;
The ID of the project that the service account will be created in. Defaults to the provider project configuration.
property uniqueId
public uniqueId: pulumi.Output<string>;
The unique id of the service account.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
class IAMBinding
When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources.
Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:
google_service_account_iam_policy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.google_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.google_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.
~> Note: google_service_account_iam_policy cannot be used in conjunction with google_service_account_iam_binding and google_service_account_iam_member or they will fight over what your policy should be.
~> Note: google_service_account_iam_binding resources can be used in conjunction with google_service_account_iam_member resources only if they do not grant privilege to the same role.
constructor
new IAMBinding(name: string, args: IAMBindingArgs, opts?: pulumi.CustomResourceOptions)
Create a IAMBinding resource with the given unique name, arguments, and options.
nameThe unique name of the resource.argsThe arguments to use to populate this resource's properties.optsA bag of options that control this resource's behavior.
method get
public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMBindingState): IAMBinding
Get an existing IAMBinding resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
static isInstance(obj: any): boolean
Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property etag
public etag: pulumi.Output<string>;
(Computed) The etag of the service account IAM policy.
property id
id: Output<ID>;
id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property members
public members: pulumi.Output<string[]>;
property role
public role: pulumi.Output<string>;
The role that should be applied. Only one
google_service_account_iam_binding can be used per role. Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}.
property serviceAccountId
public serviceAccountId: pulumi.Output<string>;
The service account id to apply policy to.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
class IAMMember
When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources.
Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:
google_service_account_iam_policy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.google_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.google_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.
~> Note: google_service_account_iam_policy cannot be used in conjunction with google_service_account_iam_binding and google_service_account_iam_member or they will fight over what your policy should be.
~> Note: google_service_account_iam_binding resources can be used in conjunction with google_service_account_iam_member resources only if they do not grant privilege to the same role.
constructor
new IAMMember(name: string, args: IAMMemberArgs, opts?: pulumi.CustomResourceOptions)
Create a IAMMember resource with the given unique name, arguments, and options.
nameThe unique name of the resource.argsThe arguments to use to populate this resource's properties.optsA bag of options that control this resource's behavior.
method get
public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMMemberState): IAMMember
Get an existing IAMMember resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
static isInstance(obj: any): boolean
Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property etag
public etag: pulumi.Output<string>;
(Computed) The etag of the service account IAM policy.
property id
id: Output<ID>;
id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property member
public member: pulumi.Output<string>;
property role
public role: pulumi.Output<string>;
The role that should be applied. Only one
google_service_account_iam_binding can be used per role. Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}.
property serviceAccountId
public serviceAccountId: pulumi.Output<string>;
The service account id to apply policy to.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
class IAMPolicy
When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources.
Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:
google_service_account_iam_policy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.google_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.google_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.
~> Note: google_service_account_iam_policy cannot be used in conjunction with google_service_account_iam_binding and google_service_account_iam_member or they will fight over what your policy should be.
~> Note: google_service_account_iam_binding resources can be used in conjunction with google_service_account_iam_member resources only if they do not grant privilege to the same role.
constructor
new IAMPolicy(name: string, args: IAMPolicyArgs, opts?: pulumi.CustomResourceOptions)
Create a IAMPolicy resource with the given unique name, arguments, and options.
nameThe unique name of the resource.argsThe arguments to use to populate this resource's properties.optsA bag of options that control this resource's behavior.
method get
public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMPolicyState): IAMPolicy
Get an existing IAMPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
static isInstance(obj: any): boolean
Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property etag
public etag: pulumi.Output<string>;
(Computed) The etag of the service account IAM policy.
property id
id: Output<ID>;
id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property policyData
public policyData: pulumi.Output<string>;
The policy data generated by
a google_iam_policy data source.
property serviceAccountId
public serviceAccountId: pulumi.Output<string>;
The service account id to apply policy to.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
class Key
Creates and manages service account key-pairs, which allow the user to establish identity of a service account outside of GCP. For more information, see the official documentation and API.
constructor
new Key(name: string, args: KeyArgs, opts?: pulumi.CustomResourceOptions)
Create a Key resource with the given unique name, arguments, and options.
nameThe unique name of the resource.argsThe arguments to use to populate this resource's properties.optsA bag of options that control this resource's behavior.
method get
public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: KeyState): Key
Get an existing Key resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
static isInstance(obj: any): boolean
Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property id
id: Output<ID>;
id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property keyAlgorithm
public keyAlgorithm: pulumi.Output<string | undefined>;
The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
property name
public name: pulumi.Output<string>;
The name used for this key pair
property pgpKey
public pgpKey: pulumi.Output<string | undefined>;
An optional PGP key to encrypt the resulting private
key material. Only used when creating or importing a new key pair. May either be
a base64-encoded public key or a keybase:keybaseusername string for looking up
in Vault.
property privateKey
public privateKey: pulumi.Output<string>;
The private key in JSON format, base64 encoded. This is what you normally get as a file when creating
service account keys through the CLI or web console. This is only populated when creating a new key, and when no
pgp_key is provided.
property privateKeyEncrypted
public privateKeyEncrypted: pulumi.Output<string>;
The private key material, base 64 encoded and
encrypted with the given pgp_key. This is only populated when creating a new
key and pgp_key is supplied
property privateKeyFingerprint
public privateKeyFingerprint: pulumi.Output<string>;
The MD5 public key fingerprint for the encrypted
private key. This is only populated when creating a new key and pgp_key is supplied
property privateKeyType
public privateKeyType: pulumi.Output<string | undefined>;
The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
property publicKey
public publicKey: pulumi.Output<string>;
The public key, base64 encoded
property publicKeyType
public publicKeyType: pulumi.Output<string | undefined>;
The output format of the public key requested. X509_PEM is the default output format.
property serviceAccountId
public serviceAccountId: pulumi.Output<string>;
The Service account id of the Key Pair. This can be a string in the format
{ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or
unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
property validAfter
public validAfter: pulumi.Output<string>;
The key can be used after this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.
property validBefore
public validBefore: pulumi.Output<string>;
The key can be used before this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.
function getAccount
getAccount(args: GetAccountArgs, opts?: pulumi.InvokeOptions): Promise<GetAccountResult>
Get the service account from a project. For more information see the official API documentation.
function getAccountKey
getAccountKey(args: GetAccountKeyArgs, opts?: pulumi.InvokeOptions): Promise<GetAccountKeyResult>
Get service account public key. For more information, see the official documentation and API.
interface AccountArgs
The set of arguments for constructing a Account resource.
property accountId
accountId: pulumi.Input<string>;
The service account ID. Changing this forces a new service account to be created.
property displayName
displayName?: pulumi.Input<string>;
The display name for the service account. Can be updated without creating a new resource.
property policyData
policyData?: pulumi.Input<string>;
The google_iam_policy data source that represents
the IAM policy that will be applied to the service account. The policy will be
merged with any existing policy.
property project
project?: pulumi.Input<string>;
The ID of the project that the service account will be created in. Defaults to the provider project configuration.
interface AccountState
Input properties used for looking up and filtering Account resources.
property accountId
accountId?: pulumi.Input<string>;
The service account ID. Changing this forces a new service account to be created.
property displayName
displayName?: pulumi.Input<string>;
The display name for the service account. Can be updated without creating a new resource.
property email
email?: pulumi.Input<string>;
The e-mail address of the service account. This value
should be referenced from any google_iam_policy data sources
that would grant the service account privileges.
property name
name?: pulumi.Input<string>;
The fully-qualified name of the service account.
property policyData
policyData?: pulumi.Input<string>;
The google_iam_policy data source that represents
the IAM policy that will be applied to the service account. The policy will be
merged with any existing policy.
property project
project?: pulumi.Input<string>;
The ID of the project that the service account will be created in. Defaults to the provider project configuration.
property uniqueId
uniqueId?: pulumi.Input<string>;
The unique id of the service account.
interface GetAccountArgs
A collection of arguments for invoking getAccount.
property accountId
accountId: string;
The Service account id.
property project
project?: string;
The ID of the project that the service account will be created in. Defaults to the provider project configuration.
interface GetAccountKeyArgs
A collection of arguments for invoking getAccountKey.
property project
project?: string;
The ID of the project that the service account will be created in. Defaults to the provider project configuration.
property publicKeyType
publicKeyType?: string;
The output format of the public key requested. X509_PEM is the default output format.
property serviceAccountId
serviceAccountId: string;
The Service account id of the Key Pair. This can be a string in the format
{ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or
unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.
interface GetAccountKeyResult
A collection of values returned by getAccountKey.
property id
id: string;
id is the provider-assigned unique ID for this managed resource.
property keyAlgorithm
keyAlgorithm: string;
property name
name: string;
The name used for this key pair
property publicKey
publicKey: string;
The public key, base64 encoded
interface GetAccountResult
A collection of values returned by getAccount.
property displayName
displayName: string;
The display name for the service account.
property email
email: string;
The e-mail address of the service account. This value
should be referenced from any google_iam_policy data sources
that would grant the service account privileges.
property id
id: string;
id is the provider-assigned unique ID for this managed resource.
property name
name: string;
The fully-qualified name of the service account.
property uniqueId
uniqueId: string;
The unique id of the service account.
interface IAMBindingArgs
The set of arguments for constructing a IAMBinding resource.
property members
members: pulumi.Input<pulumi.Input<string>[]>;
property role
role: pulumi.Input<string>;
The role that should be applied. Only one
google_service_account_iam_binding can be used per role. Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}.
property serviceAccountId
serviceAccountId: pulumi.Input<string>;
The service account id to apply policy to.
interface IAMBindingState
Input properties used for looking up and filtering IAMBinding resources.
property etag
etag?: pulumi.Input<string>;
(Computed) The etag of the service account IAM policy.
property members
members?: pulumi.Input<pulumi.Input<string>[]>;
property role
role?: pulumi.Input<string>;
The role that should be applied. Only one
google_service_account_iam_binding can be used per role. Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}.
property serviceAccountId
serviceAccountId?: pulumi.Input<string>;
The service account id to apply policy to.
interface IAMMemberArgs
The set of arguments for constructing a IAMMember resource.
property member
member: pulumi.Input<string>;
property role
role: pulumi.Input<string>;
The role that should be applied. Only one
google_service_account_iam_binding can be used per role. Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}.
property serviceAccountId
serviceAccountId: pulumi.Input<string>;
The service account id to apply policy to.
interface IAMMemberState
Input properties used for looking up and filtering IAMMember resources.
property etag
etag?: pulumi.Input<string>;
(Computed) The etag of the service account IAM policy.
property member
member?: pulumi.Input<string>;
property role
role?: pulumi.Input<string>;
The role that should be applied. Only one
google_service_account_iam_binding can be used per role. Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}.
property serviceAccountId
serviceAccountId?: pulumi.Input<string>;
The service account id to apply policy to.
interface IAMPolicyArgs
The set of arguments for constructing a IAMPolicy resource.
property policyData
policyData: pulumi.Input<string>;
The policy data generated by
a google_iam_policy data source.
property serviceAccountId
serviceAccountId: pulumi.Input<string>;
The service account id to apply policy to.
interface IAMPolicyState
Input properties used for looking up and filtering IAMPolicy resources.
property etag
etag?: pulumi.Input<string>;
(Computed) The etag of the service account IAM policy.
property policyData
policyData?: pulumi.Input<string>;
The policy data generated by
a google_iam_policy data source.
property serviceAccountId
serviceAccountId?: pulumi.Input<string>;
The service account id to apply policy to.
interface KeyArgs
The set of arguments for constructing a Key resource.
property keyAlgorithm
keyAlgorithm?: pulumi.Input<string>;
The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
property pgpKey
pgpKey?: pulumi.Input<string>;
An optional PGP key to encrypt the resulting private
key material. Only used when creating or importing a new key pair. May either be
a base64-encoded public key or a keybase:keybaseusername string for looking up
in Vault.
property privateKeyType
privateKeyType?: pulumi.Input<string>;
The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
property publicKeyType
publicKeyType?: pulumi.Input<string>;
The output format of the public key requested. X509_PEM is the default output format.
property serviceAccountId
serviceAccountId: pulumi.Input<string>;
The Service account id of the Key Pair. This can be a string in the format
{ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or
unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.
interface KeyState
Input properties used for looking up and filtering Key resources.
property keyAlgorithm
keyAlgorithm?: pulumi.Input<string>;
The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
property name
name?: pulumi.Input<string>;
The name used for this key pair
property pgpKey
pgpKey?: pulumi.Input<string>;
An optional PGP key to encrypt the resulting private
key material. Only used when creating or importing a new key pair. May either be
a base64-encoded public key or a keybase:keybaseusername string for looking up
in Vault.
property privateKey
privateKey?: pulumi.Input<string>;
The private key in JSON format, base64 encoded. This is what you normally get as a file when creating
service account keys through the CLI or web console. This is only populated when creating a new key, and when no
pgp_key is provided.
property privateKeyEncrypted
privateKeyEncrypted?: pulumi.Input<string>;
The private key material, base 64 encoded and
encrypted with the given pgp_key. This is only populated when creating a new
key and pgp_key is supplied
property privateKeyFingerprint
privateKeyFingerprint?: pulumi.Input<string>;
The MD5 public key fingerprint for the encrypted
private key. This is only populated when creating a new key and pgp_key is supplied
property privateKeyType
privateKeyType?: pulumi.Input<string>;
The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
property publicKey
publicKey?: pulumi.Input<string>;
The public key, base64 encoded
property publicKeyType
publicKeyType?: pulumi.Input<string>;
The output format of the public key requested. X509_PEM is the default output format.
property serviceAccountId
serviceAccountId?: pulumi.Input<string>;
The Service account id of the Key Pair. This can be a string in the format
{ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or
unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.
property validAfter
validAfter?: pulumi.Input<string>;
The key can be used after this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.
property validBefore
validBefore?: pulumi.Input<string>;
The key can be used before this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.