Edit This Page

Module serviceAccount

@pulumi/gcp > serviceAccount

Index

serviceAccount/account.ts serviceAccount/getAccount.ts serviceAccount/getAccountKey.ts serviceAccount/iAMBinding.ts serviceAccount/iAMMember.ts serviceAccount/iAMPolicy.ts serviceAccount/key.ts

class Account

Allows management of a Google Cloud Platform service account

constructor 

new Account(name: string, args: AccountArgs, opts?: pulumi.CustomResourceOptions)

Create a Account resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get 

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AccountState): Account

Get an existing Account resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider 

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance 

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accountId 

public accountId: pulumi.Output<string>;

The service account ID. Changing this forces a new service account to be created.

property displayName 

public displayName: pulumi.Output<string | undefined>;

The display name for the service account. Can be updated without creating a new resource.

property email 

public email: pulumi.Output<string>;

The e-mail address of the service account. This value should be referenced from any google_iam_policy data sources that would grant the service account privileges.

property id 

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name 

public name: pulumi.Output<string>;

The fully-qualified name of the service account.

property policyData 

public policyData: pulumi.Output<string | undefined>;

The google_iam_policy data source that represents the IAM policy that will be applied to the service account. The policy will be merged with any existing policy.

property project 

public project: pulumi.Output<string>;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

property uniqueId 

public uniqueId: pulumi.Output<string>;

The unique id of the service account.

property urn 

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class IAMBinding

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

  • google_service_account_iam_policy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
  • google_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
  • google_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

~> Note: google_service_account_iam_policy cannot be used in conjunction with google_service_account_iam_binding and google_service_account_iam_member or they will fight over what your policy should be.

~> Note: google_service_account_iam_binding resources can be used in conjunction with google_service_account_iam_member resources only if they do not grant privilege to the same role.

constructor 

new IAMBinding(name: string, args: IAMBindingArgs, opts?: pulumi.CustomResourceOptions)

Create a IAMBinding resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get 

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMBindingState): IAMBinding

Get an existing IAMBinding resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider 

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance 

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property etag 

public etag: pulumi.Output<string>;

(Computed) The etag of the service account IAM policy.

property id 

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property members 

public members: pulumi.Output<string[]>;

property role 

public role: pulumi.Output<string>;

The role that should be applied. Only one google_service_account_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId 

public serviceAccountId: pulumi.Output<string>;

The service account id to apply policy to.

property urn 

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class IAMMember

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

  • google_service_account_iam_policy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
  • google_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
  • google_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

~> Note: google_service_account_iam_policy cannot be used in conjunction with google_service_account_iam_binding and google_service_account_iam_member or they will fight over what your policy should be.

~> Note: google_service_account_iam_binding resources can be used in conjunction with google_service_account_iam_member resources only if they do not grant privilege to the same role.

constructor 

new IAMMember(name: string, args: IAMMemberArgs, opts?: pulumi.CustomResourceOptions)

Create a IAMMember resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get 

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMMemberState): IAMMember

Get an existing IAMMember resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider 

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance 

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property etag 

public etag: pulumi.Output<string>;

(Computed) The etag of the service account IAM policy.

property id 

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property member 

public member: pulumi.Output<string>;

property role 

public role: pulumi.Output<string>;

The role that should be applied. Only one google_service_account_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId 

public serviceAccountId: pulumi.Output<string>;

The service account id to apply policy to.

property urn 

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class IAMPolicy

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

  • google_service_account_iam_policy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
  • google_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
  • google_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

~> Note: google_service_account_iam_policy cannot be used in conjunction with google_service_account_iam_binding and google_service_account_iam_member or they will fight over what your policy should be.

~> Note: google_service_account_iam_binding resources can be used in conjunction with google_service_account_iam_member resources only if they do not grant privilege to the same role.

constructor 

new IAMPolicy(name: string, args: IAMPolicyArgs, opts?: pulumi.CustomResourceOptions)

Create a IAMPolicy resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get 

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IAMPolicyState): IAMPolicy

Get an existing IAMPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider 

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance 

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property etag 

public etag: pulumi.Output<string>;

(Computed) The etag of the service account IAM policy.

property id 

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property policyData 

public policyData: pulumi.Output<string>;

The policy data generated by a google_iam_policy data source.

property serviceAccountId 

public serviceAccountId: pulumi.Output<string>;

The service account id to apply policy to.

property urn 

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class Key

Creates and manages service account key-pairs, which allow the user to establish identity of a service account outside of GCP. For more information, see the official documentation and API.

constructor 

new Key(name: string, args: KeyArgs, opts?: pulumi.CustomResourceOptions)

Create a Key resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get 

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: KeyState): Key

Get an existing Key resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider 

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance 

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id 

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyAlgorithm 

public keyAlgorithm: pulumi.Output<string | undefined>;

The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)

property name 

public name: pulumi.Output<string>;

The name used for this key pair

property pgpKey 

public pgpKey: pulumi.Output<string | undefined>;

An optional PGP key to encrypt the resulting private key material. Only used when creating or importing a new key pair. May either be a base64-encoded public key or a keybase:keybaseusername string for looking up in Vault.

property privateKey 

public privateKey: pulumi.Output<string>;

The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key, and when no pgp_key is provided.

property privateKeyEncrypted 

public privateKeyEncrypted: pulumi.Output<string>;

The private key material, base 64 encoded and encrypted with the given pgp_key. This is only populated when creating a new key and pgp_key is supplied

property privateKeyFingerprint 

public privateKeyFingerprint: pulumi.Output<string>;

The MD5 public key fingerprint for the encrypted private key. This is only populated when creating a new key and pgp_key is supplied

property privateKeyType 

public privateKeyType: pulumi.Output<string | undefined>;

The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.

property publicKey 

public publicKey: pulumi.Output<string>;

The public key, base64 encoded

property publicKeyType 

public publicKeyType: pulumi.Output<string | undefined>;

The output format of the public key requested. X509_PEM is the default output format.

property serviceAccountId 

public serviceAccountId: pulumi.Output<string>;

The Service account id of the Key Pair. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.

property urn 

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property validAfter 

public validAfter: pulumi.Output<string>;

The key can be used after this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

property validBefore 

public validBefore: pulumi.Output<string>;

The key can be used before this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

function getAccount 

getAccount(args: GetAccountArgs, opts?: pulumi.InvokeOptions): Promise<GetAccountResult>

Get the service account from a project. For more information see the official API documentation.

function getAccountKey 

getAccountKey(args?: GetAccountKeyArgs, opts?: pulumi.InvokeOptions): Promise<GetAccountKeyResult>

Get service account public key. For more information, see the official documentation and API.

interface AccountArgs

The set of arguments for constructing a Account resource.

property accountId 

accountId: pulumi.Input<string>;

The service account ID. Changing this forces a new service account to be created.

property displayName 

displayName?: pulumi.Input<string>;

The display name for the service account. Can be updated without creating a new resource.

property policyData 

policyData?: pulumi.Input<string>;

The google_iam_policy data source that represents the IAM policy that will be applied to the service account. The policy will be merged with any existing policy.

property project 

project?: pulumi.Input<string>;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

interface AccountState

Input properties used for looking up and filtering Account resources.

property accountId 

accountId?: pulumi.Input<string>;

The service account ID. Changing this forces a new service account to be created.

property displayName 

displayName?: pulumi.Input<string>;

The display name for the service account. Can be updated without creating a new resource.

property email 

email?: pulumi.Input<string>;

The e-mail address of the service account. This value should be referenced from any google_iam_policy data sources that would grant the service account privileges.

property name 

name?: pulumi.Input<string>;

The fully-qualified name of the service account.

property policyData 

policyData?: pulumi.Input<string>;

The google_iam_policy data source that represents the IAM policy that will be applied to the service account. The policy will be merged with any existing policy.

property project 

project?: pulumi.Input<string>;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

property uniqueId 

uniqueId?: pulumi.Input<string>;

The unique id of the service account.

interface GetAccountArgs

A collection of arguments for invoking getAccount.

property accountId 

accountId: string;

The Service account id.

property project 

project?: string;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

interface GetAccountKeyArgs

A collection of arguments for invoking getAccountKey.

property name 

name?: string;

The name of the service account key. This must have format projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{KEYID}, where {ACCOUNT} is the email address or unique id of the service account.

property project 

project?: string;

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

property publicKeyType 

publicKeyType?: string;

The output format of the public key requested. X509_PEM is the default output format.

property serviceAccountId 

serviceAccountId?: string;

interface GetAccountKeyResult

A collection of values returned by getAccountKey.

property id 

id: string;

id is the provider-assigned unique ID for this managed resource.

property keyAlgorithm 

keyAlgorithm: string;

property name 

name: string;

property publicKey 

publicKey: string;

The public key, base64 encoded

interface GetAccountResult

A collection of values returned by getAccount.

property displayName 

displayName: string;

The display name for the service account.

property email 

email: string;

The e-mail address of the service account. This value should be referenced from any google_iam_policy data sources that would grant the service account privileges.

property id 

id: string;

id is the provider-assigned unique ID for this managed resource.

property name 

name: string;

The fully-qualified name of the service account.

property uniqueId 

uniqueId: string;

The unique id of the service account.

interface IAMBindingArgs

The set of arguments for constructing a IAMBinding resource.

property members 

members: pulumi.Input<pulumi.Input<string>[]>;

property role 

role: pulumi.Input<string>;

The role that should be applied. Only one google_service_account_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId 

serviceAccountId: pulumi.Input<string>;

The service account id to apply policy to.

interface IAMBindingState

Input properties used for looking up and filtering IAMBinding resources.

property etag 

etag?: pulumi.Input<string>;

(Computed) The etag of the service account IAM policy.

property members 

members?: pulumi.Input<pulumi.Input<string>[]>;

property role 

role?: pulumi.Input<string>;

The role that should be applied. Only one google_service_account_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId 

serviceAccountId?: pulumi.Input<string>;

The service account id to apply policy to.

interface IAMMemberArgs

The set of arguments for constructing a IAMMember resource.

property member 

member: pulumi.Input<string>;

property role 

role: pulumi.Input<string>;

The role that should be applied. Only one google_service_account_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId 

serviceAccountId: pulumi.Input<string>;

The service account id to apply policy to.

interface IAMMemberState

Input properties used for looking up and filtering IAMMember resources.

property etag 

etag?: pulumi.Input<string>;

(Computed) The etag of the service account IAM policy.

property member 

member?: pulumi.Input<string>;

property role 

role?: pulumi.Input<string>;

The role that should be applied. Only one google_service_account_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property serviceAccountId 

serviceAccountId?: pulumi.Input<string>;

The service account id to apply policy to.

interface IAMPolicyArgs

The set of arguments for constructing a IAMPolicy resource.

property policyData 

policyData: pulumi.Input<string>;

The policy data generated by a google_iam_policy data source.

property serviceAccountId 

serviceAccountId: pulumi.Input<string>;

The service account id to apply policy to.

interface IAMPolicyState

Input properties used for looking up and filtering IAMPolicy resources.

property etag 

etag?: pulumi.Input<string>;

(Computed) The etag of the service account IAM policy.

property policyData 

policyData?: pulumi.Input<string>;

The policy data generated by a google_iam_policy data source.

property serviceAccountId 

serviceAccountId?: pulumi.Input<string>;

The service account id to apply policy to.

interface KeyArgs

The set of arguments for constructing a Key resource.

property keyAlgorithm 

keyAlgorithm?: pulumi.Input<string>;

The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)

property pgpKey 

pgpKey?: pulumi.Input<string>;

An optional PGP key to encrypt the resulting private key material. Only used when creating or importing a new key pair. May either be a base64-encoded public key or a keybase:keybaseusername string for looking up in Vault.

property privateKeyType 

privateKeyType?: pulumi.Input<string>;

The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.

property publicKeyType 

publicKeyType?: pulumi.Input<string>;

The output format of the public key requested. X509_PEM is the default output format.

property serviceAccountId 

serviceAccountId: pulumi.Input<string>;

The Service account id of the Key Pair. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.

interface KeyState

Input properties used for looking up and filtering Key resources.

property keyAlgorithm 

keyAlgorithm?: pulumi.Input<string>;

The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)

property name 

name?: pulumi.Input<string>;

The name used for this key pair

property pgpKey 

pgpKey?: pulumi.Input<string>;

An optional PGP key to encrypt the resulting private key material. Only used when creating or importing a new key pair. May either be a base64-encoded public key or a keybase:keybaseusername string for looking up in Vault.

property privateKey 

privateKey?: pulumi.Input<string>;

The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key, and when no pgp_key is provided.

property privateKeyEncrypted 

privateKeyEncrypted?: pulumi.Input<string>;

The private key material, base 64 encoded and encrypted with the given pgp_key. This is only populated when creating a new key and pgp_key is supplied

property privateKeyFingerprint 

privateKeyFingerprint?: pulumi.Input<string>;

The MD5 public key fingerprint for the encrypted private key. This is only populated when creating a new key and pgp_key is supplied

property privateKeyType 

privateKeyType?: pulumi.Input<string>;

The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.

property publicKey 

publicKey?: pulumi.Input<string>;

The public key, base64 encoded

property publicKeyType 

publicKeyType?: pulumi.Input<string>;

The output format of the public key requested. X509_PEM is the default output format.

property serviceAccountId 

serviceAccountId?: pulumi.Input<string>;

The Service account id of the Key Pair. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.

property validAfter 

validAfter?: pulumi.Input<string>;

The key can be used after this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

property validBefore 

validBefore?: pulumi.Input<string>;

The key can be used before this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.