service_account

class pulumi_gcp.service_account.Account(resource_name, opts=None, account_id=None, display_name=None, policy_data=None, project=None, __name__=None, __opts__=None)

Allows management of a Google Cloud Platform service account.

Parameters:
  • resource_name (str) – The name of the resource.
  • opts (pulumi.ResourceOptions) – Options for the resource.
  • account_id (pulumi.Input[str]) – The service account ID. Changing this forces a new service account to be created.
  • display_name (pulumi.Input[str]) – The display name for the service account. Can be updated without creating a new resource.
  • policy_data (pulumi.Input[str]) – The google_iam_policy data source that represents the IAM policy that will be applied to the service account. The policy will be merged with any existing policy.
  • project (pulumi.Input[str]) – The ID of the project that the service account will be created in. Defaults to the provider project configuration.
account_id = None

The service account ID. Changing this forces a new service account to be created.

display_name = None

The display name for the service account. Can be updated without creating a new resource.

email = None

The e-mail address of the service account. This value should be referenced from any google_iam_policy data sources that would grant the service account privileges.

name = None

The fully-qualified name of the service account.

policy_data = None

The google_iam_policy data source that represents the IAM policy that will be applied to the service account. The policy will be merged with any existing policy.

project = None

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

unique_id = None

The unique id of the service account.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
class pulumi_gcp.service_account.GetAccountKeyResult(key_algorithm=None, name=None, public_key=None, id=None)

A collection of values returned by getAccountKey.

public_key = None

The public key, base64 encoded.

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_gcp.service_account.GetAccountResult(display_name=None, email=None, name=None, unique_id=None, id=None)

A collection of values returned by getAccount.

display_name = None

The display name for the service account.

email = None

The e-mail address of the service account. This value should be referenced from any google_iam_policy data sources that would grant the service account privileges.

name = None

The fully-qualified name of the service account.

unique_id = None

The unique id of the service account.

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_gcp.service_account.IAMBinding(resource_name, opts=None, members=None, role=None, service_account_id=None, __name__=None, __opts__=None)

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource adds IAM policy bindings to a service account resource, to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

  • google_service_account_iam_policy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
  • google_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
  • google_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

Note: google_service_account_iam_policy cannot be used in conjunction with google_service_account_iam_binding and google_service_account_iam_member or they will fight over what your policy should be.

Note: google_service_account_iam_binding resources can be used in conjunction with google_service_account_iam_member resources only if they do not grant privilege to the same role.

Parameters:
  • resource_name (str) – The name of the resource.
  • opts (pulumi.ResourceOptions) – Options for the resource.
  • role (pulumi.Input[str]) – The role that should be applied. Only one google_service_account_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.
  • service_account_id (pulumi.Input[str]) – The service account id to apply policy to.
etag = None

(Computed) The etag of the service account IAM policy.

role = None

The role that should be applied. Only one google_service_account_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

service_account_id = None

The service account id to apply policy to.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
class pulumi_gcp.service_account.IAMMember(resource_name, opts=None, member=None, role=None, service_account_id=None, __name__=None, __opts__=None)

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource adds IAM policy bindings to a service account resource, to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

  • google_service_account_iam_policy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
  • google_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
  • google_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

Note: google_service_account_iam_policy cannot be used in conjunction with google_service_account_iam_binding and google_service_account_iam_member or they will fight over what your policy should be.

Note: google_service_account_iam_binding resources can be used in conjunction with google_service_account_iam_member resources only if they do not grant privilege to the same role.

Parameters:
  • resource_name (str) – The name of the resource.
  • opts (pulumi.ResourceOptions) – Options for the resource.
  • role (pulumi.Input[str]) – The role that should be applied. Only one google_service_account_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.
  • service_account_id (pulumi.Input[str]) – The service account id to apply policy to.
etag = None

(Computed) The etag of the service account IAM policy.

role = None

The role that should be applied. Only one google_service_account_iam_binding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

service_account_id = None

The service account id to apply policy to.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
class pulumi_gcp.service_account.IAMPolicy(resource_name, opts=None, policy_data=None, service_account_id=None, __name__=None, __opts__=None)

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource adds IAM policy bindings to a service account resource, to configure permissions for who can edit the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the google_project_iam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

  • google_service_account_iam_policy: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
  • google_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
  • google_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

Note: google_service_account_iam_policy cannot be used in conjunction with google_service_account_iam_binding and google_service_account_iam_member or they will fight over what your policy should be.

Note: google_service_account_iam_binding resources can be used in conjunction with google_service_account_iam_member resources only if they do not grant privilege to the same role.
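
The update semantics and the two compatibility notes above apply equally to IAMBinding, IAMMember and IAMPolicy. The following added example, which is not part of the Pulumi or provider documentation, models them in plain Python on an in-memory policy so that the grants an authoritative resource removes are visible before it is applied; the function names, the tuple layout and the sample members are constructed for illustration.

```python
# Added example (constructed data): an IAM policy modelled as {role: set(members)}.

def _copy(policy):
    return {role: set(members) for role, members in policy.items()}

def apply_policy(existing, desired):
    """IAMPolicy: authoritative, the whole policy is replaced."""
    return _copy(desired)

def apply_binding(existing, role, members):
    """IAMBinding: authoritative for one role, other roles are preserved."""
    updated = _copy(existing)
    updated[role] = set(members)
    return updated

def apply_member(existing, role, member):
    """IAMMember: non-authoritative, other members of the role are preserved."""
    updated = _copy(existing)
    updated.setdefault(role, set()).add(member)
    return updated

def revoked(before, after):
    """(role, member) grants present before the update and absent after it."""
    return {(r, m) for r, ms in before.items() for m in ms - after.get(r, set())}

def find_conflicts(declared):
    """declared: (kind, service_account_id, role) tuples; role is None for 'policy'."""
    by_sa = {}
    for kind, sa, role in declared:
        by_sa.setdefault(sa, []).append((kind, role))
    conflicts = []
    for sa, items in sorted(by_sa.items()):
        kinds = {kind for kind, _ in items}
        if "policy" in kinds and kinds & {"binding", "member"}:
            conflicts.append((sa, "policy used together with binding/member"))
        bound = [role for kind, role in items if kind == "binding"]
        member_roles = {role for kind, role in items if kind == "member"}
        for role in sorted(set(bound)):
            if bound.count(role) > 1:
                conflicts.append((sa, "more than one binding for " + role))
            if role in member_roles:
                conflicts.append((sa, "binding and member both grant " + role))
    return conflicts

# Constructed sample: a policy already attached to a service account.
EXISTING = {
    "roles/iam.serviceAccountUser": {"user:alice@example.com"},
    "roles/iam.serviceAccountTokenCreator": {"user:bob@example.com"},
}
```

Calling revoked() on the current policy before moving a role from IAMMember to IAMBinding, or to IAMPolicy, shows which existing grants the authoritative resource will drop.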

Parameters:
  • resource_name (str) – The name of the resource.
  • opts (pulumi.ResourceOptions) – Options for the resource.
  • policy_data (pulumi.Input[str]) – The policy data generated by a google_iam_policy data source.
  • service_account_id (pulumi.Input[str]) – The service account id to apply policy to.
etag = None

(Computed) The etag of the service account IAM policy.

policy_data = None

The policy data generated by a google_iam_policy data source.

service_account_id = None

The service account id to apply policy to.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
class pulumi_gcp.service_account.Key(resource_name, opts=None, key_algorithm=None, pgp_key=None, private_key_type=None, public_key_type=None, service_account_id=None, __name__=None, __opts__=None)

Creates and manages service account key-pairs, which allow the user to establish identity of a service account outside of GCP. For more information, see the official documentation and API.

Parameters:
  • resource_name (str) – The name of the resource.
  • opts (pulumi.ResourceOptions) – Options for the resource.
  • key_algorithm (pulumi.Input[str]) – The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
  • pgp_key (pulumi.Input[str]) – An optional PGP key to encrypt the resulting private key material. Only used when creating or importing a new key pair. May either be a base64-encoded public key or a keybase:keybaseusername string for looking up in Vault.
  • private_key_type (pulumi.Input[str]) – The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
  • public_key_type (pulumi.Input[str]) – The output format of the public key requested. X509_PEM is the default output format.
  • service_account_id (pulumi.Input[str]) – The Service account id of the Key Pair. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.
key_algorithm = None

The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)

name = None

The name used for this key pair

pgp_key = None

An optional PGP key to encrypt the resulting private key material. Only used when creating or importing a new key pair. May either be a base64-encoded public key or a keybase:keybaseusername string for looking up in Vault.

private_key = None

The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key, and when no pgp_key is provided.

private_key_encrypted = None

The private key material, base64 encoded and encrypted with the given pgp_key. This is only populated when creating a new key and pgp_key is supplied.

private_key_fingerprint = None

The MD5 public key fingerprint for the encrypted private key. This is only populated when creating a new key and pgp_key is supplied.

private_key_type = None

The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.

public_key = None

The public key, base64 encoded.

public_key_type = None

The output format of the public key requested. X509_PEM is the default output format.

service_account_id = None

The Service account id of the Key Pair. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}, where {ACCOUNT} is the email address or unique id of the service account. If the {ACCOUNT} syntax is used, the project will be inferred from the account.

valid_after = None

The key can be used after this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.

valid_before = None

The key can be used before this timestamp. A timestamp in RFC3339 UTC “Zulu” format, accurate to nanoseconds. Example: “2014-10-02T15:01:23.045123456Z”.
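
As an added example (not part of the Pulumi or provider documentation), the valid_after and valid_before values described above can be parsed and checked against a key rotation policy. The 90-day max_window, the function names and the sample timestamps are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3339 UTC "Zulu" timestamp with up to nine fractional digits (nanoseconds).
_ZULU = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z")

def parse_zulu(ts):
    """Return (UTC datetime truncated to microseconds, nanosecond field)."""
    m = _ZULU.fullmatch(ts)
    if m is None:
        raise ValueError("not an RFC 3339 Zulu timestamp: %r" % ts)
    nanos = int((m.group(2) or "").ljust(9, "0"))
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    # datetime stores microseconds only, so the full nanosecond field is
    # returned separately instead of being silently dropped.
    return base.replace(microsecond=nanos // 1000, tzinfo=timezone.utc), nanos

def audit_key(valid_after, valid_before, now, max_window=timedelta(days=90)):
    """List findings for one key; max_window is an assumed rotation policy."""
    start, _ = parse_zulu(valid_after)
    end, _ = parse_zulu(valid_before)
    findings = []
    if now < start:
        findings.append("not yet valid")
    if now >= end:
        findings.append("expired")
    if end - start > max_window:
        findings.append("validity window longer than max_window")
    return findings

# Constructed sample values in the timestamp format documented above.
NOW = datetime(2020, 1, 15, tzinfo=timezone.utc)
SAMPLE_KEYS = {
    "rotated": ("2020-01-01T00:00:00.000000001Z", "2020-03-01T00:00:00Z"),
    "long-lived": ("2014-10-02T15:01:23.045123456Z", "2024-10-02T15:01:23Z"),
    "stale": ("2019-01-01T00:00:00Z", "2019-04-01T00:00:00Z"),
}

def audit_all(keys=SAMPLE_KEYS, now=NOW):
    """Map each key name to its list of findings."""
    return {name: audit_key(va, vb, now) for name, (va, vb) in keys.items()}
```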

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str
pulumi_gcp.service_account.get_account(account_id=None, project=None, opts=None)

Get the service account from a project. For more information see the official API documentation.

pulumi_gcp.service_account.get_account_key(name=None, project=None, public_key_type=None, service_account_id=None, opts=None)

Get service account public key. For more information, see the official documentation and API.