Documentation ¶
Index ¶
- type Account
- type AccountArgs
- type AccountState
- type GetAccountAccessTokenArgs
- type GetAccountAccessTokenResult
- type GetAccountIdTokenArgs
- type GetAccountIdTokenResult
- type GetAccountKeyArgs
- type GetAccountKeyResult
- type IAMBinding
- type IAMBindingArgs
- type IAMBindingCondition
- type IAMBindingConditionArgs
- func (IAMBindingConditionArgs) ElementType() reflect.Type
- func (i IAMBindingConditionArgs) ToIAMBindingConditionOutput() IAMBindingConditionOutput
- func (i IAMBindingConditionArgs) ToIAMBindingConditionOutputWithContext(ctx context.Context) IAMBindingConditionOutput
- func (i IAMBindingConditionArgs) ToIAMBindingConditionPtrOutput() IAMBindingConditionPtrOutput
- func (i IAMBindingConditionArgs) ToIAMBindingConditionPtrOutputWithContext(ctx context.Context) IAMBindingConditionPtrOutput
- type IAMBindingConditionInput
- type IAMBindingConditionOutput
- func (o IAMBindingConditionOutput) Description() pulumi.StringPtrOutput
- func (IAMBindingConditionOutput) ElementType() reflect.Type
- func (o IAMBindingConditionOutput) Expression() pulumi.StringOutput
- func (o IAMBindingConditionOutput) Title() pulumi.StringOutput
- func (o IAMBindingConditionOutput) ToIAMBindingConditionOutput() IAMBindingConditionOutput
- func (o IAMBindingConditionOutput) ToIAMBindingConditionOutputWithContext(ctx context.Context) IAMBindingConditionOutput
- func (o IAMBindingConditionOutput) ToIAMBindingConditionPtrOutput() IAMBindingConditionPtrOutput
- func (o IAMBindingConditionOutput) ToIAMBindingConditionPtrOutputWithContext(ctx context.Context) IAMBindingConditionPtrOutput
- type IAMBindingConditionPtrInput
- type IAMBindingConditionPtrOutput
- func (o IAMBindingConditionPtrOutput) Description() pulumi.StringPtrOutput
- func (o IAMBindingConditionPtrOutput) Elem() IAMBindingConditionOutput
- func (IAMBindingConditionPtrOutput) ElementType() reflect.Type
- func (o IAMBindingConditionPtrOutput) Expression() pulumi.StringPtrOutput
- func (o IAMBindingConditionPtrOutput) Title() pulumi.StringPtrOutput
- func (o IAMBindingConditionPtrOutput) ToIAMBindingConditionPtrOutput() IAMBindingConditionPtrOutput
- func (o IAMBindingConditionPtrOutput) ToIAMBindingConditionPtrOutputWithContext(ctx context.Context) IAMBindingConditionPtrOutput
- type IAMBindingState
- type IAMMember
- type IAMMemberArgs
- type IAMMemberCondition
- type IAMMemberConditionArgs
- func (IAMMemberConditionArgs) ElementType() reflect.Type
- func (i IAMMemberConditionArgs) ToIAMMemberConditionOutput() IAMMemberConditionOutput
- func (i IAMMemberConditionArgs) ToIAMMemberConditionOutputWithContext(ctx context.Context) IAMMemberConditionOutput
- func (i IAMMemberConditionArgs) ToIAMMemberConditionPtrOutput() IAMMemberConditionPtrOutput
- func (i IAMMemberConditionArgs) ToIAMMemberConditionPtrOutputWithContext(ctx context.Context) IAMMemberConditionPtrOutput
- type IAMMemberConditionInput
- type IAMMemberConditionOutput
- func (o IAMMemberConditionOutput) Description() pulumi.StringPtrOutput
- func (IAMMemberConditionOutput) ElementType() reflect.Type
- func (o IAMMemberConditionOutput) Expression() pulumi.StringOutput
- func (o IAMMemberConditionOutput) Title() pulumi.StringOutput
- func (o IAMMemberConditionOutput) ToIAMMemberConditionOutput() IAMMemberConditionOutput
- func (o IAMMemberConditionOutput) ToIAMMemberConditionOutputWithContext(ctx context.Context) IAMMemberConditionOutput
- func (o IAMMemberConditionOutput) ToIAMMemberConditionPtrOutput() IAMMemberConditionPtrOutput
- func (o IAMMemberConditionOutput) ToIAMMemberConditionPtrOutputWithContext(ctx context.Context) IAMMemberConditionPtrOutput
- type IAMMemberConditionPtrInput
- type IAMMemberConditionPtrOutput
- func (o IAMMemberConditionPtrOutput) Description() pulumi.StringPtrOutput
- func (o IAMMemberConditionPtrOutput) Elem() IAMMemberConditionOutput
- func (IAMMemberConditionPtrOutput) ElementType() reflect.Type
- func (o IAMMemberConditionPtrOutput) Expression() pulumi.StringPtrOutput
- func (o IAMMemberConditionPtrOutput) Title() pulumi.StringPtrOutput
- func (o IAMMemberConditionPtrOutput) ToIAMMemberConditionPtrOutput() IAMMemberConditionPtrOutput
- func (o IAMMemberConditionPtrOutput) ToIAMMemberConditionPtrOutputWithContext(ctx context.Context) IAMMemberConditionPtrOutput
- type IAMMemberState
- type IAMPolicy
- type IAMPolicyArgs
- type IAMPolicyState
- type Key
- type KeyArgs
- type KeyState
- type LookupAccountArgs
- type LookupAccountResult
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Account ¶
// Account is the resource type for a Google Cloud Platform service account.
// It embeds pulumi.CustomResourceState and exposes the account's properties
// as Pulumi outputs.
type Account struct {
	pulumi.CustomResourceState

	// The account id that is used to generate the service
	// account email address and a stable unique id. It is unique within a project,
	// must be 6-30 characters long, and match the regular expression
	// `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
	// Changing this forces a new service account to be created.
	AccountId pulumi.StringOutput `pulumi:"accountId"`
	// A text description of the service account.
	// Must be less than or equal to 256 UTF-8 bytes.
	Description pulumi.StringPtrOutput `pulumi:"description"`
	// The display name for the service account.
	// Can be updated without creating a new resource.
	DisplayName pulumi.StringPtrOutput `pulumi:"displayName"`
	// The e-mail address of the service account. This value
	// should be referenced from any `organizations.getIAMPolicy` data sources
	// that would grant the service account privileges.
	Email pulumi.StringOutput `pulumi:"email"`
	// The fully-qualified name of the service account.
	Name pulumi.StringOutput `pulumi:"name"`
	// The ID of the project that the service account will be created in.
	// Defaults to the provider project configuration.
	Project pulumi.StringOutput `pulumi:"project"`
	// The unique id of the service account.
	UniqueId pulumi.StringOutput `pulumi:"uniqueId"`
}
Allows management of a [Google Cloud Platform service account](https://cloud.google.com/compute/docs/access/service-accounts)
> Creation of service accounts is eventually consistent, and that can lead to errors when you try to apply ACLs to service accounts immediately after creation.
func GetAccount ¶
func GetAccount(ctx *pulumi.Context, name string, id pulumi.IDInput, state *AccountState, opts ...pulumi.ResourceOption) (*Account, error)
GetAccount gets an existing Account resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).
func NewAccount ¶
func NewAccount(ctx *pulumi.Context, name string, args *AccountArgs, opts ...pulumi.ResourceOption) (*Account, error)
NewAccount registers a new resource with the given unique name, arguments, and options.
type AccountArgs ¶
// AccountArgs is the set of arguments for constructing an Account resource.
type AccountArgs struct {
	// The account id that is used to generate the service
	// account email address and a stable unique id. It is unique within a project,
	// must be 6-30 characters long, and match the regular expression
	// `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
	// Changing this forces a new service account to be created.
	AccountId pulumi.StringInput
	// A text description of the service account.
	// Must be less than or equal to 256 UTF-8 bytes.
	Description pulumi.StringPtrInput
	// The display name for the service account.
	// Can be updated without creating a new resource.
	DisplayName pulumi.StringPtrInput
	// The ID of the project that the service account will be created in.
	// Defaults to the provider project configuration.
	Project pulumi.StringPtrInput
}
The set of arguments for constructing an Account resource.
func (AccountArgs) ElementType ¶
func (AccountArgs) ElementType() reflect.Type
type AccountState ¶
// AccountState carries the optional state properties passed to GetAccount to
// qualify the lookup of an existing Account resource.
type AccountState struct {
	// The account id that is used to generate the service
	// account email address and a stable unique id. It is unique within a project,
	// must be 6-30 characters long, and match the regular expression
	// `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
	// Changing this forces a new service account to be created.
	AccountId pulumi.StringPtrInput
	// A text description of the service account.
	// Must be less than or equal to 256 UTF-8 bytes.
	Description pulumi.StringPtrInput
	// The display name for the service account.
	// Can be updated without creating a new resource.
	DisplayName pulumi.StringPtrInput
	// The e-mail address of the service account. This value
	// should be referenced from any `organizations.getIAMPolicy` data sources
	// that would grant the service account privileges.
	Email pulumi.StringPtrInput
	// The fully-qualified name of the service account.
	Name pulumi.StringPtrInput
	// The ID of the project that the service account will be created in.
	// Defaults to the provider project configuration.
	Project pulumi.StringPtrInput
	// The unique id of the service account.
	UniqueId pulumi.StringPtrInput
}
func (AccountState) ElementType ¶
func (AccountState) ElementType() reflect.Type
type GetAccountAccessTokenArgs ¶
// GetAccountAccessTokenArgs is the collection of arguments for invoking
// getAccountAccessToken, which issues an access token for a service account
// other than the one running the program.
type GetAccountAccessTokenArgs struct {
	// Delegate chain of approvals needed to perform full impersonation.
	// Specify the fully qualified service account name.
	// (e.g. `["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"]`)
	Delegates []string `pulumi:"delegates"`
	// Lifetime of the impersonated token (defaults to its max: `3600s`).
	// NOTE(review): a shorter lifetime narrows the window in which a leaked
	// token remains usable.
	Lifetime *string `pulumi:"lifetime"`
	// The scopes the new credential should have (e.g. `["storage-ro", "cloud-platform"]`)
	// NOTE(review): request only the scopes the consumer needs; `cloud-platform`
	// spans all Google Cloud APIs.
	Scopes []string `pulumi:"scopes"`
	// The service account _to_ impersonate (e.g. `service_B@your-project-id.iam.gserviceaccount.com`)
	TargetServiceAccount string `pulumi:"targetServiceAccount"`
}
A collection of arguments for invoking getAccountAccessToken.
type GetAccountAccessTokenResult ¶
// GetAccountAccessTokenResult is the collection of values returned by
// getAccountAccessToken.
type GetAccountAccessTokenResult struct {
	// The `accessToken` representing the new generated identity.
	// NOTE(review): this is an OAuth2 access token for the target service
	// account; handle it as a secret and keep it out of logs and plain-text
	// outputs.
	AccessToken string `pulumi:"accessToken"`
	// Same name as the Delegates argument; presumably echoes it — confirm.
	Delegates []string `pulumi:"delegates"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// Same name as the Lifetime argument; presumably echoes it — confirm.
	Lifetime *string `pulumi:"lifetime"`
	// Same name as the Scopes argument; presumably echoes it — confirm.
	Scopes []string `pulumi:"scopes"`
	// Same name as the TargetServiceAccount argument; presumably echoes it — confirm.
	TargetServiceAccount string `pulumi:"targetServiceAccount"`
}
A collection of values returned by getAccountAccessToken.
func GetAccountAccessToken ¶
func GetAccountAccessToken(ctx *pulumi.Context, args *GetAccountAccessTokenArgs, opts ...pulumi.InvokeOption) (*GetAccountAccessTokenResult, error)
This data source provides a Google OAuth2 `accessToken` for a different service account than the one initially running the script.
For more information see [the official documentation](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials) as well as [iamcredentials.generateAccessToken()](https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken)
type GetAccountIdTokenArgs ¶
// GetAccountIdTokenArgs is the collection of arguments for invoking
// getAccountIdToken. Several fields apply only in impersonation mode, as noted
// on each field.
type GetAccountIdTokenArgs struct {
	// Delegate chain of approvals needed to perform full impersonation.
	// Specify the fully qualified service account name.
	// Used only when using impersonation mode.
	Delegates []string `pulumi:"delegates"`
	// Include the verified email in the claim. Used only when using impersonation mode.
	IncludeEmail *bool `pulumi:"includeEmail"`
	// The audience claim for the `idToken`.
	// NOTE(review): set this to the specific service that will verify the
	// token, so the token is not accepted by other audiences.
	TargetAudience string `pulumi:"targetAudience"`
	// The email of the service account being impersonated.
	// Used only when using impersonation mode.
	TargetServiceAccount *string `pulumi:"targetServiceAccount"`
}
A collection of arguments for invoking getAccountIdToken.
type GetAccountIdTokenResult ¶
// GetAccountIdTokenResult is the collection of values returned by
// getAccountIdToken.
type GetAccountIdTokenResult struct {
	// Same name as the Delegates argument; presumably echoes it — confirm.
	Delegates []string `pulumi:"delegates"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// The `idToken` representing the new generated identity.
	// NOTE(review): the token is a credential for TargetAudience; handle it
	// as a secret and keep it out of logs and plain-text outputs.
	IdToken string `pulumi:"idToken"`
	// Same name as the IncludeEmail argument; presumably echoes it — confirm.
	IncludeEmail *bool `pulumi:"includeEmail"`
	// Same name as the TargetAudience argument; presumably echoes it — confirm.
	TargetAudience string `pulumi:"targetAudience"`
	// Same name as the TargetServiceAccount argument; presumably echoes it — confirm.
	TargetServiceAccount *string `pulumi:"targetServiceAccount"`
}
A collection of values returned by getAccountIdToken.
func GetAccountIdToken ¶
func GetAccountIdToken(ctx *pulumi.Context, args *GetAccountIdTokenArgs, opts ...pulumi.InvokeOption) (*GetAccountIdTokenResult, error)
type GetAccountKeyArgs ¶
// GetAccountKeyArgs is the collection of arguments for invoking getAccountKey,
// which retrieves a service account's public key.
type GetAccountKeyArgs struct {
	// The name of the service account key. This must have format
	// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{KEYID}`, where `{ACCOUNT}`
	// is the email address or unique id of the service account.
	Name string `pulumi:"name"`
	// The ID of the project that the service account will be created in.
	// Defaults to the provider project configuration.
	Project *string `pulumi:"project"`
	// The output format of the public key requested.
	// TYPE_X509_PEM_FILE is the default output format.
	PublicKeyType *string `pulumi:"publicKeyType"`
}
A collection of arguments for invoking getAccountKey.
type GetAccountKeyResult ¶
// GetAccountKeyResult is the collection of values returned by getAccountKey.
// Only the public half of the key is exposed here (see PublicKey).
type GetAccountKeyResult struct {
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// Undocumented on this page; presumably the algorithm of the key — confirm.
	KeyAlgorithm string `pulumi:"keyAlgorithm"`
	// Same name as the Name argument; presumably echoes it — confirm.
	Name string `pulumi:"name"`
	// Same name as the Project argument; presumably echoes it — confirm.
	Project *string `pulumi:"project"`
	// The public key, base64 encoded
	PublicKey string `pulumi:"publicKey"`
	// Same name as the PublicKeyType argument; presumably echoes it — confirm.
	PublicKeyType *string `pulumi:"publicKeyType"`
}
A collection of values returned by getAccountKey.
func GetAccountKey ¶
func GetAccountKey(ctx *pulumi.Context, args *GetAccountKeyArgs, opts ...pulumi.InvokeOption) (*GetAccountKeyResult, error)
Get service account public key. For more information, see [the official documentation](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and [API](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys/get).
type IAMBinding ¶
// IAMBinding is the resource type that grants one role on a service account
// to a list of members. Per this package's documentation it is authoritative
// for the given role; other roles in the service account's IAM policy are
// preserved.
type IAMBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition IAMBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the service account IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The members that hold Role on the service account.
	// NOTE(review): because the binding is authoritative for the role,
	// members omitted here presumably lose the role on update — confirm.
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The role that should be applied. Only one
	// `serviceAccount.IAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringOutput `pulumi:"serviceAccountId"`
}
When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource adds IAM policy bindings to a service account resource **to configure permissions for who can edit the service account**. Roles bound here apply to the service account itself; for example, `roles/iam.serviceAccountUser` granted at this level lets a member act as the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the googleProjectIam set of resources.
Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:
* `serviceAccount.IAMPolicy`: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
* `serviceAccount.IAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
* `serviceAccount.IAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.
> **Note:** `serviceAccount.IAMPolicy` **cannot** be used in conjunction with `serviceAccount.IAMBinding` and `serviceAccount.IAMMember` or they will fight over what your policy should be.
> **Note:** `serviceAccount.IAMBinding` resources **can be** used in conjunction with `serviceAccount.IAMMember` resources **only if** they do not grant privilege to the same role.
func GetIAMBinding ¶
func GetIAMBinding(ctx *pulumi.Context, name string, id pulumi.IDInput, state *IAMBindingState, opts ...pulumi.ResourceOption) (*IAMBinding, error)
GetIAMBinding gets an existing IAMBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).
func NewIAMBinding ¶
func NewIAMBinding(ctx *pulumi.Context, name string, args *IAMBindingArgs, opts ...pulumi.ResourceOption) (*IAMBinding, error)
NewIAMBinding registers a new resource with the given unique name, arguments, and options.
type IAMBindingArgs ¶
// IAMBindingArgs is the set of arguments for constructing an IAMBinding resource.
type IAMBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition IAMBindingConditionPtrInput
	// The members to grant Role to on the service account.
	// NOTE(review): IAMBinding is documented as authoritative for the role, so
	// this list is presumably the complete membership for that role — confirm.
	Members pulumi.StringArrayInput
	// The role that should be applied. Only one
	// `serviceAccount.IAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringInput
}
The set of arguments for constructing an IAMBinding resource.
func (IAMBindingArgs) ElementType ¶
func (IAMBindingArgs) ElementType() reflect.Type
type IAMBindingCondition ¶
// IAMBindingCondition describes the IAM Condition attached to an IAMBinding.
type IAMBindingCondition struct {
	// An optional description of the expression. This is a longer text which
	// describes the expression, e.g. when hovered over it in a UI.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	// NOTE(review): the expression decides when the binding applies, so review
	// it with the same care as the role and member list.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}
type IAMBindingConditionArgs ¶
// IAMBindingConditionArgs is the input form of IAMBindingCondition; it is
// accepted wherever an IAMBindingConditionInput or IAMBindingConditionPtrInput
// is expected.
type IAMBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which
	// describes the expression, e.g. when hovered over it in a UI.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}
func (IAMBindingConditionArgs) ElementType ¶
func (IAMBindingConditionArgs) ElementType() reflect.Type
func (IAMBindingConditionArgs) ToIAMBindingConditionOutput ¶
func (i IAMBindingConditionArgs) ToIAMBindingConditionOutput() IAMBindingConditionOutput
func (IAMBindingConditionArgs) ToIAMBindingConditionOutputWithContext ¶
func (i IAMBindingConditionArgs) ToIAMBindingConditionOutputWithContext(ctx context.Context) IAMBindingConditionOutput
func (IAMBindingConditionArgs) ToIAMBindingConditionPtrOutput ¶
func (i IAMBindingConditionArgs) ToIAMBindingConditionPtrOutput() IAMBindingConditionPtrOutput
func (IAMBindingConditionArgs) ToIAMBindingConditionPtrOutputWithContext ¶
func (i IAMBindingConditionArgs) ToIAMBindingConditionPtrOutputWithContext(ctx context.Context) IAMBindingConditionPtrOutput
type IAMBindingConditionInput ¶
// IAMBindingConditionInput is an input type that accepts
// IAMBindingConditionArgs and IAMBindingConditionOutput values.
type IAMBindingConditionInput interface {
	pulumi.Input

	// Conversion to the output type, without and with an explicit context.
	ToIAMBindingConditionOutput() IAMBindingConditionOutput
	ToIAMBindingConditionOutputWithContext(context.Context) IAMBindingConditionOutput
}
IAMBindingConditionInput is an input type that accepts IAMBindingConditionArgs and IAMBindingConditionOutput values. You can construct a concrete instance of `IAMBindingConditionInput` via:
IAMBindingConditionArgs{...}
type IAMBindingConditionOutput ¶
// IAMBindingConditionOutput is the output type for an IAM binding condition.
// It embeds *pulumi.OutputState; its Description, Expression and Title
// accessors are documented on this page.
type IAMBindingConditionOutput struct{ *pulumi.OutputState }
func (IAMBindingConditionOutput) Description ¶
func (o IAMBindingConditionOutput) Description() pulumi.StringPtrOutput
An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
func (IAMBindingConditionOutput) ElementType ¶
func (IAMBindingConditionOutput) ElementType() reflect.Type
func (IAMBindingConditionOutput) Expression ¶
func (o IAMBindingConditionOutput) Expression() pulumi.StringOutput
Textual representation of an expression in Common Expression Language syntax.
func (IAMBindingConditionOutput) Title ¶
func (o IAMBindingConditionOutput) Title() pulumi.StringOutput
A title for the expression, i.e. a short string describing its purpose.
func (IAMBindingConditionOutput) ToIAMBindingConditionOutput ¶
func (o IAMBindingConditionOutput) ToIAMBindingConditionOutput() IAMBindingConditionOutput
func (IAMBindingConditionOutput) ToIAMBindingConditionOutputWithContext ¶
func (o IAMBindingConditionOutput) ToIAMBindingConditionOutputWithContext(ctx context.Context) IAMBindingConditionOutput
func (IAMBindingConditionOutput) ToIAMBindingConditionPtrOutput ¶
func (o IAMBindingConditionOutput) ToIAMBindingConditionPtrOutput() IAMBindingConditionPtrOutput
func (IAMBindingConditionOutput) ToIAMBindingConditionPtrOutputWithContext ¶
func (o IAMBindingConditionOutput) ToIAMBindingConditionPtrOutputWithContext(ctx context.Context) IAMBindingConditionPtrOutput
type IAMBindingConditionPtrInput ¶
// IAMBindingConditionPtrInput is an input type that accepts
// IAMBindingConditionArgs, IAMBindingConditionPtr and
// IAMBindingConditionPtrOutput values; nil is also accepted.
type IAMBindingConditionPtrInput interface {
	pulumi.Input

	// Conversion to the pointer output type, without and with an explicit context.
	ToIAMBindingConditionPtrOutput() IAMBindingConditionPtrOutput
	ToIAMBindingConditionPtrOutputWithContext(context.Context) IAMBindingConditionPtrOutput
}
IAMBindingConditionPtrInput is an input type that accepts IAMBindingConditionArgs, IAMBindingConditionPtr and IAMBindingConditionPtrOutput values. You can construct a concrete instance of `IAMBindingConditionPtrInput` via:
IAMBindingConditionArgs{...} or: nil
func IAMBindingConditionPtr ¶
func IAMBindingConditionPtr(v *IAMBindingConditionArgs) IAMBindingConditionPtrInput
type IAMBindingConditionPtrOutput ¶
// IAMBindingConditionPtrOutput is the pointer-valued output type for an IAM
// binding condition. It embeds *pulumi.OutputState; Elem returns the
// corresponding IAMBindingConditionOutput, and its Description, Expression and
// Title accessors return pointer outputs.
type IAMBindingConditionPtrOutput struct{ *pulumi.OutputState }
func (IAMBindingConditionPtrOutput) Description ¶
func (o IAMBindingConditionPtrOutput) Description() pulumi.StringPtrOutput
An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
func (IAMBindingConditionPtrOutput) Elem ¶
func (o IAMBindingConditionPtrOutput) Elem() IAMBindingConditionOutput
func (IAMBindingConditionPtrOutput) ElementType ¶
func (IAMBindingConditionPtrOutput) ElementType() reflect.Type
func (IAMBindingConditionPtrOutput) Expression ¶
func (o IAMBindingConditionPtrOutput) Expression() pulumi.StringPtrOutput
Textual representation of an expression in Common Expression Language syntax.
func (IAMBindingConditionPtrOutput) Title ¶
func (o IAMBindingConditionPtrOutput) Title() pulumi.StringPtrOutput
A title for the expression, i.e. a short string describing its purpose.
func (IAMBindingConditionPtrOutput) ToIAMBindingConditionPtrOutput ¶
func (o IAMBindingConditionPtrOutput) ToIAMBindingConditionPtrOutput() IAMBindingConditionPtrOutput
func (IAMBindingConditionPtrOutput) ToIAMBindingConditionPtrOutputWithContext ¶
func (o IAMBindingConditionPtrOutput) ToIAMBindingConditionPtrOutputWithContext(ctx context.Context) IAMBindingConditionPtrOutput
type IAMBindingState ¶
// IAMBindingState carries the optional state properties passed to
// GetIAMBinding to qualify the lookup of an existing IAMBinding resource.
type IAMBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition IAMBindingConditionPtrInput
	// (Computed) The etag of the service account IAM policy.
	Etag pulumi.StringPtrInput
	// The members that hold Role on the service account.
	Members pulumi.StringArrayInput
	// The role that should be applied. Only one
	// `serviceAccount.IAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringPtrInput
}
func (IAMBindingState) ElementType ¶
func (IAMBindingState) ElementType() reflect.Type
type IAMMember ¶
// IAMMember is the resource type that grants one role on a service account to
// a single member. Per this package's documentation it is non-authoritative:
// other members for the role are preserved.
type IAMMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition IAMMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the service account IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The member that is granted Role on the service account.
	Member pulumi.StringOutput `pulumi:"member"`
	// The role that should be applied. Only one
	// `serviceAccount.IAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringOutput `pulumi:"serviceAccountId"`
}
When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource adds IAM policy bindings to a service account resource **to configure permissions for who can edit the service account**. Roles bound here apply to the service account itself; for example, `roles/iam.serviceAccountUser` granted at this level lets a member act as the service account. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the googleProjectIam set of resources.
Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:
* `serviceAccount.IAMPolicy`: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached.
* `serviceAccount.IAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.
* `serviceAccount.IAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.
> **Note:** `serviceAccount.IAMPolicy` **cannot** be used in conjunction with `serviceAccount.IAMBinding` and `serviceAccount.IAMMember` or they will fight over what your policy should be.
> **Note:** `serviceAccount.IAMBinding` resources **can be** used in conjunction with `serviceAccount.IAMMember` resources **only if** they do not grant privilege to the same role.
func GetIAMMember ¶
func GetIAMMember(ctx *pulumi.Context, name string, id pulumi.IDInput, state *IAMMemberState, opts ...pulumi.ResourceOption) (*IAMMember, error)
GetIAMMember gets an existing IAMMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).
func NewIAMMember ¶
func NewIAMMember(ctx *pulumi.Context, name string, args *IAMMemberArgs, opts ...pulumi.ResourceOption) (*IAMMember, error)
NewIAMMember registers a new resource with the given unique name, arguments, and options.
type IAMMemberArgs ¶
// IAMMemberArgs is the set of arguments for constructing an IAMMember resource.
type IAMMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition IAMMemberConditionPtrInput
	// The member to grant Role to on the service account.
	Member pulumi.StringInput
	// The role that should be applied. Only one
	// `serviceAccount.IAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringInput
}
The set of arguments for constructing an IAMMember resource.
func (IAMMemberArgs) ElementType ¶
func (IAMMemberArgs) ElementType() reflect.Type
type IAMMemberCondition ¶
// IAMMemberCondition describes the IAM Condition attached to an IAMMember.
type IAMMemberCondition struct {
	// An optional description of the expression. This is a longer text which
	// describes the expression, e.g. when hovered over it in a UI.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	// NOTE(review): the expression decides when the binding applies, so review
	// it with the same care as the role and member.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}
type IAMMemberConditionArgs ¶
// IAMMemberConditionArgs is the input form of IAMMemberCondition; it is
// accepted wherever an IAMMemberConditionInput or IAMMemberConditionPtrInput
// is expected.
type IAMMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which
	// describes the expression, e.g. when hovered over it in a UI.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}
func (IAMMemberConditionArgs) ElementType ¶
func (IAMMemberConditionArgs) ElementType() reflect.Type
func (IAMMemberConditionArgs) ToIAMMemberConditionOutput ¶
func (i IAMMemberConditionArgs) ToIAMMemberConditionOutput() IAMMemberConditionOutput
func (IAMMemberConditionArgs) ToIAMMemberConditionOutputWithContext ¶
func (i IAMMemberConditionArgs) ToIAMMemberConditionOutputWithContext(ctx context.Context) IAMMemberConditionOutput
func (IAMMemberConditionArgs) ToIAMMemberConditionPtrOutput ¶
func (i IAMMemberConditionArgs) ToIAMMemberConditionPtrOutput() IAMMemberConditionPtrOutput
func (IAMMemberConditionArgs) ToIAMMemberConditionPtrOutputWithContext ¶
func (i IAMMemberConditionArgs) ToIAMMemberConditionPtrOutputWithContext(ctx context.Context) IAMMemberConditionPtrOutput
type IAMMemberConditionInput ¶
// IAMMemberConditionInput is an input type that accepts
// IAMMemberConditionArgs and IAMMemberConditionOutput values.
type IAMMemberConditionInput interface {
	pulumi.Input

	// Conversion to the output type, without and with an explicit context.
	ToIAMMemberConditionOutput() IAMMemberConditionOutput
	ToIAMMemberConditionOutputWithContext(context.Context) IAMMemberConditionOutput
}
IAMMemberConditionInput is an input type that accepts IAMMemberConditionArgs and IAMMemberConditionOutput values. You can construct a concrete instance of `IAMMemberConditionInput` via:
IAMMemberConditionArgs{...}
type IAMMemberConditionOutput ¶
// IAMMemberConditionOutput is the output type for an IAM member condition.
// It embeds *pulumi.OutputState; its Description, Expression and Title
// accessors are documented on this page.
type IAMMemberConditionOutput struct{ *pulumi.OutputState }
func (IAMMemberConditionOutput) Description ¶
func (o IAMMemberConditionOutput) Description() pulumi.StringPtrOutput
An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
func (IAMMemberConditionOutput) ElementType ¶
func (IAMMemberConditionOutput) ElementType() reflect.Type
func (IAMMemberConditionOutput) Expression ¶
func (o IAMMemberConditionOutput) Expression() pulumi.StringOutput
Textual representation of an expression in Common Expression Language syntax.
func (IAMMemberConditionOutput) Title ¶
func (o IAMMemberConditionOutput) Title() pulumi.StringOutput
A title for the expression, i.e. a short string describing its purpose.
func (IAMMemberConditionOutput) ToIAMMemberConditionOutput ¶
func (o IAMMemberConditionOutput) ToIAMMemberConditionOutput() IAMMemberConditionOutput
func (IAMMemberConditionOutput) ToIAMMemberConditionOutputWithContext ¶
func (o IAMMemberConditionOutput) ToIAMMemberConditionOutputWithContext(ctx context.Context) IAMMemberConditionOutput
func (IAMMemberConditionOutput) ToIAMMemberConditionPtrOutput ¶
func (o IAMMemberConditionOutput) ToIAMMemberConditionPtrOutput() IAMMemberConditionPtrOutput
func (IAMMemberConditionOutput) ToIAMMemberConditionPtrOutputWithContext ¶
func (o IAMMemberConditionOutput) ToIAMMemberConditionPtrOutputWithContext(ctx context.Context) IAMMemberConditionPtrOutput
type IAMMemberConditionPtrInput ¶
// IAMMemberConditionPtrInput is an input type that accepts
// IAMMemberConditionArgs, IAMMemberConditionPtr and
// IAMMemberConditionPtrOutput values; nil is also accepted.
type IAMMemberConditionPtrInput interface {
	pulumi.Input

	// Conversion to the pointer output type, without and with an explicit context.
	ToIAMMemberConditionPtrOutput() IAMMemberConditionPtrOutput
	ToIAMMemberConditionPtrOutputWithContext(context.Context) IAMMemberConditionPtrOutput
}
IAMMemberConditionPtrInput is an input type that accepts IAMMemberConditionArgs, IAMMemberConditionPtr and IAMMemberConditionPtrOutput values. You can construct a concrete instance of `IAMMemberConditionPtrInput` via:
IAMMemberConditionArgs{...} or: nil
func IAMMemberConditionPtr ¶
func IAMMemberConditionPtr(v *IAMMemberConditionArgs) IAMMemberConditionPtrInput
type IAMMemberConditionPtrOutput ¶
// IAMMemberConditionPtrOutput is the pointer-valued output type for an IAM
// member condition. It embeds *pulumi.OutputState; Elem returns the
// corresponding IAMMemberConditionOutput, and its Description, Expression and
// Title accessors return pointer outputs.
type IAMMemberConditionPtrOutput struct{ *pulumi.OutputState }
func (IAMMemberConditionPtrOutput) Description ¶
func (o IAMMemberConditionPtrOutput) Description() pulumi.StringPtrOutput
An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
func (IAMMemberConditionPtrOutput) Elem ¶
func (o IAMMemberConditionPtrOutput) Elem() IAMMemberConditionOutput
func (IAMMemberConditionPtrOutput) ElementType ¶
func (IAMMemberConditionPtrOutput) ElementType() reflect.Type
func (IAMMemberConditionPtrOutput) Expression ¶
func (o IAMMemberConditionPtrOutput) Expression() pulumi.StringPtrOutput
Textual representation of an expression in Common Expression Language syntax.
func (IAMMemberConditionPtrOutput) Title ¶
func (o IAMMemberConditionPtrOutput) Title() pulumi.StringPtrOutput
A title for the expression, i.e. a short string describing its purpose.
func (IAMMemberConditionPtrOutput) ToIAMMemberConditionPtrOutput ¶
func (o IAMMemberConditionPtrOutput) ToIAMMemberConditionPtrOutput() IAMMemberConditionPtrOutput
func (IAMMemberConditionPtrOutput) ToIAMMemberConditionPtrOutputWithContext ¶
func (o IAMMemberConditionPtrOutput) ToIAMMemberConditionPtrOutputWithContext(ctx context.Context) IAMMemberConditionPtrOutput
type IAMMemberState ¶
// IAMMemberState is the set of state properties for a service account
// IAMMember resource. Every field is an optional (pointer) input.
type IAMMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	// A nil condition leaves the grant unconditional.
	Condition IAMMemberConditionPtrInput
	// (Computed) The etag of the service account IAM policy.
	Etag pulumi.StringPtrInput
	// NOTE(review): no description is given for Member here; presumably the
	// single identity that receives Role on the service account. Confirm the
	// accepted identity formats against the provider documentation.
	Member pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `serviceAccount.IAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringPtrInput
}
func (IAMMemberState) ElementType ¶
func (IAMMemberState) ElementType() reflect.Type
type IAMPolicy ¶
// IAMPolicy sets the IAM policy attached to a service account, i.e. who may
// act on the service account itself. The resource is authoritative: applying
// it replaces any policy already attached, so a binding that is missing from
// PolicyData is removed from the service account.
type IAMPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the service account IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringOutput `pulumi:"serviceAccountId"`
}
When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource adds IAM policy bindings to a service account resource **to configure permissions for who can edit the service account**. To configure permissions for a service account to act as an identity that can manage other GCP resources, use the `googleProjectIam` set of resources (the project-level IAM resources) instead.
Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:
* `serviceAccount.IAMPolicy`: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached. * `serviceAccount.IAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved. * `serviceAccount.IAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.
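> **Note:** `serviceAccount.IAMPolicy` **cannot** be used in conjunction with `serviceAccount.IAMBinding` or `serviceAccount.IAMMember`: because `serviceAccount.IAMPolicy` replaces the whole policy, the resources will fight over what your policy should be, each update overwriting the other's changes.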
> **Note:** `serviceAccount.IAMBinding` resources **can be** used in conjunction with `serviceAccount.IAMMember` resources **only if** they do not grant privileges for the same role.
func GetIAMPolicy ¶
func GetIAMPolicy(ctx *pulumi.Context, name string, id pulumi.IDInput, state *IAMPolicyState, opts ...pulumi.ResourceOption) (*IAMPolicy, error)
GetIAMPolicy gets an existing IAMPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).
func NewIAMPolicy ¶
func NewIAMPolicy(ctx *pulumi.Context, name string, args *IAMPolicyArgs, opts ...pulumi.ResourceOption) (*IAMPolicy, error)
NewIAMPolicy registers a new resource with the given unique name, arguments, and options.
type IAMPolicyArgs ¶
// IAMPolicyArgs is the set of arguments for constructing an IAMPolicy
// resource. Both fields are required (non-pointer) inputs.
type IAMPolicyArgs struct {
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	// The resource is authoritative, so this document becomes the complete
	// policy of the service account and replaces whatever was attached before.
	PolicyData pulumi.StringInput
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringInput
}
The set of arguments for constructing an IAMPolicy resource.
func (IAMPolicyArgs) ElementType ¶
func (IAMPolicyArgs) ElementType() reflect.Type
type IAMPolicyState ¶
// IAMPolicyState is the set of optional state properties accepted by
// GetIAMPolicy to qualify the lookup of an existing IAMPolicy resource.
type IAMPolicyState struct {
	// (Computed) The etag of the service account IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringPtrInput
}
func (IAMPolicyState) ElementType ¶
func (IAMPolicyState) ElementType() reflect.Type
type Key ¶
// Key is a service account key pair. The key pair lets a caller establish the
// identity of the service account outside of GCP, so the private half is a
// credential for that service account.
type Key struct {
	pulumi.CustomResourceState

	// The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm.
	// Valid values are listed at
	// [ServiceAccountKeyAlgorithm](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)
	// (only used on create)
	KeyAlgorithm pulumi.StringPtrOutput `pulumi:"keyAlgorithm"`
	// The name used for this key pair
	Name pulumi.StringOutput `pulumi:"name"`
	// The private key in JSON format, base64 encoded. This is what you normally get as a file when creating
	// service account keys through the CLI or web console. This is only populated when creating a new key.
	// Base64 is an encoding, not encryption: the value is usable credential material.
	// NOTE(review): as a resource output this value is presumably written to the
	// stack's state. Confirm that this provider version marks it as a secret and
	// that the state backend is encrypted and access-controlled.
	PrivateKey pulumi.StringOutput `pulumi:"privateKey"`
	// The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
	PrivateKeyType pulumi.StringPtrOutput `pulumi:"privateKeyType"`
	// The public key, base64 encoded
	PublicKey pulumi.StringOutput `pulumi:"publicKey"`
	// Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with `publicKeyType` and `privateKeyType`.
	PublicKeyData pulumi.StringPtrOutput `pulumi:"publicKeyData"`
	// The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
	PublicKeyType pulumi.StringPtrOutput `pulumi:"publicKeyType"`
	// The Service account id of the Key Pair. This can be a string in the format
	// `{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`, where `{ACCOUNT}` is the email address or
	// unique id of the service account. If the `{ACCOUNT}` syntax is used, the project will be inferred from the account.
	ServiceAccountId pulumi.StringOutput `pulumi:"serviceAccountId"`
	// The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
	ValidAfter pulumi.StringOutput `pulumi:"validAfter"`
	// The key can be used before this timestamp.
	// A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
	ValidBefore pulumi.StringOutput `pulumi:"validBefore"`
}
Creates and manages service account key pairs, which allow a caller to establish the identity of a service account outside of GCP. Whoever holds the private key can act as that service account, so the key must be handled as a credential. For more information, see [the official documentation](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and [API](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys).
## Example Usage
func GetKey ¶
func GetKey(ctx *pulumi.Context, name string, id pulumi.IDInput, state *KeyState, opts ...pulumi.ResourceOption) (*Key, error)
GetKey gets an existing Key resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).
type KeyArgs ¶
// KeyArgs is the set of arguments for constructing a Key resource. Only
// ServiceAccountId is a required (non-pointer) input.
type KeyArgs struct {
	// The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm.
	// Valid values are listed at
	// [ServiceAccountKeyAlgorithm](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)
	// (only used on create)
	KeyAlgorithm pulumi.StringPtrInput
	// The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
	PrivateKeyType pulumi.StringPtrInput
	// Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with `publicKeyType` and `privateKeyType`.
	// NOTE(review): presumably, when an externally generated public key is supplied
	// here, no private key is produced by the resource. Confirm against the
	// provider documentation before relying on it.
	PublicKeyData pulumi.StringPtrInput
	// The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
	PublicKeyType pulumi.StringPtrInput
	// The Service account id of the Key Pair. This can be a string in the format
	// `{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`, where `{ACCOUNT}` is the email address or
	// unique id of the service account. If the `{ACCOUNT}` syntax is used, the project will be inferred from the account.
	ServiceAccountId pulumi.StringInput
}
The set of arguments for constructing a Key resource.
func (KeyArgs) ElementType ¶
type KeyState ¶
// KeyState is the set of optional state properties accepted by GetKey to
// qualify the lookup of an existing Key resource.
type KeyState struct {
	// The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm.
	// Valid values are listed at
	// [ServiceAccountKeyAlgorithm](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)
	// (only used on create)
	KeyAlgorithm pulumi.StringPtrInput
	// The name used for this key pair
	Name pulumi.StringPtrInput
	// The private key in JSON format, base64 encoded. This is what you normally get as a file when creating
	// service account keys through the CLI or web console. This is only populated when creating a new key.
	// Base64 is an encoding, not encryption: treat any value placed here as a credential.
	PrivateKey pulumi.StringPtrInput
	// The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
	PrivateKeyType pulumi.StringPtrInput
	// The public key, base64 encoded
	PublicKey pulumi.StringPtrInput
	// Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with `publicKeyType` and `privateKeyType`.
	PublicKeyData pulumi.StringPtrInput
	// The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
	PublicKeyType pulumi.StringPtrInput
	// The Service account id of the Key Pair. This can be a string in the format
	// `{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`, where `{ACCOUNT}` is the email address or
	// unique id of the service account. If the `{ACCOUNT}` syntax is used, the project will be inferred from the account.
	ServiceAccountId pulumi.StringPtrInput
	// The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
	ValidAfter pulumi.StringPtrInput
	// The key can be used before this timestamp.
	// A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
	ValidBefore pulumi.StringPtrInput
}
func (KeyState) ElementType ¶
type LookupAccountArgs ¶
// LookupAccountArgs is the collection of arguments for invoking getAccount
// through LookupAccount.
type LookupAccountArgs struct {
	// The Service account id. (This is the part of the service account's email field that comes before the @ symbol.)
	AccountId string `pulumi:"accountId"`
	// The ID of the project that the service account is present in.
	// Defaults to the provider project configuration.
	Project *string `pulumi:"project"`
}
A collection of arguments for invoking getAccount.
type LookupAccountResult ¶
// LookupAccountResult is the collection of values returned by getAccount.
type LookupAccountResult struct {
	// NOTE(review): undocumented here; presumably echoes the AccountId argument.
	AccountId string `pulumi:"accountId"`
	// The display name for the service account.
	DisplayName string `pulumi:"displayName"`
	// The e-mail address of the service account. This value
	// should be referenced from any `organizations.getIAMPolicy` data sources
	// that would grant the service account privileges.
	Email string `pulumi:"email"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// The fully-qualified name of the service account.
	Name string `pulumi:"name"`
	// NOTE(review): undocumented here; presumably the project the lookup was
	// resolved against. It is a pointer and may be nil.
	Project *string `pulumi:"project"`
	// The unique id of the service account.
	UniqueId string `pulumi:"uniqueId"`
}
A collection of values returned by getAccount.
func LookupAccount ¶
func LookupAccount(ctx *pulumi.Context, args *LookupAccountArgs, opts ...pulumi.InvokeOption) (*LookupAccountResult, error)
Get the service account from a project. For more information see the official [API](https://cloud.google.com/compute/docs/access/service-accounts) documentation.