mirror of
https://github.com/letic/terraform-provider-google.git
synced 2024-09-19 09:39:59 +00:00
80 lines
3.0 KiB
Markdown
---
layout: "google"
page_title: "Google: google_service_account_access_token"
sidebar_current: "docs-google-service-account-access-token"
description: |-
  Produces access_token for impersonated service accounts
---

# google\_service\_account\_access\_token

This data source obtains a Google OAuth 2.0 `access_token` for a service account other than the one Terraform itself is authenticated as. It does so by calling the IAM Credentials API's `generateAccessToken` method, so the caller receives only a short-lived bearer token for the target account and never its key; this is the recommended alternative to distributing service account key files.

For more information see
[the official documentation](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials) as well as [iamcredentials.generateAccessToken()](https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken)

## Example Usage

To allow `service_A` to impersonate `service_B`, grant `service_A` the [Service Account Token Creator](https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role) role on `service_B`. Grant the role on the service account resource itself (its IAM policy) rather than at project level, so that `service_A` can mint tokens only for `service_B` and not for every service account in the project.

In the IAM policy below, `service_A` is granted the Token Creator role on `service_B`, which allows it to impersonate `service_B`. Note that `google_service_account_iam_binding` is authoritative for the given role and will remove any other members that hold it on `service_B`; use `google_service_account_iam_member` to add a single member without touching existing ones.

```hcl
resource "google_service_account_iam_binding" "token-creator-iam" {
  service_account_id = "projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com"
  role               = "roles/iam.serviceAccountTokenCreator"
  members = [
    "serviceAccount:service_A@projectA.iam.gserviceaccount.com",
  ]
}
```

Once the IAM permissions are set, you can pass the generated token to a second, aliased `google` provider bootstrapped with it. Any resource or data source that references the aliased provider runs as the impersonated identity.

In the example below, `google_client_openid_userinfo` runs as `service_B`, so the output reports `service_B`'s email.

```hcl
# Default provider: authenticated as the identity running Terraform (service_A).
provider "google" {}

data "google_client_config" "default" {
  provider = "google"
}

# Mint a short-lived token for service_B using service_A's credentials.
# Only the scopes listed here are granted to the resulting token.
data "google_service_account_access_token" "default" {
  provider               = "google"
  target_service_account = "service_B@projectB.iam.gserviceaccount.com"
  scopes                 = ["userinfo-email", "cloud-platform"]
  lifetime               = "300s"
}

# Aliased provider bootstrapped with the impersonated token.
provider "google" {
  alias        = "impersonated"
  access_token = "${data.google_service_account_access_token.default.access_token}"
}

# Runs as service_B because it references the aliased provider.
data "google_client_openid_userinfo" "me" {
  provider = "google.impersonated"
}

output "target-email" {
  value = "${data.google_client_openid_userinfo.me.email}"
}
```

> *Note*: the generated token cannot be refreshed, and `lifetime` may be at most `3600s` (one hour). Choose a lifetime that is as short as possible but still longer than the apply is expected to take, since the aliased provider cannot renew it mid-run. The token is a data source attribute and is therefore recorded in the Terraform state, so the state file must be protected like any other credential store.

## Argument Reference

The following arguments are supported:

* `target_service_account` (Required) - The email of the service account _to_ impersonate (e.g. `service_B@your-project-id.iam.gserviceaccount.com`).
* `scopes` (Required) - The OAuth scopes the new credential should have (e.g. `["storage-ro", "cloud-platform"]`). Grant only the scopes the impersonated resources need; the token is a bearer credential, and narrower scopes limit what it can do if it leaks.
* `delegates` (Optional) - The delegation chain of service accounts through which the impersonation passes, in order. Each account in the chain must hold the Token Creator role on the next one, and the last account in the chain must hold it on `target_service_account`. Specify each as a fully qualified service account name (e.g. `["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"]`).
* `lifetime` (Optional) - Lifetime of the impersonated token as a duration string such as `"300s"` (defaults to its maximum, `3600s`).
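
As an added example (not part of the provider documentation or the project's own code), the configuration below shows how `delegates` is used with a two-hop chain: `service_A` may create tokens for `delegate-svc-account`, and `delegate-svc-account` may create tokens for `service_B`, but `service_A` has no Token Creator grant on `service_B` directly. All account emails, project IDs and resource names are placeholders chosen for illustration.

```hcl
# Hop 1: service_A may mint tokens for the delegate account.
resource "google_service_account_iam_member" "a-to-delegate" {
  service_account_id = "projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:service_A@projectA.iam.gserviceaccount.com"
}

# Hop 2: the delegate may mint tokens for service_B.
# service_A is deliberately NOT granted Token Creator on service_B.
resource "google_service_account_iam_member" "delegate-to-b" {
  service_account_id = "projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com"
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:delegate-svc-account@project-id.iam.gserviceaccount.com"
}

# Without `delegates`, this request is rejected, because the caller
# (service_A) cannot impersonate service_B directly. The chain is listed
# in order, starting with the account the caller can impersonate.
data "google_service_account_access_token" "via_delegate" {
  provider               = "google"
  target_service_account = "service_B@projectB.iam.gserviceaccount.com"
  delegates              = ["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"]
  scopes                 = ["cloud-platform"]
  lifetime               = "300s"

  # Make sure both grants exist before the token is requested.
  depends_on = [
    "google_service_account_iam_member.a-to-delegate",
    "google_service_account_iam_member.delegate-to-b",
  ]
}

provider "google" {
  alias        = "as_service_b"
  access_token = "${data.google_service_account_access_token.via_delegate.access_token}"
}

# Runs as service_B; the output should report service_B's email.
data "google_client_openid_userinfo" "delegated" {
  provider = "google.as_service_b"
}

output "delegated-email" {
  value = "${data.google_client_openid_userinfo.delegated.email}"
}
```

Because IAM changes can take a short while to propagate, the first apply after creating the two grants may still be refused; applying the IAM bindings in a separate, earlier run avoids that race. The `google_service_account_iam_member` resources are used here instead of `google_service_account_iam_binding` so that the grants are additive and do not remove other existing Token Creator members on those accounts.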

## Attributes Reference

The following attribute is exported:

* `access_token` - The OAuth 2.0 bearer `access_token` issued for the impersonated service account.