---
page_title: "Google: google_service_account_access_token"
sidebar_current: "docs-google-service-account-access-token"
description: |-
  Produces access_token for impersonated service accounts
---
# google_service_account_access_token

This data source provides a google `oauth2` `access_token` for a different service account than the one initially running the script.

For more information see the official documentation as well as `iamcredentials.generateAccessToken()`.
## Example Usage

To allow `service_A` to impersonate `service_B`, grant the Service Account Token Creator role on B to A.

In the IAM policy below, `service_A` is given the Token Creator role to impersonate `service_B`:
```hcl
resource "google_service_account_iam_binding" "token-creator-iam" {
  service_account_id = "projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com"
  role               = "roles/iam.serviceAccountTokenCreator"
  members = [
    "serviceAccount:service_A@projectA.iam.gserviceaccount.com",
  ]
}
```
Once the IAM permissions are set, you can apply the new token to a provider bootstrapped with it. Any resource that references the aliased provider will run as the new identity.

In the example below, `google_project` will run as `service_B`.
```hcl
provider "google" {}

data "google_client_config" "default" {
  provider = "google"
}

data "google_service_account_access_token" "default" {
  provider               = "google"
  target_service_account = "service_B@projectB.iam.gserviceaccount.com"
  scopes                 = ["userinfo-email", "cloud-platform"]
  lifetime               = "300s"
}

provider "google" {
  alias        = "impersonated"
  access_token = "${data.google_service_account_access_token.default.access_token}"
}

data "google_client_openid_userinfo" "me" {
  provider = "google.impersonated"
}

output "target-email" {
  value = "${data.google_client_openid_userinfo.me.email}"
}
```
**Note**: the generated token is non-refreshable and can have a maximum `lifetime` of `3600` seconds.
## Argument Reference

The following arguments are supported:

* `target_service_account` (Required) - The service account to impersonate (e.g. `service_B@your-project-id.iam.gserviceaccount.com`)
* `scopes` (Required) - The scopes the new credential should have (e.g. `["storage-ro", "cloud-platform"]`)
* `delegates` (Optional) - Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g. `["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"]`)
* `lifetime` (Optional) - Lifetime of the impersonated token (defaults to its max: `3600s`).
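The grant model behind the Example Usage section and the `delegates` argument can be checked offline before a plan is applied: a principal can mint a token for a service account only if it holds `roles/iam.serviceAccountTokenCreator` on that account, and a delegate chain is authorised hop by hop (the caller on the first delegate, each delegate on the next, the last delegate on the target). The script below is an added example, not code from the Terraform provider or its documentation. The `SAMPLE_POLICIES` dictionary is constructed sample data modelled on the `service_A` / `service_B` example above, with an extra `delegate` and `service_C` account added to show a chain; the helper names (`check_chain`, `reachable_accounts`, `lint_request`) are hypothetical, and in practice the policies would come from `gcloud iam service-accounts get-iam-policy <account> --format=json`.

```python
"""Offline review of service-account impersonation paths.

Added example (not part of the Terraform provider). Models the rule this
page describes: holding roles/iam.serviceAccountTokenCreator on a service
account lets you generate an access token for it, and a delegate chain is
checked one hop at a time. SAMPLE_POLICIES is constructed test data.
"""
import re
from collections import deque

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
MAX_LIFETIME_S = 3600  # ceiling for the generated token stated on this page
_SA_PREFIX = "projects/-/serviceAccounts/"

# Constructed: the IAM policy of each service account, keyed by its email.
SAMPLE_POLICIES = {
    "service_B@projectB.iam.gserviceaccount.com": {"bindings": [
        {"role": TOKEN_CREATOR,
         "members": ["serviceAccount:service_A@projectA.iam.gserviceaccount.com"]},
    ]},
    "delegate@projectB.iam.gserviceaccount.com": {"bindings": [
        {"role": TOKEN_CREATOR,
         "members": ["serviceAccount:service_A@projectA.iam.gserviceaccount.com"]},
    ]},
    "service_C@projectB.iam.gserviceaccount.com": {"bindings": [
        {"role": TOKEN_CREATOR,
         "members": ["serviceAccount:delegate@projectB.iam.gserviceaccount.com"]},
        # An unrelated role on the same account grants no impersonation right.
        {"role": "roles/viewer",
         "members": ["serviceAccount:service_A@projectA.iam.gserviceaccount.com"]},
    ]},
}


def account_email(name):
    """Accept a bare email or the projects/-/serviceAccounts/<email> form."""
    return name[len(_SA_PREFIX):] if name.startswith(_SA_PREFIX) else name


def token_creators(policies, account):
    """Service-account emails holding Token Creator directly on `account`."""
    holders = set()
    for binding in policies.get(account, {}).get("bindings", []):
        if binding.get("role") != TOKEN_CREATOR:
            continue
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                holders.add(member[len("serviceAccount:"):])
    return holders


def check_chain(policies, caller, target, delegates=()):
    """Verify caller -> delegates... -> target hop by hop.

    Returns (True, None), or (False, (src, dst)) for the first hop where
    `src` lacks the Token Creator grant on `dst`.
    """
    chain = [account_email(n) for n in (caller, *delegates, target)]
    for src, dst in zip(chain, chain[1:]):
        if src not in token_creators(policies, dst):
            return False, (src, dst)
    return True, None


def reachable_accounts(policies, caller):
    """Every account `caller` could act as through some chain of grants.

    A single Token Creator binding can open a path to accounts the grantor
    never considered, so this is the set to review before approving one.
    """
    seen, queue = set(), deque([account_email(caller)])
    while queue:
        current = queue.popleft()
        for account in policies:
            if account not in seen and current in token_creators(policies, account):
                seen.add(account)
                queue.append(account)
    return seen


def parse_lifetime(lifetime):
    """Parse the data source's `lifetime` string (e.g. "300s") into seconds."""
    m = re.fullmatch(r"(\d+)s", lifetime)
    if not m:
        raise ValueError(f"lifetime must look like '300s', got {lifetime!r}")
    return int(m.group(1))


def lint_request(policies, caller, target, scopes, lifetime="3600s", delegates=()):
    """Collect problems with a planned google_service_account_access_token request."""
    problems = []
    if parse_lifetime(lifetime) > MAX_LIFETIME_S:
        problems.append(f"lifetime {lifetime} exceeds the {MAX_LIFETIME_S}s maximum")
    if not scopes:
        problems.append("scopes is required and must not be empty")
    ok, hop = check_chain(policies, caller, target, delegates)
    if not ok:
        problems.append(f"{hop[0]} lacks {TOKEN_CREATOR} on {hop[1]}")
    return problems


if __name__ == "__main__":
    caller = "service_A@projectA.iam.gserviceaccount.com"
    print("reachable from service_A:", sorted(reachable_accounts(SAMPLE_POLICIES, caller)))
    print(lint_request(SAMPLE_POLICIES, caller,
                       "service_C@projectB.iam.gserviceaccount.com",
                       ["cloud-platform"], "300s",
                       delegates=[_SA_PREFIX + "delegate@projectB.iam.gserviceaccount.com"]))
```

`reachable_accounts` is the defender's view of the page's IAM binding: it answers "which identities can this principal end up running as", which is what to review when a Token Creator grant is requested. `check_chain` mirrors the per-hop rule for `delegates`, so a plan that lists a delegate without the corresponding grant is flagged before the API call fails.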
## Attributes Reference

The following attribute is exported:

* `access_token` - The `access_token` representing the new generated identity.