terraform-provider-google/website/docs/d/datasource_google_service_account_access_token.html.markdown
The Magician 6121d539c2 Add google_impersonated_credential datasource (#3357)
Signed-off-by: Modular Magician <magic-modules@google.com>
2019-04-01 17:21:13 -07:00


---
layout: "google"
page_title: "Google: google_service_account_access_token"
sidebar_current: "docs-google-service-account-access-token"
description: |-
  Produces access_token for impersonated service accounts
---

# google_service_account_access_token

This data source provides a Google OAuth2 `access_token` for a different service account than the one initially running the script, i.e. it impersonates the target service account.

For more information see the official documentation on short-lived service account credentials as well as the `iamcredentials.generateAccessToken()` API method.

## Example Usage

To allow `service_A` to impersonate `service_B`, grant `service_A` the Service Account Token Creator role (`roles/iam.serviceAccountTokenCreator`) on `service_B`.

In the IAM policy below, `service_A` is given the Token Creator role so that it can impersonate `service_B`:

```hcl
resource "google_service_account_iam_binding" "token-creator-iam" {
  service_account_id = "projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com"
  role               = "roles/iam.serviceAccountTokenCreator"
  members = [
    "serviceAccount:service_A@projectA.iam.gserviceaccount.com",
  ]
}
```

Once the IAM permissions are set, you can pass the generated token to a provider that is bootstrapped with it. Any resource or data source that references the aliased provider will run as the new identity.

In the example below, the `google_client_openid_userinfo` data source is read through the `google.impersonated` provider alias and therefore runs as `service_B`, so the output reports `service_B`'s email:

```hcl
provider "google" {}

data "google_client_config" "default" {
  provider = "google"
}

data "google_service_account_access_token" "default" {
  provider               = "google"
  target_service_account = "service_B@projectB.iam.gserviceaccount.com"
  scopes                 = ["userinfo-email", "cloud-platform"]
  lifetime               = "300s"
}

provider "google" {
  alias        = "impersonated"
  access_token = "${data.google_service_account_access_token.default.access_token}"
}

data "google_client_openid_userinfo" "me" {
  provider = "google.impersonated"
}

output "target-email" {
  value = "${data.google_client_openid_userinfo.me.email}"
}
```

**Note**: the generated token is non-refreshable and can have a maximum lifetime of 3600 seconds; it is also stored in Terraform state, so treat the state file as a secret.

## Argument Reference

The following arguments are supported:

* `target_service_account` (Required) - The service account to impersonate (e.g. `service_B@your-project-id.iam.gserviceaccount.com`).
* `scopes` (Required) - The scopes the new credential should have (e.g. `["storage-ro", "cloud-platform"]`).
* `delegates` (Optional) - Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account names (e.g. `["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"]`).
* `lifetime` (Optional) - Lifetime of the impersonated token (defaults to its maximum, `3600s`).
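The `delegates` argument is only described above, not shown in use. The following is an added example (not from the provider's own documentation) of a two-hop delegation chain: the identity Terraform runs as can mint tokens for a delegate account, and only the delegate can mint tokens for the final target. The service account names `terraform-runner@projectA...`, `delegate-svc@projectA...` and the `as_service_b` alias are placeholders; `service_B@projectB...` is the target used elsewhere on this page. Keeping the direct Token Creator grant on the target off the calling identity is the point of the chain: the caller's own credentials are never sufficient to reach `service_B` on their own.

```hcl
# Added example, not part of the provider documentation.
# Assumed (placeholder) identities:
#   caller   = terraform-runner@projectA.iam.gserviceaccount.com  (identity Terraform runs as)
#   delegate = delegate-svc@projectA.iam.gserviceaccount.com
#   target   = service_B@projectB.iam.gserviceaccount.com

# Hop 1: the caller may create tokens for the delegate only.
resource "google_service_account_iam_member" "caller_on_delegate" {
  service_account_id = "projects/-/serviceAccounts/delegate-svc@projectA.iam.gserviceaccount.com"
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:terraform-runner@projectA.iam.gserviceaccount.com"
}

# Hop 2: the delegate may create tokens for the target. The caller itself
# deliberately receives no grant on the target.
resource "google_service_account_iam_member" "delegate_on_target" {
  service_account_id = "projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com"
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:delegate-svc@projectA.iam.gserviceaccount.com"
}

# Request a short-lived token for the target, naming the delegate chain in
# order (caller -> delegate -> target). Each account in the chain needs the
# Token Creator role on the next one, as granted above.
data "google_service_account_access_token" "delegated" {
  target_service_account = "service_B@projectB.iam.gserviceaccount.com"

  delegates = [
    "projects/-/serviceAccounts/delegate-svc@projectA.iam.gserviceaccount.com",
  ]

  scopes   = ["cloud-platform"]
  lifetime = "600s" # keep it short; 3600s is the hard maximum

  # Make sure the bindings exist before the token is requested.
  depends_on = [
    "google_service_account_iam_member.caller_on_delegate",
    "google_service_account_iam_member.delegate_on_target",
  ]
}

# Provider alias bootstrapped with the delegated token; anything that
# references it runs as service_B.
provider "google" {
  alias        = "as_service_b"
  access_token = "${data.google_service_account_access_token.delegated.access_token}"
}

# Verify which identity the aliased provider is actually using.
data "google_client_openid_userinfo" "as_service_b" {
  provider = "google.as_service_b"
}

output "delegated-email" {
  value = "${data.google_client_openid_userinfo.as_service_b.email}"
}
```

Per-account `google_service_account_iam_member` resources are used instead of a single `google_service_account_iam_binding` so that each grant is scoped to one principal on one account; the `delegated-email` output is a cheap check that the token really represents `service_B` and not the delegate.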

## Attributes Reference

The following attribute is exported:

* `access_token` - The `access_token` representing the newly generated identity.