public/terraform-provider-google
0
0
Fork 0
mirror of https://github.com/letic/terraform-provider-google.git synced 2024-07-24 18:46:00 +00:00
Code Issues Projects Releases Wiki Activity
9f06d8a085
terraform-provider-google/website/docs/d/datasource_google_service_account_access_token.html.markdown
The Magician 6121d539c2 Add google_impersonated_credential datasource (#3357) 
Signed-off-by: Modular Magician <magic-modules@google.com>
2019-04-01 17:21:13 -07:00

80 lines
3.0 KiB
Markdown
Raw Blame History

---
layout: "google"
page_title: "Google: google_service_account_access_token"
sidebar_current: "docs-google-service-account-access-token"
description: |-
Produces access_token for impersonated service accounts
---
# google\_service\_account\_access\_token
This data source provides a google `oauth2` `access_token` for a different service account than the one initially running the script.
For more information see
[the official documentation](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials) as well as [iamcredentials.generateAccessToken()](https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken)
## Example Usage
To allow `service_A` to impersonate `service_B`, grant the [Service Account Token Creator](https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role) on B to A.
In the IAM policy below, `service_A` is given the Token Creator role impersonate `service_B`
```sh
resource "google_service_account_iam_binding" "token-creator-iam" {
service_account_id = "projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com"
role = "roles/iam.serviceAccountTokenCreator"
members = [
"serviceAccount:service_A@projectA.iam.gserviceaccount.com",
]
}
```
Once the IAM permissions are set, you can apply the new token to a provider bootstrapped with it. Any resources that references the aliased provider will run as the new identity.
In the example below, `google_project` will run as `service_B`.
```hcl
provider "google" {}
data "google_client_config" "default" {
provider = "google"
}
data "google_service_account_access_token" "default" {
provider = "google"
target_service_account = "service_B@projectB.iam.gserviceaccount.com"
scopes = ["userinfo-email", "cloud-platform"]
lifetime = "300s"
}
provider "google" {
alias = "impersonated"
access_token = "${data.google_service_account_access_token.default.access_token}"
}
data "google_client_openid_userinfo" "me" {
provider = "google.impersonated"
}
output "target-email" {
value = "${data.google_client_openid_userinfo.me.email}"
}
```
> *Note*: the generated token is non-refreshable and can have a maximum `lifetime` of `3600` seconds.
## Argument Reference
The following arguments are supported:
* `target_service_account` (Required) - The service account _to_ impersonate (e.g. `service_B@your-project-id.iam.gserviceaccount.com`)
* `scopes` (Required) - The scopes the new credential should have (e.g. `["storage-ro", "cloud-platform"]`)
* `delegates` (Optional) - Deegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g. `["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"]`)
* `lifetime` (Optional) Lifetime of the impersonated token (defaults to its max: `3600s`).
## Attributes Reference
The following attribute is exported:
* `access_token` - The `access_token` representing the new generated identity.
Reference in New Issue View Git Blame Copy Permalink