layout | page_title | sidebar_current | description |
---|---|---|---|
Google: google_client_openid_userinfo | docs-google-datasource-client-openid-userinfo | Get OpenID userinfo about the credentials used with the Google provider, specifically the email. |
google_client_openid_userinfo
Get OpenID userinfo about the credentials used with the Google provider, specifically the email.
When the `https://www.googleapis.com/auth/userinfo.email` scope is enabled in
your provider block, this data source lets you export the email of the
account the provider authenticated with. Combined with
`data.google_client_config`'s `access_token`, it can be used to perform
OpenID Connect authentication against GKE and to create an RBAC role binding
for that email.
~> This resource will only work as expected if the provider is configured to
use the https://www.googleapis.com/auth/userinfo.email
scope! You will
receive an error otherwise.
Example Usage - exporting an email
# NOTE(review): setting `scopes` appears to replace the provider's default
# scope list rather than extend it (the first four entries match the
# documented defaults) — confirm against the provider docs before trimming.
# `userinfo.email` is the one this data source actually needs; without it
# `google_client_openid_userinfo` returns an error.
provider "google" {
  scopes = [
    "https://www.googleapis.com/auth/compute",
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/ndev.clouddns.readwrite",
    "https://www.googleapis.com/auth/devstorage.full_control",
    # Required for google_client_openid_userinfo.
    "https://www.googleapis.com/auth/userinfo.email",
  ]
}
# Looks up the email of the credentials the google provider is using.
# Takes no arguments; exports `email`.
data "google_client_openid_userinfo" "me" {}
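# Email of the identity the google provider authenticated as. The reference
# must name the data source declared above, `google_client_openid_userinfo`;
# there is no `google_client_openid_useremail` data source, so the previous
# reference could not be resolved.
output "my-email" {
  value = "${data.google_client_openid_userinfo.me.email}"
}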
Example Usage - OpenID Connect with the Kubernetes provider + RBAC cluster role binding
# NOTE(review): setting `scopes` appears to replace the provider's default
# scope list rather than extend it (the first four entries match the
# documented defaults) — confirm against the provider docs before trimming.
# `userinfo.email` is required for google_client_openid_userinfo below.
provider "google" {
  scopes = [
    "https://www.googleapis.com/auth/compute",
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/ndev.clouddns.readwrite",
    "https://www.googleapis.com/auth/devstorage.full_control",
    # Required for google_client_openid_userinfo.
    "https://www.googleapis.com/auth/userinfo.email",
  ]
}
# Email of the identity the google provider authenticated as; used below as
# the RBAC subject name.
data "google_client_openid_userinfo" "provider_identity" {}
# Exposes the provider's OAuth `access_token`, passed to the kubernetes
# provider below. NOTE(review): like any data-source attribute this value is
# recorded in plan/state output — treat state as sensitive. Confirm against
# the google_client_config docs.
data "google_client_config" "provider" {}
# Reads the existing GKE cluster to obtain its API endpoint and the CA
# certificate used to verify the API server (master_auth) below.
data "google_container_cluster" "my_cluster" {
  name = "my-cluster"
  zone = "us-east1-a"
}
# Authenticates the kubernetes provider to the GKE cluster with the same
# credentials the google provider is using. No kubeconfig file is read, and
# the API server's TLS certificate is verified against the CA published by
# the cluster rather than being skipped.
provider "kubernetes" {
  load_config_file = false
  # Endpoint of the cluster looked up above.
  host = "https://${data.google_container_cluster.my_cluster.endpoint}"
  # OAuth access token of the provider identity (bearer auth to the API server).
  token = "${data.google_client_config.provider.access_token}"
  # Cluster CA, base64-encoded in master_auth; pins the server certificate.
  cluster_ca_certificate = "${base64decode(data.google_container_cluster.my_cluster.master_auth.0.cluster_ca_certificate)}"
}
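# Binds the provider identity to the built-in `cluster-admin` ClusterRole.
# `cluster-admin` grants unrestricted access to every resource in the
# cluster and is used here only to keep the example short; outside a demo,
# bind a narrower Role/ClusterRole that covers just what Terraform manages.
resource "kubernetes_cluster_role_binding" "user" {
  metadata {
    name = "provider-user-admin"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }

  # The subject name is the email exported by the google_client_openid_userinfo
  # data source declared above. The reference must use that data source type;
  # `google_client_openid_useremail` does not exist and cannot be resolved.
  # NOTE(review): this assumes GKE presents the provider credentials to the
  # API server as a User named by that email — confirm for the credential
  # type in use (user vs. service account).
  subject {
    kind = "User"
    name = "${data.google_client_openid_userinfo.provider_identity.email}"
  }
}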
Argument Reference
There are no arguments available for this data source.
Attributes Reference
The following attributes are exported:
email
- The email of the account used by the provider to authenticate with GCP.