googleAccessApprovalFolderServiceAccount

Get the email address of a folder's Access Approval service account.

Each Google Cloud folder has a unique service account used by Access Approval. When using Access Approval with a custom signing key, this account needs to be granted the cloudkmsSignerVerifier IAM role on the Cloud KMS key used to sign approvals.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const dataGoogleAccessApprovalFolderServiceAccountServiceAccount =
  new google.dataGoogleAccessApprovalFolderServiceAccount.DataGoogleAccessApprovalFolderServiceAccount(
    this,
    "service_account",
    {
      folder_id: "my-folder",
    }
  );
new google.kmsCryptoKeyIamMember.KmsCryptoKeyIamMember(this, "iam", {
  crypto_key_id: "${google_kms_crypto_key.crypto_key.id}",
  member: `serviceAccount:\${${dataGoogleAccessApprovalFolderServiceAccountServiceAccount.accountEmail}}`,
  role: "roles/cloudkms.signerVerifier",
});

Argument Reference

The following arguments are supported:

folderId - (Required) The folder ID the service account was created for.

Attributes Reference

The following attributes are exported:

name - The Access Approval service account resource name. Format is "folders/{folder_id}/serviceAccount".
accountEmail - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.