googleAccessApprovalOrganizationServiceAccount
Get the email address of an organization's Access Approval service account.
Each Google Cloud organization has a unique service account used by Access Approval. When using Access Approval with a custom signing key, this account needs to be granted the cloudkms.signerVerifier IAM role on the Cloud KMS key used to sign approvals.
Example Usage
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as google from "./.gen/providers/google";
/* The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
   For a more precise conversion please use the --provider flag in convert. */

// Runs inside a construct (for example a TerraformStack constructor), where `this` is the scope.
// Look up the organization's Access Approval service account.
const dataGoogleAccessApprovalOrganizationServiceAccountServiceAccount =
  new google.dataGoogleAccessApprovalOrganizationServiceAccount.DataGoogleAccessApprovalOrganizationServiceAccount(
    this,
    "service_account",
    {
      organizationId: "my-organization",
    }
  );
// Grant that account the signer/verifier role on the Cloud KMS key used to sign approvals.
// The crypto key (google_kms_crypto_key.crypto_key) is defined elsewhere in the configuration.
new google.kmsCryptoKeyIamMember.KmsCryptoKeyIamMember(this, "iam", {
  cryptoKeyId: "${google_kms_crypto_key.crypto_key.id}",
  member: `serviceAccount:${dataGoogleAccessApprovalOrganizationServiceAccountServiceAccount.accountEmail}`,
  role: "roles/cloudkms.signerVerifier",
});
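To check that the grant described above is present on the key and no broader than needed, the following added example (not part of the provider documentation) audits a key-level IAM policy for the service account's email. The `auditSignerBinding` helper, the sample email and the sample policy are constructed for illustration; the policy shape covers only the binding fields used here.

```typescript
// Subset of an IAM policy document: role bindings with optional conditions.
interface Binding { role: string; members: string[]; condition?: { expression: string } }
interface Policy { bindings?: Binding[] }

const SIGNER_ROLE = "roles/cloudkms.signerVerifier";

interface Audit { granted: boolean; conditionalOnly: boolean; extraRoles: string[] }

// Audit the policy attached to the KMS key itself. Grants inherited from the
// key ring, project or organization are not visible in this document.
function auditSignerBinding(policy: Policy, accountEmail: string): Audit {
  const member = `serviceAccount:${accountEmail}`;
  let granted = false;
  let conditional = false;
  const extraRoles: string[] = [];
  for (const b of policy.bindings ?? []) {
    if (!b.members.includes(member)) continue;
    if (b.role !== SIGNER_ROLE) {
      extraRoles.push(b.role); // more than the signer/verifier role on this key
    } else if (b.condition) {
      conditional = true; // grant applies only when the condition holds
    } else {
      granted = true;
    }
  }
  return { granted, conditionalOnly: !granted && conditional, extraRoles: extraRoles.sort() };
}

// Constructed sample values (not a real account or policy).
const sampleEmail = "access-approval-sa@example.iam.gserviceaccount.com";
const samplePolicy: Policy = {
  bindings: [
    { role: "roles/cloudkms.admin", members: [`serviceAccount:${sampleEmail}`] },
    {
      role: SIGNER_ROLE,
      members: [`serviceAccount:${sampleEmail}`],
      condition: { expression: "request.time < timestamp('2030-01-01T00:00:00Z')" },
    },
    { role: SIGNER_ROLE, members: ["user:someone@example.com"] },
  ],
};

const sampleAudit = auditSignerBinding(samplePolicy, sampleEmail);
console.log(sampleAudit);
```

In the sample, the account holds the signer role only through a conditional binding and also holds an admin role on the key, so the audit reports `conditionalOnly` and lists the extra role.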
Argument Reference
The following arguments are supported:
- organizationId - (Required) The organization ID the service account was created for.
Attributes Reference
The following attributes are exported:
- name - The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
- accountEmail - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.