googleBigqueryDefaultServiceAccount

Get the email address of a project's unique BigQuery service account.

Each Google Cloud project has a unique service account used by BigQuery. When using BigQuery with customer-managed encryption keys, this account needs to be granted the roles/cloudkms.cryptoKeyEncrypterDecrypter IAM role on the customer-managed Cloud KMS key used to protect the data.

For more information see the API reference.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*This fragment belongs inside a TerraformStack or Construct, where `this` is the scope.*/
// Look up the project's BigQuery service account.
const dataGoogleBigqueryDefaultServiceAccountBqSa =
  new google.dataGoogleBigqueryDefaultServiceAccount.DataGoogleBigqueryDefaultServiceAccount(
    this,
    "bq_sa",
    {}
  );
// Grant that account use of the CMEK key. The key expression refers to a
// google_kms_crypto_key resource named "key" defined elsewhere in the stack.
new google.kmsCryptoKeyIamMember.KmsCryptoKeyIamMember(this, "key_sa_user", {
  cryptoKeyId: "${google_kms_crypto_key.key.id}",
  member: `serviceAccount:${dataGoogleBigqueryDefaultServiceAccountBqSa.email}`,
  role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
});

Argument Reference

The following arguments are supported:

  • project - (Optional) The project the unique service account was created for. If it is not provided, the provider project is used.

Attributes Reference

The following attributes are exported:

  • email - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.

  • member - The identity of the service account in the form serviceAccount:{email}. This value is often used to refer to the service account in order to grant IAM permissions.
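
The grant described in the introduction can be checked before deployment. The following added example (not part of the provider documentation or the generated bindings) lints a synthesized Terraform JSON stack, such as the cdk.tf.json that CDKTF writes, and reports BigQuery datasets whose CMEK key lacks the grant, plus member strings that do not resolve to the email or member attribute. The function names, the sample stack and the literal comparison of key references are assumptions made for illustration.

```typescript
type Json = Record<string, any>;
const ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter";
const BQ_DS = "google_bigquery_default_service_account";
// Valid members: the data source's `member` attribute, or "serviceAccount:" + its `email`.
const BQ_SA_MEMBER = new RegExp(
  "^(\\$\\{data\\." + BQ_DS + "\\.[\\w-]+\\.member\\}" +
  "|serviceAccount:\\$\\{data\\." + BQ_DS + "\\.[\\w-]+\\.email\\})$"
);
// Terraform JSON allows a nested block to be an object or a list of objects.
function blocks(v: any): Json[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

function auditCmekGrants(stack: Json): string[] {
  const res: Json = stack.resource ?? {};
  const datasets: Json = res.google_bigquery_dataset ?? {};
  const members: Json = res.google_kms_crypto_key_iam_member ?? {};
  const findings: string[] = [];
  for (const name of Object.keys(datasets)) {
    for (const enc of blocks(datasets[name].default_encryption_configuration)) {
      // Assumption: key references are compared as literal expression strings.
      const granted = Object.keys(members).some((m) =>
        members[m].crypto_key_id === enc.kms_key_name &&
        members[m].role === ROLE && BQ_SA_MEMBER.test(String(members[m].member)));
      if (!granted) findings.push(`${name}: BigQuery service account lacks ${ROLE} on ${enc.kms_key_name}`);
    }
  }
  for (const m of Object.keys(members)) {
    const member = String(members[m].member);
    if (member.indexOf(BQ_DS) !== -1 && !BQ_SA_MEMBER.test(member)) findings.push(`${m}: malformed member "${member}"`);
  }
  return findings;
}

// Constructed sample input (not from a real project).
const KEY = "${google_kms_crypto_key.key.id}", OTHER = "${google_kms_crypto_key.other.id}";
const sampleStack: Json = {
  data: { [BQ_DS]: { bq_sa: {} } },
  resource: {
    google_bigquery_dataset: {
      sales: { dataset_id: "sales", default_encryption_configuration: { kms_key_name: KEY } },
      logs: { dataset_id: "logs", default_encryption_configuration: { kms_key_name: OTHER } },
    },
    google_kms_crypto_key_iam_member: {
      key_sa_user: { crypto_key_id: KEY, role: ROLE, member: "${data." + BQ_DS + ".bq_sa.member}" },
      broken: { crypto_key_id: OTHER, role: ROLE, member: "serviceAccount:${${data." + BQ_DS + ".bq_sa.email}}" },
    },
  },
};
const sampleFindings = auditCmekGrants(sampleStack);
```

On the sample, the check reports the logs dataset as ungranted and the broken binding as malformed, because a doubly wrapped interpolation does not resolve to the service account.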