
googleClientOpenidUserinfo

Get OpenID userinfo about the credentials used with the Google provider, specifically the email.

This data source exports the email of the account the provider is authenticated as. Together with the accessToken attribute of dataGoogleClientConfig, it lets you authenticate to GKE with OpenID Connect and bind an RBAC role to that same email.

~> This data source only works as expected if the provider is configured to use the https://www.googleapis.com/auth/userinfo.email scope; you will receive an error otherwise. The provider requests this scope by default.

Example Usage - exporting an email

import { Construct } from "constructs";
import { App, TerraformStack, TerraformOutput } from "cdktf";
// Provider bindings are generated by running `cdktf get`.
// See https://cdk.tf/provider-generation for more details.
import * as google from "./.gen/providers/google";

class OpenidUserinfoStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // Reads the OpenID userinfo of the identity the google provider is
    // configured with. The data source takes no arguments.
    const dataGoogleClientOpenidUserinfoMe =
      new google.dataGoogleClientOpenidUserinfo.DataGoogleClientOpenidUserinfo(
        this,
        "me",
        {}
      );

    new TerraformOutput(this, "my-email", {
      value: dataGoogleClientOpenidUserinfoMe.email,
    });
  }
}

const app = new App();
new OpenidUserinfoStack(app, "openid-userinfo");
app.synth();

Example Usage - OpenID Connect w/ Kubernetes provider + RBAC IAM role

import { Construct } from "constructs";
import { App, TerraformStack, Fn } from "cdktf";
// Provider bindings are generated by running `cdktf get`.
// See https://cdk.tf/provider-generation for more details.
import * as google from "./.gen/providers/google";
import * as kubernetes from "./.gen/providers/kubernetes";

class GkeOidcRbacStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // Short-lived OAuth2 access token of the identity the google provider uses.
    const dataGoogleClientConfigProvider =
      new google.dataGoogleClientConfig.DataGoogleClientConfig(this, "provider", {});

    // Email of that same identity (requires the userinfo.email scope).
    const dataGoogleClientOpenidUserinfoProviderIdentity =
      new google.dataGoogleClientOpenidUserinfo.DataGoogleClientOpenidUserinfo(
        this,
        "provider_identity",
        {}
      );

    const dataGoogleContainerClusterMyCluster =
      new google.dataGoogleContainerCluster.DataGoogleContainerCluster(this, "my_cluster", {
        name: "my-cluster",
        zone: "us-east1-a",
      });

    // Authenticate the kubernetes provider to the cluster with the access token.
    // master_auth is exposed as a list with one entry; its CA certificate is
    // base64-encoded and is decoded with the Terraform base64decode function.
    new kubernetes.provider.KubernetesProvider(this, "kubernetes", {
      host: `https://${dataGoogleContainerClusterMyCluster.endpoint}`,
      clusterCaCertificate: Fn.base64decode(
        dataGoogleContainerClusterMyCluster.masterAuth.get(0).clusterCaCertificate
      ),
      token: dataGoogleClientConfigProvider.accessToken,
    });

    // Bind the cluster-admin ClusterRole to the provider identity's email.
    new kubernetes.clusterRoleBinding.ClusterRoleBinding(this, "user", {
      metadata: { name: "provider-user-admin" },
      roleRef: {
        apiGroup: "rbac.authorization.k8s.io",
        kind: "ClusterRole",
        name: "cluster-admin",
      },
      subject: [
        {
          kind: "User",
          name: dataGoogleClientOpenidUserinfoProviderIdentity.email,
        },
      ],
    });
  }
}

const app = new App();
new GkeOidcRbacStack(app, "gke-oidc-rbac");
app.synth();
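The binding above trusts whatever email the provider reports. As an added example that is not part of the provider documentation, the plain TypeScript below (no CDKTF bindings needed) shows the same flow outside Terraform: it checks that the token actually carries the userinfo.email scope the note above requires and that the email is verified, and only then emits the ClusterRoleBinding manifest. The userinfo and tokeninfo response shapes, the function names and the sample values are assumptions constructed for this example.

```typescript
// Added example, not from the google provider docs. Response shapes are
// assumptions modelled on the Google OAuth2 userinfo/tokeninfo endpoints.
const REQUIRED_SCOPE = "https://www.googleapis.com/auth/userinfo.email";

interface UserInfo { email?: string; email_verified?: boolean }
interface TokenInfo { scope?: string }

// Mirrors the data source's precondition: without the userinfo.email scope the
// provider errors out instead of returning an email.
function hasEmailScope(info: TokenInfo): boolean {
  return (info.scope ?? "").split(" ").includes(REQUIRED_SCOPE);
}

// Returns the email that may be used as an RBAC subject, or throws.
function rbacSubjectEmail(token: TokenInfo, user: UserInfo): string {
  if (!hasEmailScope(token)) throw new Error(`token lacks scope ${REQUIRED_SCOPE}`);
  if (!user.email) throw new Error("userinfo response carries no email");
  if (user.email_verified !== true) throw new Error(`email ${user.email} is not verified`);
  return user.email;
}

// Builds the same binding as the Terraform example above, as a plain manifest.
function clusterRoleBinding(name: string, role: string, email: string) {
  return {
    apiVersion: "rbac.authorization.k8s.io/v1",
    kind: "ClusterRoleBinding",
    metadata: { name },
    roleRef: { apiGroup: "rbac.authorization.k8s.io", kind: "ClusterRole", name: role },
    subjects: [{ kind: "User", name: email, apiGroup: "rbac.authorization.k8s.io" }],
  };
}

// Constructed sample responses (not real tokens or accounts).
const goodToken: TokenInfo = {
  scope: "openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/cloud-platform",
};
const noScopeToken: TokenInfo = { scope: "https://www.googleapis.com/auth/cloud-platform" };
const providerUser: UserInfo = { email: "operator@example.com", email_verified: true };

const manifest = clusterRoleBinding(
  "provider-user-admin",
  "cluster-admin",
  rbacSubjectEmail(goodToken, providerUser)
);
console.log(JSON.stringify(manifest, null, 2));
```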

Argument Reference

There are no arguments available for this data source.

Attributes Reference

The following attributes are exported:

  • email - The email of the account used by the provider to authenticate with GCP.