
googleServiceAccountAccessToken

This data source provides a Google OAuth2 access token for a service account other than the one the script is initially running as.

For more information see the official documentation as well as iamcredentials.generateAccessToken().

Example Usage

To allow serviceA to impersonate serviceB, grant the Service Account Token Creator role on serviceB to serviceA.

In the IAM policy below, serviceA is given the Token Creator role on serviceB so that it can impersonate serviceB.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.serviceAccountIamBinding.ServiceAccountIamBinding(
  this,
  "token-creator-iam",
  {
    // serviceA is the member; the binding is attached to serviceB's account
    members: ["serviceAccount:service_A@projectA.iam.gserviceaccount.com"],
    role: "roles/iam.serviceAccountTokenCreator",
    // CDKTF bindings use camelCase property names (the converter emitted service_account_id)
    serviceAccountId:
      "projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com",
  }
);

Once the IAM permissions are set, you can apply the new token to a provider bootstrapped with it. Any resource that references the aliased provider will run as the new identity.

In the example below, the googleProject resource would run as serviceB; the snippet reads back the impersonated identity with dataGoogleClientOpenidUserinfo and exports its email.

import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
// Default provider, running as the identity the script starts with (serviceA).
const googleProvider = new google.provider.GoogleProvider(this, "google", {});
new google.dataGoogleClientConfig.DataGoogleClientConfig(this, "default", {
  // CDKTF expects the provider object here, not a "${google}" string
  provider: googleProvider,
});
const dataGoogleServiceAccountAccessTokenDefault =
  new google.dataGoogleServiceAccountAccessToken.DataGoogleServiceAccountAccessToken(
    this,
    "default_2",
    {
      // Keep the lifetime short; the token cannot be refreshed
      lifetime: "300s",
      provider: googleProvider,
      scopes: ["userinfo-email", "cloud-platform"],
      // camelCase property name (the converter emitted target_service_account)
      targetServiceAccount: "service_B@projectB.iam.gserviceaccount.com",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataGoogleServiceAccountAccessTokenDefault.overrideLogicalId("default");
// Second provider, bootstrapped with the impersonated token (serviceB).
const googleImpersonated = new google.provider.GoogleProvider(
  this,
  "google_3",
  {
    accessToken: dataGoogleServiceAccountAccessTokenDefault.accessToken,
    alias: "impersonated",
  }
);
const dataGoogleClientOpenidUserinfoMe =
  new google.dataGoogleClientOpenidUserinfo.DataGoogleClientOpenidUserinfo(
    this,
    "me",
    {
      // Anything using this provider runs as serviceB
      provider: googleImpersonated,
    }
  );
new cdktf.TerraformOutput(this, "target-email", {
  value: dataGoogleClientOpenidUserinfoMe.email,
});

Note: the generated token is non-refreshable and can have a maximum lifetime of 3600 seconds.

Argument Reference

The following arguments are supported:

  • targetServiceAccount (Required) - The service account to impersonate (e.g. service_B@your-project-id.iam.gserviceaccount.com)
  • scopes (Required) - The scopes the new credential should have (e.g. ["cloud-platform"])
  • delegates (Optional) - Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g. ["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"])
  • lifetime (Optional) - Lifetime of the impersonated token (defaults to its max: 3600s).
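As an added example (not from the provider documentation or the cdktf project), the stand-alone TypeScript helper below checks the arguments listed above, and the 3600-second ceiling from the note earlier, before they are handed to the data source. It imports neither cdktf nor the generated provider bindings, so it runs on its own; the function and constant names are my own, and the sample values are constructed.

```typescript
// Added example: validates googleServiceAccountAccessToken arguments ahead of
// synthesis. The returned object uses the same property names as the data
// source's argument reference, so it can be spread into the CDKTF constructor.

// Hard limit documented for the generated (non-refreshable) token.
const MAX_TOKEN_LIFETIME_SECONDS = 3600;

// Fully qualified name prefix required for entries in `delegates`.
const SA_RESOURCE_PREFIX = "projects/-/serviceAccounts/";

// Loose check that a value looks like a service account email.
const SA_EMAIL = /^[^@\s/]+@[^@\s/]+\.iam\.gserviceaccount\.com$/;

interface AccessTokenConfig {
  targetServiceAccount: string;
  scopes: string[];
  delegates?: string[];
  lifetime?: string;
}

// Parses a lifetime such as "300s" (a whole number of seconds, which is the
// only form the generateAccessToken API takes) and returns the seconds.
function lifetimeSeconds(lifetime: string): number {
  const m = /^(\d+)s$/.exec(lifetime.trim());
  if (!m) {
    throw new Error(`lifetime must be a number of seconds like "300s", got "${lifetime}"`);
  }
  return Number(m[1]);
}

// Accepts a bare email or an already qualified name and returns the fully
// qualified form that the delegates argument requires.
function qualifyDelegate(delegate: string): string {
  const email =
    delegate.indexOf(SA_RESOURCE_PREFIX) === 0
      ? delegate.slice(SA_RESOURCE_PREFIX.length)
      : delegate;
  if (!SA_EMAIL.test(email)) {
    throw new Error(`delegate is not a service account email: "${email}"`);
  }
  return SA_RESOURCE_PREFIX + email;
}

// Returns a normalised config, or throws naming the argument that is wrong.
function buildAccessTokenConfig(input: AccessTokenConfig): AccessTokenConfig {
  if (!SA_EMAIL.test(input.targetServiceAccount)) {
    throw new Error(
      `targetServiceAccount is not a service account email: "${input.targetServiceAccount}"`
    );
  }
  const scopes = input.scopes.map((s) => s.trim());
  if (scopes.length === 0 || scopes.some((s) => s === "")) {
    throw new Error("scopes is required and must contain at least one non-empty scope");
  }
  const requested =
    input.lifetime !== undefined ? input.lifetime : `${MAX_TOKEN_LIFETIME_SECONDS}s`;
  const seconds = lifetimeSeconds(requested);
  if (seconds <= 0 || seconds > MAX_TOKEN_LIFETIME_SECONDS) {
    throw new Error(
      `lifetime must be between 1s and ${MAX_TOKEN_LIFETIME_SECONDS}s, got ${seconds}s`
    );
  }
  const config: AccessTokenConfig = {
    targetServiceAccount: input.targetServiceAccount,
    // De-duplicate scopes while keeping their order
    scopes: scopes.filter((s, i) => scopes.indexOf(s) === i),
    lifetime: `${seconds}s`,
  };
  if (input.delegates && input.delegates.length > 0) {
    config.delegates = input.delegates.map(qualifyDelegate);
  }
  return config;
}

// Constructed sample input mirroring the values used in the page's example.
const sampleConfig = buildAccessTokenConfig({
  targetServiceAccount: "service_B@projectB.iam.gserviceaccount.com",
  scopes: ["userinfo-email", "cloud-platform", "cloud-platform"],
  delegates: ["delegate-svc-account@projectB.iam.gserviceaccount.com"],
  lifetime: "300s",
});
```

Passing the result as the constructor's third argument keeps the lifetime explicit and bounded, which matters because the token cannot be refreshed once issued: a value above 3600s is rejected here rather than at apply time.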

Attributes Reference

The following attribute is exported:

  • accessToken - The accessToken representing the new generated identity.