# googleServiceAccountAccessToken

This data source provides a Google OAuth2 `accessToken` for a different service account than the one initially running the script.

For more information see the official documentation as well as iamcredentials.generateAccessToken().
## Example Usage

To allow `serviceA` to impersonate `serviceB`, grant the Service Account Token Creator role on B to A. In the IAM policy below, `serviceA` is given the Token Creator role to impersonate `serviceB`:
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";

// Grant serviceA the Token Creator role on serviceB's service account.
// CDKTF property names are camelCase (serviceAccountId, not service_account_id).
new google.serviceAccountIamBinding.ServiceAccountIamBinding(
  this,
  "token-creator-iam",
  {
    members: ["serviceAccount:service_A@projectA.iam.gserviceaccount.com"],
    role: "roles/iam.serviceAccountTokenCreator",
    serviceAccountId:
      "projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com",
  }
);
```
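The binding above is the control that decides who may mint tokens for `serviceB`, so it is the binding a reviewer wants to audit. The following is an added example, not code from the provider docs or the cdktf project: it reads the bindings of a service account's IAM policy (the JSON shape produced by `gcloud iam service-accounts get-iam-policy <sa> --format=json`) and reports every principal holding the Token Creator role, flagging grants to collective identities (a domain, a group, all users). The type and function names and the sample policy are this example's own.

```typescript
// Added example (not from the provider docs or cdktf): audit which principals can
// obtain tokens for a service account from its IAM policy bindings.

interface IamBinding {
  role: string;
  members: string[];
}

interface IamPolicy {
  bindings?: IamBinding[];
}

interface TokenCreatorReport {
  principals: string[]; // every member holding Token Creator on this account
  broadGrants: string[]; // members that are a collective identity rather than one user/SA
}

const TOKEN_CREATOR_ROLE = "roles/iam.serviceAccountTokenCreator";

// Member prefixes that hand the role to more than one identity at once.
const BROAD_MEMBER = /^(allUsers|allAuthenticatedUsers|domain:|group:)/;

function tokenCreators(policy: IamPolicy): TokenCreatorReport {
  const principals = new Set<string>();
  for (const binding of policy.bindings ?? []) {
    if (binding.role !== TOKEN_CREATOR_ROLE) continue;
    for (const member of binding.members) principals.add(member);
  }
  const sorted = Array.from(principals).sort();
  return {
    principals: sorted,
    broadGrants: sorted.filter((m) => BROAD_MEMBER.test(m)),
  };
}

// Constructed sample policy for service_B: the binding from the snippet above,
// plus a deliberately over-broad grant that the report should flag.
const samplePolicy: IamPolicy = {
  bindings: [
    {
      role: "roles/iam.serviceAccountUser",
      members: ["serviceAccount:service_A@projectA.iam.gserviceaccount.com"],
    },
    {
      role: TOKEN_CREATOR_ROLE,
      members: [
        "serviceAccount:service_A@projectA.iam.gserviceaccount.com",
        "domain:example.com",
      ],
    },
  ],
};

const report = tokenCreators(samplePolicy);
console.log(report); // principals: 2 entries, broadGrants: ["domain:example.com"]
```

Run it against the real policy export of each service account that appears as a `targetServiceAccount` in your stacks; anything in `broadGrants`, or any principal you do not recognise, is a path to impersonating that account that the stack did not intend to create.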
Once the IAM permissions are set, you can apply the new token to a provider bootstrapped with it. Any resource that references the aliased provider will run as the new identity. In the example below, `googleProject` will run as `serviceB`.
```typescript
import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";

// Default provider: runs as the identity executing the script (serviceA).
const googleDefault = new google.provider.GoogleProvider(this, "google", {});
new google.dataGoogleClientConfig.DataGoogleClientConfig(this, "default", {
  provider: googleDefault,
});

// Mint a short-lived, non-refreshable token for serviceB using serviceA's credentials.
const dataGoogleServiceAccountAccessTokenDefault =
  new google.dataGoogleServiceAccountAccessToken.DataGoogleServiceAccountAccessToken(
    this,
    "default_2",
    {
      lifetime: "300s",
      provider: googleDefault,
      scopes: ["userinfo-email", "cloud-platform"],
      targetServiceAccount: "service_B@projectB.iam.gserviceaccount.com",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataGoogleServiceAccountAccessTokenDefault.overrideLogicalId("default");

// Aliased provider bootstrapped with the impersonated token.
const googleImpersonated = new google.provider.GoogleProvider(
  this,
  "google_3",
  {
    accessToken: dataGoogleServiceAccountAccessTokenDefault.accessToken,
    alias: "impersonated",
  }
);

// Anything that references the aliased provider runs as serviceB.
const dataGoogleClientOpenidUserinfoMe =
  new google.dataGoogleClientOpenidUserinfo.DataGoogleClientOpenidUserinfo(
    this,
    "me",
    {
      provider: googleImpersonated,
    }
  );
new cdktf.TerraformOutput(this, "target-email", {
  value: dataGoogleClientOpenidUserinfoMe.email,
});
```
Note: the generated token is non-refreshable and can have a maximum `lifetime` of 3600 seconds.
## Argument Reference

The following arguments are supported:

* `targetServiceAccount` (Required) - The service account to impersonate (e.g. `service_B@your-project-id.iam.gserviceaccount.com`).
* `scopes` (Required) - The scopes the new credential should have (e.g. `["cloud-platform"]`).
* `delegates` (Optional) - Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name (e.g. `["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"]`).
* `lifetime` (Optional) - Lifetime of the impersonated token (defaults to its max: `3600s`).
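The arguments above, together with the 3600-second ceiling stated in the note, are simple enough to check before synthesis rather than discovering a rejected `lifetime` or a delegate that is not fully qualified at plan time. The following is an added example, not code from the provider docs or the cdktf project: a validator for the settings you would pass to `DataGoogleServiceAccountAccessToken`. It assumes `lifetime` is written as a whole number of seconds (`"300s"`, as in the docs), and the names `ImpersonationConfig`, `validateImpersonation` and `parseLifetimeSeconds` are this example's own.

```typescript
// Added example (not from the provider docs or cdktf): pre-synth validation of the
// impersonation settings described in the Argument Reference.

interface ImpersonationConfig {
  targetServiceAccount: string;
  scopes: string[];
  delegates?: string[];
  lifetime?: string; // Terraform duration string, e.g. "300s"; omitted = provider default (max)
}

// Ceiling stated in the docs: tokens live at most 3600 seconds and cannot be refreshed.
const MAX_LIFETIME_SECONDS = 3600;

// Service account e-mail, e.g. service_B@projectB.iam.gserviceaccount.com
const SA_EMAIL = /^[\w.-]+@[\w.-]+\.gserviceaccount\.com$/;
// Fully qualified resource name, which is what `delegates` requires.
const SA_RESOURCE = /^projects\/[^/]+\/serviceAccounts\/[\w.-]+@[\w.-]+\.gserviceaccount\.com$/;

// Assumption: lifetimes are given in whole seconds with an "s" suffix, as in the docs.
function parseLifetimeSeconds(lifetime: string): number {
  const m = /^(\d+)s$/.exec(lifetime.trim());
  if (!m) {
    throw new Error(`lifetime must look like "300s", got ${JSON.stringify(lifetime)}`);
  }
  return Number(m[1]);
}

// Returns a list of problems; an empty list means the config is acceptable.
function validateImpersonation(cfg: ImpersonationConfig): string[] {
  const problems: string[] = [];

  if (!SA_EMAIL.test(cfg.targetServiceAccount)) {
    problems.push(`targetServiceAccount is not a service account e-mail: ${cfg.targetServiceAccount}`);
  }

  if (cfg.scopes.length === 0 || cfg.scopes.some((s) => s.trim() === "")) {
    problems.push("scopes must contain at least one non-empty scope");
  }

  // Omitted lifetime means the provider default, which is the maximum.
  let seconds = MAX_LIFETIME_SECONDS;
  if (cfg.lifetime !== undefined) {
    try {
      seconds = parseLifetimeSeconds(cfg.lifetime);
    } catch (e) {
      problems.push((e as Error).message);
    }
  }
  if (seconds <= 0 || seconds > MAX_LIFETIME_SECONDS) {
    problems.push(`lifetime ${seconds}s is outside the allowed range 1..${MAX_LIFETIME_SECONDS}s`);
  }

  for (const delegate of cfg.delegates ?? []) {
    if (!SA_RESOURCE.test(delegate)) {
      problems.push(`delegate is not fully qualified (projects/-/serviceAccounts/...): ${delegate}`);
    }
  }
  return problems;
}

// Constructed inputs: the settings from the example above, and a misconfigured variant.
const fromDocs: ImpersonationConfig = {
  targetServiceAccount: "service_B@projectB.iam.gserviceaccount.com",
  scopes: ["userinfo-email", "cloud-platform"],
  lifetime: "300s",
};
const misconfigured: ImpersonationConfig = {
  targetServiceAccount: "service_B@projectB.iam.gserviceaccount.com",
  scopes: [],
  lifetime: "7200s",
  delegates: ["delegate@projectB.iam.gserviceaccount.com"],
};

console.log(validateImpersonation(fromDocs)); // []
console.log(validateImpersonation(misconfigured)); // three problems: scopes, lifetime, delegate
```

Wiring this into a unit test of the stack keeps the impersonation surface explicit in review: the target, the scopes and the lifetime are all visible in one place, and a change that widens scopes or stretches the lifetime to the ceiling shows up as a diff in the test input.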
## Attributes Reference

The following attribute is exported:

* `accessToken` - The `accessToken` representing the new generated identity.