
googleServiceAccountIdToken

This data source provides a Google OpenID Connect (oidc) idToken. Tokens issued from this data source are typically used to call external services that accept OIDC tokens for authentication (e.g. Google Cloud Run).

For more information see OpenID Connect.

Example Usage - ServiceAccount JSON credential file.

googleServiceAccountIdToken will use the configured provider credentials.

import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
// Property names follow the generated bindings' camelCase form
// (targetAudience, not target_audience). This snippet runs inside a
// TerraformStack constructor, which is where `this` comes from.
const dataGoogleServiceAccountIdTokenOidc =
  new google.dataGoogleServiceAccountIdToken.DataGoogleServiceAccountIdToken(
    this,
    "oidc",
    {
      targetAudience: "https://foo.bar/",
    }
  );
new cdktf.TerraformOutput(this, "oidc_token", {
  value: dataGoogleServiceAccountIdTokenOidc.idToken,
  // The ID token is a bearer credential: mark the output sensitive so it is
  // redacted in CLI output rather than printed in plain text.
  sensitive: true,
});

Example Usage - Service Account Impersonation.

googleServiceAccountIdToken will use background impersonated credentials provided by google_service_account_access_token.

Note: to use the following, you must grant targetServiceAccount the roles/iam.serviceAccountTokenCreator role on itself.

import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
// Property names follow the generated bindings' camelCase form. The access
// token data source uses the default (non-aliased) google provider, so it
// sets no `provider` of its own.
const dataGoogleServiceAccountAccessTokenImpersonated =
  new google.dataGoogleServiceAccountAccessToken.DataGoogleServiceAccountAccessToken(
    this,
    "impersonated",
    {
      delegates: [],
      lifetime: "300s",
      scopes: ["userinfo-email", "cloud-platform"],
      targetServiceAccount:
        "impersonated-account@project.iam.gserviceaccount.com",
    }
  );
// Aliased provider that authenticates with the short-lived impersonated
// access token obtained above.
const googleImpersonated = new google.provider.GoogleProvider(this, "google", {
  accessToken: dataGoogleServiceAccountAccessTokenImpersonated.accessToken,
  alias: "impersonated",
});
const dataGoogleServiceAccountIdTokenOidc =
  new google.dataGoogleServiceAccountIdToken.DataGoogleServiceAccountIdToken(
    this,
    "oidc",
    {
      delegates: [],
      includeEmail: true,
      // Pass the provider construct itself, not an interpolated string.
      provider: googleImpersonated,
      targetAudience: "https://foo.bar/",
      targetServiceAccount:
        "impersonated-account@project.iam.gserviceaccount.com",
    }
  );
new cdktf.TerraformOutput(this, "oidc_token", {
  value: dataGoogleServiceAccountIdTokenOidc.idToken,
  // Bearer credential: keep it out of plain-text CLI output.
  sensitive: true,
});

Example Usage - Invoking Cloud Run Endpoint

The following configuration invokes a Cloud Run endpoint whose service has previously granted the roles/run.invoker role to the service account Terraform runs as.

import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
import * as http from "./.gen/providers/http";
// Property names follow the generated bindings' camelCase form
// (targetAudience, requestHeaders).
const dataGoogleServiceAccountIdTokenOidc =
  new google.dataGoogleServiceAccountIdToken.DataGoogleServiceAccountIdToken(
    this,
    "oidc",
    {
      // Must match the URL of the Cloud Run service being called; the
      // service checks the token's aud claim against it.
      targetAudience: "https://your.cloud.run.app/",
    }
  );
const dataHttpCloudrun = new http.dataHttp.DataHttp(this, "cloudrun", {
  // requestHeaders is a string map; cdktf resolves the token reference
  // inside the template literal at synth time.
  requestHeaders: {
    Authorization: `Bearer ${dataGoogleServiceAccountIdTokenOidc.idToken}`,
  },
  url: "https://your.cloud.run.app/",
});
new cdktf.TerraformOutput(this, "cloud_run_response", {
  value: dataHttpCloudrun.body,
});

Argument Reference

The following arguments are supported:

  • targetAudience (Required) - The audience claim for the idToken.
  • targetServiceAccount (Optional) - The email of the service account being impersonated. Used only when using impersonation mode.
  • delegates (Optional) - Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. Used only when using impersonation mode.
  • includeEmail (Optional) - Include the verified email in the claim. Used only when using impersonation mode.
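The Cloud Run example above and the targetAudience / includeEmail arguments describe the producing side. What makes the audience claim useful is that the receiving service checks it. The following is an added example, not code from the provider documentation or the google provider: the claim checks a service that accepts one of these ID tokens applies before trusting it, namely issuer, audience (which must equal the configured targetAudience), expiry, and, when includeEmail was set, the verified email claim. The sample token, its placeholder signature segment, the fixed clock value and the helper names (decodeClaims, checkClaims, makeSampleToken) are constructed for this example. Signature verification against Google's published keys is deliberately out of scope here because it needs network access; a real verifier must check the signature before looking at any claim.

```typescript
// Added example (not from the provider docs): claim checks a receiving
// service runs on a Google OIDC ID token. Signature verification is NOT
// performed here; do it first with Google's public keys in a real verifier.

interface IdTokenClaims {
  iss: string;
  aud: string | string[];
  sub: string;
  exp: number; // seconds since the Unix epoch
  iat: number;
  email?: string;
  email_verified?: boolean;
}

// Both issuer spellings appear in Google-issued ID tokens.
const GOOGLE_ISSUERS = ["https://accounts.google.com", "accounts.google.com"];

function base64UrlToUtf8(segment: string): string {
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) b64 += "=";
  return Buffer.from(b64, "base64").toString("utf8");
}

function utf8ToBase64Url(text: string): string {
  return Buffer.from(text, "utf8")
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

// Split a compact JWS and parse its payload; anything other than three
// dot-separated segments is rejected outright.
function decodeClaims(jwt: string): IdTokenClaims {
  const parts = jwt.split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 JWT segments, got ${parts.length}`);
  }
  return JSON.parse(base64UrlToUtf8(parts[1])) as IdTokenClaims;
}

// Returns an empty list when the claims are acceptable, otherwise one entry
// per failed check, so a caller can log every reason for rejection.
function checkClaims(
  claims: IdTokenClaims,
  expectedAudience: string,
  nowSeconds: number,
  requireVerifiedEmail = false
): string[] {
  const problems: string[] = [];
  if (GOOGLE_ISSUERS.indexOf(claims.iss) === -1) {
    problems.push(`unexpected issuer: ${claims.iss}`);
  }
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (audiences.indexOf(expectedAudience) === -1) {
    problems.push(
      `audience mismatch: token is for ${audiences.join(",")}, not ${expectedAudience}`
    );
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    problems.push("token expired or exp claim missing");
  }
  if (requireVerifiedEmail && !(claims.email && claims.email_verified === true)) {
    problems.push("verified email claim missing (was includeEmail set?)");
  }
  return problems;
}

// Constructed sample token with a placeholder signature segment, used only to
// exercise the claim checks; it would fail real signature verification.
function makeSampleToken(claims: IdTokenClaims): string {
  const header = utf8ToBase64Url(
    JSON.stringify({ alg: "RS256", typ: "JWT", kid: "placeholder" })
  );
  const payload = utf8ToBase64Url(JSON.stringify(claims));
  return `${header}.${payload}.placeholder-signature`;
}

const NOW = 1700000000; // constructed "current time" for the sample run

const sampleToken = makeSampleToken({
  iss: "https://accounts.google.com",
  aud: "https://your.cloud.run.app/",
  sub: "123456789012345678901",
  exp: NOW + 300,
  iat: NOW,
  email: "impersonated-account@project.iam.gserviceaccount.com",
  email_verified: true,
});
const verdict = checkClaims(
  decodeClaims(sampleToken),
  "https://your.cloud.run.app/",
  NOW,
  true
);
console.log(verdict.length === 0 ? "claims accepted" : verdict);
```

The audience check is the one that ties back to this data source: a token minted with targetAudience "https://foo.bar/" is rejected by a service expecting "https://your.cloud.run.app/", which is what stops a token obtained for one service from being replayed against another.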

Attributes Reference

The following attribute is exported:

  • idToken - The idToken representing the newly generated identity.