googleServiceAccountIdToken
This data source provides a Google OpenID Connect (OIDC) idToken. Tokens issued from this data source are typically used to call external services that accept OIDC tokens for authentication (e.g. Google Cloud Run). The token's aud claim is set from targetAudience, and the receiving service is expected to verify the token's signature and reject tokens minted for any other audience. For more information see OpenID Connect.
Example Usage - ServiceAccount JSON credential file.
googleServiceAccountIdToken will use the configured provider credentials.
import * as cdktf from "cdktf";
// Provider bindings are generated by running `cdktf get`.
// See https://cdk.tf/provider-generation for more details.
import * as google from "./.gen/providers/google";
// Mints an ID token with the provider's own credentials (e.g. a service
// account JSON key file). The aud claim is taken from targetAudience and
// must match exactly what the receiving service expects.
const dataGoogleServiceAccountIdTokenOidc =
  new google.dataGoogleServiceAccountIdToken.DataGoogleServiceAccountIdToken(
    this,
    "oidc",
    {
      targetAudience: "https://foo.bar/",
    }
  );
// The token is a bearer credential: mark the output sensitive so it is
// redacted from plan/apply output (it is still written to Terraform state).
new cdktf.TerraformOutput(this, "oidc_token", {
  value: dataGoogleServiceAccountIdTokenOidc.idToken,
  sensitive: true,
});
Example Usage - Service Account Impersonation.
googleServiceAccountIdToken will use background impersonated credentials provided by googleServiceAccountAccessToken.
Note: to use the following, you must grant targetServiceAccount the roles/iam.serviceAccountTokenCreator role on itself, because the ID token is minted for that account using the account's own impersonated credentials.
import * as cdktf from "cdktf";
// Provider bindings are generated by running `cdktf get`.
// See https://cdk.tf/provider-generation for more details.
import * as google from "./.gen/providers/google";
// Step 1: with the default provider's credentials, obtain a short-lived
// access token for the service account to be impersonated.
const dataGoogleServiceAccountAccessTokenImpersonated =
  new google.dataGoogleServiceAccountAccessToken.DataGoogleServiceAccountAccessToken(
    this,
    "impersonated",
    {
      delegates: [],
      lifetime: "300s",
      scopes: ["userinfo-email", "cloud-platform"],
      targetServiceAccount:
        "impersonated-account@project.iam.gserviceaccount.com",
    }
  );
// Step 2: an aliased provider that authenticates with that access token.
const googleImpersonated = new google.provider.GoogleProvider(this, "google", {
  accessToken: dataGoogleServiceAccountAccessTokenImpersonated.accessToken,
  alias: "impersonated",
});
// Step 3: mint the ID token through the aliased provider. targetServiceAccount
// is the same account, which is why it needs roles/iam.serviceAccountTokenCreator
// on itself.
const dataGoogleServiceAccountIdTokenOidc =
  new google.dataGoogleServiceAccountIdToken.DataGoogleServiceAccountIdToken(
    this,
    "oidc",
    {
      delegates: [],
      includeEmail: true,
      provider: googleImpersonated,
      targetAudience: "https://foo.bar/",
      targetServiceAccount:
        "impersonated-account@project.iam.gserviceaccount.com",
    }
  );
// Bearer credential: redact it from plan/apply output.
new cdktf.TerraformOutput(this, "oidc_token", {
  value: dataGoogleServiceAccountIdTokenOidc.idToken,
  sensitive: true,
});
Example Usage - Invoking Cloud Run Endpoint
The following configuration will invoke a Cloud Run endpoint where the service account for Terraform has previously been granted the roles/run.invoker role. Cloud Run checks the token's aud claim against the service URL, so targetAudience must be the URL of the service being called.
import * as cdktf from "cdktf";
// Provider bindings are generated by running `cdktf get`.
// See https://cdk.tf/provider-generation for more details.
import * as google from "./.gen/providers/google";
import * as http from "./.gen/providers/http";
// For Cloud Run the audience must be the service URL; tokens minted for
// any other aud are rejected by the service.
const dataGoogleServiceAccountIdTokenOidc =
  new google.dataGoogleServiceAccountIdToken.DataGoogleServiceAccountIdToken(
    this,
    "oidc",
    {
      targetAudience: "https://your.cloud.run.app/",
    }
  );
// Present the ID token as a bearer token. requestHeaders takes a map of
// header name to value.
const dataHttpCloudrun = new http.dataHttp.DataHttp(this, "cloudrun", {
  requestHeaders: {
    Authorization: `Bearer ${dataGoogleServiceAccountIdTokenOidc.idToken}`,
  },
  url: "https://your.cloud.run.app/",
});
new cdktf.TerraformOutput(this, "cloud_run_response", {
  value: dataHttpCloudrun.body,
});
Argument Reference
The following arguments are supported:
targetAudience - (Required) The audience claim for the idToken. The receiving service must require an exact match against this value.
targetServiceAccount - (Optional) The email of the service account being impersonated. Used only when using impersonation mode.
delegates - (Optional) Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. Used only when using impersonation mode.
includeEmail - (Optional) Include the verified email in the claim. Used only when using impersonation mode.
Attributes Reference
The following attribute is exported:
idToken - The idToken representing the newly generated identity. It is a bearer credential and is stored in Terraform state; treat the state file accordingly and mark any output that exposes it as sensitive.