
googleServiceAccountJwt

This data source provides a self-signed JWT. Tokens issued from this data source are typically used to call external services that accept JWTs for authentication.

Example Usage

Note: in order to use the following, the caller must have at least roles/iam.serviceAccountTokenCreator on the targetServiceAccount.

import { Construct } from "constructs";
import { App, Fn, TerraformOutput, TerraformStack } from "cdktf";
// Provider bindings are generated by running `cdktf get`.
// See https://cdk.tf/provider-generation for more details.
import * as google from "./.gen/providers/google";

class ServiceAccountJwtStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // Ask the target service account to self-sign a JWT carrying the given
    // claims; the caller needs roles/iam.serviceAccountTokenCreator on it.
    const dataGoogleServiceAccountJwtFoo =
      new google.dataGoogleServiceAccountJwt.DataGoogleServiceAccountJwt(
        this,
        "foo",
        {
          expiresIn: 60, // adds exp = now + 60s to the claims
          payload: Fn.jsonencode({ foo: "bar", sub: "subject" }),
          targetServiceAccount:
            "impersonated-account@project.iam.gserviceaccount.com",
        }
      );

    new TerraformOutput(this, "jwt", {
      value: dataGoogleServiceAccountJwtFoo.jwt,
    });
  }
}

const app = new App();
new ServiceAccountJwtStack(app, "service-account-jwt");
app.synth();

Argument Reference

The following arguments are supported:

  • targetServiceAccount (Required) - The email of the service account that will sign the JWT.
  • payload (Required) - The JSON-encoded JWT claims set to include in the self-signed JWT.
  • expiresIn (Optional) - Number of seconds until the JWT expires. If set and non-zero, an exp claim is added to the payload, computed as the current timestamp plus expiresIn seconds.
  • delegates (Optional) - Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.

Attributes Reference

The following attribute is exported:

  • jwt - The signed JWT containing the JWT Claims Set from the payload.
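The following is an added example, not code from this provider or from Google, showing the two halves of the contract described above: how the claims set is assembled from payload and expiresIn (the exp claim is only added when expiresIn is non-zero), and what a service that accepts the resulting jwt must check before trusting it (a pinned algorithm, a signature against the key named by kid, an unexpired exp, and the expected sub). It assumes that the service account signs with RS256 and puts a kid header on the token, which is how Google's signing output is generally structured but is stated here as an assumption; a throwaway RSA key pair generated in-process stands in for the service account's key, and the keys map stands in for the service account's published public keys. All input values are constructed.

```typescript
import { generateKeyPairSync, createSign, createVerify, KeyObject } from "node:crypto";

// JWT segments are base64url without padding.
function b64url(input: Buffer | string): string {
  return Buffer.from(input).toString("base64url");
}
function b64urlDecode(s: string): Buffer {
  return Buffer.from(s, "base64url");
}

export interface Claims {
  [k: string]: unknown;
  sub?: string;
  exp?: number;
}

// Mirrors what the data source does with `payload` and `expiresIn`: parse the
// JSON claims set and, only if expiresIn is set and non-zero, add exp = now + expiresIn.
export function buildClaims(payload: string, expiresIn: number | undefined, nowSec: number): Claims {
  const claims = JSON.parse(payload) as Claims;
  if (expiresIn) claims.exp = nowSec + expiresIn;
  return claims;
}

// Signs the claims the way the service account is assumed to: RS256 with a
// kid header identifying the signing key.
export function signJwt(claims: Claims, privateKey: KeyObject, kid: string): string {
  const header = { alg: "RS256", typ: "JWT", kid };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = createSign("RSA-SHA256").update(signingInput).sign(privateKey);
  return `${signingInput}.${b64url(sig)}`;
}

// What the receiving service should do: pin the algorithm, look the key up by
// kid, verify the signature, enforce exp, and check the expected subject.
export function verifyJwt(token: string, keys: Record<string, KeyObject>, expectedSub: string, nowSec: number): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const header = JSON.parse(b64urlDecode(parts[0]).toString("utf8"));
  // Never let the token pick the algorithm; only RS256 is acceptable here.
  if (header.alg !== "RS256") throw new Error(`unexpected alg ${header.alg}`);
  const key = keys[header.kid];
  if (!key) throw new Error(`unknown kid ${header.kid}`);
  const ok = createVerify("RSA-SHA256")
    .update(`${parts[0]}.${parts[1]}`)
    .verify(key, b64urlDecode(parts[2]));
  if (!ok) throw new Error("bad signature");
  const claims = JSON.parse(b64urlDecode(parts[1]).toString("utf8")) as Claims;
  // Require exp: a token issued without expiresIn never expires on its own.
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) throw new Error("token expired or has no exp");
  if (claims.sub !== expectedSub) throw new Error("unexpected subject");
  return claims;
}

// Constructed demo: the same claims as the usage example above, signed with a
// throwaway key pair, then verified inside and outside its 60-second lifetime.
export function demo() {
  const { privateKey, publicKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const now = 1_700_000_000; // fixed "current" timestamp (constructed)
  const claims = buildClaims(JSON.stringify({ foo: "bar", sub: "subject" }), 60, now);
  const token = signJwt(claims, privateKey, "key-1");
  const keys = { "key-1": publicKey };
  const verified = verifyJwt(token, keys, "subject", now + 30);
  let expiredRejected = false;
  try {
    verifyJwt(token, keys, "subject", now + 61);
  } catch {
    expiredRejected = true;
  }
  return { exp: verified.exp, foo: verified.foo, expiredRejected };
}
```

The consumer-side check is the part that matters operationally: the data source makes it easy to mint a short-lived token, but it is the receiving service's exp and sub enforcement, not the issuer, that bounds what a leaked token can do. The jwt attribute is itself a bearer credential and is written to Terraform state, so treat state with the same care as the token.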