googleServiceAccountJwt
This data source provides a self-signed JWT. Tokens issued from this data source are typically used to call external services that accept JWTs for authentication.
Example Usage
Note: in order to use the following, the caller must have at least roles/iam.serviceAccountTokenCreator on the targetServiceAccount.
import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
const dataGoogleServiceAccountJwtFoo =
  new google.dataGoogleServiceAccountJwt.DataGoogleServiceAccountJwt(
    this,
    "foo",
    {
      // Property names are camelCase in the generated bindings.
      expiresIn: 60,
      // The claims set is passed as a JSON-encoded string.
      payload: JSON.stringify({ foo: "bar", sub: "subject" }),
      targetServiceAccount:
        "impersonated-account@project.iam.gserviceaccount.com",
    }
  );
new cdktf.TerraformOutput(this, "jwt", {
  value: dataGoogleServiceAccountJwtFoo.jwt,
});
Argument Reference
The following arguments are supported:
targetServiceAccount
(Required) - The email of the service account that will sign the JWT.
payload
(Required) - The JSON-encoded JWT claims set to include in the self-signed JWT.
expiresIn
(Optional) - Number of seconds until the JWT expires. If set and non-zero, an exp claim will be added to the payload, derived from the current timestamp plus expiresIn seconds.
delegates
(Optional) - Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.
Attributes Reference
The following attribute is exported:
jwt
- The signed JWT containing the JWT Claims Set from the payload.
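The jwt exported above is a bearer credential, so the external service receiving it has to verify it before trusting any claim. The Python below is an added example, not code from the provider or this page: it models how the data source forms the claims set from payload and expiresIn (exp is only added when expiresIn is non-zero), then validates such a token on the receiving side with a stdlib RS256 check against the signer's public key. The key set is assumed to be already loaded as {kid: (n, e)} from the service account's public JWK endpoint (https://www.googleapis.com/service_accounts/v1/jwk/<email>); all function names are hypothetical.

```python
import base64, hashlib, json, time

# Constructed example; not the provider's code. Receiver-side validation of a
# JWT minted through google_service_account_jwt (RS256, signed by the account).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_claims(payload_json: str, expires_in: int, now: int) -> dict:
    """Model of the data source: exp is added only when expiresIn is non-zero,
    so a payload without exp and expiresIn unset yields a never-expiring token."""
    claims = json.loads(payload_json)
    if expires_in:
        claims["exp"] = now + expires_in
    return claims

def rs256_verify(n: int, e: int, signing_input: bytes, sig: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 with SHA-256 (RFC 8017) using only integer pow()."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def validate_jwt(token: str, keys: dict, expected_sub: str, now=None, skew=60) -> dict:
    """keys maps kid -> (n, e) for the signing service account (assumed preloaded)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "RS256":      # refuse 'none' and HMAC algorithms outright
        raise ValueError("unexpected alg")
    if header.get("kid") not in keys:
        raise ValueError("unknown kid")
    n, e = keys[header["kid"]]
    if not rs256_verify(n, e, f"{parts[0]}.{parts[1]}".encode(), b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if "exp" not in claims:               # token minted without expiresIn: do not accept
        raise ValueError("missing exp")
    if claims["exp"] < now - skew:
        raise ValueError("expired")
    if claims.get("sub") != expected_sub:
        raise ValueError("unexpected sub")
    return claims
```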