gcp.accessapproval.getOrganizationServiceAccount
Explore with Pulumi AI
Get the email address of an organization’s Access Approval service account.
Each Google Cloud organization has a unique service account used by Access Approval.
When using Access Approval with a
custom signing key,
this account needs to be granted the cloudkms.signerVerifier
IAM role on the
Cloud KMS key used to sign approvals.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const serviceAccount = gcp.accessapproval.getOrganizationServiceAccount({
organizationId: "my-organization",
});
const iam = new gcp.kms.CryptoKeyIAMMember("iam", {
cryptoKeyId: cryptoKey.id,
role: "roles/cloudkms.signerVerifier",
member: serviceAccount.then(serviceAccount => `serviceAccount:${serviceAccount.accountEmail}`),
});
import pulumi
import pulumi_gcp as gcp
service_account = gcp.accessapproval.get_organization_service_account(organization_id="my-organization")
iam = gcp.kms.CryptoKeyIAMMember("iam",
crypto_key_id=crypto_key["id"],
role="roles/cloudkms.signerVerifier",
member=f"serviceAccount:{service_account.account_email}")
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/accessapproval"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
serviceAccount, err := accessapproval.GetOrganizationServiceAccount(ctx, &accessapproval.GetOrganizationServiceAccountArgs{
OrganizationId: "my-organization",
}, nil)
if err != nil {
return err
}
_, err = kms.NewCryptoKeyIAMMember(ctx, "iam", &kms.CryptoKeyIAMMemberArgs{
CryptoKeyId: pulumi.Any(cryptoKey.Id),
Role: pulumi.String("roles/cloudkms.signerVerifier"),
Member: pulumi.Sprintf("serviceAccount:%v", serviceAccount.AccountEmail),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var serviceAccount = Gcp.AccessApproval.GetOrganizationServiceAccount.Invoke(new()
{
OrganizationId = "my-organization",
});
var iam = new Gcp.Kms.CryptoKeyIAMMember("iam", new()
{
CryptoKeyId = cryptoKey.Id,
Role = "roles/cloudkms.signerVerifier",
Member = $"serviceAccount:{serviceAccount.Apply(getOrganizationServiceAccountResult => getOrganizationServiceAccountResult.AccountEmail)}",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.accessapproval.AccessapprovalFunctions;
import com.pulumi.gcp.accessapproval.inputs.GetOrganizationServiceAccountArgs;
import com.pulumi.gcp.kms.CryptoKeyIAMMember;
import com.pulumi.gcp.kms.CryptoKeyIAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var serviceAccount = AccessapprovalFunctions.getOrganizationServiceAccount(GetOrganizationServiceAccountArgs.builder()
.organizationId("my-organization")
.build());
var iam = new CryptoKeyIAMMember("iam", CryptoKeyIAMMemberArgs.builder()
.cryptoKeyId(cryptoKey.id())
.role("roles/cloudkms.signerVerifier")
.member(String.format("serviceAccount:%s", serviceAccount.applyValue(getOrganizationServiceAccountResult -> getOrganizationServiceAccountResult.accountEmail())))
.build());
}
}
resources:
iam:
type: gcp:kms:CryptoKeyIAMMember
properties:
cryptoKeyId: ${cryptoKey.id}
role: roles/cloudkms.signerVerifier
member: serviceAccount:${serviceAccount.accountEmail}
variables:
serviceAccount:
fn::invoke:
Function: gcp:accessapproval:getOrganizationServiceAccount
Arguments:
organizationId: my-organization
Using getOrganizationServiceAccount
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getOrganizationServiceAccount(args: GetOrganizationServiceAccountArgs, opts?: InvokeOptions): Promise<GetOrganizationServiceAccountResult>
function getOrganizationServiceAccountOutput(args: GetOrganizationServiceAccountOutputArgs, opts?: InvokeOptions): Output<GetOrganizationServiceAccountResult>
def get_organization_service_account(organization_id: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetOrganizationServiceAccountResult
def get_organization_service_account_output(organization_id: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetOrganizationServiceAccountResult]
func GetOrganizationServiceAccount(ctx *Context, args *GetOrganizationServiceAccountArgs, opts ...InvokeOption) (*GetOrganizationServiceAccountResult, error)
func GetOrganizationServiceAccountOutput(ctx *Context, args *GetOrganizationServiceAccountOutputArgs, opts ...InvokeOption) GetOrganizationServiceAccountResultOutput
> Note: This function is named GetOrganizationServiceAccount
in the Go SDK.
public static class GetOrganizationServiceAccount
{
public static Task<GetOrganizationServiceAccountResult> InvokeAsync(GetOrganizationServiceAccountArgs args, InvokeOptions? opts = null)
public static Output<GetOrganizationServiceAccountResult> Invoke(GetOrganizationServiceAccountInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetOrganizationServiceAccountResult> getOrganizationServiceAccount(GetOrganizationServiceAccountArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
function: gcp:accessapproval/getOrganizationServiceAccount:getOrganizationServiceAccount
arguments:
# arguments dictionary
The following arguments are supported:
- Organization
Id string - The organization ID the service account was created for.
- Organization
Id string - The organization ID the service account was created for.
- organization
Id String - The organization ID the service account was created for.
- organization
Id string - The organization ID the service account was created for.
- organization_
id str - The organization ID the service account was created for.
- organization
Id String - The organization ID the service account was created for.
getOrganizationServiceAccount Result
The following output properties are available:
- Account
Email string - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
- Organization
Id string
- Account
Email string - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
- Organization
Id string
- account
Email String - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
- organization
Id String
- account
Email string - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- id string
- The provider-assigned unique ID for this managed resource.
- name string
- The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
- organization
Id string
- account_
email str - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- id str
- The provider-assigned unique ID for this managed resource.
- name str
- The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
- organization_
id str
- account
Email String - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
- organization
Id String
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-beta
Terraform Provider.