getAccountIdToken

This data source provides a Google OpenID Connect (oidc) id_token. Tokens issued from this data source are typically used to call external services that accept OIDC tokens for authentication (e.g. Google Cloud Run). For more information see OpenID Connect.

Example Usage

ServiceAccount JSON Credential File.

gcp.serviceAccount.getAccountIdToken will use the configured provider credentials

data "google_service_account_id_token" "oidc" {
target_audience = "https://foo.bar/"
}
output "oidc_token" {
value = data.google_service_account_id_token.oidc.id_token
}

Service Account Impersonation.

gcp.serviceAccount.getAccountAccessToken will use background impersonated credentials provided by gcp.serviceAccount.getAccountAccessToken. Note: to use the following, you must grant target_service_account the roles/iam.serviceAccountTokenCreator role on itself.

data "google_service_account_access_token" "impersonated" {
provider = google
target_service_account = "impersonated-account@project.iam.gserviceaccount.com"
delegates = []
scopes = ["userinfo-email", "cloud-platform"]
lifetime = "300s"
}
provider "google" {
alias = "impersonated"
access_token = data.google_service_account_access_token.impersonated.access_token
}
data "google_service_account_id_token" "oidc" {
provider = google.impersonated
target_service_account = "impersonated-account@project.iam.gserviceaccount.com"
delegates = []
include_email = true
target_audience = "https://foo.bar/"
}
output "oidc_token" {
value = data.google_service_account_id_token.oidc.id_token
}

Invoking Cloud Run Endpoint

The following configuration will invoke Cloud Run endpoint where the service account for the provider has been granted roles/run.invoker role previously.

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.serviceAccount.ServiceAccountFunctions;
import com.pulumi.gcp.serviceAccount.inputs.GetAccountIdTokenArgs;
import com.pulumi.http.HttpFunctions;
import com.pulumi.http.inputs.GetHttpArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var oidc = ServiceAccountFunctions.getAccountIdToken(GetAccountIdTokenArgs.builder()
.targetAudience("https://your.cloud.run.app/")
.build());
final var cloudrun = HttpFunctions.getHttp(GetHttpArgs.builder()
.url("https://your.cloud.run.app/")
.requestHeaders(Map.of("Authorization", String.format("Bearer %s", oidc.applyValue(getAccountIdTokenResult -> getAccountIdTokenResult.idToken()))))
.build());
ctx.export("cloudRunResponse", cloudrun.applyValue(getHttpResult -> getHttpResult.body()));
}
}

Return

A collection of values returned by getAccountIdToken.

Parameters

argument

A collection of arguments for invoking getAccountIdToken.


suspend fun getAccountIdToken(delegates: List<String>? = null, includeEmail: Boolean? = null, targetAudience: String, targetServiceAccount: String? = null): GetAccountIdTokenResult

Return

A collection of values returned by getAccountIdToken.

Parameters

delegates

Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. Used only when using impersonation mode.

includeEmail

Include the verified email in the claim. Used only when using impersonation mode.

targetAudience

The audience claim for the id_token.

targetServiceAccount

The email of the service account being impersonated. Used only when using impersonation mode.

See also


Return

A collection of values returned by getAccountIdToken.

Parameters

argument

Builder for com.pulumi.gcp.serviceAccount.kotlin.inputs.GetAccountIdTokenPlainArgs.

See also