getAccountIdToken

This data source mints a Google OpenID Connect (OIDC) id_token for the identity the provider is configured with (or, in impersonation mode, for the impersonated service account), with the `aud` claim set to `targetAudience`. Tokens issued from this data source are typically used as bearer credentials to call external services that accept OIDC tokens for authentication (e.g. Google Cloud Run). Whoever holds the token can act as that service account toward the audience until it expires, so keep it out of logs and plaintext outputs, and make sure the receiving service verifies the audience. For more information see OpenID Connect.

Example Usage

ServiceAccount JSON Credential File.

gcp.serviceaccount.getAccountIdToken will use the configured provider credentials (for example a service account JSON credential file); the token is minted for that identity, with no impersonation involved.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// Audience the token is minted for. The receiving service must check that this
// claim matches itself before accepting the token.
const targetAudience = "https://foo.bar/";

// Mint an OIDC id_token for the identity the provider is configured with.
const oidc = gcp.serviceaccount.getAccountIdToken({ targetAudience });

// The id_token is a bearer credential for `targetAudience`; exporting it records it
// in stack state, so confirm that output is handled as a secret before relying on it.
export const oidcToken = oidc.then(result => result.idToken);
import pulumi
import pulumi_gcp as gcp
# Audience the token is minted for; the receiving service must verify this claim.
target_audience = "https://foo.bar/"

# Mint an OIDC id_token using the credentials the provider is configured with.
oidc = gcp.serviceaccount.get_account_id_token(target_audience=target_audience)

# The id_token is a bearer credential for `target_audience`. Exporting it records it
# in stack state, so make sure that output is handled as a secret.
pulumi.export("oidcToken", oidc.id_token)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    // Mint an OIDC id_token with the provider's configured credentials. The receiving
    // service must verify that the audience claim matches itself.
    var oidc = Gcp.ServiceAccount.GetAccountIdToken.Invoke(new()
    {
        TargetAudience = "https://foo.bar/",
    });

    // The id_token is a bearer credential; exporting it records it in stack state,
    // so make sure that output is handled as a secret.
    var outputs = new Dictionary<string, object?>();
    outputs["oidcToken"] = oidc.Apply(result => result.IdToken);
    return outputs;
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
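func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Mint an OIDC id_token for the identity the provider is configured with.
		// The receiving service must verify that the audience claim matches itself.
		oidc, err := serviceaccount.GetAccountIdToken(ctx, &serviceaccount.GetAccountIdTokenArgs{
			TargetAudience: "https://foo.bar/",
		}, nil)
		if err != nil {
			return err
		}

		// ctx.Export takes a pulumi.Input; the plain string returned by this invoke
		// has to be wrapped, otherwise the program does not compile. The id_token is a
		// bearer credential and exporting it records it in stack state, so treat
		// that output as a secret.
		ctx.Export("oidcToken", pulumi.String(oidc.IdToken))
		return nil
	})
}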
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.serviceaccount.ServiceaccountFunctions;
import com.pulumi.gcp.serviceaccount.inputs.GetAccountIdTokenArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Audience the token is minted for; the receiving service must verify this claim.
        final String targetAudience = "https://foo.bar/";

        // Mint an OIDC id_token with the credentials the provider is configured with.
        final var args = GetAccountIdTokenArgs.builder()
            .targetAudience(targetAudience)
            .build();
        final var oidc = ServiceaccountFunctions.getAccountIdToken(args);

        // The id_token is a bearer credential; exporting it records it in stack state,
        // so make sure that output is handled as a secret.
        ctx.export("oidcToken", oidc.applyValue(result -> result.idToken()));
    }
}
variables:
  # Mint an OIDC id_token with the provider's configured credentials.
  oidc:
    fn::invoke:
      Function: gcp:serviceaccount:getAccountIdToken
      Arguments:
        # Audience the token is minted for; the receiving service must verify this claim.
        targetAudience: https://foo.bar/
outputs:
  # The id_token is a bearer credential; exporting it records it in stack state,
  # so make sure this output is handled as a secret.
  oidcToken: ${oidc.idToken}

Service Account Impersonation.

gcp.serviceaccount.getAccountIdToken will impersonate `target_service_account` (through `targetServiceAccount` and, if set, `delegates`) and mint the id_token as that account. The gcp.serviceaccount.getAccountAccessToken call shown alongside mints a short-lived access token for the same account, but its result is not consumed by the id-token invoke in these examples — the id-token invoke impersonates on its own. Note: to use the following, the identity the provider runs as must hold the roles/iam.serviceAccountTokenCreator role on `target_service_account`; in the original setup, where the provider's own credentials are that same account, that means granting `target_service_account` the role on itself. Keep `delegates` to the chain actually required and `lifetime` short (300s here), since every token minted is a bearer credential for the impersonated account.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const targetAccount = "impersonated-account@project.iam.gserviceaccount.com";

// Short-lived (300s) access token for the impersonated account. Nothing below
// consumes this result; the id-token invoke impersonates on its own.
const impersonated = gcp.serviceaccount.getAccountAccessToken({
    targetServiceAccount: targetAccount,
    delegates: [],
    scopes: ["userinfo-email", "cloud-platform"],
    lifetime: "300s",
});

// OIDC id_token minted as the impersonated account, carrying the verified email
// claim. The receiving service must verify the audience.
const oidc = gcp.serviceaccount.getAccountIdToken({
    targetServiceAccount: targetAccount,
    delegates: [],
    includeEmail: true,
    targetAudience: "https://foo.bar/",
});

// The id_token is a bearer credential; exporting it records it in stack state.
export const oidcToken = oidc.then(result => result.idToken);
import pulumi
import pulumi_gcp as gcp
TARGET_ACCOUNT = "impersonated-account@project.iam.gserviceaccount.com"

# Short-lived (300s) access token for the impersonated account. Nothing below
# consumes this result; the id-token call impersonates on its own.
impersonated = gcp.serviceaccount.get_account_access_token(
    target_service_account=TARGET_ACCOUNT,
    delegates=[],
    scopes=["userinfo-email", "cloud-platform"],
    lifetime="300s",
)

# OIDC id_token minted as the impersonated account, carrying the verified email
# claim. The receiving service must verify the audience.
oidc = gcp.serviceaccount.get_account_id_token(
    target_service_account=TARGET_ACCOUNT,
    delegates=[],
    include_email=True,
    target_audience="https://foo.bar/",
)

# The id_token is a bearer credential; exporting it records it in stack state.
pulumi.export("oidcToken", oidc.id_token)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    const string targetAccount = "impersonated-account@project.iam.gserviceaccount.com";

    // Short-lived (300s) access token for the impersonated account. Nothing below
    // consumes this result; the id-token invoke impersonates on its own.
    var impersonated = Gcp.ServiceAccount.GetAccountAccessToken.Invoke(new()
    {
        TargetServiceAccount = targetAccount,
        Delegates = new() { },
        Scopes = new[] { "userinfo-email", "cloud-platform" },
        Lifetime = "300s",
    });

    // OIDC id_token minted as the impersonated account, carrying the verified email
    // claim. The receiving service must verify the audience.
    var oidc = Gcp.ServiceAccount.GetAccountIdToken.Invoke(new()
    {
        TargetServiceAccount = targetAccount,
        Delegates = new() { },
        IncludeEmail = true,
        TargetAudience = "https://foo.bar/",
    });

    // The id_token is a bearer credential; exporting it records it in stack state.
    return new Dictionary<string, object?>
    {
        ["oidcToken"] = oidc.Apply(result => result.IdToken),
    };
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
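func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		const targetAccount = "impersonated-account@project.iam.gserviceaccount.com"

		// Short-lived (300s) access token for the impersonated account. Delegates is a
		// []string on the SDK args type, so the empty-interface slice the original used
		// does not type-check. Nothing below consumes this result; the id-token invoke
		// impersonates on its own.
		_, err := serviceaccount.GetAccountAccessToken(ctx, &serviceaccount.GetAccountAccessTokenArgs{
			TargetServiceAccount: targetAccount,
			Delegates:            []string{},
			Scopes:               []string{"userinfo-email", "cloud-platform"},
			Lifetime:             pulumi.StringRef("300s"),
		}, nil)
		if err != nil {
			return err
		}

		// OIDC id_token minted as the impersonated account, carrying the verified email
		// claim. The receiving service must verify the audience.
		oidc, err := serviceaccount.GetAccountIdToken(ctx, &serviceaccount.GetAccountIdTokenArgs{
			TargetServiceAccount: pulumi.StringRef(targetAccount),
			Delegates:            []string{},
			IncludeEmail:         pulumi.BoolRef(true),
			TargetAudience:       "https://foo.bar/",
		}, nil)
		if err != nil {
			return err
		}

		// ctx.Export takes a pulumi.Input; the plain string must be wrapped. The id_token
		// is a bearer credential and exporting it records it in stack state.
		ctx.Export("oidcToken", pulumi.String(oidc.IdToken))
		return nil
	})
}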
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.serviceaccount.ServiceaccountFunctions;
import com.pulumi.gcp.serviceaccount.inputs.GetAccountAccessTokenArgs;
import com.pulumi.gcp.serviceaccount.inputs.GetAccountIdTokenArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final String targetAccount = "impersonated-account@project.iam.gserviceaccount.com";

        // Short-lived (300s) access token for the impersonated account. Nothing below
        // consumes this result; the id-token invoke impersonates on its own.
        final var impersonated = ServiceaccountFunctions.getAccountAccessToken(GetAccountAccessTokenArgs.builder()
            .targetServiceAccount(targetAccount)
            .delegates()
            .scopes("userinfo-email", "cloud-platform")
            .lifetime("300s")
            .build());

        // OIDC id_token minted as the impersonated account, carrying the verified email
        // claim. The receiving service must verify the audience.
        final var oidc = ServiceaccountFunctions.getAccountIdToken(GetAccountIdTokenArgs.builder()
            .targetServiceAccount(targetAccount)
            .delegates()
            .includeEmail(true)
            .targetAudience("https://foo.bar/")
            .build());

        // The id_token is a bearer credential; exporting it records it in stack state.
        ctx.export("oidcToken", oidc.applyValue(result -> result.idToken()));
    }
}
variables:
  # Short-lived (300s) access token for the impersonated account. Nothing below
  # consumes it; the id-token invoke impersonates on its own.
  impersonated:
    fn::invoke:
      Function: gcp:serviceaccount:getAccountAccessToken
      Arguments:
        targetServiceAccount: impersonated-account@project.iam.gserviceaccount.com
        delegates: []
        scopes:
          - userinfo-email
          - cloud-platform
        lifetime: 300s
  # OIDC id_token minted as the impersonated account, carrying the verified email claim.
  oidc:
    fn::invoke:
      Function: gcp:serviceaccount:getAccountIdToken
      Arguments:
        targetServiceAccount: impersonated-account@project.iam.gserviceaccount.com
        delegates: []
        includeEmail: true
        # The receiving service must verify this audience claim.
        targetAudience: https://foo.bar/
outputs:
  # The id_token is a bearer credential; exporting it records it in stack state.
  oidcToken: ${oidc.idToken}

Invoking Cloud Run Endpoint

The following configuration invokes a Cloud Run endpoint; it assumes the service account the provider runs as has already been granted the roles/run.invoker role on that service. `targetAudience` must be the URL of the Cloud Run service being called — Cloud Run rejects tokens minted for a different audience. Note that the HTTP request is made while Pulumi runs the program (including preview), and the response body is recorded in stack outputs, so do not point this at an endpoint that returns sensitive data.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as http from "@pulumi/http";
// Cloud Run service URL. It doubles as the token audience: the token must be minted
// for exactly the service that will receive it, or Cloud Run rejects it.
const serviceUrl = "https://your.cloud.run.app/";

const oidc = gcp.serviceaccount.getAccountIdToken({ targetAudience: serviceUrl });

// Call the service with the id_token as a bearer credential. The request is made
// while Pulumi runs, and the response body is recorded in stack state.
const cloudrun = oidc.then(token =>
    http.getHttp({
        url: serviceUrl,
        requestHeaders: { Authorization: `Bearer ${token.idToken}` },
    }));

export const cloudRunResponse = cloudrun.then(response => response.body);
import pulumi
import pulumi_gcp as gcp
import pulumi_http as http
# Cloud Run service URL. It doubles as the token audience: the token must be minted
# for exactly the service that will receive it, or Cloud Run rejects it.
SERVICE_URL = "https://your.cloud.run.app/"

oidc = gcp.serviceaccount.get_account_id_token(target_audience=SERVICE_URL)

# Call the service with the id_token as a bearer credential. The request is made
# while Pulumi runs, and the response body is recorded in stack state.
headers = {"Authorization": "Bearer " + oidc.id_token}
cloudrun = http.get_http(url=SERVICE_URL, request_headers=headers)

pulumi.export("cloudRunResponse", cloudrun.body)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Http = Pulumi.Http;
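return await Deployment.RunAsync(() =>
{
    // Cloud Run service URL. It doubles as the token audience: the token must be minted
    // for exactly the service that will receive it, or Cloud Run rejects it.
    const string serviceUrl = "https://your.cloud.run.app/";

    var oidc = Gcp.ServiceAccount.GetAccountIdToken.Invoke(new()
    {
        TargetAudience = serviceUrl,
    });

    // Invoke() yields Output<GetAccountIdTokenResult>. Plain string interpolation would
    // stringify the Output object itself ("Bearer Pulumi.Output`1[...]") rather than the
    // token; Output.Format resolves the value before building the header.
    var bearer = Output.Format($"Bearer {oidc.Apply(result => result.IdToken)}");

    // Call the service with the id_token as a bearer credential. The request is made
    // while Pulumi runs, and the response body is recorded in stack state.
    var cloudrun = Http.GetHttp.Invoke(new()
    {
        Url = serviceUrl,
        RequestHeaders =
        {
            { "Authorization", bearer },
        },
    });

    return new Dictionary<string, object?>
    {
        ["cloudRunResponse"] = cloudrun.Apply(getHttpResult => getHttpResult.Body),
    };
});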
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi-http/sdk/go/http"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
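func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Cloud Run service URL. It doubles as the token audience: the token must be
		// minted for exactly the service that will receive it, or Cloud Run rejects it.
		const serviceURL = "https://your.cloud.run.app/"

		oidc, err := serviceaccount.GetAccountIdToken(ctx, &serviceaccount.GetAccountIdTokenArgs{
			TargetAudience: serviceURL,
		}, nil)
		if err != nil {
			return err
		}

		// Call the service with the id_token as a bearer credential. This is the plain
		// invoke, so IdToken is an ordinary string here and can be formatted directly.
		cloudrun, err := http.GetHttp(ctx, &http.GetHttpArgs{
			Url: serviceURL,
			RequestHeaders: map[string]interface{}{
				"Authorization": fmt.Sprintf("Bearer %v", oidc.IdToken),
			},
		}, nil)
		if err != nil {
			return err
		}

		// ctx.Export takes a pulumi.Input; the plain string must be wrapped or the
		// program does not compile. The response body lands in stack outputs.
		ctx.Export("cloudRunResponse", pulumi.String(cloudrun.Body))
		return nil
	})
}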
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.serviceaccount.ServiceaccountFunctions;
import com.pulumi.gcp.serviceaccount.inputs.GetAccountIdTokenArgs;
import com.pulumi.http.HttpFunctions;
import com.pulumi.http.inputs.GetHttpArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
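public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Cloud Run service URL. It doubles as the token audience: the token must be
        // minted for exactly the service that will receive it, or Cloud Run rejects it.
        final String serviceUrl = "https://your.cloud.run.app/";

        final var oidc = ServiceaccountFunctions.getAccountIdToken(GetAccountIdTokenArgs.builder()
            .targetAudience(serviceUrl)
            .build());

        // getAccountIdToken returns Output<GetAccountIdTokenResult>. Passing the Output
        // through String.format would send "Bearer com.pulumi.core.Output@..." instead
        // of the token, so the header is built inside applyValue on the resolved value.
        final Output<Map<String, String>> authHeaders = oidc.applyValue(result ->
            Map.of("Authorization", "Bearer " + result.idToken()));

        // Call the service with the id_token as a bearer credential. The request is made
        // while Pulumi runs, and the response body is recorded in stack state.
        final var cloudrun = HttpFunctions.getHttp(GetHttpArgs.builder()
            .url(serviceUrl)
            .requestHeaders(authHeaders)
            .build());

        ctx.export("cloudRunResponse", cloudrun.applyValue(getHttpResult -> getHttpResult.body()));
    }
}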
variables:
  oidc:
    fn::invoke:
      Function: gcp:serviceaccount:getAccountIdToken
      Arguments:
        # Must be the URL of the Cloud Run service being called; Cloud Run rejects
        # tokens minted for a different audience.
        targetAudience: https://your.cloud.run.app/
  # Calls the service with the id_token as a bearer credential. The request is made
  # while Pulumi runs, and the response body is recorded in stack state.
  cloudrun:
    fn::invoke:
      Function: http:getHttp
      Arguments:
        url: https://your.cloud.run.app/
        requestHeaders:
          Authorization: Bearer ${oidc.idToken}
outputs:
  cloudRunResponse: ${cloudrun.body}

Return

A collection of values returned by getAccountIdToken.

Parameters

argument

A collection of arguments for invoking getAccountIdToken.


suspend fun getAccountIdToken(delegates: List<String>? = null, includeEmail: Boolean? = null, targetAudience: String, targetServiceAccount: String? = null): GetAccountIdTokenResult

Return

A collection of values returned by getAccountIdToken.

Parameters

delegates

Delegate chain of approvals needed to perform full impersonation; each account in the chain must be allowed to mint tokens for the next one (roles/iam.serviceAccountTokenCreator). Specify the fully qualified service account name (the `projects/-/serviceAccounts/<email>` form). Used only when using impersonation mode; leave it empty unless a delegation chain is actually required.

includeEmail

Include the verified email claim in the token, so the receiving service can authorize on the service account's email rather than only on the numeric subject. Used only when using impersonation mode.

targetAudience

The audience (`aud`) claim for the id_token. Set it to the identifier of the service that will receive the token (for Cloud Run, the service URL). The receiving service must reject tokens whose `aud` does not match it; otherwise a token minted for one service could be replayed against another.

targetServiceAccount

The email of the service account being impersonated; the id_token is minted as this identity, so the caller must hold roles/iam.serviceAccountTokenCreator on it. Used only when using impersonation mode.

See also


Return

A collection of values returned by getAccountIdToken.

Parameters

argument

Builder for com.pulumi.gcp.serviceaccount.kotlin.inputs.GetAccountIdTokenPlainArgs.

See also