Secret
data class SecretImpersonatedAccountArgs(val backend: Output<String>? = null, val impersonatedAccount: Output<String>? = null, val namespace: Output<String>? = null, val serviceAccountEmail: Output<String>? = null, val tokenScopes: Output<List<String>>? = null, val ttl: Output<String>? = null) : ConvertibleToJava<SecretImpersonatedAccountArgs>
Creates a Impersonated Account in the GCP Secrets Engine for Vault. Each impersonated account is tied to a separately managed Service Account.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as google from "@pulumi/google";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const _this = new google.index.ServiceAccount("this", {accountId: "my-awesome-account"});
const gcp = new vault.gcp.SecretBackend("gcp", {
path: "gcp",
credentials: std.file({
input: "credentials.json",
}).then(invoke => invoke.result),
});
const impersonatedAccount = new vault.gcp.SecretImpersonatedAccount("impersonated_account", {
backend: gcp.path,
impersonatedAccount: "this",
serviceAccountEmail: _this.email,
tokenScopes: ["https://www.googleapis.com/auth/cloud-platform"],
});Content copied to clipboard
import pulumi
import pulumi_google as google
import pulumi_std as std
import pulumi_vault as vault
this = google.index.ServiceAccount("this", account_id=my-awesome-account)
gcp = vault.gcp.SecretBackend("gcp",
path="gcp",
credentials=std.file(input="credentials.json").result)
impersonated_account = vault.gcp.SecretImpersonatedAccount("impersonated_account",
backend=gcp.path,
impersonated_account="this",
service_account_email=this["email"],
token_scopes=["https://www.googleapis.com/auth/cloud-platform"])Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Google = Pulumi.Google;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var @this = new Google.Index.ServiceAccount("this", new()
{
AccountId = "my-awesome-account",
});
var gcp = new Vault.Gcp.SecretBackend("gcp", new()
{
Path = "gcp",
Credentials = Std.File.Invoke(new()
{
Input = "credentials.json",
}).Apply(invoke => invoke.Result),
});
var impersonatedAccount = new Vault.Gcp.SecretImpersonatedAccount("impersonated_account", new()
{
Backend = gcp.Path,
ImpersonatedAccount = "this",
ServiceAccountEmail = @this.Email,
TokenScopes = new[]
{
"https://www.googleapis.com/auth/cloud-platform",
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-google/sdk/go/google"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
this, err := google.NewServiceAccount(ctx, "this", &google.ServiceAccountArgs{
AccountId: "my-awesome-account",
})
if err != nil {
return err
}
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "credentials.json",
}, nil)
if err != nil {
return err
}
gcp, err := gcp.NewSecretBackend(ctx, "gcp", &gcp.SecretBackendArgs{
Path: pulumi.String("gcp"),
Credentials: pulumi.String(invokeFile.Result),
})
if err != nil {
return err
}
_, err = gcp.NewSecretImpersonatedAccount(ctx, "impersonated_account", &gcp.SecretImpersonatedAccountArgs{
Backend: gcp.Path,
ImpersonatedAccount: pulumi.String("this"),
ServiceAccountEmail: this.Email,
TokenScopes: pulumi.StringArray{
pulumi.String("https://www.googleapis.com/auth/cloud-platform"),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.google.serviceAccount;
import com.pulumi.google.ServiceAccountArgs;
import com.pulumi.vault.gcp.SecretBackend;
import com.pulumi.vault.gcp.SecretBackendArgs;
import com.pulumi.vault.gcp.SecretImpersonatedAccount;
import com.pulumi.vault.gcp.SecretImpersonatedAccountArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var this_ = new ServiceAccount("this", ServiceAccountArgs.builder()
.accountId("my-awesome-account")
.build());
var gcp = new SecretBackend("gcp", SecretBackendArgs.builder()
.path("gcp")
.credentials(StdFunctions.file(FileArgs.builder()
.input("credentials.json")
.build()).result())
.build());
var impersonatedAccount = new SecretImpersonatedAccount("impersonatedAccount", SecretImpersonatedAccountArgs.builder()
.backend(gcp.path())
.impersonatedAccount("this")
.serviceAccountEmail(this_.email())
.tokenScopes("https://www.googleapis.com/auth/cloud-platform")
.build());
}
}Content copied to clipboard
resources:
this:
type: google:serviceAccount
properties:
accountId: my-awesome-account
gcp:
type: vault:gcp:SecretBackend
properties:
path: gcp
credentials:
fn::invoke:
function: std:file
arguments:
input: credentials.json
return: result
impersonatedAccount:
type: vault:gcp:SecretImpersonatedAccount
name: impersonated_account
properties:
backend: ${gcp.path}
impersonatedAccount: this
serviceAccountEmail: ${this.email}
tokenScopes:
- https://www.googleapis.com/auth/cloud-platformContent copied to clipboard
Import
A impersonated account can be imported using its Vault Path. For example, referencing the example above,
$ pulumi import vault:gcp/secretImpersonatedAccount:SecretImpersonatedAccount impersonated_account gcp/impersonated-account/project_viewerContent copied to clipboard