Secret
Creates a Static Account in the GCP Secrets Engine for Vault. Each static account is tied to a separately managed Service Account, and can have one or more bindings associated with it.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as google from "@pulumi/google";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const _this = new google.index.ServiceAccount("this", {accountId: "my-awesome-account"});
const gcp = new vault.gcp.SecretBackend("gcp", {
path: "gcp",
credentials: std.file({
input: "credentials.json",
}).then(invoke => invoke.result),
});
const staticAccount = new vault.gcp.SecretStaticAccount("static_account", {
backend: gcp.path,
staticAccount: "project_viewer",
secretType: "access_token",
tokenScopes: ["https://www.googleapis.com/auth/cloud-platform"],
serviceAccountEmail: _this.email,
bindings: [{
resource: `//cloudresourcemanager.googleapis.com/projects/${_this.project}`,
roles: ["roles/viewer"],
}],
});Content copied to clipboard
import pulumi
import pulumi_google as google
import pulumi_std as std
import pulumi_vault as vault
this = google.index.ServiceAccount("this", account_id=my-awesome-account)
gcp = vault.gcp.SecretBackend("gcp",
path="gcp",
credentials=std.file(input="credentials.json").result)
static_account = vault.gcp.SecretStaticAccount("static_account",
backend=gcp.path,
static_account="project_viewer",
secret_type="access_token",
token_scopes=["https://www.googleapis.com/auth/cloud-platform"],
service_account_email=this["email"],
bindings=[{
"resource": f"//cloudresourcemanager.googleapis.com/projects/{this['project']}",
"roles": ["roles/viewer"],
}])Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Google = Pulumi.Google;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var @this = new Google.Index.ServiceAccount("this", new()
{
AccountId = "my-awesome-account",
});
var gcp = new Vault.Gcp.SecretBackend("gcp", new()
{
Path = "gcp",
Credentials = Std.File.Invoke(new()
{
Input = "credentials.json",
}).Apply(invoke => invoke.Result),
});
var staticAccount = new Vault.Gcp.SecretStaticAccount("static_account", new()
{
Backend = gcp.Path,
StaticAccount = "project_viewer",
SecretType = "access_token",
TokenScopes = new[]
{
"https://www.googleapis.com/auth/cloud-platform",
},
ServiceAccountEmail = @this.Email,
Bindings = new[]
{
new Vault.Gcp.Inputs.SecretStaticAccountBindingArgs
{
Resource = $"//cloudresourcemanager.googleapis.com/projects/{@this.Project}",
Roles = new[]
{
"roles/viewer",
},
},
},
});
});Content copied to clipboard
package main
import (
"fmt"
"github.com/pulumi/pulumi-google/sdk/go/google"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
this, err := google.NewServiceAccount(ctx, "this", &google.ServiceAccountArgs{
AccountId: "my-awesome-account",
})
if err != nil {
return err
}
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "credentials.json",
}, nil)
if err != nil {
return err
}
gcp, err := gcp.NewSecretBackend(ctx, "gcp", &gcp.SecretBackendArgs{
Path: pulumi.String("gcp"),
Credentials: pulumi.String(invokeFile.Result),
})
if err != nil {
return err
}
_, err = gcp.NewSecretStaticAccount(ctx, "static_account", &gcp.SecretStaticAccountArgs{
Backend: gcp.Path,
StaticAccount: pulumi.String("project_viewer"),
SecretType: pulumi.String("access_token"),
TokenScopes: pulumi.StringArray{
pulumi.String("https://www.googleapis.com/auth/cloud-platform"),
},
ServiceAccountEmail: this.Email,
Bindings: gcp.SecretStaticAccountBindingArray{
&gcp.SecretStaticAccountBindingArgs{
Resource: pulumi.Sprintf("//cloudresourcemanager.googleapis.com/projects/%v", this.Project),
Roles: pulumi.StringArray{
pulumi.String("roles/viewer"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.google.serviceAccount;
import com.pulumi.google.ServiceAccountArgs;
import com.pulumi.vault.gcp.SecretBackend;
import com.pulumi.vault.gcp.SecretBackendArgs;
import com.pulumi.vault.gcp.SecretStaticAccount;
import com.pulumi.vault.gcp.SecretStaticAccountArgs;
import com.pulumi.vault.gcp.inputs.SecretStaticAccountBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var this_ = new ServiceAccount("this", ServiceAccountArgs.builder()
.accountId("my-awesome-account")
.build());
var gcp = new SecretBackend("gcp", SecretBackendArgs.builder()
.path("gcp")
.credentials(StdFunctions.file(FileArgs.builder()
.input("credentials.json")
.build()).result())
.build());
var staticAccount = new SecretStaticAccount("staticAccount", SecretStaticAccountArgs.builder()
.backend(gcp.path())
.staticAccount("project_viewer")
.secretType("access_token")
.tokenScopes("https://www.googleapis.com/auth/cloud-platform")
.serviceAccountEmail(this_.email())
.bindings(SecretStaticAccountBindingArgs.builder()
.resource(String.format("//cloudresourcemanager.googleapis.com/projects/%s", this_.project()))
.roles("roles/viewer")
.build())
.build());
}
}Content copied to clipboard
resources:
this:
type: google:serviceAccount
properties:
accountId: my-awesome-account
gcp:
type: vault:gcp:SecretBackend
properties:
path: gcp
credentials:
fn::invoke:
function: std:file
arguments:
input: credentials.json
return: result
staticAccount:
type: vault:gcp:SecretStaticAccount
name: static_account
properties:
backend: ${gcp.path}
staticAccount: project_viewer
secretType: access_token
tokenScopes:
- https://www.googleapis.com/auth/cloud-platform
serviceAccountEmail: ${this.email}
bindings:
- resource: //cloudresourcemanager.googleapis.com/projects/${this.project}
roles:
- roles/viewerContent copied to clipboard
Import
A static account can be imported using its Vault Path. For example, referencing the example above,
$ pulumi import vault:gcp/secretStaticAccount:SecretStaticAccount static_account gcp/static-account/project_viewerContent copied to clipboard
Properties
Link copied to clipboard
Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token.
Link copied to clipboard
Email of the GCP service account to manage.
Link copied to clipboard
Project the service account belongs to.
Link copied to clipboard
Name of the Static Account to create
Link copied to clipboard
List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only).