pulumi-vault-kotlin/com.pulumi.vault.gcp.kotlin/SecretImpersonatedAccountArgs

SecretImpersonatedAccountArgs

data class SecretImpersonatedAccountArgs(val backend: Output<String>? = null, val impersonatedAccount: Output<String>? = null, val namespace: Output<String>? = null, val serviceAccountEmail: Output<String>? = null, val tokenScopes: Output<List<String>>? = null, val ttl: Output<String>? = null) : ConvertibleToJava<SecretImpersonatedAccountArgs>

Creates a Impersonated Account in the GCP Secrets Engine for Vault. Each impersonated account is tied to a separately managed Service Account.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as google from "@pulumi/google";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const _this = new google.index.ServiceAccount("this", {accountId: "my-awesome-account"});
const gcp = new vault.gcp.SecretBackend("gcp", {
    path: "gcp",
    credentials: std.file({
        input: "credentials.json",
    }).then(invoke => invoke.result),
});
const impersonatedAccount = new vault.gcp.SecretImpersonatedAccount("impersonated_account", {
    backend: gcp.path,
    impersonatedAccount: "this",
    serviceAccountEmail: _this.email,
    tokenScopes: ["https://www&#46;googleapis&#46;com/auth/cloud-platform"],
});
Content copied to clipboard
import pulumi
import pulumi_google as google
import pulumi_std as std
import pulumi_vault as vault
this = google.index.ServiceAccount("this", account_id=my-awesome-account)
gcp = vault.gcp.SecretBackend("gcp",
    path="gcp",
    credentials=std.file(input="credentials.json").result)
impersonated_account = vault.gcp.SecretImpersonatedAccount("impersonated_account",
    backend=gcp.path,
    impersonated_account="this",
    service_account_email=this["email"],
    token_scopes=["https://www&#46;googleapis&#46;com/auth/cloud-platform"])
Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Google = Pulumi.Google;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    var @this = new Google.Index.ServiceAccount("this", new()
    {
        AccountId = "my-awesome-account",
    });
    var gcp = new Vault.Gcp.SecretBackend("gcp", new()
    {
        Path = "gcp",
        Credentials = Std.File.Invoke(new()
        {
            Input = "credentials.json",
        }).Apply(invoke => invoke.Result),
    });
    var impersonatedAccount = new Vault.Gcp.SecretImpersonatedAccount("impersonated_account", new()
    {
        Backend = gcp.Path,
        ImpersonatedAccount = "this",
        ServiceAccountEmail = @this.Email,
        TokenScopes = new[]
        {
            "https://www.googleapis.com/auth/cloud-platform",
        },
    });
});
Content copied to clipboard
package main
import (
	"github.com/pulumi/pulumi-google/sdk/go/google"
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		this, err := google.NewServiceAccount(ctx, "this", &google.ServiceAccountArgs{
			AccountId: "my-awesome-account",
		})
		if err != nil {
			return err
		}
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "credentials.json",
		}, nil)
		if err != nil {
			return err
		}
		gcp, err := gcp.NewSecretBackend(ctx, "gcp", &gcp.SecretBackendArgs{
			Path:        pulumi.String("gcp"),
			Credentials: pulumi.String(invokeFile.Result),
		})
		if err != nil {
			return err
		}
		_, err = gcp.NewSecretImpersonatedAccount(ctx, "impersonated_account", &gcp.SecretImpersonatedAccountArgs{
			Backend:             gcp.Path,
			ImpersonatedAccount: pulumi.String("this"),
			ServiceAccountEmail: this.Email,
			TokenScopes: pulumi.StringArray{
				pulumi.String("https://www.googleapis.com/auth/cloud-platform"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.google.serviceAccount;
import com.pulumi.google.serviceAccountArgs;
import com.pulumi.vault.gcp.SecretBackend;
import com.pulumi.vault.gcp.SecretBackendArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import com.pulumi.vault.gcp.SecretImpersonatedAccount;
import com.pulumi.vault.gcp.SecretImpersonatedAccountArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var this_ = new ServiceAccount("this", ServiceAccountArgs.builder()
            .accountId("my-awesome-account")
            .build());
        var gcp = new SecretBackend("gcp", SecretBackendArgs.builder()
            .path("gcp")
            .credentials(StdFunctions.file(FileArgs.builder()
                .input("credentials.json")
                .build()).result())
            .build());
        var impersonatedAccount = new SecretImpersonatedAccount("impersonatedAccount", SecretImpersonatedAccountArgs.builder()
            .backend(gcp.path())
            .impersonatedAccount("this")
            .serviceAccountEmail(this_.email())
            .tokenScopes("https://www.googleapis.com/auth/cloud-platform")
            .build());
    }
}
Content copied to clipboard
resources:
  this:
    type: google:serviceAccount
    properties:
      accountId: my-awesome-account
  gcp:
    type: vault:gcp:SecretBackend
    properties:
      path: gcp
      credentials:
        fn::invoke:
          function: std:file
          arguments:
            input: credentials.json
          return: result
  impersonatedAccount:
    type: vault:gcp:SecretImpersonatedAccount
    name: impersonated_account
    properties:
      backend: ${gcp.path}
      impersonatedAccount: this
      serviceAccountEmail: ${this.email}
      tokenScopes:
        - https://www.googleapis.com/auth/cloud-platform
Content copied to clipboard

Import

A impersonated account can be imported using its Vault Path. For example, referencing the example above,

$ pulumi import vault:gcp/secretImpersonatedAccount:SecretImpersonatedAccount impersonated_account gcp/impersonated-account/project_viewer
Content copied to clipboard

Constructors

Link copied to clipboard
constructor(backend: Output<String>? = null, impersonatedAccount: Output<String>? = null, namespace: Output<String>? = null, serviceAccountEmail: Output<String>? = null, tokenScopes: Output<List<String>>? = null, ttl: Output<String>? = null)

Properties

Link copied to clipboard
val backend: Output<String>? = null

Path where the GCP Secrets Engine is mounted

Link copied to clipboard
val impersonatedAccount: Output<String>? = null

Name of the Impersonated Account to create

Link copied to clipboard
val namespace: Output<String>? = null

Target namespace. (requires Enterprise)

Link copied to clipboard
val serviceAccountEmail: Output<String>? = null

Email of the GCP service account to impersonate.

Link copied to clipboard
val tokenScopes: Output<List<String>>? = null

List of OAuth scopes to assign to access tokens generated under this impersonated account.

Link copied to clipboard
val ttl: Output<String>? = null

Specifies the default TTL for service principals generated using this role. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.

Functions

Link copied to clipboard
open override fun toJava(): SecretImpersonatedAccountArgs