Secret
Creates a Impersonated Account in the GCP Secrets Engine for Vault. Each impersonated account is tied to a separately managed Service Account.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as google from "@pulumi/google";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const _this = new google.index.ServiceAccount("this", {accountId: "my-awesome-account"});
const gcp = new vault.gcp.SecretBackend("gcp", {
path: "gcp",
credentials: std.file({
input: "credentials.json",
}).then(invoke => invoke.result),
});
const impersonatedAccount = new vault.gcp.SecretImpersonatedAccount("impersonated_account", {
backend: gcp.path,
impersonatedAccount: "this",
serviceAccountEmail: _this.email,
tokenScopes: ["https://www.googleapis.com/auth/cloud-platform"],
});Content copied to clipboard
import pulumi
import pulumi_google as google
import pulumi_std as std
import pulumi_vault as vault
this = google.index.ServiceAccount("this", account_id=my-awesome-account)
gcp = vault.gcp.SecretBackend("gcp",
path="gcp",
credentials=std.file(input="credentials.json").result)
impersonated_account = vault.gcp.SecretImpersonatedAccount("impersonated_account",
backend=gcp.path,
impersonated_account="this",
service_account_email=this["email"],
token_scopes=["https://www.googleapis.com/auth/cloud-platform"])Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Google = Pulumi.Google;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var @this = new Google.Index.ServiceAccount("this", new()
{
AccountId = "my-awesome-account",
});
var gcp = new Vault.Gcp.SecretBackend("gcp", new()
{
Path = "gcp",
Credentials = Std.File.Invoke(new()
{
Input = "credentials.json",
}).Apply(invoke => invoke.Result),
});
var impersonatedAccount = new Vault.Gcp.SecretImpersonatedAccount("impersonated_account", new()
{
Backend = gcp.Path,
ImpersonatedAccount = "this",
ServiceAccountEmail = @this.Email,
TokenScopes = new[]
{
"https://www.googleapis.com/auth/cloud-platform",
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-google/sdk/go/google"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
this, err := google.NewServiceAccount(ctx, "this", &google.ServiceAccountArgs{
AccountId: "my-awesome-account",
})
if err != nil {
return err
}
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "credentials.json",
}, nil)
if err != nil {
return err
}
gcp, err := gcp.NewSecretBackend(ctx, "gcp", &gcp.SecretBackendArgs{
Path: pulumi.String("gcp"),
Credentials: pulumi.String(invokeFile.Result),
})
if err != nil {
return err
}
_, err = gcp.NewSecretImpersonatedAccount(ctx, "impersonated_account", &gcp.SecretImpersonatedAccountArgs{
Backend: gcp.Path,
ImpersonatedAccount: pulumi.String("this"),
ServiceAccountEmail: this.Email,
TokenScopes: pulumi.StringArray{
pulumi.String("https://www.googleapis.com/auth/cloud-platform"),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.google.serviceAccount;
import com.pulumi.google.serviceAccountArgs;
import com.pulumi.vault.gcp.SecretBackend;
import com.pulumi.vault.gcp.SecretBackendArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import com.pulumi.vault.gcp.SecretImpersonatedAccount;
import com.pulumi.vault.gcp.SecretImpersonatedAccountArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var this_ = new ServiceAccount("this", ServiceAccountArgs.builder()
.accountId("my-awesome-account")
.build());
var gcp = new SecretBackend("gcp", SecretBackendArgs.builder()
.path("gcp")
.credentials(StdFunctions.file(FileArgs.builder()
.input("credentials.json")
.build()).result())
.build());
var impersonatedAccount = new SecretImpersonatedAccount("impersonatedAccount", SecretImpersonatedAccountArgs.builder()
.backend(gcp.path())
.impersonatedAccount("this")
.serviceAccountEmail(this_.email())
.tokenScopes("https://www.googleapis.com/auth/cloud-platform")
.build());
}
}Content copied to clipboard
resources:
this:
type: google:serviceAccount
properties:
accountId: my-awesome-account
gcp:
type: vault:gcp:SecretBackend
properties:
path: gcp
credentials:
fn::invoke:
function: std:file
arguments:
input: credentials.json
return: result
impersonatedAccount:
type: vault:gcp:SecretImpersonatedAccount
name: impersonated_account
properties:
backend: ${gcp.path}
impersonatedAccount: this
serviceAccountEmail: ${this.email}
tokenScopes:
- https://www.googleapis.com/auth/cloud-platformContent copied to clipboard
Import
A impersonated account can be imported using its Vault Path. For example, referencing the example above,
$ pulumi import vault:gcp/secretImpersonatedAccount:SecretImpersonatedAccount impersonated_account gcp/impersonated-account/project_viewerContent copied to clipboard
Properties
Link copied to clipboard
Name of the Impersonated Account to create
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Email of the GCP service account to impersonate.
Link copied to clipboard
Project the service account belongs to.
Link copied to clipboard
List of OAuth scopes to assign to access tokens generated under this impersonated account.