google_impersonated_credential.html.markdown

File metadata and controls

84 lines (62 loc) · 3.11 KB
---
layout: "google"
page_title: "Google: google_impersonated_credential"
sidebar_current: "docs-google-impersonated-credential"
description: |-
  Produces access_token for impersonated service accounts
---

# google_impersonated_credential

This data source provides a Google OAuth2 `access_token` for a different service account than the one initially running the script. You can then use this new token to access resources that the original caller would otherwise not have permissions on.

For more information, see the official documentation as well as `iamcredentials.generateAccessToken()`.

## Example Usage

To allow `service_A` to impersonate `service_B`, grant the Service Account Token Creator role on B to A.

In the IAM policy below, `service_A` is given the Token Creator role so that it can impersonate `service_B`:

```shell
$ cat service_policy.json
{
  "bindings": [
    {
      "members": [
        "[email protected]"
      ],
      "role": "roles/iam.serviceAccountTokenCreator"
    }
  ]
}

$ gcloud iam service-accounts set-iam-policy service_B@projectB.iam.gserviceaccount.com service_policy.json
```

Once the IAM permissions are set, you can pass the new token to a provider bootstrapped with it. Any resource that references the new provider will run as the new identity.

In the example below, `google_project` will run as `service_B`:

```hcl
provider "google" {}

data "google_client_config" "default" {
  provider = "google"
}

data "google_impersonated_credential" "default" {
  provider               = "google"
  target_service_account = "[email protected]"
  scopes                 = ["devstorage.read_only", "cloud-platform"]
  lifetime               = "300s"
}

provider "google" {
  alias        = "impersonated"
  access_token = "${data.google_impersonated_credential.default.access_token}"
}

data "google_project" "project" {
  provider   = "google.impersonated"
  project_id = "target-project"
}
```

Note: the generated token is non-refreshable and can have a maximum lifetime of 3600 seconds.

## Argument Reference

The following arguments are supported:

* `target_service_account` (Required) - The service account to impersonate (e.g. `[email protected]`).
* `scopes` (Required) - The scopes the new credential should have (e.g. `["devstorage.read_only", "cloud-platform"]`).
* `delegates` (Optional) - Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name (e.g. `["projects/-/serviceAccounts/[email protected]"]`).
* `lifetime` (Optional) - Lifetime of the impersonated token (defaults to its max: `3600s`).
* `source_access_token` (Optional) - The source token used to bootstrap this module.
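The following is an added example, not part of the provider or its documentation. It builds and validates the `iamcredentials.generateAccessToken()` request that the data source above issues on your behalf, enforcing the constraints stated here (lifetime at most 3600s, delegates as fully qualified `projects/-/serviceAccounts/...` names) and expanding the short scope names the data source accepts into the full OAuth scope URIs the API expects. The source token and the target service account are placeholders supplied by the caller.

```python
import json
import re
from urllib import request

IAM_CREDENTIALS = "https://iamcredentials.googleapis.com/v1"
SCOPE_PREFIX = "https://www.googleapis.com/auth/"
MAX_LIFETIME_S = 3600
# Delegates must be fully qualified: projects/-/serviceAccounts/<email>
DELEGATE_RE = re.compile(r"^projects/-/serviceAccounts/[^/]+@[^/]+$")


def build_generate_access_token_request(target_service_account, scopes,
                                        delegates=(), lifetime="3600s"):
    """Return (url, body) for POST .../serviceAccounts/{target}:generateAccessToken."""
    # lifetime is a duration string in seconds and is capped at 3600s by the API
    m = re.fullmatch(r"(\d+)s", lifetime)
    if not m or not 0 < int(m.group(1)) <= MAX_LIFETIME_S:
        raise ValueError(f"lifetime must be 1s..{MAX_LIFETIME_S}s, got {lifetime!r}")
    # The API wants full scope URIs; the data source takes short names like "cloud-platform"
    full_scopes = [s if s.startswith("https://") else SCOPE_PREFIX + s for s in scopes]
    for d in delegates:
        if not DELEGATE_RE.match(d):
            raise ValueError(f"delegate must be projects/-/serviceAccounts/<email>: {d!r}")
    url = (f"{IAM_CREDENTIALS}/projects/-/serviceAccounts/"
           f"{target_service_account}:generateAccessToken")
    body = {"scope": full_scopes, "lifetime": lifetime}
    if delegates:
        body["delegates"] = list(delegates)
    return url, body


def generate_access_token(source_access_token, *args, **kwargs):
    """Mint the short-lived token as the source identity (service_A in the text).

    Returns the API response: {"accessToken": "...", "expireTime": "..."}.
    The token is non-refreshable; callers should re-mint rather than cache past expireTime.
    """
    url, body = build_generate_access_token_request(*args, **kwargs)
    req = request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {source_access_token}",
                 "Content-Type": "application/json"})
    with request.urlopen(req) as resp:
        return json.load(resp)
```

`generate_access_token` performs a real network call and is only exercised with a valid source token; the request builder can be checked offline.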

## Attributes Reference

The following attribute is exported:

* `access_token` - The `access_token` representing the newly generated identity.