This data source provides a google oauth2
access_token
for a different service account than the one initially running the script.
For more information see the official documentation as well as iamcredentials.generateAccessToken()
To allow service_A
to impersonate service_B
, grant the Service Account Token Creator on B to A.
In the IAM policy below, service_A
is given the Token Creator role impersonate service_B
resource "google_service_account_iam_binding" "token-creator-iam" {
service_account_id = "projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com"
role = "roles/iam.serviceAccountTokenCreator"
members = [
"serviceAccount:service_A@projectA.iam.gserviceaccount.com",
]
}
Once the IAM permissions are set, you can apply the new token to a provider bootstrapped with it. Any resources that references the aliased provider will run as the new identity.
In the example below, google_project
will run as service_B
.
provider "google" {
}
data "google_client_config" "default" {
provider = google
}
data "google_service_account_access_token" "default" {
provider = google
target_service_account = "service_B@projectB.iam.gserviceaccount.com"
scopes = ["userinfo-email", "cloud-platform"]
lifetime = "300s"
}
provider "google" {
alias = "impersonated"
access_token = data.google_service_account_access_token.default.access_token
}
data "google_client_openid_userinfo" "me" {
provider = google.impersonated
}
output "target-email" {
value = data.google_client_openid_userinfo.me.email
}
Note: the generated token is non-refreshable and can have a maximum
lifetime
of3600
seconds.
The following arguments are supported:
target_service_account
(Required) - The service account _to_ impersonate (e.g. service_B@your-project-id.iam.gserviceaccount.com
)scopes
(Required) - The scopes the new credential should have (e.g. ["cloud-platform"]
)delegates
(Optional) - Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. (e.g. ["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"]
)lifetime
(Optional) Lifetime of the impersonated token (defaults to its max: 3600s
).The following attribute is exported:
access_token
- The access_token
representing the new generated identity.