google_service_account_access_token

This data source provides a google oauth2 access_token for a different service account than the one initially running the script.

For more information see the official documentation as well as iamcredentials.generateAccessToken()

Example Usage

To allow service_A to impersonate service_B, grant the Service Account Token Creator on B to A.

In the IAM policy below, service_A is given the Token Creator role impersonate service_B

resource "google_service_account_iam_binding" "token-creator-iam" {
    service_account_id = "projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com"
    role               = "roles/iam.serviceAccountTokenCreator"
    members = [
        "serviceAccount:service_A@projectA.iam.gserviceaccount.com",
    ]
}

Once the IAM permissions are set, you can apply the new token to a provider bootstrapped with it. Any resources that references the aliased provider will run as the new identity.

In the example below, google_project will run as service_B.

provider "google" {
}

data "google_client_config" "default" {
  provider = google
}

data "google_service_account_access_token" "default" {
  provider               = google
  target_service_account = "service_B@projectB.iam.gserviceaccount.com"
  scopes                 = ["userinfo-email", "cloud-platform"]
  lifetime               = "300s"
}

provider "google" {
  alias        = "impersonated"
  access_token = data.google_service_account_access_token.default.access_token
}

data "google_client_openid_userinfo" "me" {
  provider = google.impersonated
}

output "target-email" {
  value = data.google_client_openid_userinfo.me.email
}

Note: the generated token is non-refreshable and can have a maximum lifetime of 3600 seconds.

Argument Reference

The following arguments are supported:

Attributes Reference

The following attribute is exported: