This data source provides a self-signed JWT. Tokens issued from this data source are typically used to call external services that accept JWTs for authentication.
Note: in order to use the following, the caller must have _at least_ `roles/iam.serviceAccountTokenCreator` on the `target_service_account`.
```hcl
data "google_service_account_jwt" "foo" {
  target_service_account = "impersonated-account@project.iam.gserviceaccount.com"

  payload = jsonencode({
    foo: "bar",
    sub: "subject",
  })

  expires_in = 60
}

output "jwt" {
  value = data.google_service_account_jwt.foo.jwt
}
```
The following arguments are supported:

* `target_service_account` - (Required) The email of the service account that will sign the JWT.
* `payload` - (Required) The JSON-encoded JWT claims set to include in the self-signed JWT.
* `expires_in` - (Optional) Number of seconds until the JWT expires. If set and non-zero, an `exp` claim will be added to the payload derived from the current timestamp plus `expires_in` seconds.
* `delegates` - (Optional) Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.

The following attribute is exported:

* `jwt` - The signed JWT containing the JWT Claims Set from the `payload`.
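The configuration below is an added example, not part of the provider documentation, that puts the arguments above together in the way a token consumer usually expects: a delegation chain, a claims set bound to one audience, a short lifetime, and the token passed as a bearer credential to an external endpoint via the `hashicorp/http` data source. The service account emails, project id, `https://api.example.com` URLs and the `projects/-/serviceAccounts/...` delegate form are assumptions for illustration.

```hcl
# Added example, not from the provider docs. Placeholders: the service account
# emails, project id, the audience/endpoint URLs and the delegate resource name.
data "google_service_account_jwt" "api_caller" {
  target_service_account = "api-caller@my-project.iam.gserviceaccount.com"

  # Optional delegation chain (assumed fully qualified name form). The caller
  # must be able to impersonate each delegate in turn, and the last delegate
  # must hold roles/iam.serviceAccountTokenCreator on target_service_account.
  delegates = [
    "projects/-/serviceAccounts/delegate@my-project.iam.gserviceaccount.com",
  ]

  # Claims the receiving service should check: tie iss/sub to the signing
  # account and scope the token to a single audience so it cannot be replayed
  # against a different service. exp is added by the provider from expires_in.
  payload = jsonencode({
    iss = "api-caller@my-project.iam.gserviceaccount.com"
    sub = "api-caller@my-project.iam.gserviceaccount.com"
    aud = "https://api.example.com/"
  })

  # Five-minute lifetime: long enough for the apply, short enough to limit
  # the window if the state file or logs leak.
  expires_in = 300
}

# Use the token as a bearer credential against the external service
# (hashicorp/http data source; the endpoint is a placeholder).
data "http" "api_call" {
  url = "https://api.example.com/v1/status"

  request_headers = {
    Authorization = "Bearer ${data.google_service_account_jwt.api_caller.jwt}"
  }
}

output "api_status" {
  value = data.http.api_call.response_body
}

# If the token itself must be exported, mark it sensitive so it is redacted
# from plan/apply output. It is still written to Terraform state.
output "jwt" {
  value     = data.google_service_account_jwt.api_caller.jwt
  sensitive = true
}
```

Data source results, including the signed token, are persisted in Terraform state, so the state backend needs the same access controls as any other credential store; `sensitive = true` only affects what is printed, not what is stored.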