serviceaccount

package
v7.20.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 24, 2024 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Account 

type Account struct {
	pulumi.CustomResourceState

	// The account id that is used to generate the service
	// account email address and a stable unique id. It is unique within a project,
	// must be 6-30 characters long, and match the regular expression `a-z`
	// to comply with RFC1035. Changing this forces a new service account to be created.
	AccountId pulumi.StringOutput `pulumi:"accountId"`
	// If set to true, skip service account creation if a service account with the same email already exists.
	CreateIgnoreAlreadyExists pulumi.BoolPtrOutput `pulumi:"createIgnoreAlreadyExists"`
	// A text description of the service account.
	// Must be less than or equal to 256 UTF-8 bytes.
	Description pulumi.StringPtrOutput `pulumi:"description"`
	// Whether a service account is disabled or not. Defaults to `false`. This field has no effect during creation.
	// Must be set after creation to disable a service account.
	Disabled pulumi.BoolPtrOutput `pulumi:"disabled"`
	// The display name for the service account.
	// Can be updated without creating a new resource.
	DisplayName pulumi.StringPtrOutput `pulumi:"displayName"`
	// The e-mail address of the service account. This value
	// should be referenced from any `organizations.getIAMPolicy` data sources
	// that would grant the service account privileges.
	Email pulumi.StringOutput `pulumi:"email"`
	// The Identity of the service account in the form `serviceAccount:{email}`. This value is often used to refer to the service account in order to grant IAM permissions.
	Member pulumi.StringOutput `pulumi:"member"`
	// The fully-qualified name of the service account.
	Name pulumi.StringOutput `pulumi:"name"`
	// The ID of the project that the service account will be created in.
	// Defaults to the provider project configuration.
	Project pulumi.StringOutput `pulumi:"project"`
	// The unique id of the service account.
	UniqueId pulumi.StringOutput `pulumi:"uniqueId"`
}

Allows management of a Google Cloud service account.

* [API documentation](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts) * How-to Guides

> **Warning:** If you delete and recreate a service account, you must reapply any IAM roles that it had before.

> Creation of service accounts is eventually consistent, and that can lead to errors when you try to apply ACLs to service accounts immediately after creation.

## Example Usage

This snippet creates a service account in a project.

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := serviceaccount.NewAccount(ctx, "service_account", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("service-account-id"),
			DisplayName: pulumi.String("Service Account"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

Service accounts can be imported using their URI, e.g.

* `projects/{{project_id}}/serviceAccounts/{{email}}`

When using the `pulumi import` command, service accounts can be imported using one of the formats above. For example:

```sh $ pulumi import gcp:serviceaccount/account:Account default projects/{{project_id}}/serviceAccounts/{{email}} ```

func GetAccount 

func GetAccount(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AccountState, opts ...pulumi.ResourceOption) (*Account, error)

GetAccount gets an existing Account resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAccount 

func NewAccount(ctx *pulumi.Context,
	name string, args *AccountArgs, opts ...pulumi.ResourceOption) (*Account, error)

NewAccount registers a new resource with the given unique name, arguments, and options.

func (*Account) ElementType 

func (*Account) ElementType() reflect.Type

func (*Account) ToAccountOutput 

func (i *Account) ToAccountOutput() AccountOutput

func (*Account) ToAccountOutputWithContext 

func (i *Account) ToAccountOutputWithContext(ctx context.Context) AccountOutput

type AccountArgs 

type AccountArgs struct {
	// The account id that is used to generate the service
	// account email address and a stable unique id. It is unique within a project,
	// must be 6-30 characters long, and match the regular expression `a-z`
	// to comply with RFC1035. Changing this forces a new service account to be created.
	AccountId pulumi.StringInput
	// If set to true, skip service account creation if a service account with the same email already exists.
	CreateIgnoreAlreadyExists pulumi.BoolPtrInput
	// A text description of the service account.
	// Must be less than or equal to 256 UTF-8 bytes.
	Description pulumi.StringPtrInput
	// Whether a service account is disabled or not. Defaults to `false`. This field has no effect during creation.
	// Must be set after creation to disable a service account.
	Disabled pulumi.BoolPtrInput
	// The display name for the service account.
	// Can be updated without creating a new resource.
	DisplayName pulumi.StringPtrInput
	// The ID of the project that the service account will be created in.
	// Defaults to the provider project configuration.
	Project pulumi.StringPtrInput
}

The set of arguments for constructing a Account resource.

func (AccountArgs) ElementType 

func (AccountArgs) ElementType() reflect.Type

type AccountArray 

type AccountArray []AccountInput

func (AccountArray) ElementType 

func (AccountArray) ElementType() reflect.Type

func (AccountArray) ToAccountArrayOutput 

func (i AccountArray) ToAccountArrayOutput() AccountArrayOutput

func (AccountArray) ToAccountArrayOutputWithContext 

func (i AccountArray) ToAccountArrayOutputWithContext(ctx context.Context) AccountArrayOutput

type AccountArrayInput 

type AccountArrayInput interface {
	pulumi.Input

	ToAccountArrayOutput() AccountArrayOutput
	ToAccountArrayOutputWithContext(context.Context) AccountArrayOutput
}

AccountArrayInput is an input type that accepts AccountArray and AccountArrayOutput values. You can construct a concrete instance of `AccountArrayInput` via: 

AccountArray{ AccountArgs{...} }

type AccountArrayOutput 

type AccountArrayOutput struct{ *pulumi.OutputState }

func (AccountArrayOutput) ElementType 

func (AccountArrayOutput) ElementType() reflect.Type

func (AccountArrayOutput) Index 

func (o AccountArrayOutput) Index(i pulumi.IntInput) AccountOutput

func (AccountArrayOutput) ToAccountArrayOutput 

func (o AccountArrayOutput) ToAccountArrayOutput() AccountArrayOutput

func (AccountArrayOutput) ToAccountArrayOutputWithContext 

func (o AccountArrayOutput) ToAccountArrayOutputWithContext(ctx context.Context) AccountArrayOutput

type AccountInput 

type AccountInput interface {
	pulumi.Input

	ToAccountOutput() AccountOutput
	ToAccountOutputWithContext(ctx context.Context) AccountOutput
}

type AccountMap 

type AccountMap map[string]AccountInput

func (AccountMap) ElementType 

func (AccountMap) ElementType() reflect.Type

func (AccountMap) ToAccountMapOutput 

func (i AccountMap) ToAccountMapOutput() AccountMapOutput

func (AccountMap) ToAccountMapOutputWithContext 

func (i AccountMap) ToAccountMapOutputWithContext(ctx context.Context) AccountMapOutput

type AccountMapInput 

type AccountMapInput interface {
	pulumi.Input

	ToAccountMapOutput() AccountMapOutput
	ToAccountMapOutputWithContext(context.Context) AccountMapOutput
}

AccountMapInput is an input type that accepts AccountMap and AccountMapOutput values. You can construct a concrete instance of `AccountMapInput` via: 

AccountMap{ "key": AccountArgs{...} }

type AccountMapOutput 

type AccountMapOutput struct{ *pulumi.OutputState }

func (AccountMapOutput) ElementType 

func (AccountMapOutput) ElementType() reflect.Type

func (AccountMapOutput) MapIndex 

func (o AccountMapOutput) MapIndex(k pulumi.StringInput) AccountOutput

func (AccountMapOutput) ToAccountMapOutput 

func (o AccountMapOutput) ToAccountMapOutput() AccountMapOutput

func (AccountMapOutput) ToAccountMapOutputWithContext 

func (o AccountMapOutput) ToAccountMapOutputWithContext(ctx context.Context) AccountMapOutput

type AccountOutput 

type AccountOutput struct{ *pulumi.OutputState }

func (AccountOutput) AccountId 

func (o AccountOutput) AccountId() pulumi.StringOutput

The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression `a-z` to comply with RFC1035. Changing this forces a new service account to be created.

func (AccountOutput) CreateIgnoreAlreadyExists added in v7.6.0 

func (o AccountOutput) CreateIgnoreAlreadyExists() pulumi.BoolPtrOutput

If set to true, skip service account creation if a service account with the same email already exists.

func (AccountOutput) Description 

func (o AccountOutput) Description() pulumi.StringPtrOutput

A text description of the service account. Must be less than or equal to 256 UTF-8 bytes.

func (AccountOutput) Disabled 

func (o AccountOutput) Disabled() pulumi.BoolPtrOutput

Whether a service account is disabled or not. Defaults to `false`. This field has no effect during creation. Must be set after creation to disable a service account.

func (AccountOutput) DisplayName 

func (o AccountOutput) DisplayName() pulumi.StringPtrOutput

The display name for the service account. Can be updated without creating a new resource.

func (AccountOutput) ElementType 

func (AccountOutput) ElementType() reflect.Type

func (AccountOutput) Email 

func (o AccountOutput) Email() pulumi.StringOutput

The e-mail address of the service account. This value should be referenced from any `organizations.getIAMPolicy` data sources that would grant the service account privileges.

func (AccountOutput) Member 

func (o AccountOutput) Member() pulumi.StringOutput

The Identity of the service account in the form `serviceAccount:{email}`. This value is often used to refer to the service account in order to grant IAM permissions.

func (AccountOutput) Name 

func (o AccountOutput) Name() pulumi.StringOutput

The fully-qualified name of the service account.

func (AccountOutput) Project 

func (o AccountOutput) Project() pulumi.StringOutput

The ID of the project that the service account will be created in. Defaults to the provider project configuration.

func (AccountOutput) ToAccountOutput 

func (o AccountOutput) ToAccountOutput() AccountOutput

func (AccountOutput) ToAccountOutputWithContext 

func (o AccountOutput) ToAccountOutputWithContext(ctx context.Context) AccountOutput

func (AccountOutput) UniqueId 

func (o AccountOutput) UniqueId() pulumi.StringOutput

The unique id of the service account.

type AccountState 

type AccountState struct {
	// The account id that is used to generate the service
	// account email address and a stable unique id. It is unique within a project,
	// must be 6-30 characters long, and match the regular expression `a-z`
	// to comply with RFC1035. Changing this forces a new service account to be created.
	AccountId pulumi.StringPtrInput
	// If set to true, skip service account creation if a service account with the same email already exists.
	CreateIgnoreAlreadyExists pulumi.BoolPtrInput
	// A text description of the service account.
	// Must be less than or equal to 256 UTF-8 bytes.
	Description pulumi.StringPtrInput
	// Whether a service account is disabled or not. Defaults to `false`. This field has no effect during creation.
	// Must be set after creation to disable a service account.
	Disabled pulumi.BoolPtrInput
	// The display name for the service account.
	// Can be updated without creating a new resource.
	DisplayName pulumi.StringPtrInput
	// The e-mail address of the service account. This value
	// should be referenced from any `organizations.getIAMPolicy` data sources
	// that would grant the service account privileges.
	Email pulumi.StringPtrInput
	// The Identity of the service account in the form `serviceAccount:{email}`. This value is often used to refer to the service account in order to grant IAM permissions.
	Member pulumi.StringPtrInput
	// The fully-qualified name of the service account.
	Name pulumi.StringPtrInput
	// The ID of the project that the service account will be created in.
	// Defaults to the provider project configuration.
	Project pulumi.StringPtrInput
	// The unique id of the service account.
	UniqueId pulumi.StringPtrInput
}

func (AccountState) ElementType 

func (AccountState) ElementType() reflect.Type

type GetAccountAccessTokenArgs 

type GetAccountAccessTokenArgs struct {
	// Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.  (e.g. `["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"]`)
	Delegates []string `pulumi:"delegates"`
	// Lifetime of the impersonated token (defaults to its max: `3600s`).
	Lifetime *string `pulumi:"lifetime"`
	// The scopes the new credential should have (e.g. `["cloud-platform"]`)
	Scopes []string `pulumi:"scopes"`
	// The service account _to_ impersonate (e.g. `service_B@your-project-id.iam.gserviceaccount.com`)
	TargetServiceAccount string `pulumi:"targetServiceAccount"`
}

A collection of arguments for invoking getAccountAccessToken.

type GetAccountAccessTokenOutputArgs 

type GetAccountAccessTokenOutputArgs struct {
	// Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.  (e.g. `["projects/-/serviceAccounts/delegate-svc-account@project-id.iam.gserviceaccount.com"]`)
	Delegates pulumi.StringArrayInput `pulumi:"delegates"`
	// Lifetime of the impersonated token (defaults to its max: `3600s`).
	Lifetime pulumi.StringPtrInput `pulumi:"lifetime"`
	// The scopes the new credential should have (e.g. `["cloud-platform"]`)
	Scopes pulumi.StringArrayInput `pulumi:"scopes"`
	// The service account _to_ impersonate (e.g. `service_B@your-project-id.iam.gserviceaccount.com`)
	TargetServiceAccount pulumi.StringInput `pulumi:"targetServiceAccount"`
}

A collection of arguments for invoking getAccountAccessToken.

func (GetAccountAccessTokenOutputArgs) ElementType 

func (GetAccountAccessTokenOutputArgs) ElementType() reflect.Type

type GetAccountAccessTokenResult 

type GetAccountAccessTokenResult struct {
	// The `accessToken` representing the new generated identity.
	AccessToken string   `pulumi:"accessToken"`
	Delegates   []string `pulumi:"delegates"`
	// The provider-assigned unique ID for this managed resource.
	Id                   string   `pulumi:"id"`
	Lifetime             *string  `pulumi:"lifetime"`
	Scopes               []string `pulumi:"scopes"`
	TargetServiceAccount string   `pulumi:"targetServiceAccount"`
}

A collection of values returned by getAccountAccessToken.

func GetAccountAccessToken 

func GetAccountAccessToken(ctx *pulumi.Context, args *GetAccountAccessTokenArgs, opts ...pulumi.InvokeOption) (*GetAccountAccessTokenResult, error)

This data source provides a google `oauth2` `accessToken` for a different service account than the one initially running the script.

For more information see [the official documentation](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials) as well as [iamcredentials.generateAccessToken()](https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken)

## Example Usage

To allow `service_A` to impersonate `service_B`, grant the [Service Account Token Creator](https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role) on B to A.

In the IAM policy below, `service_A` is given the Token Creator role impersonate `service_B`

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := serviceaccount.NewIAMBinding(ctx, "token-creator-iam", &serviceaccount.IAMBindingArgs{
			ServiceAccountId: pulumi.String("projects/-/serviceAccounts/service_B@projectB.iam.gserviceaccount.com"),
			Role:             pulumi.String("roles/iam.serviceAccountTokenCreator"),
			Members: pulumi.StringArray{
				pulumi.String("serviceAccount:service_A@projectA.iam.gserviceaccount.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

Once the IAM permissions are set, you can apply the new token to a provider bootstrapped with it. Any resources that references the aliased provider will run as the new identity.

In the example below, `organizations.Project` will run as `service_B`.

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := organizations.GetClientConfig(ctx, nil, nil)
		if err != nil {
			return err
		}
		_, err = serviceaccount.GetAccountAccessToken(ctx, &serviceaccount.GetAccountAccessTokenArgs{
			TargetServiceAccount: "service_B@projectB.iam.gserviceaccount.com",
			Scopes: []string{
				"userinfo-email",
				"cloud-platform",
			},
			Lifetime: pulumi.StringRef("300s"),
		}, nil)
		if err != nil {
			return err
		}
		me, err := organizations.GetClientOpenIdUserInfo(ctx, nil, nil)
		if err != nil {
			return err
		}
		ctx.Export("target-email", me.Email)
		return nil
	})
}

```

> *Note*: the generated token is non-refreshable and can have a maximum `lifetime` of `3600` seconds.

type GetAccountAccessTokenResultOutput 

type GetAccountAccessTokenResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAccountAccessToken.

func GetAccountAccessTokenOutput 

func GetAccountAccessTokenOutput(ctx *pulumi.Context, args GetAccountAccessTokenOutputArgs, opts ...pulumi.InvokeOption) GetAccountAccessTokenResultOutput

func (GetAccountAccessTokenResultOutput) AccessToken 

func (o GetAccountAccessTokenResultOutput) AccessToken() pulumi.StringOutput

The `accessToken` representing the new generated identity.

func (GetAccountAccessTokenResultOutput) Delegates 

func (o GetAccountAccessTokenResultOutput) Delegates() pulumi.StringArrayOutput

func (GetAccountAccessTokenResultOutput) ElementType 

func (GetAccountAccessTokenResultOutput) ElementType() reflect.Type

func (GetAccountAccessTokenResultOutput) Id 

func (o GetAccountAccessTokenResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (GetAccountAccessTokenResultOutput) Lifetime 

func (o GetAccountAccessTokenResultOutput) Lifetime() pulumi.StringPtrOutput

func (GetAccountAccessTokenResultOutput) Scopes 

func (o GetAccountAccessTokenResultOutput) Scopes() pulumi.StringArrayOutput

func (GetAccountAccessTokenResultOutput) TargetServiceAccount 

func (o GetAccountAccessTokenResultOutput) TargetServiceAccount() pulumi.StringOutput

func (GetAccountAccessTokenResultOutput) ToGetAccountAccessTokenResultOutput 

func (o GetAccountAccessTokenResultOutput) ToGetAccountAccessTokenResultOutput() GetAccountAccessTokenResultOutput

func (GetAccountAccessTokenResultOutput) ToGetAccountAccessTokenResultOutputWithContext 

func (o GetAccountAccessTokenResultOutput) ToGetAccountAccessTokenResultOutputWithContext(ctx context.Context) GetAccountAccessTokenResultOutput

type GetAccountIdTokenArgs 

type GetAccountIdTokenArgs struct {
	// Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.   Used only when using impersonation mode.
	Delegates []string `pulumi:"delegates"`
	// Include the verified email in the claim. Used only when using impersonation mode.
	IncludeEmail *bool `pulumi:"includeEmail"`
	// The audience claim for the `idToken`.
	TargetAudience string `pulumi:"targetAudience"`
	// The email of the service account being impersonated.  Used only when using impersonation mode.
	TargetServiceAccount *string `pulumi:"targetServiceAccount"`
}

A collection of arguments for invoking getAccountIdToken.

type GetAccountIdTokenOutputArgs 

type GetAccountIdTokenOutputArgs struct {
	// Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.   Used only when using impersonation mode.
	Delegates pulumi.StringArrayInput `pulumi:"delegates"`
	// Include the verified email in the claim. Used only when using impersonation mode.
	IncludeEmail pulumi.BoolPtrInput `pulumi:"includeEmail"`
	// The audience claim for the `idToken`.
	TargetAudience pulumi.StringInput `pulumi:"targetAudience"`
	// The email of the service account being impersonated.  Used only when using impersonation mode.
	TargetServiceAccount pulumi.StringPtrInput `pulumi:"targetServiceAccount"`
}

A collection of arguments for invoking getAccountIdToken.

func (GetAccountIdTokenOutputArgs) ElementType 

func (GetAccountIdTokenOutputArgs) ElementType() reflect.Type

type GetAccountIdTokenResult 

type GetAccountIdTokenResult struct {
	Delegates []string `pulumi:"delegates"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// The `idToken` representing the new generated identity.
	IdToken              string  `pulumi:"idToken"`
	IncludeEmail         *bool   `pulumi:"includeEmail"`
	TargetAudience       string  `pulumi:"targetAudience"`
	TargetServiceAccount *string `pulumi:"targetServiceAccount"`
}

A collection of values returned by getAccountIdToken.

func GetAccountIdToken 

func GetAccountIdToken(ctx *pulumi.Context, args *GetAccountIdTokenArgs, opts ...pulumi.InvokeOption) (*GetAccountIdTokenResult, error)

This data source provides a Google OpenID Connect (`oidc`) `idToken`. Tokens issued from this data source are typically used to call external services that accept OIDC tokens for authentication (e.g. [Google Cloud Run](https://cloud.google.com/run/docs/authenticating/service-to-service)).

For more information see [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html#IDToken).

## Example Usage

### ServiceAccount JSON Credential File. 

`serviceaccount.getAccountIdToken` will use the configured provider credentials

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
  pulumi.Run(func(ctx *pulumi.Context) error {
      oidc, err := serviceaccount.GetAccountIdToken(ctx, &serviceaccount.GetAccountIdTokenArgs{
          TargetAudience: "https://foo.bar/",
      }, nil)
      if err != nil {
          return err
      }
      ctx.Export("oidcToken", oidc.IdToken)
      return nil
  })
}

```

### Service Account Impersonation. 

`serviceaccount.getAccountAccessToken` will use background impersonated credentials provided by `serviceaccount.getAccountAccessToken`.

Note: to use the following, you must grant `targetServiceAccount` the
`roles/iam.serviceAccountTokenCreator` role on itself.

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
  pulumi.Run(func(ctx *pulumi.Context) error {
      _, err := serviceaccount.GetAccountAccessToken(ctx, &serviceaccount.GetAccountAccessTokenArgs{
          TargetServiceAccount: "impersonated-account@project.iam.gserviceaccount.com",
          Delegates:            []interface{}{},
          Scopes: []string{
              "userinfo-email",
              "cloud-platform",
          },
          Lifetime: pulumi.StringRef("300s"),
      }, nil)
      if err != nil {
          return err
      }
      oidc, err := serviceaccount.GetAccountIdToken(ctx, &serviceaccount.GetAccountIdTokenArgs{
          TargetServiceAccount: pulumi.StringRef("impersonated-account@project.iam.gserviceaccount.com"),
          Delegates:            []interface{}{},
          IncludeEmail:         pulumi.BoolRef(true),
          TargetAudience:       "https://foo.bar/",
      }, nil)
      if err != nil {
          return err
      }
      ctx.Export("oidcToken", oidc.IdToken)
      return nil
  })
}

```

### Invoking Cloud Run Endpoint 

The following configuration will invoke [Cloud Run](https://cloud.google.com/run/docs/authenticating/service-to-service) endpoint where the service account for the provider has been granted `roles/run.invoker` role previously.

```go package main

import ( 

"fmt"

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi-http/sdk/go/http"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		oidc, err := serviceaccount.GetAccountIdToken(ctx, &serviceaccount.GetAccountIdTokenArgs{
			TargetAudience: "https://your.cloud.run.app/",
		}, nil)
		if err != nil {
			return err
		}
		cloudrun, err := http.GetHttp(ctx, &http.GetHttpArgs{
			Url: "https://your.cloud.run.app/",
			RequestHeaders: map[string]interface{}{
				"Authorization": fmt.Sprintf("Bearer %v", oidc.IdToken),
			},
		}, nil)
		if err != nil {
			return err
		}
		ctx.Export("cloudRunResponse", cloudrun.Body)
		return nil
	})
}

```

type GetAccountIdTokenResultOutput 

type GetAccountIdTokenResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAccountIdToken.

func GetAccountIdTokenOutput 

func GetAccountIdTokenOutput(ctx *pulumi.Context, args GetAccountIdTokenOutputArgs, opts ...pulumi.InvokeOption) GetAccountIdTokenResultOutput

func (GetAccountIdTokenResultOutput) Delegates 

func (o GetAccountIdTokenResultOutput) Delegates() pulumi.StringArrayOutput

func (GetAccountIdTokenResultOutput) ElementType 

func (GetAccountIdTokenResultOutput) ElementType() reflect.Type

func (GetAccountIdTokenResultOutput) Id 

func (o GetAccountIdTokenResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (GetAccountIdTokenResultOutput) IdToken 

func (o GetAccountIdTokenResultOutput) IdToken() pulumi.StringOutput

The `idToken` representing the new generated identity.

func (GetAccountIdTokenResultOutput) IncludeEmail 

func (o GetAccountIdTokenResultOutput) IncludeEmail() pulumi.BoolPtrOutput

func (GetAccountIdTokenResultOutput) TargetAudience 

func (o GetAccountIdTokenResultOutput) TargetAudience() pulumi.StringOutput

func (GetAccountIdTokenResultOutput) TargetServiceAccount 

func (o GetAccountIdTokenResultOutput) TargetServiceAccount() pulumi.StringPtrOutput

func (GetAccountIdTokenResultOutput) ToGetAccountIdTokenResultOutput 

func (o GetAccountIdTokenResultOutput) ToGetAccountIdTokenResultOutput() GetAccountIdTokenResultOutput

func (GetAccountIdTokenResultOutput) ToGetAccountIdTokenResultOutputWithContext 

func (o GetAccountIdTokenResultOutput) ToGetAccountIdTokenResultOutputWithContext(ctx context.Context) GetAccountIdTokenResultOutput

type GetAccountJwtArgs 

type GetAccountJwtArgs struct {
	// Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.
	Delegates []string `pulumi:"delegates"`
	// Number of seconds until the JWT expires. If set and non-zero an `exp` claim will be added to the payload derived from the current timestamp plus expiresIn seconds.
	ExpiresIn *int `pulumi:"expiresIn"`
	// The JSON-encoded JWT claims set to include in the self-signed JWT.
	Payload string `pulumi:"payload"`
	// The email of the service account that will sign the JWT.
	TargetServiceAccount string `pulumi:"targetServiceAccount"`
}

A collection of arguments for invoking getAccountJwt.

type GetAccountJwtOutputArgs 

type GetAccountJwtOutputArgs struct {
	// Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.
	Delegates pulumi.StringArrayInput `pulumi:"delegates"`
	// Number of seconds until the JWT expires. If set and non-zero an `exp` claim will be added to the payload derived from the current timestamp plus expiresIn seconds.
	ExpiresIn pulumi.IntPtrInput `pulumi:"expiresIn"`
	// The JSON-encoded JWT claims set to include in the self-signed JWT.
	Payload pulumi.StringInput `pulumi:"payload"`
	// The email of the service account that will sign the JWT.
	TargetServiceAccount pulumi.StringInput `pulumi:"targetServiceAccount"`
}

A collection of arguments for invoking getAccountJwt.

func (GetAccountJwtOutputArgs) ElementType 

func (GetAccountJwtOutputArgs) ElementType() reflect.Type

type GetAccountJwtResult 

type GetAccountJwtResult struct {
	Delegates []string `pulumi:"delegates"`
	ExpiresIn *int     `pulumi:"expiresIn"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// The signed JWT containing the JWT Claims Set from the `payload`.
	Jwt                  string `pulumi:"jwt"`
	Payload              string `pulumi:"payload"`
	TargetServiceAccount string `pulumi:"targetServiceAccount"`
}

A collection of values returned by getAccountJwt.

func GetAccountJwt 

func GetAccountJwt(ctx *pulumi.Context, args *GetAccountJwtArgs, opts ...pulumi.InvokeOption) (*GetAccountJwtResult, error)

This data source provides a [self-signed JWT](https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-jwt). Tokens issued from this data source are typically used to call external services that accept JWTs for authentication.

## Example Usage

Note: in order to use the following, the caller must have _at least_ `roles/iam.serviceAccountTokenCreator` on the `targetServiceAccount`.

```go package main

import ( 

"encoding/json"

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"foo": "bar",
			"sub": "subject",
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		foo, err := serviceaccount.GetAccountJwt(ctx, &serviceaccount.GetAccountJwtArgs{
			TargetServiceAccount: "impersonated-account@project.iam.gserviceaccount.com",
			Payload:              json0,
			ExpiresIn:            pulumi.IntRef(60),
		}, nil)
		if err != nil {
			return err
		}
		ctx.Export("jwt", foo.Jwt)
		return nil
	})
}

```

type GetAccountJwtResultOutput 

type GetAccountJwtResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAccountJwt.

func GetAccountJwtOutput 

func GetAccountJwtOutput(ctx *pulumi.Context, args GetAccountJwtOutputArgs, opts ...pulumi.InvokeOption) GetAccountJwtResultOutput

func (GetAccountJwtResultOutput) Delegates 

func (o GetAccountJwtResultOutput) Delegates() pulumi.StringArrayOutput

func (GetAccountJwtResultOutput) ElementType 

func (GetAccountJwtResultOutput) ElementType() reflect.Type

func (GetAccountJwtResultOutput) ExpiresIn 

func (o GetAccountJwtResultOutput) ExpiresIn() pulumi.IntPtrOutput

func (GetAccountJwtResultOutput) Id 

func (o GetAccountJwtResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (GetAccountJwtResultOutput) Jwt 

func (o GetAccountJwtResultOutput) Jwt() pulumi.StringOutput

The signed JWT containing the JWT Claims Set from the `payload`.

func (GetAccountJwtResultOutput) Payload 

func (o GetAccountJwtResultOutput) Payload() pulumi.StringOutput

func (GetAccountJwtResultOutput) TargetServiceAccount 

func (o GetAccountJwtResultOutput) TargetServiceAccount() pulumi.StringOutput

func (GetAccountJwtResultOutput) ToGetAccountJwtResultOutput 

func (o GetAccountJwtResultOutput) ToGetAccountJwtResultOutput() GetAccountJwtResultOutput

func (GetAccountJwtResultOutput) ToGetAccountJwtResultOutputWithContext 

func (o GetAccountJwtResultOutput) ToGetAccountJwtResultOutputWithContext(ctx context.Context) GetAccountJwtResultOutput

type GetAccountKeyArgs 

type GetAccountKeyArgs struct {
	// The name of the service account key. This must have format
	// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{KEYID}`, where `{ACCOUNT}`
	// is the email address or unique id of the service account.
	Name string `pulumi:"name"`
	// The ID of the project that the service account will be created in.
	// Defaults to the provider project configuration.
	Project *string `pulumi:"project"`
	// The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
	PublicKeyType *string `pulumi:"publicKeyType"`
}

A collection of arguments for invoking getAccountKey.

type GetAccountKeyOutputArgs 

type GetAccountKeyOutputArgs struct {
	// The name of the service account key. This must have format
	// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{KEYID}`, where `{ACCOUNT}`
	// is the email address or unique id of the service account.
	Name pulumi.StringInput `pulumi:"name"`
	// The ID of the project that the service account will be created in.
	// Defaults to the provider project configuration.
	Project pulumi.StringPtrInput `pulumi:"project"`
	// The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
	PublicKeyType pulumi.StringPtrInput `pulumi:"publicKeyType"`
}

A collection of arguments for invoking getAccountKey.

func (GetAccountKeyOutputArgs) ElementType 

func (GetAccountKeyOutputArgs) ElementType() reflect.Type

type GetAccountKeyResult 

type GetAccountKeyResult struct {
	// The provider-assigned unique ID for this managed resource.
	Id           string  `pulumi:"id"`
	KeyAlgorithm string  `pulumi:"keyAlgorithm"`
	Name         string  `pulumi:"name"`
	Project      *string `pulumi:"project"`
	// The public key, base64 encoded
	PublicKey     string  `pulumi:"publicKey"`
	PublicKeyType *string `pulumi:"publicKeyType"`
}

A collection of values returned by getAccountKey.

func GetAccountKey 

func GetAccountKey(ctx *pulumi.Context, args *GetAccountKeyArgs, opts ...pulumi.InvokeOption) (*GetAccountKeyResult, error)

Get service account public key. For more information, see [the official documentation](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and [API](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys/get).

## Example Usage

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		myaccount, err := serviceaccount.NewAccount(ctx, "myaccount", &serviceaccount.AccountArgs{
			AccountId: pulumi.String("dev-foo-account"),
		})
		if err != nil {
			return err
		}
		mykeyKey, err := serviceaccount.NewKey(ctx, "mykey", &serviceaccount.KeyArgs{
			ServiceAccountId: myaccount.Name,
		})
		if err != nil {
			return err
		}
		_ = serviceaccount.GetAccountKeyOutput(ctx, serviceaccount.GetAccountKeyOutputArgs{
			Name:          mykeyKey.Name,
			PublicKeyType: pulumi.String("TYPE_X509_PEM_FILE"),
		}, nil)
		return nil
	})
}

```

type GetAccountKeyResultOutput 

type GetAccountKeyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAccountKey.

func GetAccountKeyOutput 

func GetAccountKeyOutput(ctx *pulumi.Context, args GetAccountKeyOutputArgs, opts ...pulumi.InvokeOption) GetAccountKeyResultOutput

func (GetAccountKeyResultOutput) ElementType 

func (GetAccountKeyResultOutput) ElementType() reflect.Type

func (GetAccountKeyResultOutput) Id 

func (o GetAccountKeyResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (GetAccountKeyResultOutput) KeyAlgorithm 

func (o GetAccountKeyResultOutput) KeyAlgorithm() pulumi.StringOutput

func (GetAccountKeyResultOutput) Name 

func (o GetAccountKeyResultOutput) Name() pulumi.StringOutput

func (GetAccountKeyResultOutput) Project 

func (o GetAccountKeyResultOutput) Project() pulumi.StringPtrOutput

func (GetAccountKeyResultOutput) PublicKey 

func (o GetAccountKeyResultOutput) PublicKey() pulumi.StringOutput

The public key, base64 encoded

func (GetAccountKeyResultOutput) PublicKeyType 

func (o GetAccountKeyResultOutput) PublicKeyType() pulumi.StringPtrOutput

func (GetAccountKeyResultOutput) ToGetAccountKeyResultOutput 

func (o GetAccountKeyResultOutput) ToGetAccountKeyResultOutput() GetAccountKeyResultOutput

func (GetAccountKeyResultOutput) ToGetAccountKeyResultOutputWithContext 

func (o GetAccountKeyResultOutput) ToGetAccountKeyResultOutputWithContext(ctx context.Context) GetAccountKeyResultOutput

type GetIamPolicyArgs 

type GetIamPolicyArgs struct {
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId string `pulumi:"serviceAccountId"`
}

A collection of arguments for invoking getIamPolicy.

type GetIamPolicyOutputArgs 

type GetIamPolicyOutputArgs struct {
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringInput `pulumi:"serviceAccountId"`
}

A collection of arguments for invoking getIamPolicy.

func (GetIamPolicyOutputArgs) ElementType 

func (GetIamPolicyOutputArgs) ElementType() reflect.Type

type GetIamPolicyResult 

type GetIamPolicyResult struct {
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Computed) The policy data
	PolicyData       string `pulumi:"policyData"`
	ServiceAccountId string `pulumi:"serviceAccountId"`
}

A collection of values returned by getIamPolicy.

func GetIamPolicy 

func GetIamPolicy(ctx *pulumi.Context, args *GetIamPolicyArgs, opts ...pulumi.InvokeOption) (*GetIamPolicyResult, error)

Retrieves the current IAM policy data for a service account.

## example

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := serviceaccount.GetIamPolicy(ctx, &serviceaccount.GetIamPolicyArgs{
			ServiceAccountId: testAccount.Name,
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

type GetIamPolicyResultOutput 

type GetIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getIamPolicy.

func GetIamPolicyOutput 

func GetIamPolicyOutput(ctx *pulumi.Context, args GetIamPolicyOutputArgs, opts ...pulumi.InvokeOption) GetIamPolicyResultOutput

func (GetIamPolicyResultOutput) ElementType 

func (GetIamPolicyResultOutput) ElementType() reflect.Type

func (GetIamPolicyResultOutput) Etag 

func (o GetIamPolicyResultOutput) Etag() pulumi.StringOutput

(Computed) The etag of the IAM policy.

func (GetIamPolicyResultOutput) Id 

func (o GetIamPolicyResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (GetIamPolicyResultOutput) PolicyData 

func (o GetIamPolicyResultOutput) PolicyData() pulumi.StringOutput

(Computed) The policy data

func (GetIamPolicyResultOutput) ServiceAccountId 

func (o GetIamPolicyResultOutput) ServiceAccountId() pulumi.StringOutput

func (GetIamPolicyResultOutput) ToGetIamPolicyResultOutput 

func (o GetIamPolicyResultOutput) ToGetIamPolicyResultOutput() GetIamPolicyResultOutput

func (GetIamPolicyResultOutput) ToGetIamPolicyResultOutputWithContext 

func (o GetIamPolicyResultOutput) ToGetIamPolicyResultOutputWithContext(ctx context.Context) GetIamPolicyResultOutput

type IAMBinding 

type IAMBinding struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition IAMBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the service account IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The role that should be applied. Only one
	// `serviceaccount.IAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringOutput `pulumi:"serviceAccountId"`
}

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource, such as allowing the members to run operations as or modify the service account. To configure permissions for a service account on other GCP resources, use the googleProjectIam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

* `serviceaccount.IAMPolicy`: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached. * `serviceaccount.IAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved. * `serviceaccount.IAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

> **Note:** `serviceaccount.IAMPolicy` **cannot** be used in conjunction with `serviceaccount.IAMBinding` and `serviceaccount.IAMMember` or they will fight over what your policy should be.

> **Note:** `serviceaccount.IAMBinding` resources **can be** used in conjunction with `serviceaccount.IAMMember` resources **only if** they do not grant privilege to the same role.

## Example Usage

### Service Account IAM Policy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iam.serviceAccountUser",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can interact with"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMPolicy(ctx, "admin-account-iam", &serviceaccount.IAMPolicyArgs{
			ServiceAccountId: sa.Name,
			PolicyData:       pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Binding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMBinding(ctx, "admin-account-iam", &serviceaccount.IAMBindingArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Binding With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMBinding(ctx, "admin-account-iam", &serviceaccount.IAMBindingArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &serviceaccount.IAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Member

```go package main

import ( 

"fmt"

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_default, err := compute.GetDefaultServiceAccount(ctx, nil, nil)
		if err != nil {
			return err
		}
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMMember(ctx, "admin-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member:           pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		// Allow SA service account use the default GCE account
		_, err = serviceaccount.NewIAMMember(ctx, "gce-default-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: pulumi.String(_default.Name),
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member: sa.Email.ApplyT(func(email string) (string, error) {
				return fmt.Sprintf("serviceAccount:%v", email), nil
			}).(pulumi.StringOutput),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Member With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMMember(ctx, "admin-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member:           pulumi.String("user:jane@example.com"),
			Condition: &serviceaccount.IAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Additional Examples

### Service Account IAM Policy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iam.serviceAccountUser",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can interact with"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMPolicy(ctx, "admin-account-iam", &serviceaccount.IAMPolicyArgs{
			ServiceAccountId: sa.Name,
			PolicyData:       pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Binding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMBinding(ctx, "admin-account-iam", &serviceaccount.IAMBindingArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Binding With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMBinding(ctx, "admin-account-iam", &serviceaccount.IAMBindingArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &serviceaccount.IAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Member

```go package main

import ( 

"fmt"

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_default, err := compute.GetDefaultServiceAccount(ctx, nil, nil)
		if err != nil {
			return err
		}
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMMember(ctx, "admin-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member:           pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		// Allow SA service account use the default GCE account
		_, err = serviceaccount.NewIAMMember(ctx, "gce-default-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: pulumi.String(_default.Name),
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member: sa.Email.ApplyT(func(email string) (string, error) {
				return fmt.Sprintf("serviceAccount:%v", email), nil
			}).(pulumi.StringOutput),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Member With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMMember(ctx, "admin-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member:           pulumi.String("user:jane@example.com"),
			Condition: &serviceaccount.IAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

### Importing with conditions:

Here are examples of importing IAM memberships and bindings that include conditions:

```sh $ pulumi import gcp:serviceaccount/iAMBinding:IAMBinding admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/iam.serviceAccountUser expires_after_2019_12_31" ```

```sh $ pulumi import gcp:serviceaccount/iAMBinding:IAMBinding admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/iam.serviceAccountUser user:foo@example.com expires_after_2019_12_31" ```

func GetIAMBinding 

func GetIAMBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *IAMBindingState, opts ...pulumi.ResourceOption) (*IAMBinding, error)

GetIAMBinding gets an existing IAMBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewIAMBinding 

func NewIAMBinding(ctx *pulumi.Context,
	name string, args *IAMBindingArgs, opts ...pulumi.ResourceOption) (*IAMBinding, error)

NewIAMBinding registers a new resource with the given unique name, arguments, and options.

func (*IAMBinding) ElementType 

func (*IAMBinding) ElementType() reflect.Type

func (*IAMBinding) ToIAMBindingOutput 

func (i *IAMBinding) ToIAMBindingOutput() IAMBindingOutput

func (*IAMBinding) ToIAMBindingOutputWithContext 

func (i *IAMBinding) ToIAMBindingOutputWithContext(ctx context.Context) IAMBindingOutput

type IAMBindingArgs 

type IAMBindingArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition IAMBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	Members pulumi.StringArrayInput
	// The role that should be applied. Only one
	// `serviceaccount.IAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringInput
}

The set of arguments for constructing a IAMBinding resource.

func (IAMBindingArgs) ElementType 

func (IAMBindingArgs) ElementType() reflect.Type

type IAMBindingArray 

type IAMBindingArray []IAMBindingInput

func (IAMBindingArray) ElementType 

func (IAMBindingArray) ElementType() reflect.Type

func (IAMBindingArray) ToIAMBindingArrayOutput 

func (i IAMBindingArray) ToIAMBindingArrayOutput() IAMBindingArrayOutput

func (IAMBindingArray) ToIAMBindingArrayOutputWithContext 

func (i IAMBindingArray) ToIAMBindingArrayOutputWithContext(ctx context.Context) IAMBindingArrayOutput

type IAMBindingArrayInput 

type IAMBindingArrayInput interface {
	pulumi.Input

	ToIAMBindingArrayOutput() IAMBindingArrayOutput
	ToIAMBindingArrayOutputWithContext(context.Context) IAMBindingArrayOutput
}

IAMBindingArrayInput is an input type that accepts IAMBindingArray and IAMBindingArrayOutput values. You can construct a concrete instance of `IAMBindingArrayInput` via: 

IAMBindingArray{ IAMBindingArgs{...} }

type IAMBindingArrayOutput 

type IAMBindingArrayOutput struct{ *pulumi.OutputState }

func (IAMBindingArrayOutput) ElementType 

func (IAMBindingArrayOutput) ElementType() reflect.Type

func (IAMBindingArrayOutput) Index 

func (o IAMBindingArrayOutput) Index(i pulumi.IntInput) IAMBindingOutput

func (IAMBindingArrayOutput) ToIAMBindingArrayOutput 

func (o IAMBindingArrayOutput) ToIAMBindingArrayOutput() IAMBindingArrayOutput

func (IAMBindingArrayOutput) ToIAMBindingArrayOutputWithContext 

func (o IAMBindingArrayOutput) ToIAMBindingArrayOutputWithContext(ctx context.Context) IAMBindingArrayOutput

type IAMBindingCondition 

type IAMBindingCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type IAMBindingConditionArgs 

type IAMBindingConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (IAMBindingConditionArgs) ElementType 

func (IAMBindingConditionArgs) ElementType() reflect.Type

func (IAMBindingConditionArgs) ToIAMBindingConditionOutput 

func (i IAMBindingConditionArgs) ToIAMBindingConditionOutput() IAMBindingConditionOutput

func (IAMBindingConditionArgs) ToIAMBindingConditionOutputWithContext 

func (i IAMBindingConditionArgs) ToIAMBindingConditionOutputWithContext(ctx context.Context) IAMBindingConditionOutput

func (IAMBindingConditionArgs) ToIAMBindingConditionPtrOutput 

func (i IAMBindingConditionArgs) ToIAMBindingConditionPtrOutput() IAMBindingConditionPtrOutput

func (IAMBindingConditionArgs) ToIAMBindingConditionPtrOutputWithContext 

func (i IAMBindingConditionArgs) ToIAMBindingConditionPtrOutputWithContext(ctx context.Context) IAMBindingConditionPtrOutput

type IAMBindingConditionInput 

type IAMBindingConditionInput interface {
	pulumi.Input

	ToIAMBindingConditionOutput() IAMBindingConditionOutput
	ToIAMBindingConditionOutputWithContext(context.Context) IAMBindingConditionOutput
}

IAMBindingConditionInput is an input type that accepts IAMBindingConditionArgs and IAMBindingConditionOutput values. You can construct a concrete instance of `IAMBindingConditionInput` via: 

IAMBindingConditionArgs{...}

type IAMBindingConditionOutput 

type IAMBindingConditionOutput struct{ *pulumi.OutputState }

func (IAMBindingConditionOutput) Description 

func (o IAMBindingConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (IAMBindingConditionOutput) ElementType 

func (IAMBindingConditionOutput) ElementType() reflect.Type

func (IAMBindingConditionOutput) Expression 

func (o IAMBindingConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (IAMBindingConditionOutput) Title 

func (o IAMBindingConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (IAMBindingConditionOutput) ToIAMBindingConditionOutput 

func (o IAMBindingConditionOutput) ToIAMBindingConditionOutput() IAMBindingConditionOutput

func (IAMBindingConditionOutput) ToIAMBindingConditionOutputWithContext 

func (o IAMBindingConditionOutput) ToIAMBindingConditionOutputWithContext(ctx context.Context) IAMBindingConditionOutput

func (IAMBindingConditionOutput) ToIAMBindingConditionPtrOutput 

func (o IAMBindingConditionOutput) ToIAMBindingConditionPtrOutput() IAMBindingConditionPtrOutput

func (IAMBindingConditionOutput) ToIAMBindingConditionPtrOutputWithContext 

func (o IAMBindingConditionOutput) ToIAMBindingConditionPtrOutputWithContext(ctx context.Context) IAMBindingConditionPtrOutput

type IAMBindingConditionPtrInput 

type IAMBindingConditionPtrInput interface {
	pulumi.Input

	ToIAMBindingConditionPtrOutput() IAMBindingConditionPtrOutput
	ToIAMBindingConditionPtrOutputWithContext(context.Context) IAMBindingConditionPtrOutput
}

IAMBindingConditionPtrInput is an input type that accepts IAMBindingConditionArgs, IAMBindingConditionPtr and IAMBindingConditionPtrOutput values. You can construct a concrete instance of `IAMBindingConditionPtrInput` via: 

        IAMBindingConditionArgs{...}

or:

        nil

func IAMBindingConditionPtr 

func IAMBindingConditionPtr(v *IAMBindingConditionArgs) IAMBindingConditionPtrInput

type IAMBindingConditionPtrOutput 

type IAMBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (IAMBindingConditionPtrOutput) Description 

func (o IAMBindingConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (IAMBindingConditionPtrOutput) Elem 

func (o IAMBindingConditionPtrOutput) Elem() IAMBindingConditionOutput

func (IAMBindingConditionPtrOutput) ElementType 

func (IAMBindingConditionPtrOutput) ElementType() reflect.Type

func (IAMBindingConditionPtrOutput) Expression 

func (o IAMBindingConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (IAMBindingConditionPtrOutput) Title 

func (o IAMBindingConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (IAMBindingConditionPtrOutput) ToIAMBindingConditionPtrOutput 

func (o IAMBindingConditionPtrOutput) ToIAMBindingConditionPtrOutput() IAMBindingConditionPtrOutput

func (IAMBindingConditionPtrOutput) ToIAMBindingConditionPtrOutputWithContext 

func (o IAMBindingConditionPtrOutput) ToIAMBindingConditionPtrOutputWithContext(ctx context.Context) IAMBindingConditionPtrOutput

type IAMBindingInput 

type IAMBindingInput interface {
	pulumi.Input

	ToIAMBindingOutput() IAMBindingOutput
	ToIAMBindingOutputWithContext(ctx context.Context) IAMBindingOutput
}

type IAMBindingMap 

type IAMBindingMap map[string]IAMBindingInput

func (IAMBindingMap) ElementType 

func (IAMBindingMap) ElementType() reflect.Type

func (IAMBindingMap) ToIAMBindingMapOutput 

func (i IAMBindingMap) ToIAMBindingMapOutput() IAMBindingMapOutput

func (IAMBindingMap) ToIAMBindingMapOutputWithContext 

func (i IAMBindingMap) ToIAMBindingMapOutputWithContext(ctx context.Context) IAMBindingMapOutput

type IAMBindingMapInput 

type IAMBindingMapInput interface {
	pulumi.Input

	ToIAMBindingMapOutput() IAMBindingMapOutput
	ToIAMBindingMapOutputWithContext(context.Context) IAMBindingMapOutput
}

IAMBindingMapInput is an input type that accepts IAMBindingMap and IAMBindingMapOutput values. You can construct a concrete instance of `IAMBindingMapInput` via: 

IAMBindingMap{ "key": IAMBindingArgs{...} }

type IAMBindingMapOutput 

type IAMBindingMapOutput struct{ *pulumi.OutputState }

func (IAMBindingMapOutput) ElementType 

func (IAMBindingMapOutput) ElementType() reflect.Type

func (IAMBindingMapOutput) MapIndex 

func (o IAMBindingMapOutput) MapIndex(k pulumi.StringInput) IAMBindingOutput

func (IAMBindingMapOutput) ToIAMBindingMapOutput 

func (o IAMBindingMapOutput) ToIAMBindingMapOutput() IAMBindingMapOutput

func (IAMBindingMapOutput) ToIAMBindingMapOutputWithContext 

func (o IAMBindingMapOutput) ToIAMBindingMapOutputWithContext(ctx context.Context) IAMBindingMapOutput

type IAMBindingOutput 

type IAMBindingOutput struct{ *pulumi.OutputState }

func (IAMBindingOutput) Condition 

func (o IAMBindingOutput) Condition() IAMBindingConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (IAMBindingOutput) ElementType 

func (IAMBindingOutput) ElementType() reflect.Type

func (IAMBindingOutput) Etag 

func (o IAMBindingOutput) Etag() pulumi.StringOutput

(Computed) The etag of the service account IAM policy.

func (IAMBindingOutput) Members 

func (o IAMBindingOutput) Members() pulumi.StringArrayOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

func (IAMBindingOutput) Role 

func (o IAMBindingOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `serviceaccount.IAMBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (IAMBindingOutput) ServiceAccountId 

func (o IAMBindingOutput) ServiceAccountId() pulumi.StringOutput

The fully-qualified name of the service account to apply policy to.

func (IAMBindingOutput) ToIAMBindingOutput 

func (o IAMBindingOutput) ToIAMBindingOutput() IAMBindingOutput

func (IAMBindingOutput) ToIAMBindingOutputWithContext 

func (o IAMBindingOutput) ToIAMBindingOutputWithContext(ctx context.Context) IAMBindingOutput

type IAMBindingState 

type IAMBindingState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition IAMBindingConditionPtrInput
	// (Computed) The etag of the service account IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	Members pulumi.StringArrayInput
	// The role that should be applied. Only one
	// `serviceaccount.IAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringPtrInput
}

func (IAMBindingState) ElementType 

func (IAMBindingState) ElementType() reflect.Type

type IAMMember 

type IAMMember struct {
	pulumi.CustomResourceState

	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition IAMMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the service account IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	Member pulumi.StringOutput `pulumi:"member"`
	// The role that should be applied. Only one
	// `serviceaccount.IAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringOutput `pulumi:"serviceAccountId"`
}

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource, such as allowing the members to run operations as or modify the service account. To configure permissions for a service account on other GCP resources, use the googleProjectIam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

* `serviceaccount.IAMPolicy`: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached. * `serviceaccount.IAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved. * `serviceaccount.IAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

> **Note:** `serviceaccount.IAMPolicy` **cannot** be used in conjunction with `serviceaccount.IAMBinding` and `serviceaccount.IAMMember` or they will fight over what your policy should be.

> **Note:** `serviceaccount.IAMBinding` resources **can be** used in conjunction with `serviceaccount.IAMMember` resources **only if** they do not grant privilege to the same role.

## Example Usage

### Service Account IAM Policy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iam.serviceAccountUser",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can interact with"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMPolicy(ctx, "admin-account-iam", &serviceaccount.IAMPolicyArgs{
			ServiceAccountId: sa.Name,
			PolicyData:       pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Binding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMBinding(ctx, "admin-account-iam", &serviceaccount.IAMBindingArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Binding With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMBinding(ctx, "admin-account-iam", &serviceaccount.IAMBindingArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &serviceaccount.IAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Member

```go package main

import ( 

"fmt"

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_default, err := compute.GetDefaultServiceAccount(ctx, nil, nil)
		if err != nil {
			return err
		}
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMMember(ctx, "admin-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member:           pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		// Allow SA service account use the default GCE account
		_, err = serviceaccount.NewIAMMember(ctx, "gce-default-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: pulumi.String(_default.Name),
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member: sa.Email.ApplyT(func(email string) (string, error) {
				return fmt.Sprintf("serviceAccount:%v", email), nil
			}).(pulumi.StringOutput),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Member With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMMember(ctx, "admin-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member:           pulumi.String("user:jane@example.com"),
			Condition: &serviceaccount.IAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Additional Examples

### Service Account IAM Policy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iam.serviceAccountUser",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can interact with"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMPolicy(ctx, "admin-account-iam", &serviceaccount.IAMPolicyArgs{
			ServiceAccountId: sa.Name,
			PolicyData:       pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Binding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMBinding(ctx, "admin-account-iam", &serviceaccount.IAMBindingArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Binding With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMBinding(ctx, "admin-account-iam", &serviceaccount.IAMBindingArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &serviceaccount.IAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Member

```go package main

import ( 

"fmt"

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_default, err := compute.GetDefaultServiceAccount(ctx, nil, nil)
		if err != nil {
			return err
		}
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMMember(ctx, "admin-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member:           pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		// Allow SA service account use the default GCE account
		_, err = serviceaccount.NewIAMMember(ctx, "gce-default-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: pulumi.String(_default.Name),
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member: sa.Email.ApplyT(func(email string) (string, error) {
				return fmt.Sprintf("serviceAccount:%v", email), nil
			}).(pulumi.StringOutput),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Member With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMMember(ctx, "admin-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member:           pulumi.String("user:jane@example.com"),
			Condition: &serviceaccount.IAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

### Importing with conditions:

Here are examples of importing IAM memberships and bindings that include conditions:

```sh $ pulumi import gcp:serviceaccount/iAMMember:IAMMember admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/iam.serviceAccountUser expires_after_2019_12_31" ```

```sh $ pulumi import gcp:serviceaccount/iAMMember:IAMMember admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/iam.serviceAccountUser user:foo@example.com expires_after_2019_12_31" ```

func GetIAMMember 

func GetIAMMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *IAMMemberState, opts ...pulumi.ResourceOption) (*IAMMember, error)

GetIAMMember gets an existing IAMMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewIAMMember 

func NewIAMMember(ctx *pulumi.Context,
	name string, args *IAMMemberArgs, opts ...pulumi.ResourceOption) (*IAMMember, error)

NewIAMMember registers a new resource with the given unique name, arguments, and options.

func (*IAMMember) ElementType 

func (*IAMMember) ElementType() reflect.Type

func (*IAMMember) ToIAMMemberOutput 

func (i *IAMMember) ToIAMMemberOutput() IAMMemberOutput

func (*IAMMember) ToIAMMemberOutputWithContext 

func (i *IAMMember) ToIAMMemberOutputWithContext(ctx context.Context) IAMMemberOutput

type IAMMemberArgs 

type IAMMemberArgs struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition IAMMemberConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	Member pulumi.StringInput
	// The role that should be applied. Only one
	// `serviceaccount.IAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringInput
}

The set of arguments for constructing a IAMMember resource.

func (IAMMemberArgs) ElementType 

func (IAMMemberArgs) ElementType() reflect.Type

type IAMMemberArray 

type IAMMemberArray []IAMMemberInput

func (IAMMemberArray) ElementType 

func (IAMMemberArray) ElementType() reflect.Type

func (IAMMemberArray) ToIAMMemberArrayOutput 

func (i IAMMemberArray) ToIAMMemberArrayOutput() IAMMemberArrayOutput

func (IAMMemberArray) ToIAMMemberArrayOutputWithContext 

func (i IAMMemberArray) ToIAMMemberArrayOutputWithContext(ctx context.Context) IAMMemberArrayOutput

type IAMMemberArrayInput 

type IAMMemberArrayInput interface {
	pulumi.Input

	ToIAMMemberArrayOutput() IAMMemberArrayOutput
	ToIAMMemberArrayOutputWithContext(context.Context) IAMMemberArrayOutput
}

IAMMemberArrayInput is an input type that accepts IAMMemberArray and IAMMemberArrayOutput values. You can construct a concrete instance of `IAMMemberArrayInput` via: 

IAMMemberArray{ IAMMemberArgs{...} }

type IAMMemberArrayOutput 

type IAMMemberArrayOutput struct{ *pulumi.OutputState }

func (IAMMemberArrayOutput) ElementType 

func (IAMMemberArrayOutput) ElementType() reflect.Type

func (IAMMemberArrayOutput) Index 

func (o IAMMemberArrayOutput) Index(i pulumi.IntInput) IAMMemberOutput

func (IAMMemberArrayOutput) ToIAMMemberArrayOutput 

func (o IAMMemberArrayOutput) ToIAMMemberArrayOutput() IAMMemberArrayOutput

func (IAMMemberArrayOutput) ToIAMMemberArrayOutputWithContext 

func (o IAMMemberArrayOutput) ToIAMMemberArrayOutputWithContext(ctx context.Context) IAMMemberArrayOutput

type IAMMemberCondition 

type IAMMemberCondition struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description *string `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression string `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title string `pulumi:"title"`
}

type IAMMemberConditionArgs 

type IAMMemberConditionArgs struct {
	// An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
	//
	// > **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the
	// identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will
	// consider it to be an entirely different resource and will treat it as such.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// Textual representation of an expression in Common Expression Language syntax.
	Expression pulumi.StringInput `pulumi:"expression"`
	// A title for the expression, i.e. a short string describing its purpose.
	Title pulumi.StringInput `pulumi:"title"`
}

func (IAMMemberConditionArgs) ElementType 

func (IAMMemberConditionArgs) ElementType() reflect.Type

func (IAMMemberConditionArgs) ToIAMMemberConditionOutput 

func (i IAMMemberConditionArgs) ToIAMMemberConditionOutput() IAMMemberConditionOutput

func (IAMMemberConditionArgs) ToIAMMemberConditionOutputWithContext 

func (i IAMMemberConditionArgs) ToIAMMemberConditionOutputWithContext(ctx context.Context) IAMMemberConditionOutput

func (IAMMemberConditionArgs) ToIAMMemberConditionPtrOutput 

func (i IAMMemberConditionArgs) ToIAMMemberConditionPtrOutput() IAMMemberConditionPtrOutput

func (IAMMemberConditionArgs) ToIAMMemberConditionPtrOutputWithContext 

func (i IAMMemberConditionArgs) ToIAMMemberConditionPtrOutputWithContext(ctx context.Context) IAMMemberConditionPtrOutput

type IAMMemberConditionInput 

type IAMMemberConditionInput interface {
	pulumi.Input

	ToIAMMemberConditionOutput() IAMMemberConditionOutput
	ToIAMMemberConditionOutputWithContext(context.Context) IAMMemberConditionOutput
}

IAMMemberConditionInput is an input type that accepts IAMMemberConditionArgs and IAMMemberConditionOutput values. You can construct a concrete instance of `IAMMemberConditionInput` via: 

IAMMemberConditionArgs{...}

type IAMMemberConditionOutput 

type IAMMemberConditionOutput struct{ *pulumi.OutputState }

func (IAMMemberConditionOutput) Description 

func (o IAMMemberConditionOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (IAMMemberConditionOutput) ElementType 

func (IAMMemberConditionOutput) ElementType() reflect.Type

func (IAMMemberConditionOutput) Expression 

func (o IAMMemberConditionOutput) Expression() pulumi.StringOutput

Textual representation of an expression in Common Expression Language syntax.

func (IAMMemberConditionOutput) Title 

func (o IAMMemberConditionOutput) Title() pulumi.StringOutput

A title for the expression, i.e. a short string describing its purpose.

func (IAMMemberConditionOutput) ToIAMMemberConditionOutput 

func (o IAMMemberConditionOutput) ToIAMMemberConditionOutput() IAMMemberConditionOutput

func (IAMMemberConditionOutput) ToIAMMemberConditionOutputWithContext 

func (o IAMMemberConditionOutput) ToIAMMemberConditionOutputWithContext(ctx context.Context) IAMMemberConditionOutput

func (IAMMemberConditionOutput) ToIAMMemberConditionPtrOutput 

func (o IAMMemberConditionOutput) ToIAMMemberConditionPtrOutput() IAMMemberConditionPtrOutput

func (IAMMemberConditionOutput) ToIAMMemberConditionPtrOutputWithContext 

func (o IAMMemberConditionOutput) ToIAMMemberConditionPtrOutputWithContext(ctx context.Context) IAMMemberConditionPtrOutput

type IAMMemberConditionPtrInput 

type IAMMemberConditionPtrInput interface {
	pulumi.Input

	ToIAMMemberConditionPtrOutput() IAMMemberConditionPtrOutput
	ToIAMMemberConditionPtrOutputWithContext(context.Context) IAMMemberConditionPtrOutput
}

IAMMemberConditionPtrInput is an input type that accepts IAMMemberConditionArgs, IAMMemberConditionPtr and IAMMemberConditionPtrOutput values. You can construct a concrete instance of `IAMMemberConditionPtrInput` via: 

        IAMMemberConditionArgs{...}

or:

        nil

func IAMMemberConditionPtr 

func IAMMemberConditionPtr(v *IAMMemberConditionArgs) IAMMemberConditionPtrInput

type IAMMemberConditionPtrOutput 

type IAMMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (IAMMemberConditionPtrOutput) Description 

func (o IAMMemberConditionPtrOutput) Description() pulumi.StringPtrOutput

An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

> **Warning:** This provider considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, the provider will consider it to be an entirely different resource and will treat it as such.

func (IAMMemberConditionPtrOutput) Elem 

func (o IAMMemberConditionPtrOutput) Elem() IAMMemberConditionOutput

func (IAMMemberConditionPtrOutput) ElementType 

func (IAMMemberConditionPtrOutput) ElementType() reflect.Type

func (IAMMemberConditionPtrOutput) Expression 

func (o IAMMemberConditionPtrOutput) Expression() pulumi.StringPtrOutput

Textual representation of an expression in Common Expression Language syntax.

func (IAMMemberConditionPtrOutput) Title 

func (o IAMMemberConditionPtrOutput) Title() pulumi.StringPtrOutput

A title for the expression, i.e. a short string describing its purpose.

func (IAMMemberConditionPtrOutput) ToIAMMemberConditionPtrOutput 

func (o IAMMemberConditionPtrOutput) ToIAMMemberConditionPtrOutput() IAMMemberConditionPtrOutput

func (IAMMemberConditionPtrOutput) ToIAMMemberConditionPtrOutputWithContext 

func (o IAMMemberConditionPtrOutput) ToIAMMemberConditionPtrOutputWithContext(ctx context.Context) IAMMemberConditionPtrOutput

type IAMMemberInput 

type IAMMemberInput interface {
	pulumi.Input

	ToIAMMemberOutput() IAMMemberOutput
	ToIAMMemberOutputWithContext(ctx context.Context) IAMMemberOutput
}

type IAMMemberMap 

type IAMMemberMap map[string]IAMMemberInput

func (IAMMemberMap) ElementType 

func (IAMMemberMap) ElementType() reflect.Type

func (IAMMemberMap) ToIAMMemberMapOutput 

func (i IAMMemberMap) ToIAMMemberMapOutput() IAMMemberMapOutput

func (IAMMemberMap) ToIAMMemberMapOutputWithContext 

func (i IAMMemberMap) ToIAMMemberMapOutputWithContext(ctx context.Context) IAMMemberMapOutput

type IAMMemberMapInput 

type IAMMemberMapInput interface {
	pulumi.Input

	ToIAMMemberMapOutput() IAMMemberMapOutput
	ToIAMMemberMapOutputWithContext(context.Context) IAMMemberMapOutput
}

IAMMemberMapInput is an input type that accepts IAMMemberMap and IAMMemberMapOutput values. You can construct a concrete instance of `IAMMemberMapInput` via: 

IAMMemberMap{ "key": IAMMemberArgs{...} }

type IAMMemberMapOutput 

type IAMMemberMapOutput struct{ *pulumi.OutputState }

func (IAMMemberMapOutput) ElementType 

func (IAMMemberMapOutput) ElementType() reflect.Type

func (IAMMemberMapOutput) MapIndex 

func (o IAMMemberMapOutput) MapIndex(k pulumi.StringInput) IAMMemberOutput

func (IAMMemberMapOutput) ToIAMMemberMapOutput 

func (o IAMMemberMapOutput) ToIAMMemberMapOutput() IAMMemberMapOutput

func (IAMMemberMapOutput) ToIAMMemberMapOutputWithContext 

func (o IAMMemberMapOutput) ToIAMMemberMapOutputWithContext(ctx context.Context) IAMMemberMapOutput

type IAMMemberOutput 

type IAMMemberOutput struct{ *pulumi.OutputState }

func (IAMMemberOutput) Condition 

func (o IAMMemberOutput) Condition() IAMMemberConditionPtrOutput

An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding. Structure is documented below.

func (IAMMemberOutput) ElementType 

func (IAMMemberOutput) ElementType() reflect.Type

func (IAMMemberOutput) Etag 

func (o IAMMemberOutput) Etag() pulumi.StringOutput

(Computed) The etag of the service account IAM policy.

func (IAMMemberOutput) Member 

func (o IAMMemberOutput) Member() pulumi.StringOutput

Identities that will be granted the privilege in `role`. Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

func (IAMMemberOutput) Role 

func (o IAMMemberOutput) Role() pulumi.StringOutput

The role that should be applied. Only one `serviceaccount.IAMBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (IAMMemberOutput) ServiceAccountId 

func (o IAMMemberOutput) ServiceAccountId() pulumi.StringOutput

The fully-qualified name of the service account to apply policy to.

func (IAMMemberOutput) ToIAMMemberOutput 

func (o IAMMemberOutput) ToIAMMemberOutput() IAMMemberOutput

func (IAMMemberOutput) ToIAMMemberOutputWithContext 

func (o IAMMemberOutput) ToIAMMemberOutputWithContext(ctx context.Context) IAMMemberOutput

type IAMMemberState 

type IAMMemberState struct {
	// An [IAM Condition](https://cloud.google.com/iam/docs/conditions-overview) for a given binding.
	// Structure is documented below.
	Condition IAMMemberConditionPtrInput
	// (Computed) The etag of the service account IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	Member pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `serviceaccount.IAMBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringPtrInput
}

func (IAMMemberState) ElementType 

func (IAMMemberState) ElementType() reflect.Type

type IAMPolicy 

type IAMPolicy struct {
	pulumi.CustomResourceState

	// (Computed) The etag of the service account IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringOutput `pulumi:"serviceAccountId"`
}

When managing IAM roles, you can treat a service account either as a resource or as an identity. This resource is to add iam policy bindings to a service account resource, such as allowing the members to run operations as or modify the service account. To configure permissions for a service account on other GCP resources, use the googleProjectIam set of resources.

Three different resources help you manage your IAM policy for a service account. Each of these resources serves a different use case:

* `serviceaccount.IAMPolicy`: Authoritative. Sets the IAM policy for the service account and replaces any existing policy already attached. * `serviceaccount.IAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved. * `serviceaccount.IAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

> **Note:** `serviceaccount.IAMPolicy` **cannot** be used in conjunction with `serviceaccount.IAMBinding` and `serviceaccount.IAMMember` or they will fight over what your policy should be.

> **Note:** `serviceaccount.IAMBinding` resources **can be** used in conjunction with `serviceaccount.IAMMember` resources **only if** they do not grant privilege to the same role.

## Example Usage

### Service Account IAM Policy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iam.serviceAccountUser",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can interact with"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMPolicy(ctx, "admin-account-iam", &serviceaccount.IAMPolicyArgs{
			ServiceAccountId: sa.Name,
			PolicyData:       pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Binding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMBinding(ctx, "admin-account-iam", &serviceaccount.IAMBindingArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Binding With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMBinding(ctx, "admin-account-iam", &serviceaccount.IAMBindingArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &serviceaccount.IAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Member

```go package main

import ( 

"fmt"

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_default, err := compute.GetDefaultServiceAccount(ctx, nil, nil)
		if err != nil {
			return err
		}
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMMember(ctx, "admin-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member:           pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		// Allow SA service account use the default GCE account
		_, err = serviceaccount.NewIAMMember(ctx, "gce-default-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: pulumi.String(_default.Name),
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member: sa.Email.ApplyT(func(email string) (string, error) {
				return fmt.Sprintf("serviceAccount:%v", email), nil
			}).(pulumi.StringOutput),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Member With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMMember(ctx, "admin-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member:           pulumi.String("user:jane@example.com"),
			Condition: &serviceaccount.IAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Additional Examples

### Service Account IAM Policy

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/iam.serviceAccountUser",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can interact with"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMPolicy(ctx, "admin-account-iam", &serviceaccount.IAMPolicyArgs{
			ServiceAccountId: sa.Name,
			PolicyData:       pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Binding

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMBinding(ctx, "admin-account-iam", &serviceaccount.IAMBindingArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Binding With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that only Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMBinding(ctx, "admin-account-iam", &serviceaccount.IAMBindingArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &serviceaccount.IAMBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Member

```go package main

import ( 

"fmt"

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_default, err := compute.GetDefaultServiceAccount(ctx, nil, nil)
		if err != nil {
			return err
		}
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMMember(ctx, "admin-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member:           pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		// Allow SA service account use the default GCE account
		_, err = serviceaccount.NewIAMMember(ctx, "gce-default-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: pulumi.String(_default.Name),
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member: sa.Email.ApplyT(func(email string) (string, error) {
				return fmt.Sprintf("serviceAccount:%v", email), nil
			}).(pulumi.StringOutput),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Service Account IAM Member With IAM Conditions:

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sa, err := serviceaccount.NewAccount(ctx, "sa", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("my-service-account"),
			DisplayName: pulumi.String("A service account that Jane can use"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewIAMMember(ctx, "admin-account-iam", &serviceaccount.IAMMemberArgs{
			ServiceAccountId: sa.Name,
			Role:             pulumi.String("roles/iam.serviceAccountUser"),
			Member:           pulumi.String("user:jane@example.com"),
			Condition: &serviceaccount.IAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

### Importing with conditions:

Here are examples of importing IAM memberships and bindings that include conditions:

```sh $ pulumi import gcp:serviceaccount/iAMPolicy:IAMPolicy admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/iam.serviceAccountUser expires_after_2019_12_31" ```

```sh $ pulumi import gcp:serviceaccount/iAMPolicy:IAMPolicy admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/iam.serviceAccountUser user:foo@example.com expires_after_2019_12_31" ```

func GetIAMPolicy 

func GetIAMPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *IAMPolicyState, opts ...pulumi.ResourceOption) (*IAMPolicy, error)

GetIAMPolicy gets an existing IAMPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewIAMPolicy 

func NewIAMPolicy(ctx *pulumi.Context,
	name string, args *IAMPolicyArgs, opts ...pulumi.ResourceOption) (*IAMPolicy, error)

NewIAMPolicy registers a new resource with the given unique name, arguments, and options.

func (*IAMPolicy) ElementType 

func (*IAMPolicy) ElementType() reflect.Type

func (*IAMPolicy) ToIAMPolicyOutput 

func (i *IAMPolicy) ToIAMPolicyOutput() IAMPolicyOutput

func (*IAMPolicy) ToIAMPolicyOutputWithContext 

func (i *IAMPolicy) ToIAMPolicyOutputWithContext(ctx context.Context) IAMPolicyOutput

type IAMPolicyArgs 

type IAMPolicyArgs struct {
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringInput
}

The set of arguments for constructing a IAMPolicy resource.

func (IAMPolicyArgs) ElementType 

func (IAMPolicyArgs) ElementType() reflect.Type

type IAMPolicyArray 

type IAMPolicyArray []IAMPolicyInput

func (IAMPolicyArray) ElementType 

func (IAMPolicyArray) ElementType() reflect.Type

func (IAMPolicyArray) ToIAMPolicyArrayOutput 

func (i IAMPolicyArray) ToIAMPolicyArrayOutput() IAMPolicyArrayOutput

func (IAMPolicyArray) ToIAMPolicyArrayOutputWithContext 

func (i IAMPolicyArray) ToIAMPolicyArrayOutputWithContext(ctx context.Context) IAMPolicyArrayOutput

type IAMPolicyArrayInput 

type IAMPolicyArrayInput interface {
	pulumi.Input

	ToIAMPolicyArrayOutput() IAMPolicyArrayOutput
	ToIAMPolicyArrayOutputWithContext(context.Context) IAMPolicyArrayOutput
}

IAMPolicyArrayInput is an input type that accepts IAMPolicyArray and IAMPolicyArrayOutput values. You can construct a concrete instance of `IAMPolicyArrayInput` via: 

IAMPolicyArray{ IAMPolicyArgs{...} }

type IAMPolicyArrayOutput 

type IAMPolicyArrayOutput struct{ *pulumi.OutputState }

func (IAMPolicyArrayOutput) ElementType 

func (IAMPolicyArrayOutput) ElementType() reflect.Type

func (IAMPolicyArrayOutput) Index 

func (o IAMPolicyArrayOutput) Index(i pulumi.IntInput) IAMPolicyOutput

func (IAMPolicyArrayOutput) ToIAMPolicyArrayOutput 

func (o IAMPolicyArrayOutput) ToIAMPolicyArrayOutput() IAMPolicyArrayOutput

func (IAMPolicyArrayOutput) ToIAMPolicyArrayOutputWithContext 

func (o IAMPolicyArrayOutput) ToIAMPolicyArrayOutputWithContext(ctx context.Context) IAMPolicyArrayOutput

type IAMPolicyInput 

type IAMPolicyInput interface {
	pulumi.Input

	ToIAMPolicyOutput() IAMPolicyOutput
	ToIAMPolicyOutputWithContext(ctx context.Context) IAMPolicyOutput
}

type IAMPolicyMap 

type IAMPolicyMap map[string]IAMPolicyInput

func (IAMPolicyMap) ElementType 

func (IAMPolicyMap) ElementType() reflect.Type

func (IAMPolicyMap) ToIAMPolicyMapOutput 

func (i IAMPolicyMap) ToIAMPolicyMapOutput() IAMPolicyMapOutput

func (IAMPolicyMap) ToIAMPolicyMapOutputWithContext 

func (i IAMPolicyMap) ToIAMPolicyMapOutputWithContext(ctx context.Context) IAMPolicyMapOutput

type IAMPolicyMapInput 

type IAMPolicyMapInput interface {
	pulumi.Input

	ToIAMPolicyMapOutput() IAMPolicyMapOutput
	ToIAMPolicyMapOutputWithContext(context.Context) IAMPolicyMapOutput
}

IAMPolicyMapInput is an input type that accepts IAMPolicyMap and IAMPolicyMapOutput values. You can construct a concrete instance of `IAMPolicyMapInput` via: 

IAMPolicyMap{ "key": IAMPolicyArgs{...} }

type IAMPolicyMapOutput 

type IAMPolicyMapOutput struct{ *pulumi.OutputState }

func (IAMPolicyMapOutput) ElementType 

func (IAMPolicyMapOutput) ElementType() reflect.Type

func (IAMPolicyMapOutput) MapIndex 

func (o IAMPolicyMapOutput) MapIndex(k pulumi.StringInput) IAMPolicyOutput

func (IAMPolicyMapOutput) ToIAMPolicyMapOutput 

func (o IAMPolicyMapOutput) ToIAMPolicyMapOutput() IAMPolicyMapOutput

func (IAMPolicyMapOutput) ToIAMPolicyMapOutputWithContext 

func (o IAMPolicyMapOutput) ToIAMPolicyMapOutputWithContext(ctx context.Context) IAMPolicyMapOutput

type IAMPolicyOutput 

type IAMPolicyOutput struct{ *pulumi.OutputState }

func (IAMPolicyOutput) ElementType 

func (IAMPolicyOutput) ElementType() reflect.Type

func (IAMPolicyOutput) Etag 

func (o IAMPolicyOutput) Etag() pulumi.StringOutput

(Computed) The etag of the service account IAM policy.

func (IAMPolicyOutput) PolicyData 

func (o IAMPolicyOutput) PolicyData() pulumi.StringOutput

The policy data generated by a `organizations.getIAMPolicy` data source.

func (IAMPolicyOutput) ServiceAccountId 

func (o IAMPolicyOutput) ServiceAccountId() pulumi.StringOutput

The fully-qualified name of the service account to apply policy to.

func (IAMPolicyOutput) ToIAMPolicyOutput 

func (o IAMPolicyOutput) ToIAMPolicyOutput() IAMPolicyOutput

func (IAMPolicyOutput) ToIAMPolicyOutputWithContext 

func (o IAMPolicyOutput) ToIAMPolicyOutputWithContext(ctx context.Context) IAMPolicyOutput

type IAMPolicyState 

type IAMPolicyState struct {
	// (Computed) The etag of the service account IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The fully-qualified name of the service account to apply policy to.
	ServiceAccountId pulumi.StringPtrInput
}

func (IAMPolicyState) ElementType 

func (IAMPolicyState) ElementType() reflect.Type

type Key 

type Key struct {
	pulumi.CustomResourceState

	// Arbitrary map of values that, when changed, will trigger a new key to be generated.
	Keepers pulumi.MapOutput `pulumi:"keepers"`
	// The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm.
	// Valid values are listed at
	// [ServiceAccountPrivateKeyType](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)
	// (only used on create)
	KeyAlgorithm pulumi.StringPtrOutput `pulumi:"keyAlgorithm"`
	// The name used for this key pair
	Name pulumi.StringOutput `pulumi:"name"`
	// The private key in JSON format, base64 encoded. This is what you normally get as a file when creating
	// service account keys through the CLI or web console. This is only populated when creating a new key.
	PrivateKey pulumi.StringOutput `pulumi:"privateKey"`
	// The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
	PrivateKeyType pulumi.StringPtrOutput `pulumi:"privateKeyType"`
	// The public key, base64 encoded
	PublicKey pulumi.StringOutput `pulumi:"publicKey"`
	// Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with `publicKeyType` and `privateKeyType`.
	PublicKeyData pulumi.StringPtrOutput `pulumi:"publicKeyData"`
	// The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
	PublicKeyType pulumi.StringPtrOutput `pulumi:"publicKeyType"`
	// The Service account id of the Key. This can be a string in the format
	// `{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. If the `{ACCOUNT}`-only syntax is used, either
	// the **full** email address of the service account or its name can be specified as a value, in which case the project will
	// automatically be inferred from the account. Otherwise, if the `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`
	// syntax is used, the `{ACCOUNT}` specified can be the full email address of the service account or the service account's
	// unique id. Substituting `-` as a wildcard for the `{PROJECT_ID}` will infer the project from the account.
	ServiceAccountId pulumi.StringOutput `pulumi:"serviceAccountId"`
	// The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
	ValidAfter pulumi.StringOutput `pulumi:"validAfter"`
	// The key can be used before this timestamp.
	// A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
	ValidBefore pulumi.StringOutput `pulumi:"validBefore"`
}

## Example Usage

### Creating A New Key

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		myaccount, err := serviceaccount.NewAccount(ctx, "myaccount", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("myaccount"),
			DisplayName: pulumi.String("My Service Account"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewKey(ctx, "mykey", &serviceaccount.KeyArgs{
			ServiceAccountId: myaccount.Name,
			PublicKeyType:    pulumi.String("TYPE_X509_PEM_FILE"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Creating And Regularly Rotating A Key

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi-time/sdk/go/time"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		myaccount, err := serviceaccount.NewAccount(ctx, "myaccount", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("myaccount"),
			DisplayName: pulumi.String("My Service Account"),
		})
		if err != nil {
			return err
		}
		// note this requires the terraform to be run regularly
		mykeyRotation, err := time.NewRotating(ctx, "mykey_rotation", &time.RotatingArgs{
			RotationDays: pulumi.Int(30),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewKey(ctx, "mykey", &serviceaccount.KeyArgs{
			ServiceAccountId: myaccount.Name,
			Keepers: pulumi.Map{
				"rotation_time": mykeyRotation.RotationRfc3339,
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Save Key In Kubernetes Secret - DEPRECATED

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
corev1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/core/v1"
metav1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/meta/v1"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
		// https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
		myaccount, err := serviceaccount.NewAccount(ctx, "myaccount", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("myaccount"),
			DisplayName: pulumi.String("My Service Account"),
		})
		if err != nil {
			return err
		}
		mykey, err := serviceaccount.NewKey(ctx, "mykey", &serviceaccount.KeyArgs{
			ServiceAccountId: myaccount.Name,
		})
		if err != nil {
			return err
		}
		_, err = corev1.NewSecret(ctx, "google-application-credentials", &corev1.SecretArgs{
			Metadata: &metav1.ObjectMetaArgs{
				Name: pulumi.String("google-application-credentials"),
			},
			Data: pulumi.StringMap{
				"json": std.Base64decodeOutput(ctx, std.Base64decodeOutputArgs{
					Input: mykey.PrivateKey,
				}, nil).ApplyT(func(invoke std.Base64decodeResult) (*string, error) {
					return invoke.Result, nil
				}).(pulumi.StringPtrOutput),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

This resource does not support import.

func GetKey 

func GetKey(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *KeyState, opts ...pulumi.ResourceOption) (*Key, error)

GetKey gets an existing Key resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewKey 

func NewKey(ctx *pulumi.Context,
	name string, args *KeyArgs, opts ...pulumi.ResourceOption) (*Key, error)

NewKey registers a new resource with the given unique name, arguments, and options.

func (*Key) ElementType 

func (*Key) ElementType() reflect.Type

func (*Key) ToKeyOutput 

func (i *Key) ToKeyOutput() KeyOutput

func (*Key) ToKeyOutputWithContext 

func (i *Key) ToKeyOutputWithContext(ctx context.Context) KeyOutput

type KeyArgs 

type KeyArgs struct {
	// Arbitrary map of values that, when changed, will trigger a new key to be generated.
	Keepers pulumi.MapInput
	// The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm.
	// Valid values are listed at
	// [ServiceAccountPrivateKeyType](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)
	// (only used on create)
	KeyAlgorithm pulumi.StringPtrInput
	// The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
	PrivateKeyType pulumi.StringPtrInput
	// Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with `publicKeyType` and `privateKeyType`.
	PublicKeyData pulumi.StringPtrInput
	// The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
	PublicKeyType pulumi.StringPtrInput
	// The Service account id of the Key. This can be a string in the format
	// `{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. If the `{ACCOUNT}`-only syntax is used, either
	// the **full** email address of the service account or its name can be specified as a value, in which case the project will
	// automatically be inferred from the account. Otherwise, if the `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`
	// syntax is used, the `{ACCOUNT}` specified can be the full email address of the service account or the service account's
	// unique id. Substituting `-` as a wildcard for the `{PROJECT_ID}` will infer the project from the account.
	ServiceAccountId pulumi.StringInput
}

The set of arguments for constructing a Key resource.

func (KeyArgs) ElementType 

func (KeyArgs) ElementType() reflect.Type

type KeyArray 

type KeyArray []KeyInput

func (KeyArray) ElementType 

func (KeyArray) ElementType() reflect.Type

func (KeyArray) ToKeyArrayOutput 

func (i KeyArray) ToKeyArrayOutput() KeyArrayOutput

func (KeyArray) ToKeyArrayOutputWithContext 

func (i KeyArray) ToKeyArrayOutputWithContext(ctx context.Context) KeyArrayOutput

type KeyArrayInput 

type KeyArrayInput interface {
	pulumi.Input

	ToKeyArrayOutput() KeyArrayOutput
	ToKeyArrayOutputWithContext(context.Context) KeyArrayOutput
}

KeyArrayInput is an input type that accepts KeyArray and KeyArrayOutput values. You can construct a concrete instance of `KeyArrayInput` via: 

KeyArray{ KeyArgs{...} }

type KeyArrayOutput 

type KeyArrayOutput struct{ *pulumi.OutputState }

func (KeyArrayOutput) ElementType 

func (KeyArrayOutput) ElementType() reflect.Type

func (KeyArrayOutput) Index 

func (o KeyArrayOutput) Index(i pulumi.IntInput) KeyOutput

func (KeyArrayOutput) ToKeyArrayOutput 

func (o KeyArrayOutput) ToKeyArrayOutput() KeyArrayOutput

func (KeyArrayOutput) ToKeyArrayOutputWithContext 

func (o KeyArrayOutput) ToKeyArrayOutputWithContext(ctx context.Context) KeyArrayOutput

type KeyInput 

type KeyInput interface {
	pulumi.Input

	ToKeyOutput() KeyOutput
	ToKeyOutputWithContext(ctx context.Context) KeyOutput
}

type KeyMap 

type KeyMap map[string]KeyInput

func (KeyMap) ElementType 

func (KeyMap) ElementType() reflect.Type

func (KeyMap) ToKeyMapOutput 

func (i KeyMap) ToKeyMapOutput() KeyMapOutput

func (KeyMap) ToKeyMapOutputWithContext 

func (i KeyMap) ToKeyMapOutputWithContext(ctx context.Context) KeyMapOutput

type KeyMapInput 

type KeyMapInput interface {
	pulumi.Input

	ToKeyMapOutput() KeyMapOutput
	ToKeyMapOutputWithContext(context.Context) KeyMapOutput
}

KeyMapInput is an input type that accepts KeyMap and KeyMapOutput values. You can construct a concrete instance of `KeyMapInput` via: 

KeyMap{ "key": KeyArgs{...} }

type KeyMapOutput 

type KeyMapOutput struct{ *pulumi.OutputState }

func (KeyMapOutput) ElementType 

func (KeyMapOutput) ElementType() reflect.Type

func (KeyMapOutput) MapIndex 

func (o KeyMapOutput) MapIndex(k pulumi.StringInput) KeyOutput

func (KeyMapOutput) ToKeyMapOutput 

func (o KeyMapOutput) ToKeyMapOutput() KeyMapOutput

func (KeyMapOutput) ToKeyMapOutputWithContext 

func (o KeyMapOutput) ToKeyMapOutputWithContext(ctx context.Context) KeyMapOutput

type KeyOutput 

type KeyOutput struct{ *pulumi.OutputState }

func (KeyOutput) ElementType 

func (KeyOutput) ElementType() reflect.Type

func (KeyOutput) Keepers 

func (o KeyOutput) Keepers() pulumi.MapOutput

Arbitrary map of values that, when changed, will trigger a new key to be generated.

func (KeyOutput) KeyAlgorithm 

func (o KeyOutput) KeyAlgorithm() pulumi.StringPtrOutput

The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at [ServiceAccountPrivateKeyType](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm) (only used on create)

func (KeyOutput) Name 

func (o KeyOutput) Name() pulumi.StringOutput

The name used for this key pair

func (KeyOutput) PrivateKey 

func (o KeyOutput) PrivateKey() pulumi.StringOutput

The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.

func (KeyOutput) PrivateKeyType 

func (o KeyOutput) PrivateKeyType() pulumi.StringPtrOutput

The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.

func (KeyOutput) PublicKey 

func (o KeyOutput) PublicKey() pulumi.StringOutput

The public key, base64 encoded

func (KeyOutput) PublicKeyData 

func (o KeyOutput) PublicKeyData() pulumi.StringPtrOutput

Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with `publicKeyType` and `privateKeyType`.

func (KeyOutput) PublicKeyType 

func (o KeyOutput) PublicKeyType() pulumi.StringPtrOutput

The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.

func (KeyOutput) ServiceAccountId 

func (o KeyOutput) ServiceAccountId() pulumi.StringOutput

The Service account id of the Key. This can be a string in the format `{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. If the `{ACCOUNT}`-only syntax is used, either the **full** email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if the `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}` syntax is used, the `{ACCOUNT}` specified can be the full email address of the service account or the service account's unique id. Substituting `-` as a wildcard for the `{PROJECT_ID}` will infer the project from the account.

func (KeyOutput) ToKeyOutput 

func (o KeyOutput) ToKeyOutput() KeyOutput

func (KeyOutput) ToKeyOutputWithContext 

func (o KeyOutput) ToKeyOutputWithContext(ctx context.Context) KeyOutput

func (KeyOutput) ValidAfter 

func (o KeyOutput) ValidAfter() pulumi.StringOutput

The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

func (KeyOutput) ValidBefore 

func (o KeyOutput) ValidBefore() pulumi.StringOutput

The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

type KeyState 

type KeyState struct {
	// Arbitrary map of values that, when changed, will trigger a new key to be generated.
	Keepers pulumi.MapInput
	// The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm.
	// Valid values are listed at
	// [ServiceAccountPrivateKeyType](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)
	// (only used on create)
	KeyAlgorithm pulumi.StringPtrInput
	// The name used for this key pair
	Name pulumi.StringPtrInput
	// The private key in JSON format, base64 encoded. This is what you normally get as a file when creating
	// service account keys through the CLI or web console. This is only populated when creating a new key.
	PrivateKey pulumi.StringPtrInput
	// The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
	PrivateKeyType pulumi.StringPtrInput
	// The public key, base64 encoded
	PublicKey pulumi.StringPtrInput
	// Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with `publicKeyType` and `privateKeyType`.
	PublicKeyData pulumi.StringPtrInput
	// The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
	PublicKeyType pulumi.StringPtrInput
	// The Service account id of the Key. This can be a string in the format
	// `{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. If the `{ACCOUNT}`-only syntax is used, either
	// the **full** email address of the service account or its name can be specified as a value, in which case the project will
	// automatically be inferred from the account. Otherwise, if the `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`
	// syntax is used, the `{ACCOUNT}` specified can be the full email address of the service account or the service account's
	// unique id. Substituting `-` as a wildcard for the `{PROJECT_ID}` will infer the project from the account.
	ServiceAccountId pulumi.StringPtrInput
	// The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
	ValidAfter pulumi.StringPtrInput
	// The key can be used before this timestamp.
	// A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
	ValidBefore pulumi.StringPtrInput
}

func (KeyState) ElementType 

func (KeyState) ElementType() reflect.Type

type LookupAccountArgs 

type LookupAccountArgs struct {
	// The Google service account ID. This be one of:
	//
	// * The name of the service account within the project (e.g. `my-service`)
	//
	// * The fully-qualified path to a service account resource (e.g.
	// `projects/my-project/serviceAccounts/...`)
	//
	// * The email address of the service account (e.g.
	// `my-service@my-project.iam.gserviceaccount.com`)
	AccountId string `pulumi:"accountId"`
	// The ID of the project that the service account is present in.
	// Defaults to the provider project configuration.
	Project *string `pulumi:"project"`
}

A collection of arguments for invoking getAccount.

type LookupAccountOutputArgs 

type LookupAccountOutputArgs struct {
	// The Google service account ID. This be one of:
	//
	// * The name of the service account within the project (e.g. `my-service`)
	//
	// * The fully-qualified path to a service account resource (e.g.
	// `projects/my-project/serviceAccounts/...`)
	//
	// * The email address of the service account (e.g.
	// `my-service@my-project.iam.gserviceaccount.com`)
	AccountId pulumi.StringInput `pulumi:"accountId"`
	// The ID of the project that the service account is present in.
	// Defaults to the provider project configuration.
	Project pulumi.StringPtrInput `pulumi:"project"`
}

A collection of arguments for invoking getAccount.

func (LookupAccountOutputArgs) ElementType 

func (LookupAccountOutputArgs) ElementType() reflect.Type

type LookupAccountResult 

type LookupAccountResult struct {
	AccountId string `pulumi:"accountId"`
	// The display name for the service account.
	DisplayName string `pulumi:"displayName"`
	// The e-mail address of the service account. This value
	// should be referenced from any `organizations.getIAMPolicy` data sources
	// that would grant the service account privileges.
	Email string `pulumi:"email"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// The Identity of the service account in the form `serviceAccount:{email}`. This value is often used to refer to the service account in order to grant IAM permissions.
	Member string `pulumi:"member"`
	// The fully-qualified name of the service account.
	Name    string  `pulumi:"name"`
	Project *string `pulumi:"project"`
	// The unique id of the service account.
	UniqueId string `pulumi:"uniqueId"`
}

A collection of values returned by getAccount.

func LookupAccount 

func LookupAccount(ctx *pulumi.Context, args *LookupAccountArgs, opts ...pulumi.InvokeOption) (*LookupAccountResult, error)

Get the service account from a project. For more information see the official [API](https://cloud.google.com/compute/docs/access/service-accounts) documentation.

## Example Usage

```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := serviceaccount.LookupAccount(ctx, &serviceaccount.LookupAccountArgs{
			AccountId: "object-viewer",
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

```

### Save Key In Kubernetes Secret ```go package main

import ( 

"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
corev1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/core/v1"
metav1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/meta/v1"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		myaccount, err := serviceaccount.LookupAccount(ctx, &serviceaccount.LookupAccountArgs{
			AccountId: "myaccount-id",
		}, nil)
		if err != nil {
			return err
		}
		mykey, err := serviceaccount.NewKey(ctx, "mykey", &serviceaccount.KeyArgs{
			ServiceAccountId: pulumi.String(myaccount.Name),
		})
		if err != nil {
			return err
		}
		_, err = corev1.NewSecret(ctx, "google-application-credentials", &corev1.SecretArgs{
			Metadata: &metav1.ObjectMetaArgs{
				Name: pulumi.String("google-application-credentials"),
			},
			Data: pulumi.StringMap{
				"json": std.Base64decodeOutput(ctx, std.Base64decodeOutputArgs{
					Input: mykey.PrivateKey,
				}, nil).ApplyT(func(invoke std.Base64decodeResult) (*string, error) {
					return invoke.Result, nil
				}).(pulumi.StringPtrOutput),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

type LookupAccountResultOutput 

type LookupAccountResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAccount.

func LookupAccountOutput 

func LookupAccountOutput(ctx *pulumi.Context, args LookupAccountOutputArgs, opts ...pulumi.InvokeOption) LookupAccountResultOutput

func (LookupAccountResultOutput) AccountId 

func (o LookupAccountResultOutput) AccountId() pulumi.StringOutput

func (LookupAccountResultOutput) DisplayName 

func (o LookupAccountResultOutput) DisplayName() pulumi.StringOutput

The display name for the service account.

func (LookupAccountResultOutput) ElementType 

func (LookupAccountResultOutput) ElementType() reflect.Type

func (LookupAccountResultOutput) Email 

func (o LookupAccountResultOutput) Email() pulumi.StringOutput

The e-mail address of the service account. This value should be referenced from any `organizations.getIAMPolicy` data sources that would grant the service account privileges.

func (LookupAccountResultOutput) Id 

func (o LookupAccountResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (LookupAccountResultOutput) Member 

func (o LookupAccountResultOutput) Member() pulumi.StringOutput

The Identity of the service account in the form `serviceAccount:{email}`. This value is often used to refer to the service account in order to grant IAM permissions.

func (LookupAccountResultOutput) Name 

func (o LookupAccountResultOutput) Name() pulumi.StringOutput

The fully-qualified name of the service account.

func (LookupAccountResultOutput) Project 

func (o LookupAccountResultOutput) Project() pulumi.StringPtrOutput

func (LookupAccountResultOutput) ToLookupAccountResultOutput 

func (o LookupAccountResultOutput) ToLookupAccountResultOutput() LookupAccountResultOutput

func (LookupAccountResultOutput) ToLookupAccountResultOutputWithContext 

func (o LookupAccountResultOutput) ToLookupAccountResultOutputWithContext(ctx context.Context) LookupAccountResultOutput

func (LookupAccountResultOutput) UniqueId 

func (o LookupAccountResultOutput) UniqueId() pulumi.StringOutput

The unique id of the service account.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.