Docs Home
Google Cloud v8.23.0 published on Monday, Mar 24, 2025 by Pulumi
gcp.accessapproval.getOrganizationServiceAccount
Explore with Pulumi AI
Get the email address of an organization’s Access Approval service account.
Each Google Cloud organization has a unique service account used by Access Approval.
When using Access Approval with a
custom signing key,
this account needs to be granted the cloudkms.signerVerifier IAM role on the
Cloud KMS key used to sign approvals.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const serviceAccount = gcp.accessapproval.getOrganizationServiceAccount({
organizationId: "my-organization",
});
const iam = new gcp.kms.CryptoKeyIAMMember("iam", {
cryptoKeyId: cryptoKey.id,
role: "roles/cloudkms.signerVerifier",
member: serviceAccount.then(serviceAccount => `serviceAccount:${serviceAccount.accountEmail}`),
});
import pulumi
import pulumi_gcp as gcp
service_account = gcp.accessapproval.get_organization_service_account(organization_id="my-organization")
iam = gcp.kms.CryptoKeyIAMMember("iam",
crypto_key_id=crypto_key["id"],
role="roles/cloudkms.signerVerifier",
member=f"serviceAccount:{service_account.account_email}")
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/accessapproval"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
serviceAccount, err := accessapproval.GetOrganizationServiceAccount(ctx, &accessapproval.GetOrganizationServiceAccountArgs{
OrganizationId: "my-organization",
}, nil)
if err != nil {
return err
}
_, err = kms.NewCryptoKeyIAMMember(ctx, "iam", &kms.CryptoKeyIAMMemberArgs{
CryptoKeyId: pulumi.Any(cryptoKey.Id),
Role: pulumi.String("roles/cloudkms.signerVerifier"),
Member: pulumi.Sprintf("serviceAccount:%v", serviceAccount.AccountEmail),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var serviceAccount = Gcp.AccessApproval.GetOrganizationServiceAccount.Invoke(new()
{
OrganizationId = "my-organization",
});
var iam = new Gcp.Kms.CryptoKeyIAMMember("iam", new()
{
CryptoKeyId = cryptoKey.Id,
Role = "roles/cloudkms.signerVerifier",
Member = $"serviceAccount:{serviceAccount.Apply(getOrganizationServiceAccountResult => getOrganizationServiceAccountResult.AccountEmail)}",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.accessapproval.AccessapprovalFunctions;
import com.pulumi.gcp.accessapproval.inputs.GetOrganizationServiceAccountArgs;
import com.pulumi.gcp.kms.CryptoKeyIAMMember;
import com.pulumi.gcp.kms.CryptoKeyIAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var serviceAccount = AccessapprovalFunctions.getOrganizationServiceAccount(GetOrganizationServiceAccountArgs.builder()
.organizationId("my-organization")
.build());
var iam = new CryptoKeyIAMMember("iam", CryptoKeyIAMMemberArgs.builder()
.cryptoKeyId(cryptoKey.id())
.role("roles/cloudkms.signerVerifier")
.member(String.format("serviceAccount:%s", serviceAccount.applyValue(getOrganizationServiceAccountResult -> getOrganizationServiceAccountResult.accountEmail())))
.build());
}
}
resources:
iam:
type: gcp:kms:CryptoKeyIAMMember
properties:
cryptoKeyId: ${cryptoKey.id}
role: roles/cloudkms.signerVerifier
member: serviceAccount:${serviceAccount.accountEmail}
variables:
serviceAccount:
fn::invoke:
function: gcp:accessapproval:getOrganizationServiceAccount
arguments:
organizationId: my-organization
Using getOrganizationServiceAccount
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getOrganizationServiceAccount(args: GetOrganizationServiceAccountArgs, opts?: InvokeOptions): Promise<GetOrganizationServiceAccountResult>
function getOrganizationServiceAccountOutput(args: GetOrganizationServiceAccountOutputArgs, opts?: InvokeOptions): Output<GetOrganizationServiceAccountResult>def get_organization_service_account(organization_id: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetOrganizationServiceAccountResult
def get_organization_service_account_output(organization_id: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetOrganizationServiceAccountResult]func GetOrganizationServiceAccount(ctx *Context, args *GetOrganizationServiceAccountArgs, opts ...InvokeOption) (*GetOrganizationServiceAccountResult, error)
func GetOrganizationServiceAccountOutput(ctx *Context, args *GetOrganizationServiceAccountOutputArgs, opts ...InvokeOption) GetOrganizationServiceAccountResultOutput> Note: This function is named GetOrganizationServiceAccount in the Go SDK.
public static class GetOrganizationServiceAccount
{
public static Task<GetOrganizationServiceAccountResult> InvokeAsync(GetOrganizationServiceAccountArgs args, InvokeOptions? opts = null)
public static Output<GetOrganizationServiceAccountResult> Invoke(GetOrganizationServiceAccountInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetOrganizationServiceAccountResult> getOrganizationServiceAccount(GetOrganizationServiceAccountArgs args, InvokeOptions options)
public static Output<GetOrganizationServiceAccountResult> getOrganizationServiceAccount(GetOrganizationServiceAccountArgs args, InvokeOptions options)
fn::invoke:
function: gcp:accessapproval/getOrganizationServiceAccount:getOrganizationServiceAccount
arguments:
# arguments dictionaryThe following arguments are supported:
- Organization
Id stringThis property is required. 
Changes to this property will trigger replacement. - The organization ID the service account was created for.
- Organization
Id stringThis property is required. Changes to this property will trigger replacement. - The organization ID the service account was created for.
- organization
Id StringThis property is required. Changes to this property will trigger replacement. - The organization ID the service account was created for.
- organization
Id stringThis property is required. Changes to this property will trigger replacement. - The organization ID the service account was created for.
- organization_
id strThis property is required. Changes to this property will trigger replacement. - The organization ID the service account was created for.
- organization
Id StringThis property is required. Changes to this property will trigger replacement. - The organization ID the service account was created for.
getOrganizationServiceAccount Result
The following output properties are available:
- Account
Email string - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
- Organization
Id string
- Account
Email string - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
- Organization
Id string
- account
Email String - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
- organization
Id String
- account
Email string - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- id string
- The provider-assigned unique ID for this managed resource.
- name string
- The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
- organization
Id string
- account_
email str - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- id str
- The provider-assigned unique ID for this managed resource.
- name str
- The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
- organization_
id str
- account
Email String - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- The Access Approval service account resource name. Format is "organizations/{organization_id}/serviceAccount".
- organization
Id String
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-betaTerraform Provider.