gcp.serviceaccount.getAccountIdToken
This data source mints a Google OpenID Connect (OIDC) id_token: a Google-signed JWT whose `aud` claim is set to target_audience. Tokens issued from this data source are typically presented as bearer credentials to external services that accept Google-signed OIDC tokens for authentication (e.g. Google Cloud Run). Treat the token as a secret: anyone holding it can call the audience service as the service account until the token expires, and the receiving service must verify the signature, issuer, audience and expiry before trusting it. Because the examples below export the token as a stack output, mark it as a secret so it is encrypted in state and redacted in CLI output.
For more information see OpenID Connect.
Example Usage
ServiceAccount JSON Credential File.
gcp.serviceaccount.getAccountIdToken will mint the token using the configured provider credentials (the service-account JSON key or application default credentials the provider runs as); the resulting token identifies that service account.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
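// Mint a Google OIDC id_token for the given audience using the provider's own credentials.
const oidc = gcp.serviceaccount.getAccountIdToken({
    // Becomes the token's `aud` claim; the callee must check it matches its own identifier.
    targetAudience: "https://foo.bar/",
});
// The id_token is a bearer credential: mark it secret so it is encrypted in state and
// redacted in `pulumi stack output` rather than stored in plaintext.
export const oidcToken = pulumi.secret(oidc.then(oidc => oidc.idToken));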
import pulumi
import pulumi_gcp as gcp
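# Mint a Google OIDC id_token for the given audience using the provider's own credentials.
oidc = gcp.serviceaccount.get_account_id_token(target_audience="https://foo.bar/")
# The id_token is a bearer credential: wrap it as a secret so it is encrypted in state
# and redacted in CLI output instead of being stored in plaintext.
pulumi.export("oidcToken", pulumi.Output.secret(oidc.id_token))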
package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/serviceaccount"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
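// main mints a Google OIDC id_token for a fixed audience using the provider's
// own credentials and exports it as a secret stack output.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		oidc, err := serviceaccount.GetAccountIdToken(ctx, &serviceaccount.GetAccountIdTokenArgs{
			// Becomes the token's `aud` claim; the callee must check it matches its own identifier.
			TargetAudience: "https://foo.bar/",
		}, nil)
		if err != nil {
			return err
		}
		// The id_token is a bearer credential: export it as a secret so it is encrypted
		// in state and redacted in CLI output rather than stored in plaintext.
		ctx.Export("oidcToken", pulumi.ToSecret(pulumi.String(oidc.IdToken)))
		return nil
	})
}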
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
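// Mint a Google OIDC id_token for a fixed audience using the provider's own credentials
// and export it as a secret stack output.
return await Deployment.RunAsync(() =>
{
    var oidc = Gcp.ServiceAccount.GetAccountIdToken.Invoke(new()
    {
        // Becomes the token's `aud` claim; the callee must check it matches its own identifier.
        TargetAudience = "https://foo.bar/",
    });
    return new Dictionary<string, object?>
    {
        // The id_token is a bearer credential: mark it secret so it is encrypted in state
        // and redacted in CLI output rather than stored in plaintext.
        ["oidcToken"] = Output.CreateSecret(oidc.Apply(result => result.IdToken)),
    };
});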
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.serviceaccount.ServiceaccountFunctions;
import com.pulumi.gcp.serviceaccount.inputs.GetAccountIdTokenArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
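/**
 * Mints a Google OIDC id_token for a fixed audience using the provider's own
 * credentials and exports it as a secret stack output.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var oidc = ServiceaccountFunctions.getAccountIdToken(GetAccountIdTokenArgs.builder()
            // Becomes the token's `aud` claim; the callee must check it matches its own identifier.
            .targetAudience("https://foo.bar/")
            .build());
        // The id_token is a bearer credential: mark it secret so it is encrypted in state
        // and redacted in CLI output rather than stored in plaintext.
        ctx.export("oidcToken", oidc.applyValue(result -> result.idToken()).asSecret());
    }
}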
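variables:
  # Mint a Google OIDC id_token for the given audience using the provider's own credentials.
  oidc:
    fn::invoke:
      function: gcp:serviceaccount:getAccountIdToken
      arguments:
        # Becomes the token's `aud` claim; the callee must check it matches its own identifier.
        targetAudience: https://foo.bar/
outputs:
  # The id_token is a bearer credential: mark it secret so it is encrypted in state
  # and redacted in CLI output rather than stored in plaintext.
  oidcToken:
    fn::secret: ${oidc.idToken}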
Service Account Impersonation.
gcp.serviceaccount.getAccountIdToken can mint a token as another service account by passing targetServiceAccount (and, optionally, delegates). In the examples below the `impersonated` result of gcp.serviceaccount.getAccountAccessToken is not referenced by the id-token invoke; it is shown only to illustrate the impersonation setup with a short (300s) lifetime.
Note: to use the following, the identity the provider runs as (or the last account in the delegates chain) must hold the
roles/iam.serviceAccountTokenCreator role on target_service_account (upstream phrases this as granting the role "on itself"). Grant it on that one account only, not at project level, to keep impersonation scoped to the intended target.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
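// Short-lived access token for the impersonated account. It is not referenced by the
// id-token invoke below (which impersonates on its own via targetServiceAccount/delegates);
// it is kept here to mirror the upstream example.
const impersonated = gcp.serviceaccount.getAccountAccessToken({
    targetServiceAccount: "impersonated-account@project.iam.gserviceaccount.com",
    delegates: [],
    scopes: [
        "userinfo-email",
        "cloud-platform",
    ],
    // Keep impersonated credentials short-lived to limit the blast radius of a leak.
    lifetime: "300s",
});
// Mint an id_token *as* the impersonated account. The provider identity needs
// roles/iam.serviceAccountTokenCreator on that account.
const oidc = gcp.serviceaccount.getAccountIdToken({
    targetServiceAccount: "impersonated-account@project.iam.gserviceaccount.com",
    delegates: [],
    // Adds the verified `email` claim, typically required when the callee authorizes by service-account email.
    includeEmail: true,
    targetAudience: "https://foo.bar/",
});
// The id_token is a bearer credential: mark it secret so it is encrypted in state
// and redacted in CLI output rather than stored in plaintext.
export const oidcToken = pulumi.secret(oidc.then(oidc => oidc.idToken));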
import pulumi
import pulumi_gcp as gcp
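# Short-lived access token for the impersonated account. It is not referenced by the
# id-token call below (which impersonates on its own via target_service_account/delegates);
# it is kept here to mirror the upstream example.
impersonated = gcp.serviceaccount.get_account_access_token(target_service_account="impersonated-account@project.iam.gserviceaccount.com",
    delegates=[],
    scopes=[
        "userinfo-email",
        "cloud-platform",
    ],
    # Keep impersonated credentials short-lived to limit the blast radius of a leak.
    lifetime="300s")
# Mint an id_token *as* the impersonated account. The provider identity needs
# roles/iam.serviceAccountTokenCreator on that account.
oidc = gcp.serviceaccount.get_account_id_token(target_service_account="impersonated-account@project.iam.gserviceaccount.com",
    delegates=[],
    # Adds the verified `email` claim, typically required when the callee authorizes by service-account email.
    include_email=True,
    target_audience="https://foo.bar/")
# The id_token is a bearer credential: wrap it as a secret so it is encrypted in state
# and redacted in CLI output rather than stored in plaintext.
pulumi.export("oidcToken", pulumi.Output.secret(oidc.id_token))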
package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/serviceaccount"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
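// main mints a Google OIDC id_token as an impersonated service account and
// exports it as a secret stack output.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Short-lived access token for the impersonated account. Its result is not
		// referenced by the id-token invoke below (which impersonates on its own via
		// TargetServiceAccount/Delegates); kept here to mirror the upstream example.
		_, err := serviceaccount.GetAccountAccessToken(ctx, &serviceaccount.GetAccountAccessTokenArgs{
			TargetServiceAccount: "impersonated-account@project.iam.gserviceaccount.com",
			Delegates:            []interface{}{},
			Scopes: []string{
				"userinfo-email",
				"cloud-platform",
			},
			// Keep impersonated credentials short-lived to limit the blast radius of a leak.
			Lifetime: pulumi.StringRef("300s"),
		}, nil)
		if err != nil {
			return err
		}
		// Mint an id_token *as* the impersonated account. The provider identity needs
		// roles/iam.serviceAccountTokenCreator on that account.
		oidc, err := serviceaccount.GetAccountIdToken(ctx, &serviceaccount.GetAccountIdTokenArgs{
			TargetServiceAccount: pulumi.StringRef("impersonated-account@project.iam.gserviceaccount.com"),
			Delegates:            []interface{}{},
			// Adds the verified `email` claim, typically required when the callee authorizes by service-account email.
			IncludeEmail:   pulumi.BoolRef(true),
			TargetAudience: "https://foo.bar/",
		}, nil)
		if err != nil {
			return err
		}
		// The id_token is a bearer credential: export it as a secret so it is encrypted
		// in state and redacted in CLI output rather than stored in plaintext.
		ctx.Export("oidcToken", pulumi.ToSecret(pulumi.String(oidc.IdToken)))
		return nil
	})
}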
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
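// Mint a Google OIDC id_token as an impersonated service account and export it
// as a secret stack output.
return await Deployment.RunAsync(() =>
{
    // Short-lived access token for the impersonated account. It is not referenced by the
    // id-token invoke below (which impersonates on its own via TargetServiceAccount/Delegates);
    // kept here to mirror the upstream example.
    var impersonated = Gcp.ServiceAccount.GetAccountAccessToken.Invoke(new()
    {
        TargetServiceAccount = "impersonated-account@project.iam.gserviceaccount.com",
        Delegates = new() { },
        Scopes = new[]
        {
            "userinfo-email",
            "cloud-platform",
        },
        // Keep impersonated credentials short-lived to limit the blast radius of a leak.
        Lifetime = "300s",
    });
    // Mint an id_token *as* the impersonated account. The provider identity needs
    // roles/iam.serviceAccountTokenCreator on that account.
    var oidc = Gcp.ServiceAccount.GetAccountIdToken.Invoke(new()
    {
        TargetServiceAccount = "impersonated-account@project.iam.gserviceaccount.com",
        Delegates = new() { },
        // Adds the verified `email` claim, typically required when the callee authorizes by service-account email.
        IncludeEmail = true,
        TargetAudience = "https://foo.bar/",
    });
    return new Dictionary<string, object?>
    {
        // The id_token is a bearer credential: mark it secret so it is encrypted in state
        // and redacted in CLI output rather than stored in plaintext.
        ["oidcToken"] = Output.CreateSecret(oidc.Apply(result => result.IdToken)),
    };
});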
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.serviceaccount.ServiceaccountFunctions;
import com.pulumi.gcp.serviceaccount.inputs.GetAccountAccessTokenArgs;
import com.pulumi.gcp.serviceaccount.inputs.GetAccountIdTokenArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
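/**
 * Mints a Google OIDC id_token as an impersonated service account and exports it
 * as a secret stack output.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Short-lived access token for the impersonated account. It is not referenced by the
        // id-token invoke below (which impersonates on its own via targetServiceAccount/delegates);
        // kept here to mirror the upstream example.
        final var impersonated = ServiceaccountFunctions.getAccountAccessToken(GetAccountAccessTokenArgs.builder()
            .targetServiceAccount("impersonated-account@project.iam.gserviceaccount.com")
            .delegates()
            .scopes(
                "userinfo-email",
                "cloud-platform")
            // Keep impersonated credentials short-lived to limit the blast radius of a leak.
            .lifetime("300s")
            .build());
        // Mint an id_token *as* the impersonated account. The provider identity needs
        // roles/iam.serviceAccountTokenCreator on that account.
        final var oidc = ServiceaccountFunctions.getAccountIdToken(GetAccountIdTokenArgs.builder()
            .targetServiceAccount("impersonated-account@project.iam.gserviceaccount.com")
            .delegates()
            // Adds the verified `email` claim, typically required when the callee authorizes by service-account email.
            .includeEmail(true)
            .targetAudience("https://foo.bar/")
            .build());
        // The id_token is a bearer credential: mark it secret so it is encrypted in state
        // and redacted in CLI output rather than stored in plaintext.
        ctx.export("oidcToken", oidc.applyValue(result -> result.idToken()).asSecret());
    }
}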
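variables:
  # Short-lived access token for the impersonated account. It is not referenced by the
  # id-token invoke below (which impersonates on its own via targetServiceAccount/delegates);
  # kept here to mirror the upstream example.
  impersonated:
    fn::invoke:
      function: gcp:serviceaccount:getAccountAccessToken
      arguments:
        targetServiceAccount: impersonated-account@project.iam.gserviceaccount.com
        delegates: []
        scopes:
          - userinfo-email
          - cloud-platform
        # Keep impersonated credentials short-lived to limit the blast radius of a leak.
        lifetime: 300s
  # Mint an id_token *as* the impersonated account. The provider identity needs
  # roles/iam.serviceAccountTokenCreator on that account.
  oidc:
    fn::invoke:
      function: gcp:serviceaccount:getAccountIdToken
      arguments:
        targetServiceAccount: impersonated-account@project.iam.gserviceaccount.com
        delegates: []
        # Adds the verified `email` claim, typically required when the callee authorizes by service-account email.
        includeEmail: true
        targetAudience: https://foo.bar/
outputs:
  # The id_token is a bearer credential: mark it secret so it is encrypted in state
  # and redacted in CLI output rather than stored in plaintext.
  oidcToken:
    fn::secret: ${oidc.idToken}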
Invoking Cloud Run Endpoint
The following configuration invokes a Cloud Run endpoint on which the provider's service account has previously been granted roles/run.invoker. targetAudience must be the Cloud Run service URL: Cloud Run rejects tokens whose `aud` claim does not match the service it fronts. The token is sent only in the Authorization header; what is exported is the HTTP response body, so make sure that body does not itself echo the credential.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as http from "@pulumi/http";
// The Cloud Run service URL doubles as the token audience: the token is minted
// for exactly this service and presented back to it as a bearer credential.
const cloudRunUrl = "https://your.cloud.run.app/";

// Mint an id_token whose `aud` claim is the Cloud Run service URL.
const idToken = gcp.serviceaccount.getAccountIdToken({
    targetAudience: cloudRunUrl,
});

// Call the service with the token in the Authorization header. The token itself
// is never exported; only the response body is.
const cloudrun = idToken.then(token => http.getHttp({
    url: cloudRunUrl,
    requestHeaders: {
        Authorization: `Bearer ${token.idToken}`,
    },
}));

export const cloudRunResponse = cloudrun.then(response => response.body);
import pulumi
import pulumi_gcp as gcp
import pulumi_http as http
# The Cloud Run service URL doubles as the token audience: the token is minted
# for exactly this service and presented back to it as a bearer credential.
cloud_run_url = "https://your.cloud.run.app/"

# Mint an id_token whose `aud` claim is the Cloud Run service URL.
oidc = gcp.serviceaccount.get_account_id_token(target_audience=cloud_run_url)

# Call the service with the token in the Authorization header. The token itself
# is never exported; only the response body is.
cloudrun = http.get_http(
    url=cloud_run_url,
    request_headers={"Authorization": "Bearer " + oidc.id_token},
)

pulumi.export("cloudRunResponse", cloudrun.body)
package main
import (
	"fmt"
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/serviceaccount"
	"github.com/pulumi/pulumi-http/sdk/go/http"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main mints an id_token for a Cloud Run service, calls the service with it as a
// bearer credential, and exports only the response body (never the token).
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The Cloud Run service URL doubles as the token audience.
		const cloudRunURL = "https://your.cloud.run.app/"

		// Mint an id_token whose `aud` claim is the Cloud Run service URL.
		tok, err := serviceaccount.GetAccountIdToken(ctx, &serviceaccount.GetAccountIdTokenArgs{
			TargetAudience: cloudRunURL,
		}, nil)
		if err != nil {
			return err
		}

		// Present the token in the Authorization header.
		headers := map[string]interface{}{
			"Authorization": fmt.Sprintf("Bearer %v", tok.IdToken),
		}
		resp, err := http.GetHttp(ctx, &http.GetHttpArgs{
			Url:            cloudRunURL,
			RequestHeaders: headers,
		}, nil)
		if err != nil {
			return err
		}

		ctx.Export("cloudRunResponse", resp.Body)
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Http = Pulumi.Http;
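// Mint an id_token for a Cloud Run service, call the service with it as a bearer
// credential, and export only the response body (never the token).
return await Deployment.RunAsync(() =>
{
    // The Cloud Run service URL doubles as the token audience.
    var oidc = Gcp.ServiceAccount.GetAccountIdToken.Invoke(new()
    {
        TargetAudience = "https://your.cloud.run.app/",
    });
    // Output.Format resolves the token before interpolating. A plain $"Bearer {...}"
    // would call ToString() on the Output<string> object and send a header that is
    // not a valid credential.
    var bearer = Output.Format($"Bearer {oidc.Apply(result => result.IdToken)}");
    var cloudrun = Http.GetHttp.Invoke(new()
    {
        Url = "https://your.cloud.run.app/",
        RequestHeaders =
        {
            { "Authorization", bearer },
        },
    });
    return new Dictionary<string, object?>
    {
        ["cloudRunResponse"] = cloudrun.Apply(result => result.Body),
    };
});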
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.serviceaccount.ServiceaccountFunctions;
import com.pulumi.gcp.serviceaccount.inputs.GetAccountIdTokenArgs;
import com.pulumi.http.HttpFunctions;
import com.pulumi.http.inputs.GetHttpArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
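/**
 * Mints an id_token for a Cloud Run service, calls the service with it as a
 * bearer credential, and exports only the response body (never the token).
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // The Cloud Run service URL doubles as the token audience.
        final var oidc = ServiceaccountFunctions.getAccountIdToken(GetAccountIdTokenArgs.builder()
            .targetAudience("https://your.cloud.run.app/")
            .build());
        // Build the header map inside applyValue so the resolved token string is used.
        // String.format("Bearer %s", output) would format the Output object's toString(),
        // producing a header that is not a valid credential.
        final var headers = oidc.applyValue(result -> Map.of("Authorization", "Bearer " + result.idToken()));
        final var cloudrun = HttpFunctions.getHttp(GetHttpArgs.builder()
            .url("https://your.cloud.run.app/")
            .requestHeaders(headers)
            .build());
        ctx.export("cloudRunResponse", cloudrun.applyValue(result -> result.body()));
    }
}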
variables:
  # Mint an id_token whose `aud` claim is the Cloud Run service URL. The URL is
  # both the audience and the endpoint the token is presented to.
  idToken:
    fn::invoke:
      function: gcp:serviceaccount:getAccountIdToken
      arguments:
        targetAudience: https://your.cloud.run.app/
  # Call the service with the token as a bearer credential in the Authorization header.
  response:
    fn::invoke:
      function: http:getHttp
      arguments:
        url: https://your.cloud.run.app/
        requestHeaders:
          Authorization: Bearer ${idToken.idToken}
outputs:
  # Only the response body is exported; the token itself never leaves the header.
  cloudRunResponse: ${response.body}
Using getAccountIdToken
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getAccountIdToken(args: GetAccountIdTokenArgs, opts?: InvokeOptions): Promise<GetAccountIdTokenResult>
function getAccountIdTokenOutput(args: GetAccountIdTokenOutputArgs, opts?: InvokeOptions): Output&lt;GetAccountIdTokenResult&gt;
def get_account_id_token(delegates: Optional[Sequence[str]] = None,
                         include_email: Optional[bool] = None,
                         target_audience: Optional[str] = None,
                         target_service_account: Optional[str] = None,
                         opts: Optional[InvokeOptions] = None) -> GetAccountIdTokenResult
def get_account_id_token_output(delegates: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                         include_email: Optional[pulumi.Input[bool]] = None,
                         target_audience: Optional[pulumi.Input[str]] = None,
                         target_service_account: Optional[pulumi.Input[str]] = None,
                         opts: Optional[InvokeOptions] = None) -> Output[GetAccountIdTokenResult]
func GetAccountIdToken(ctx *Context, args *GetAccountIdTokenArgs, opts ...InvokeOption) (*GetAccountIdTokenResult, error)
func GetAccountIdTokenOutput(ctx *Context, args *GetAccountIdTokenOutputArgs, opts ...InvokeOption) GetAccountIdTokenResultOutput
> Note: This function is named GetAccountIdToken in the Go SDK.
public static class GetAccountIdToken 
{
    public static Task<GetAccountIdTokenResult> InvokeAsync(GetAccountIdTokenArgs args, InvokeOptions? opts = null)
    public static Output<GetAccountIdTokenResult> Invoke(GetAccountIdTokenInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture&lt;GetAccountIdTokenResult&gt; getAccountIdToken(GetAccountIdTokenArgs args, InvokeOptions options)
public static Output<GetAccountIdTokenResult> getAccountIdToken(GetAccountIdTokenArgs args, InvokeOptions options)
fn::invoke:
  function: gcp:serviceaccount/getAccountIdToken:getAccountIdToken
  arguments:
    # arguments dictionary
The following arguments are supported:
- TargetAudience string
- The audience claim (`aud`) for the id_token. Set it to the identifier of the single service that will consume the token (for Cloud Run, the service URL); a conforming receiver rejects tokens whose `aud` does not match its own identifier, so a token minted for one audience cannot be replayed against another.
- Delegates List<string>
- Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. Used only when using impersonation mode.
- IncludeEmail bool
- Include the verified `email` claim in the token. Used only when using impersonation mode; typically required when the receiving service authorizes callers by service-account email.
- TargetServiceAccount string
- The email of the service account being impersonated. Used only when using impersonation mode; the provider identity (or last delegate) must hold roles/iam.serviceAccountTokenCreator on this account.
- TargetAudience string
- The audience claim for the id_token.
- Delegates []string
- Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. Used only when using impersonation mode.
- IncludeEmail bool
- Include the verified email in the claim. Used only when using impersonation mode.
- TargetServiceAccount string
- The email of the service account being impersonated. Used only when using impersonation mode; the provider identity (or last delegate) must hold roles/iam.serviceAccountTokenCreator on this account.
- targetAudience String
- The audience claim for the id_token.
- delegates List<String>
- Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. Used only when using impersonation mode.
- includeEmail Boolean
- Include the verified email in the claim. Used only when using impersonation mode.
- targetServiceAccount String
- The email of the service account being impersonated. Used only when using impersonation mode; the provider identity (or last delegate) must hold roles/iam.serviceAccountTokenCreator on this account.
- targetAudience string
- The audience claim for the id_token.
- delegates string[]
- Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. Used only when using impersonation mode.
- includeEmail boolean
- Include the verified email in the claim. Used only when using impersonation mode.
- targetServiceAccount string
- The email of the service account being impersonated. Used only when using impersonation mode; the provider identity (or last delegate) must hold roles/iam.serviceAccountTokenCreator on this account.
- target_audience str
- The audience claim for the id_token.
- delegates Sequence[str]
- Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. Used only when using impersonation mode.
- include_email bool
- Include the verified email in the claim. Used only when using impersonation mode.
- target_service_account str
- The email of the service account being impersonated. Used only when using impersonation mode; the provider identity (or last delegate) must hold roles/iam.serviceAccountTokenCreator on this account.
- targetAudience String
- The audience claim for the id_token.
- delegates List<String>
- Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. Used only when using impersonation mode.
- includeEmail Boolean
- Include the verified email in the claim. Used only when using impersonation mode.
- targetServiceAccount String
- The email of the service account being impersonated. Used only when using impersonation mode; the provider identity (or last delegate) must hold roles/iam.serviceAccountTokenCreator on this account.
getAccountIdToken Result
The following output properties are available:
- Id string
- The provider-assigned unique ID for this managed resource.
- IdToken string
- The id_token representing the newly generated identity. Sensitive: this is a bearer credential, so wrap it as a secret before exporting or persisting it.
- TargetAudience string
- Delegates List<string>
- IncludeEmail bool
- TargetServiceAccount string
- Id string
- The provider-assigned unique ID for this managed resource.
- IdToken string
- The id_token representing the newly generated identity. Sensitive: this is a bearer credential, so wrap it as a secret before exporting or persisting it.
- TargetAudience string
- Delegates []string
- IncludeEmail bool
- TargetServiceAccount string
- id String
- The provider-assigned unique ID for this managed resource.
- idToken String
- The id_token representing the newly generated identity. Sensitive: this is a bearer credential, so wrap it as a secret before exporting or persisting it.
- targetAudience String
- delegates List<String>
- includeEmail Boolean
- targetServiceAccount String
- id string
- The provider-assigned unique ID for this managed resource.
- idToken string
- The id_token representing the newly generated identity. Sensitive: this is a bearer credential, so wrap it as a secret before exporting or persisting it.
- targetAudience string
- delegates string[]
- includeEmail boolean
- targetServiceAccount string
- id str
- The provider-assigned unique ID for this managed resource.
- id_token str
- The id_token representing the newly generated identity. Sensitive: this is a bearer credential, so wrap it as a secret before exporting or persisting it.
- target_audience str
- delegates Sequence[str]
- include_email bool
- target_service_account str
- id String
- The provider-assigned unique ID for this managed resource.
- idToken String
- The id_token representing the newly generated identity. Sensitive: this is a bearer credential, so wrap it as a secret before exporting or persisting it.
- targetAudience String
- delegates List<String>
- includeEmail Boolean
- targetServiceAccount String
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the google-beta Terraform Provider.