Google Cloud v9.4.0 published on Tuesday, Nov 4, 2025 by Pulumi

gcp.serviceaccount.getAccountJwt


    This data source provides a self-signed JWT. Tokens issued from this data source are typically used to call external services that accept JWTs for authentication.

    Example Usage

    Note: in order to use the following, the caller must have at least roles/iam.serviceAccountTokenCreator on the target_service_account.

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
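    // Request a JWT signed by the target service account. The caller needs
    // roles/iam.serviceAccountTokenCreator on that account (see the note above the examples).
    const foo = gcp.serviceaccount.getAccountJwt({
        targetServiceAccount: "impersonated-account@project.iam.gserviceaccount.com",
        // Claims set to sign, passed as a JSON string.
        payload: JSON.stringify({
            foo: "bar",
            sub: "subject",
        }),
        // Keep the token short-lived: an `exp` claim 60 seconds from now is added.
        expiresIn: 60,
    });
    // The signed JWT is a bearer credential. A Promise-wrapped invoke result carries
    // no secret marker, so mark the value as a secret before exporting it; otherwise
    // it is stored and displayed in plain text as a stack output.
    export const jwt = pulumi.secret(foo.then(foo => foo.jwt));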
    
    import pulumi
    import json
    import pulumi_gcp as gcp
    
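    # Request a JWT signed by the target service account. The caller needs
    # roles/iam.serviceAccountTokenCreator on that account.
    foo = gcp.serviceaccount.get_account_jwt(
        target_service_account="impersonated-account@project.iam.gserviceaccount.com",
        # Claims set to sign, passed as a JSON string.
        payload=json.dumps({
            "foo": "bar",
            "sub": "subject",
        }),
        # Keep the token short-lived: an `exp` claim 60 seconds from now is added.
        expires_in=60)
    # The signed JWT is a bearer credential, and the direct invoke form returns it as
    # a plain string. Wrap it as a secret so the stack output is not stored and
    # displayed in plain text.
    pulumi.export("jwt", pulumi.Output.secret(foo.jwt))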
    
    package main
    
    import (
    	"encoding/json"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/serviceaccount"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
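    // main requests a JWT signed by the target service account and exports it
    // as a secret stack output. The caller needs
    // roles/iam.serviceAccountTokenCreator on the target service account.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Claims set to sign; the data source expects it as a JSON string.
    		claims, err := json.Marshal(map[string]interface{}{
    			"foo": "bar",
    			"sub": "subject",
    		})
    		if err != nil {
    			return err
    		}
    		foo, err := serviceaccount.GetAccountJwt(ctx, &serviceaccount.GetAccountJwtArgs{
    			TargetServiceAccount: "impersonated-account@project.iam.gserviceaccount.com",
    			Payload:              string(claims),
    			// Keep the token short-lived: an exp claim 60 seconds from now is added.
    			ExpiresIn: pulumi.IntRef(60),
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// foo.Jwt is a plain Go string holding a bearer credential. ctx.Export
    		// takes a pulumi.Input, so lift the string with pulumi.String and mark it
    		// secret so the stack output is not stored and displayed in plain text.
    		ctx.Export("jwt", pulumi.ToSecret(pulumi.String(foo.Jwt)))
    		return nil
    	})
    }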
    
    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        // Claims set to sign; the data source expects it as a JSON string.
        var claims = new Dictionary<string, object?>
        {
            ["foo"] = "bar",
            ["sub"] = "subject",
        };

        // Request a JWT signed by the target service account. The caller needs
        // roles/iam.serviceAccountTokenCreator on that account.
        var signed = Gcp.ServiceAccount.GetAccountJwt.Invoke(new()
        {
            TargetServiceAccount = "impersonated-account@project.iam.gserviceaccount.com",
            Payload = JsonSerializer.Serialize(claims),
            // Short lifetime: an exp claim 60 seconds from now is added.
            ExpiresIn = 60,
        });

        // NOTE(review): the exported value is a bearer credential. Confirm that this
        // output is marked as a secret before relying on it; otherwise the token is
        // stored and displayed in plain text as a stack output.
        var outputs = new Dictionary<string, object?>
        {
            ["jwt"] = signed.Apply(result => result.Jwt),
        };
        return outputs;
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.serviceaccount.ServiceaccountFunctions;
    import com.pulumi.gcp.serviceaccount.inputs.GetAccountJwtArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Example program: requests a JWT signed by the target service account and
     * exports it as the stack output "jwt".
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /**
         * Builds the stack. The caller needs roles/iam.serviceAccountTokenCreator
         * on the target service account.
         *
         * @param ctx the Pulumi program context used to register stack outputs
         */
        public static void stack(Context ctx) {
            // Claims set to sign; the data source expects it as a JSON string.
            final var claims = serializeJson(
                jsonObject(
                    jsonProperty("foo", "bar"),
                    jsonProperty("sub", "subject")
                ));

            final var jwtArgs = GetAccountJwtArgs.builder()
                .targetServiceAccount("impersonated-account@project.iam.gserviceaccount.com")
                .payload(claims)
                // Short lifetime: an exp claim 60 seconds from now is added.
                .expiresIn(60)
                .build();

            final var signed = ServiceaccountFunctions.getAccountJwt(jwtArgs);
    
            // NOTE(review): the exported value is a bearer credential. Confirm that
            // this output is marked as a secret; otherwise the token is stored and
            // displayed in plain text as a stack output.
            ctx.export("jwt", signed.jwt());
        }
    }
    
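    variables:
      # Request a JWT signed by the target service account. The caller needs
      # roles/iam.serviceAccountTokenCreator on that account.
      foo:
        fn::invoke:
          function: gcp:serviceaccount:getAccountJwt
          arguments:
            targetServiceAccount: impersonated-account@project.iam.gserviceaccount.com
            # Claims set to sign, serialized to a JSON string.
            payload:
              fn::toJSON:
                foo: bar
                sub: subject
            # Short lifetime: an exp claim 60 seconds from now is added.
            expiresIn: 60
    outputs:
      # The signed JWT is a bearer credential: mark it as a secret so the stack
      # output is not stored and displayed in plain text.
      jwt:
        fn::secret: ${foo.jwt}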
    

    Using getAccountJwt

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getAccountJwt(args: GetAccountJwtArgs, opts?: InvokeOptions): Promise<GetAccountJwtResult>
    function getAccountJwtOutput(args: GetAccountJwtOutputArgs, opts?: InvokeOptions): Output<GetAccountJwtResult>
    def get_account_jwt(delegates: Optional[Sequence[str]] = None,
                        expires_in: Optional[int] = None,
                        payload: Optional[str] = None,
                        target_service_account: Optional[str] = None,
                        opts: Optional[InvokeOptions] = None) -> GetAccountJwtResult
    def get_account_jwt_output(delegates: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                        expires_in: Optional[pulumi.Input[int]] = None,
                        payload: Optional[pulumi.Input[str]] = None,
                        target_service_account: Optional[pulumi.Input[str]] = None,
                        opts: Optional[InvokeOptions] = None) -> Output[GetAccountJwtResult]
    func GetAccountJwt(ctx *Context, args *GetAccountJwtArgs, opts ...InvokeOption) (*GetAccountJwtResult, error)
    func GetAccountJwtOutput(ctx *Context, args *GetAccountJwtOutputArgs, opts ...InvokeOption) GetAccountJwtResultOutput

    > Note: This function is named GetAccountJwt in the Go SDK.

    public static class GetAccountJwt 
    {
        public static Task<GetAccountJwtResult> InvokeAsync(GetAccountJwtArgs args, InvokeOptions? opts = null)
        public static Output<GetAccountJwtResult> Invoke(GetAccountJwtInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetAccountJwtResult> getAccountJwt(GetAccountJwtArgs args, InvokeOptions options)
    public static Output<GetAccountJwtResult> getAccountJwt(GetAccountJwtArgs args, InvokeOptions options)
    
    fn::invoke:
      function: gcp:serviceaccount/getAccountJwt:getAccountJwt
      arguments:
        # arguments dictionary

    The following arguments are supported:

    Payload string
    The JSON-encoded JWT claims set to include in the self-signed JWT.
    TargetServiceAccount string
    The email of the service account that will sign the JWT.
    Delegates List<string>
    Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.
    ExpiresIn int
    Number of seconds until the JWT expires. If set and non-zero, an exp claim equal to the current timestamp plus expires_in seconds is added to the payload.
    Payload string
    The JSON-encoded JWT claims set to include in the self-signed JWT.
    TargetServiceAccount string
    The email of the service account that will sign the JWT.
    Delegates []string
    Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.
    ExpiresIn int
    Number of seconds until the JWT expires. If set and non-zero, an exp claim equal to the current timestamp plus expires_in seconds is added to the payload.
    payload String
    The JSON-encoded JWT claims set to include in the self-signed JWT.
    targetServiceAccount String
    The email of the service account that will sign the JWT.
    delegates List<String>
    Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.
    expiresIn Integer
    Number of seconds until the JWT expires. If set and non-zero, an exp claim equal to the current timestamp plus expires_in seconds is added to the payload.
    payload string
    The JSON-encoded JWT claims set to include in the self-signed JWT.
    targetServiceAccount string
    The email of the service account that will sign the JWT.
    delegates string[]
    Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.
    expiresIn number
    Number of seconds until the JWT expires. If set and non-zero, an exp claim equal to the current timestamp plus expires_in seconds is added to the payload.
    payload str
    The JSON-encoded JWT claims set to include in the self-signed JWT.
    target_service_account str
    The email of the service account that will sign the JWT.
    delegates Sequence[str]
    Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.
    expires_in int
    Number of seconds until the JWT expires. If set and non-zero, an exp claim equal to the current timestamp plus expires_in seconds is added to the payload.
    payload String
    The JSON-encoded JWT claims set to include in the self-signed JWT.
    targetServiceAccount String
    The email of the service account that will sign the JWT.
    delegates List<String>
    Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.
    expiresIn Number
    Number of seconds until the JWT expires. If set and non-zero, an exp claim equal to the current timestamp plus expires_in seconds is added to the payload.

    getAccountJwt Result

    The following output properties are available:

    Id string
    The provider-assigned unique ID for this managed resource.
    Jwt string
    The signed JWT containing the JWT Claims Set from the payload.
    Payload string
    TargetServiceAccount string
    Delegates List<string>
    ExpiresIn int
    Id string
    The provider-assigned unique ID for this managed resource.
    Jwt string
    The signed JWT containing the JWT Claims Set from the payload.
    Payload string
    TargetServiceAccount string
    Delegates []string
    ExpiresIn int
    id String
    The provider-assigned unique ID for this managed resource.
    jwt String
    The signed JWT containing the JWT Claims Set from the payload.
    payload String
    targetServiceAccount String
    delegates List<String>
    expiresIn Integer
    id string
    The provider-assigned unique ID for this managed resource.
    jwt string
    The signed JWT containing the JWT Claims Set from the payload.
    payload string
    targetServiceAccount string
    delegates string[]
    expiresIn number
    id str
    The provider-assigned unique ID for this managed resource.
    jwt str
    The signed JWT containing the JWT Claims Set from the payload.
    payload str
    target_service_account str
    delegates Sequence[str]
    expires_in int
    id String
    The provider-assigned unique ID for this managed resource.
    jwt String
    The signed JWT containing the JWT Claims Set from the payload.
    payload String
    targetServiceAccount String
    delegates List<String>
    expiresIn Number

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.