Add google_impersonated_credential datasource #3211
Conversation
OK, it seems to still not be adding it in. I ran tests locally and they worked; I'm just not sure how CI will run it, since to do this you need to set up the IAM permissions on a real project/service account. Anyway:
Build:
TEST:
RUN:

```hcl
# Default provider: the identity running terraform (serviceA).
provider "google" {}

data "google_client_config" "default" {
  provider = "google"
}

# Mint a short-lived token for serviceB. serviceA must be allowed to impersonate
# the target (Token Creator on that service account) for this to succeed.
data "google_impersonated_credential" "default" {
  provider               = "google"
  target_service_account = "impersonated-account@fabled-ray-104117.iam.gserviceaccount.com"
  scopes                 = ["storage-ro", "cloud-platform"]
  lifetime               = "300s"
}

# Aliased provider that authenticates as serviceB with that token.
provider "google" {
  alias        = "impersonated"
  access_token = "${data.google_impersonated_credential.default.access_token}"
}

# Read a project that only serviceB has access to.
data "google_project" "project" {
  provider   = "google.impersonated"
  project_id = "mineral-minutia-820"
}
```
First pass of review. I'll take a look at the vendoring in a little bit, but it's likely I'll pull it into another PR that can be merged ahead of this.
Note, one issue to point out with the way I've got the acceptance tests set up:
The problem is that step 2 is eventually consistent... it may take ~30-40s to complete, so the whole test fails since step 3 fails. I'm not sure how to solve this (I'm pretty new to Terraform). I tried setting up a multi-step flow like this but I'm just guessing (it didn't work). Even after I get past that, I don't know how to add in a dynamic, aliased provider (e.g., https://www.terraform.io/docs/extend/testing/acceptance-tests/testcase.html#providers).
See https://github.com/terraform-providers/terraform-provider-google/blob/master/google/data_source_google_client_openid_userinfo_test.go#L27 for using a dynamic aliased provider in tests.
1 small correction, but otherwise looks good!
When you've corrected that I'll pull this upstream into our code generator and add the docs to the website.
website/docs/d/datasource_google_service_account_access_token.html.markdown
@chrisst Done. Added in that final change.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉, please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!
google_impersonated_credential
Provides an access_token for resources the original caller may not have immediate access to. That is, you can run the .tf as serviceA and then access resources serviceB has access to.
An administrator for serviceB can potentially just give 'just in time' access to impersonate.
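The exchange a datasource like this performs to obtain serviceB's token, as an added example that is not part of this PR or of the provider's code. It assumes the datasource is backed by the IAM Credentials API's generateAccessToken method; the scope-alias table, the 3600s lifetime ceiling, the stand-in server (`fake_iamcredentials`), the token value and `EXAMPLE_NOW` are all constructed for illustration so the code runs offline. Only the "is the caller allowed to impersonate the target" check is modelled on the server side, because that permission (the 'just in time' grant the description mentions) is the whole access-control boundary here.

```python
"""Added example: the IAM Credentials generateAccessToken exchange behind an
impersonation datasource. The "server" is a constructed stand-in, not Google's
service, so everything here runs offline."""
import re
from datetime import datetime, timedelta, timezone

IAMCREDENTIALS = "https://iamcredentials.googleapis.com/v1"
# Assumption: default ceiling for a generated token; an org policy can raise it.
MAX_LIFETIME_S = 3600
# Constructed fixed clock so the expiry below is deterministic.
EXAMPLE_NOW = datetime(2019, 3, 12, 12, 0, 0, tzinfo=timezone.utc)

# Short scope aliases such as the "storage-ro" used in the PR's config, expanded
# to full OAuth scope URIs. Assumption: mirrors the provider's own alias table.
SCOPE_ALIASES = {
    "cloud-platform": "https://www.googleapis.com/auth/cloud-platform",
    "storage-ro": "https://www.googleapis.com/auth/devstorage.read_only",
    "storage-rw": "https://www.googleapis.com/auth/devstorage.read_write",
}
_LIFETIME_RE = re.compile(r"^(\d+)s$")
_TS = "%Y-%m-%dT%H:%M:%SZ"


def canonicalize_scope(scope):
    """Accept a full scope URI or one of the short aliases above."""
    if scope.startswith("https://"):
        return scope
    if scope not in SCOPE_ALIASES:
        raise ValueError(f"unknown scope alias: {scope}")
    return SCOPE_ALIASES[scope]


def parse_lifetime(lifetime):
    """The API takes a duration string like "300s"; reject anything over the ceiling."""
    m = _LIFETIME_RE.match(lifetime)
    if not m:
        raise ValueError(f"lifetime must look like '300s', got {lifetime!r}")
    secs = int(m.group(1))
    if not 0 < secs <= MAX_LIFETIME_S:
        raise ValueError(f"lifetime {secs}s outside 1..{MAX_LIFETIME_S}s")
    return secs


def build_request(target_service_account, scopes, lifetime="3600s", delegates=()):
    """Return (url, json_body) for the POST the caller (serviceA) sends."""
    parse_lifetime(lifetime)
    if not scopes:
        raise ValueError("at least one scope is required")
    url = (f"{IAMCREDENTIALS}/projects/-/serviceAccounts/"
           f"{target_service_account}:generateAccessToken")
    body = {"scope": [canonicalize_scope(s) for s in scopes], "lifetime": lifetime}
    if delegates:
        # Optional delegation chain, each member in the API's resource-name form.
        body["delegates"] = [f"projects/-/serviceAccounts/{d}" for d in delegates]
    return url, body


def fake_iamcredentials(url, body, caller_can_impersonate, now):
    """Constructed stand-in for the server side. The decisive check is whether the
    caller holds the Token Creator grant on the target account."""
    if not url.endswith(":generateAccessToken"):
        return 404, {"error": {"status": "NOT_FOUND"}}
    if not caller_can_impersonate:
        return 403, {"error": {"status": "PERMISSION_DENIED"}}
    expire = now + timedelta(seconds=parse_lifetime(body["lifetime"]))
    return 200, {"accessToken": "ya29.constructed-example-token",
                 "expireTime": expire.strftime(_TS)}


def parse_response(status, payload):
    """Turn the API reply into (access_token, expiry as an aware UTC datetime)."""
    if status != 200:
        raise PermissionError(f"generateAccessToken failed: {payload['error']['status']}")
    expiry = datetime.strptime(payload["expireTime"], _TS).replace(tzinfo=timezone.utc)
    return payload["accessToken"], expiry


def impersonate(target, scopes, lifetime, caller_can_impersonate, now=EXAMPLE_NOW):
    """End to end: build the request, send it to the stand-in, parse the reply."""
    url, body = build_request(target, scopes, lifetime)
    status, payload = fake_iamcredentials(url, body, caller_can_impersonate, now)
    return parse_response(status, payload)


if __name__ == "__main__":
    token, exp = impersonate(
        "impersonated-account@fabled-ray-104117.iam.gserviceaccount.com",
        ["storage-ro", "cloud-platform"], "300s", caller_can_impersonate=True)
    print(token, "valid until", exp.isoformat())
```

The two things worth keeping from this when wiring up the real datasource: the lifetime is bounded by the API, so a config asking for more than the ceiling fails before any token is issued, and a 403 here means serviceA simply has not been granted impersonation on serviceB, which is exactly the eventually consistent IAM binding the acceptance-test discussion above runs into.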