Docs Home Pulumi IaC Pulumi ESC Pulumi Cloud Packages Tutorials
  1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. bigquery
  5. getDefaultServiceAccount
Google Cloud v8.23.0 published on Monday, Mar 24, 2025 by Pulumi
pulumi/pulumi-gcp

gcp.bigquery.getDefaultServiceAccount

Explore with Pulumi AI

Google Cloud v8.23.0 published on Monday, Mar 24, 2025 by Pulumi
pulumi/pulumi-gcp

Get the email address of a project’s unique BigQuery service account.

Each Google Cloud project has a unique service account used by BigQuery. When using BigQuery with customer-managed encryption keys, this account needs to be granted the cloudkms.cryptoKeyEncrypterDecrypter IAM role on the customer-managed Cloud KMS key used to protect the data.

For more information see the API reference.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const bqSa = gcp.bigquery.getDefaultServiceAccount({});
const keySaUser = new gcp.kms.CryptoKeyIAMMember("key_sa_user", {
    cryptoKeyId: key.id,
    role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    member: bqSa.then(bqSa => `serviceAccount:${bqSa.email}`),
});
Copy
import pulumi
import pulumi_gcp as gcp

bq_sa = gcp.bigquery.get_default_service_account()
key_sa_user = gcp.kms.CryptoKeyIAMMember("key_sa_user",
    crypto_key_id=key["id"],
    role="roles/cloudkms.cryptoKeyEncrypterDecrypter",
    member=f"serviceAccount:{bq_sa.email}")
Copy
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/bigquery"
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		bqSa, err := bigquery.GetDefaultServiceAccount(ctx, &bigquery.GetDefaultServiceAccountArgs{}, nil)
		if err != nil {
			return err
		}
		_, err = kms.NewCryptoKeyIAMMember(ctx, "key_sa_user", &kms.CryptoKeyIAMMemberArgs{
			CryptoKeyId: pulumi.Any(key.Id),
			Role:        pulumi.String("roles/cloudkms.cryptoKeyEncrypterDecrypter"),
			Member:      pulumi.Sprintf("serviceAccount:%v", bqSa.Email),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var bqSa = Gcp.BigQuery.GetDefaultServiceAccount.Invoke();

    var keySaUser = new Gcp.Kms.CryptoKeyIAMMember("key_sa_user", new()
    {
        CryptoKeyId = key.Id,
        Role = "roles/cloudkms.cryptoKeyEncrypterDecrypter",
        Member = $"serviceAccount:{bqSa.Apply(getDefaultServiceAccountResult => getDefaultServiceAccountResult.Email)}",
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.bigquery.BigqueryFunctions;
import com.pulumi.gcp.bigquery.inputs.GetDefaultServiceAccountArgs;
import com.pulumi.gcp.kms.CryptoKeyIAMMember;
import com.pulumi.gcp.kms.CryptoKeyIAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var bqSa = BigqueryFunctions.getDefaultServiceAccount();

        var keySaUser = new CryptoKeyIAMMember("keySaUser", CryptoKeyIAMMemberArgs.builder()
            .cryptoKeyId(key.id())
            .role("roles/cloudkms.cryptoKeyEncrypterDecrypter")
            .member(String.format("serviceAccount:%s", bqSa.applyValue(getDefaultServiceAccountResult -> getDefaultServiceAccountResult.email())))
            .build());

    }
}
Copy
resources:
  keySaUser:
    type: gcp:kms:CryptoKeyIAMMember
    name: key_sa_user
    properties:
      cryptoKeyId: ${key.id}
      role: roles/cloudkms.cryptoKeyEncrypterDecrypter
      member: serviceAccount:${bqSa.email}
variables:
  bqSa:
    fn::invoke:
      function: gcp:bigquery:getDefaultServiceAccount
      arguments: {}
Copy

Using getDefaultServiceAccount

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getDefaultServiceAccount(args: GetDefaultServiceAccountArgs, opts?: InvokeOptions): Promise<GetDefaultServiceAccountResult>
function getDefaultServiceAccountOutput(args: GetDefaultServiceAccountOutputArgs, opts?: InvokeOptions): Output<GetDefaultServiceAccountResult>
Copy
def get_default_service_account(project: Optional[str] = None,
                                opts: Optional[InvokeOptions] = None) -> GetDefaultServiceAccountResult
def get_default_service_account_output(project: Optional[pulumi.Input[str]] = None,
                                opts: Optional[InvokeOptions] = None) -> Output[GetDefaultServiceAccountResult]
Copy
func GetDefaultServiceAccount(ctx *Context, args *GetDefaultServiceAccountArgs, opts ...InvokeOption) (*GetDefaultServiceAccountResult, error)
func GetDefaultServiceAccountOutput(ctx *Context, args *GetDefaultServiceAccountOutputArgs, opts ...InvokeOption) GetDefaultServiceAccountResultOutput
Copy

> Note: This function is named GetDefaultServiceAccount in the Go SDK.

public static class GetDefaultServiceAccount 
{
    public static Task<GetDefaultServiceAccountResult> InvokeAsync(GetDefaultServiceAccountArgs args, InvokeOptions? opts = null)
    public static Output<GetDefaultServiceAccountResult> Invoke(GetDefaultServiceAccountInvokeArgs args, InvokeOptions? opts = null)
}
Copy
public static CompletableFuture<GetDefaultServiceAccountResult> getDefaultServiceAccount(GetDefaultServiceAccountArgs args, InvokeOptions options)
public static Output<GetDefaultServiceAccountResult> getDefaultServiceAccount(GetDefaultServiceAccountArgs args, InvokeOptions options)
Copy
fn::invoke:
  function: gcp:bigquery/getDefaultServiceAccount:getDefaultServiceAccount
  arguments:
    # arguments dictionary
Copy

The following arguments are supported:

Project string
The project the unique service account was created for. If it is not provided, the provider project is used.
Project string
The project the unique service account was created for. If it is not provided, the provider project is used.
project String
The project the unique service account was created for. If it is not provided, the provider project is used.
project string
The project the unique service account was created for. If it is not provided, the provider project is used.
project str
The project the unique service account was created for. If it is not provided, the provider project is used.
project String
The project the unique service account was created for. If it is not provided, the provider project is used.

getDefaultServiceAccount Result

The following output properties are available:

Email string
The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
Id string
The provider-assigned unique ID for this managed resource.
Member string
The Identity of the service account in the form serviceAccount:{email}. This value is often used to refer to the service account in order to grant IAM permissions.
Project string
Email string
The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
Id string
The provider-assigned unique ID for this managed resource.
Member string
The Identity of the service account in the form serviceAccount:{email}. This value is often used to refer to the service account in order to grant IAM permissions.
Project string
email String
The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
id String
The provider-assigned unique ID for this managed resource.
member String
The Identity of the service account in the form serviceAccount:{email}. This value is often used to refer to the service account in order to grant IAM permissions.
project String
email string
The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
id string
The provider-assigned unique ID for this managed resource.
member string
The Identity of the service account in the form serviceAccount:{email}. This value is often used to refer to the service account in order to grant IAM permissions.
project string
email str
The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
id str
The provider-assigned unique ID for this managed resource.
member str
The Identity of the service account in the form serviceAccount:{email}. This value is often used to refer to the service account in order to grant IAM permissions.
project str
email String
The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.
id String
The provider-assigned unique ID for this managed resource.
member String
The Identity of the service account in the form serviceAccount:{email}. This value is often used to refer to the service account in order to grant IAM permissions.
project String

Package Details

Repository
Google Cloud (GCP) Classic pulumi/pulumi-gcp
License
Apache-2.0
Notes
This Pulumi package is based on the google-beta Terraform Provider.
Google Cloud v8.23.0 published on Monday, Mar 24, 2025 by Pulumi
pulumi/pulumi-gcp