https://pulumi.com logo
#general
Title
# general
f

faint-motherboard-95438

12/19/2018, 9:22 PM
Is there any way to get the current
gcloud
account used by pulumi ? Either the one from
gcloud auth
or the one from
export GOOGLE_APPLICATION_CREDENTIALS
(which drives me crazy to have both btw) ?
gcp.config.credentials
returns
undefined
;
gcp.serviceAccount.getAccount()
or
gcp.serviceAccount.Account.get()
wants an id while I only can know the email of the account.. I’m kind of out of options from what I can think of.
w

white-balloon-205

12/19/2018, 10:27 PM
You can get the project via
gcp.organizations.getClientConfig()
. And you can get the org detals via
gcp.organizations.getOrganization({ domain: "<http://pulumi.com|pulumi.com>" })
. Do those help?
f

faint-motherboard-95438

12/20/2018, 6:46 PM
Thanks @white-balloon-205 Unfortunately it does not give me what I want. But good to know those exist. Maybe I’m doing it wrong but I would like to assign a
ClusterRoleBinding
to the current account running pulumi (kind of a project master) which then in turns would be able to assign roles to dedicated service accounts with lesser privileges. That’s why I wanted to “guess” what was the current account, since I need its email as an argument to grant the role but it looks like I can’t do that, unless you got a clue here ?
w

white-balloon-205

12/20/2018, 9:08 PM
Just so I understand - what exactly is the "account" you need here? There is a notion of "billing account", but other than that I believe there are only "organizations" and "projects"? Are you actually looking for a user credential of some kind?
f

faint-motherboard-95438

12/21/2018, 9:16 AM
Yeah sorry, I was not clear about what I was looking for. So since I’m using
gcp
to create a cluster, the first run of pulumi is supposed to use the service account selected by
gcloud auth
or the exported credentials in
GOOGLE_APPLICATION_CREDENTIALS
(if I understand well, the
env
value is the right one it seems,
@pulumi/gcp
does not use the
gcloud
tool for that ?). That’s what I called the account, or to be more precise : the current active gcloud service account in my shell pulumi is using to take actions in gcp. This service account has all the permissions in
gcp
to create and manage clusters and other service accounts. I would like to give it some roles in the cluster it just created and I was looking for a way to “guess” this service account (or even just the email) instead of having to put it explicitly in the config. That’s not a big deal since I can definitely reference it somewhere, but I’m used to make things as much reusable as possible with the least amount of configuration changes.
2 Views