» google_bigquery_default_service_account

Get the email address of a project's unique BigQuery service account.

Each Google Cloud project has a unique service account used by BigQuery. When using BigQuery with customer-managed encryption keys, this account needs to be granted the cloudkms.cryptoKeyEncrypterDecrypter IAM role on the customer-managed Cloud KMS key used to protect the data.

For more information see the API reference.

» Example Usage

data "google_bigquery_default_service_account" "bq_sa" {
}

resource "google_kms_crypto_key_iam_member" "key_sa_user" {
  crypto_key_id = google_kms_crypto_key.key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_bigquery_default_service_account.bq_sa.email}"
}

» Argument Reference

The following arguments are supported:

  • project - (Optional) The project the unique service account was created for. If it is not provided, the provider project is used.

» Attributes Reference

The following attributes are exported:

  • email - The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.