Google Cloud v8.25.1, Apr 9 25

Google Cloud v8.25.1 published on Wednesday, Apr 9, 2025 by Pulumi

gcp.privilegedaccessmanager.Entitlement

Explore with Pulumi AI

Google Cloud v8.25.1 published on Wednesday, Apr 9, 2025 by Pulumi

pulumi/pulumi-gcp

Example Usage

Privileged Access Manager Entitlement Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const tfentitlement = new gcp.privilegedaccessmanager.Entitlement("tfentitlement", {
    entitlementId: "example-entitlement",
    location: "global",
    maxRequestDuration: "43200s",
    parent: "projects/my-project-name",
    requesterJustificationConfig: {
        unstructured: {},
    },
    eligibleUsers: [{
        principals: ["group:test@google.com"],
    }],
    privilegedAccess: {
        gcpIamAccess: {
            roleBindings: [{
                role: "roles/storage.admin",
                conditionExpression: "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")",
            }],
            resource: "//cloudresourcemanager.googleapis.com/projects/my-project-name",
            resourceType: "cloudresourcemanager.googleapis.com/Project",
        },
    },
    additionalNotificationTargets: {
        adminEmailRecipients: ["user@example.com"],
        requesterEmailRecipients: ["user@example.com"],
    },
    approvalWorkflow: {
        manualApprovals: {
            requireApproverJustification: true,
            steps: [{
                approvalsNeeded: 1,
                approverEmailRecipients: ["user@example.com"],
                approvers: {
                    principals: ["group:test@google.com"],
                },
            }],
        },
    },
});

import pulumi
import pulumi_gcp as gcp

tfentitlement = gcp.privilegedaccessmanager.Entitlement("tfentitlement",
    entitlement_id="example-entitlement",
    location="global",
    max_request_duration="43200s",
    parent="projects/my-project-name",
    requester_justification_config={
        "unstructured": {},
    },
    eligible_users=[{
        "principals": ["group:test@google.com"],
    }],
    privileged_access={
        "gcp_iam_access": {
            "role_bindings": [{
                "role": "roles/storage.admin",
                "condition_expression": "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")",
            }],
            "resource": "//cloudresourcemanager.googleapis.com/projects/my-project-name",
            "resource_type": "cloudresourcemanager.googleapis.com/Project",
        },
    },
    additional_notification_targets={
        "admin_email_recipients": ["user@example.com"],
        "requester_email_recipients": ["user@example.com"],
    },
    approval_workflow={
        "manual_approvals": {
            "require_approver_justification": True,
            "steps": [{
                "approvals_needed": 1,
                "approver_email_recipients": ["user@example.com"],
                "approvers": {
                    "principals": ["group:test@google.com"],
                },
            }],
        },
    })

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/privilegedaccessmanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := privilegedaccessmanager.Newentitlement(ctx, "tfentitlement", &privilegedaccessmanager.entitlementArgs{
			EntitlementId:      pulumi.String("example-entitlement"),
			Location:           pulumi.String("global"),
			MaxRequestDuration: pulumi.String("43200s"),
			Parent:             pulumi.String("projects/my-project-name"),
			RequesterJustificationConfig: &privilegedaccessmanager.EntitlementRequesterJustificationConfigArgs{
				Unstructured: &privilegedaccessmanager.EntitlementRequesterJustificationConfigUnstructuredArgs{},
			},
			EligibleUsers: privilegedaccessmanager.EntitlementEligibleUserArray{
				&privilegedaccessmanager.EntitlementEligibleUserArgs{
					Principals: pulumi.StringArray{
						pulumi.String("group:test@google.com"),
					},
				},
			},
			PrivilegedAccess: &privilegedaccessmanager.EntitlementPrivilegedAccessArgs{
				GcpIamAccess: &privilegedaccessmanager.EntitlementPrivilegedAccessGcpIamAccessArgs{
					RoleBindings: privilegedaccessmanager.EntitlementPrivilegedAccessGcpIamAccessRoleBindingArray{
						&privilegedaccessmanager.EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs{
							Role:                pulumi.String("roles/storage.admin"),
							ConditionExpression: pulumi.String("request.time < timestamp(\"2024-04-23T18:30:00.000Z\")"),
						},
					},
					Resource:     pulumi.String("//cloudresourcemanager.googleapis.com/projects/my-project-name"),
					ResourceType: pulumi.String("cloudresourcemanager.googleapis.com/Project"),
				},
			},
			AdditionalNotificationTargets: &privilegedaccessmanager.EntitlementAdditionalNotificationTargetsArgs{
				AdminEmailRecipients: pulumi.StringArray{
					pulumi.String("user@example.com"),
				},
				RequesterEmailRecipients: pulumi.StringArray{
					pulumi.String("user@example.com"),
				},
			},
			ApprovalWorkflow: &privilegedaccessmanager.EntitlementApprovalWorkflowArgs{
				ManualApprovals: &privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsArgs{
					RequireApproverJustification: pulumi.Bool(true),
					Steps: privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsStepArray{
						&privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsStepArgs{
							ApprovalsNeeded: pulumi.Int(1),
							ApproverEmailRecipients: pulumi.StringArray{
								pulumi.String("user@example.com"),
							},
							Approvers: &privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsStepApproversArgs{
								Principals: pulumi.StringArray{
									pulumi.String("group:test@google.com"),
								},
							},
						},
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var tfentitlement = new Gcp.PrivilegedAccessManager.Entitlement("tfentitlement", new()
    {
        EntitlementId = "example-entitlement",
        Location = "global",
        MaxRequestDuration = "43200s",
        Parent = "projects/my-project-name",
        RequesterJustificationConfig = new Gcp.PrivilegedAccessManager.Inputs.EntitlementRequesterJustificationConfigArgs
        {
            Unstructured = null,
        },
        EligibleUsers = new[]
        {
            new Gcp.PrivilegedAccessManager.Inputs.EntitlementEligibleUserArgs
            {
                Principals = new[]
                {
                    "group:test@google.com",
                },
            },
        },
        PrivilegedAccess = new Gcp.PrivilegedAccessManager.Inputs.EntitlementPrivilegedAccessArgs
        {
            GcpIamAccess = new Gcp.PrivilegedAccessManager.Inputs.EntitlementPrivilegedAccessGcpIamAccessArgs
            {
                RoleBindings = new[]
                {
                    new Gcp.PrivilegedAccessManager.Inputs.EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs
                    {
                        Role = "roles/storage.admin",
                        ConditionExpression = "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")",
                    },
                },
                Resource = "//cloudresourcemanager.googleapis.com/projects/my-project-name",
                ResourceType = "cloudresourcemanager.googleapis.com/Project",
            },
        },
        AdditionalNotificationTargets = new Gcp.PrivilegedAccessManager.Inputs.EntitlementAdditionalNotificationTargetsArgs
        {
            AdminEmailRecipients = new[]
            {
                "user@example.com",
            },
            RequesterEmailRecipients = new[]
            {
                "user@example.com",
            },
        },
        ApprovalWorkflow = new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowArgs
        {
            ManualApprovals = new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowManualApprovalsArgs
            {
                RequireApproverJustification = true,
                Steps = new[]
                {
                    new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowManualApprovalsStepArgs
                    {
                        ApprovalsNeeded = 1,
                        ApproverEmailRecipients = new[]
                        {
                            "user@example.com",
                        },
                        Approvers = new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowManualApprovalsStepApproversArgs
                        {
                            Principals = new[]
                            {
                                "group:test@google.com",
                            },
                        },
                    },
                },
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.privilegedaccessmanager.entitlement;
import com.pulumi.gcp.privilegedaccessmanager.entitlementArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementRequesterJustificationConfigArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementRequesterJustificationConfigUnstructuredArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementEligibleUserArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementPrivilegedAccessArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementPrivilegedAccessGcpIamAccessArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementAdditionalNotificationTargetsArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementApprovalWorkflowArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementApprovalWorkflowManualApprovalsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var tfentitlement = new Entitlement("tfentitlement", EntitlementArgs.builder()
            .entitlementId("example-entitlement")
            .location("global")
            .maxRequestDuration("43200s")
            .parent("projects/my-project-name")
            .requesterJustificationConfig(EntitlementRequesterJustificationConfigArgs.builder()
                .unstructured(EntitlementRequesterJustificationConfigUnstructuredArgs.builder()
                    .build())
                .build())
            .eligibleUsers(EntitlementEligibleUserArgs.builder()
                .principals("group:test@google.com")
                .build())
            .privilegedAccess(EntitlementPrivilegedAccessArgs.builder()
                .gcpIamAccess(EntitlementPrivilegedAccessGcpIamAccessArgs.builder()
                    .roleBindings(EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs.builder()
                        .role("roles/storage.admin")
                        .conditionExpression("request.time < timestamp(\"2024-04-23T18:30:00.000Z\")")
                        .build())
                    .resource("//cloudresourcemanager.googleapis.com/projects/my-project-name")
                    .resourceType("cloudresourcemanager.googleapis.com/Project")
                    .build())
                .build())
            .additionalNotificationTargets(EntitlementAdditionalNotificationTargetsArgs.builder()
                .adminEmailRecipients("user@example.com")
                .requesterEmailRecipients("user@example.com")
                .build())
            .approvalWorkflow(EntitlementApprovalWorkflowArgs.builder()
                .manualApprovals(EntitlementApprovalWorkflowManualApprovalsArgs.builder()
                    .requireApproverJustification(true)
                    .steps(EntitlementApprovalWorkflowManualApprovalsStepArgs.builder()
                        .approvalsNeeded(1)
                        .approverEmailRecipients("user@example.com")
                        .approvers(EntitlementApprovalWorkflowManualApprovalsStepApproversArgs.builder()
                            .principals("group:test@google.com")
                            .build())
                        .build())
                    .build())
                .build())
            .build());

    }
}

resources:
  tfentitlement:
    type: gcp:privilegedaccessmanager:entitlement
    properties:
      entitlementId: example-entitlement
      location: global
      maxRequestDuration: 43200s
      parent: projects/my-project-name
      requesterJustificationConfig:
        unstructured: {}
      eligibleUsers:
        - principals:
            - group:test@google.com
      privilegedAccess:
        gcpIamAccess:
          roleBindings:
            - role: roles/storage.admin
              conditionExpression: request.time < timestamp("2024-04-23T18:30:00.000Z")
          resource: //cloudresourcemanager.googleapis.com/projects/my-project-name
          resourceType: cloudresourcemanager.googleapis.com/Project
      additionalNotificationTargets:
        adminEmailRecipients:
          - user@example.com
        requesterEmailRecipients:
          - user@example.com
      approvalWorkflow:
        manualApprovals:
          requireApproverJustification: true
          steps:
            - approvalsNeeded: 1
              approverEmailRecipients:
                - user@example.com
              approvers:
                principals:
                  - group:test@google.com

Create Entitlement Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Entitlement(name: string, args: EntitlementArgs, opts?: CustomResourceOptions);

@overload
def Entitlement(resource_name: str,
                args: EntitlementArgs,
                opts: Optional[ResourceOptions] = None)

@overload
def Entitlement(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                eligible_users: Optional[Sequence[EntitlementEligibleUserArgs]] = None,
                entitlement_id: Optional[str] = None,
                location: Optional[str] = None,
                max_request_duration: Optional[str] = None,
                parent: Optional[str] = None,
                privileged_access: Optional[EntitlementPrivilegedAccessArgs] = None,
                requester_justification_config: Optional[EntitlementRequesterJustificationConfigArgs] = None,
                additional_notification_targets: Optional[EntitlementAdditionalNotificationTargetsArgs] = None,
                approval_workflow: Optional[EntitlementApprovalWorkflowArgs] = None)

func NewEntitlement(ctx *Context, name string, args EntitlementArgs, opts ...ResourceOption) (*Entitlement, error)

public Entitlement(string name, EntitlementArgs args, CustomResourceOptions? opts = null)

public Entitlement(String name, EntitlementArgs args)
public Entitlement(String name, EntitlementArgs args, CustomResourceOptions options)

type: gcp:privilegedaccessmanager/entitlement:entitlement
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args EntitlementArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args EntitlementArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args EntitlementArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args EntitlementArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args EntitlementArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Entitlement Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Entitlement resource accepts the following input properties:

EligibleUsers List<EntitlementEligibleUserArgs>: Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
EntitlementId string: The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
Location string: The region of the Entitlement resource.
MaxRequestDuration string: The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
Parent string: Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
PrivilegedAccess EntitlementPrivilegedAccessArgs: Privileged access that this service can be used to gate. Structure is documented below.
RequesterJustificationConfig EntitlementRequesterJustificationConfigArgs: Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
AdditionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs: AdditionalNotificationTargets includes email addresses to be notified.
ApprovalWorkflow EntitlementApprovalWorkflowArgs: The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.

EligibleUsers []EntitlementEligibleUserArgs: Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
EntitlementId string: The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
Location string: The region of the Entitlement resource.
MaxRequestDuration string: The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
Parent string: Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
PrivilegedAccess EntitlementPrivilegedAccessArgs: Privileged access that this service can be used to gate. Structure is documented below.
RequesterJustificationConfig EntitlementRequesterJustificationConfigArgs: Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
AdditionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs: AdditionalNotificationTargets includes email addresses to be notified.
ApprovalWorkflow EntitlementApprovalWorkflowArgs: The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.

eligibleUsers List<EntitlementEligibleUserArgs>: Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
entitlementId String: The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
location String: The region of the Entitlement resource.
maxRequestDuration String: The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
parent String: Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
privilegedAccess EntitlementPrivilegedAccessArgs: Privileged access that this service can be used to gate. Structure is documented below.
requesterJustificationConfig EntitlementRequesterJustificationConfigArgs: Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
additionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs: AdditionalNotificationTargets includes email addresses to be notified.
approvalWorkflow EntitlementApprovalWorkflowArgs: The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.

eligibleUsers EntitlementEligibleUserArgs[]: Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
entitlementId string: The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
location string: The region of the Entitlement resource.
maxRequestDuration string: The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
parent string: Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
privilegedAccess EntitlementPrivilegedAccessArgs: Privileged access that this service can be used to gate. Structure is documented below.
requesterJustificationConfig EntitlementRequesterJustificationConfigArgs: Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
additionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs: AdditionalNotificationTargets includes email addresses to be notified.
approvalWorkflow EntitlementApprovalWorkflowArgs: The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.

eligible_users Sequence[EntitlementEligibleUserArgs]: Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
entitlement_id str: The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
location str: The region of the Entitlement resource.
max_request_duration str: The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
parent str: Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
privileged_access EntitlementPrivilegedAccessArgs: Privileged access that this service can be used to gate. Structure is documented below.
requester_justification_config EntitlementRequesterJustificationConfigArgs: Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
additional_notification_targets EntitlementAdditionalNotificationTargetsArgs: AdditionalNotificationTargets includes email addresses to be notified.
approval_workflow EntitlementApprovalWorkflowArgs: The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.

eligibleUsers List<Property Map>: Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
entitlementId String: The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
location String: The region of the Entitlement resource.
maxRequestDuration String: The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
parent String: Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
privilegedAccess Property Map: Privileged access that this service can be used to gate. Structure is documented below.
requesterJustificationConfig Property Map: Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
additionalNotificationTargets Property Map: AdditionalNotificationTargets includes email addresses to be notified.
approvalWorkflow Property Map: The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.

Outputs

All input properties are implicitly available as output properties. Additionally, the Entitlement resource produces the following output properties:

CreateTime string: Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
Etag string: For Resource freshness validation (https://google.aip.dev/154)
Id string: The provider-assigned unique ID for this managed resource.
Name string: Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
State string: Output only. The current state of the Entitlement.
UpdateTime string: Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

CreateTime string: Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
Etag string: For Resource freshness validation (https://google.aip.dev/154)
Id string: The provider-assigned unique ID for this managed resource.
Name string: Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
State string: Output only. The current state of the Entitlement.
UpdateTime string: Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

createTime String: Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
etag String: For Resource freshness validation (https://google.aip.dev/154)
id String: The provider-assigned unique ID for this managed resource.
name String: Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
state String: Output only. The current state of the Entitlement.
updateTime String: Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

createTime string: Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
etag string: For Resource freshness validation (https://google.aip.dev/154)
id string: The provider-assigned unique ID for this managed resource.
name string: Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
state string: Output only. The current state of the Entitlement.
updateTime string: Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

create_time str: Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
etag str: For Resource freshness validation (https://google.aip.dev/154)
id str: The provider-assigned unique ID for this managed resource.
name str: Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
state str: Output only. The current state of the Entitlement.
update_time str: Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

createTime String: Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
etag String: For Resource freshness validation (https://google.aip.dev/154)
id String: The provider-assigned unique ID for this managed resource.
name String: Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
state String: Output only. The current state of the Entitlement.
updateTime String: Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Look up Existing Entitlement Resource

Get an existing Entitlement resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: EntitlementState, opts?: CustomResourceOptions): Entitlement

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        additional_notification_targets: Optional[EntitlementAdditionalNotificationTargetsArgs] = None,
        approval_workflow: Optional[EntitlementApprovalWorkflowArgs] = None,
        create_time: Optional[str] = None,
        eligible_users: Optional[Sequence[EntitlementEligibleUserArgs]] = None,
        entitlement_id: Optional[str] = None,
        etag: Optional[str] = None,
        location: Optional[str] = None,
        max_request_duration: Optional[str] = None,
        name: Optional[str] = None,
        parent: Optional[str] = None,
        privileged_access: Optional[EntitlementPrivilegedAccessArgs] = None,
        requester_justification_config: Optional[EntitlementRequesterJustificationConfigArgs] = None,
        state: Optional[str] = None,
        update_time: Optional[str] = None) -> Entitlement

func GetEntitlement(ctx *Context, name string, id IDInput, state *EntitlementState, opts ...ResourceOption) (*Entitlement, error)

public static Entitlement Get(string name, Input<string> id, EntitlementState? state, CustomResourceOptions? opts = null)

public static Entitlement get(String name, Output<String> id, EntitlementState state, CustomResourceOptions options)

resources:  _:    type: gcp:privilegedaccessmanager/entitlement:entitlement    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AdditionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs: AdditionalNotificationTargets includes email addresses to be notified.
ApprovalWorkflow EntitlementApprovalWorkflowArgs: The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
CreateTime string: Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
EligibleUsers List<EntitlementEligibleUserArgs>: Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
EntitlementId string: The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
Etag string: For Resource freshness validation (https://google.aip.dev/154)
Location string: The region of the Entitlement resource.
MaxRequestDuration string: The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
Name string: Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
Parent string: Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
PrivilegedAccess EntitlementPrivilegedAccessArgs: Privileged access that this service can be used to gate. Structure is documented below.
RequesterJustificationConfig EntitlementRequesterJustificationConfigArgs: Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
State string: Output only. The current state of the Entitlement.
UpdateTime string: Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

AdditionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs: AdditionalNotificationTargets includes email addresses to be notified.
ApprovalWorkflow EntitlementApprovalWorkflowArgs: The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
CreateTime string: Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
EligibleUsers []EntitlementEligibleUserArgs: Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
EntitlementId string: The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
Etag string: For Resource freshness validation (https://google.aip.dev/154)
Location string: The region of the Entitlement resource.
MaxRequestDuration string: The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
Name string: Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
Parent string: Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
PrivilegedAccess EntitlementPrivilegedAccessArgs: Privileged access that this service can be used to gate. Structure is documented below.
RequesterJustificationConfig EntitlementRequesterJustificationConfigArgs: Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
State string: Output only. The current state of the Entitlement.
UpdateTime string: Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

additionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs: AdditionalNotificationTargets includes email addresses to be notified.
approvalWorkflow EntitlementApprovalWorkflowArgs: The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
createTime String: Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
eligibleUsers List<EntitlementEligibleUserArgs>: Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
entitlementId String: The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
etag String: For Resource freshness validation (https://google.aip.dev/154)
location String: The region of the Entitlement resource.
maxRequestDuration String: The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
name String: Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
parent String: Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
privilegedAccess EntitlementPrivilegedAccessArgs: Privileged access that this service can be used to gate. Structure is documented below.
requesterJustificationConfig EntitlementRequesterJustificationConfigArgs: Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
state String: Output only. The current state of the Entitlement.
updateTime String: Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

additionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs: AdditionalNotificationTargets includes email addresses to be notified.
approvalWorkflow EntitlementApprovalWorkflowArgs: The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
createTime string: Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
eligibleUsers EntitlementEligibleUserArgs[]: Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
entitlementId string: The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
etag string: For Resource freshness validation (https://google.aip.dev/154)
location string: The region of the Entitlement resource.
maxRequestDuration string: The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
name string: Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
parent string: Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
privilegedAccess EntitlementPrivilegedAccessArgs: Privileged access that this service can be used to gate. Structure is documented below.
requesterJustificationConfig EntitlementRequesterJustificationConfigArgs: Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
state string: Output only. The current state of the Entitlement.
updateTime string: Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

additional_notification_targets EntitlementAdditionalNotificationTargetsArgs: AdditionalNotificationTargets includes email addresses to be notified.
approval_workflow EntitlementApprovalWorkflowArgs: The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
create_time str: Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
eligible_users Sequence[EntitlementEligibleUserArgs]: Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
entitlement_id str: The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
etag str: For Resource freshness validation (https://google.aip.dev/154)
location str: The region of the Entitlement resource.
max_request_duration str: The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
name str: Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
parent str: Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
privileged_access EntitlementPrivilegedAccessArgs: Privileged access that this service can be used to gate. Structure is documented below.
requester_justification_config EntitlementRequesterJustificationConfigArgs: Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
state str: Output only. The current state of the Entitlement.
update_time str: Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

additionalNotificationTargets Property Map: AdditionalNotificationTargets includes email addresses to be notified.
approvalWorkflow Property Map: The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
createTime String: Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
eligibleUsers List<Property Map>: Who can create Grants using Entitlement. This list should contain at most one entry Structure is documented below.
entitlementId String: The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
etag String: For Resource freshness validation (https://google.aip.dev/154)
location String: The region of the Entitlement resource.
maxRequestDuration String: The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
name String: Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
parent String: Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
privilegedAccess Property Map: Privileged access that this service can be used to gate. Structure is documented below.
requesterJustificationConfig Property Map: Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
state String: Output only. The current state of the Entitlement.
updateTime String: Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Supporting Types

EntitlementAdditionalNotificationTargets, EntitlementAdditionalNotificationTargetsArgs

AdminEmailRecipients List<string>: Optional. Additional email addresses to be notified when a principal(requester) is granted access.
RequesterEmailRecipients List<string>: Optional. Additional email address to be notified about an eligible entitlement.

AdminEmailRecipients []string: Optional. Additional email addresses to be notified when a principal(requester) is granted access.
RequesterEmailRecipients []string: Optional. Additional email address to be notified about an eligible entitlement.

adminEmailRecipients List<String>: Optional. Additional email addresses to be notified when a principal(requester) is granted access.
requesterEmailRecipients List<String>: Optional. Additional email address to be notified about an eligible entitlement.

adminEmailRecipients string[]: Optional. Additional email addresses to be notified when a principal(requester) is granted access.
requesterEmailRecipients string[]: Optional. Additional email address to be notified about an eligible entitlement.

admin_email_recipients Sequence[str]: Optional. Additional email addresses to be notified when a principal(requester) is granted access.
requester_email_recipients Sequence[str]: Optional. Additional email address to be notified about an eligible entitlement.

adminEmailRecipients List<String>: Optional. Additional email addresses to be notified when a principal(requester) is granted access.
requesterEmailRecipients List<String>: Optional. Additional email address to be notified about an eligible entitlement.

EntitlementApprovalWorkflow, EntitlementApprovalWorkflowArgs

ManualApprovals EntitlementApprovalWorkflowManualApprovals

A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for an Grant. The workflow can consist of multiple serial steps where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step. This can be used to create approval workflows such as

Require an approval from any user in a group G.
Require an approval from any k number of users from a Group G.
Require an approval from any user in a group G and then from a user U. etc. A single user might be part of approvers ACL for multiple steps in this workflow but they can only approve once and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.

ManualApprovals EntitlementApprovalWorkflowManualApprovals

Require an approval from any user in a group G.
Require an approval from any k number of users from a Group G.
Require an approval from any user in a group G and then from a user U. etc. A single user might be part of approvers ACL for multiple steps in this workflow but they can only approve once and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.

manualApprovals EntitlementApprovalWorkflowManualApprovals

Require an approval from any user in a group G.
Require an approval from any k number of users from a Group G.
Require an approval from any user in a group G and then from a user U. etc. A single user might be part of approvers ACL for multiple steps in this workflow but they can only approve once and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.

manualApprovals EntitlementApprovalWorkflowManualApprovals

Require an approval from any user in a group G.
Require an approval from any k number of users from a Group G.
Require an approval from any user in a group G and then from a user U. etc. A single user might be part of approvers ACL for multiple steps in this workflow but they can only approve once and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.

manual_approvals EntitlementApprovalWorkflowManualApprovals

Require an approval from any user in a group G.
Require an approval from any k number of users from a Group G.
Require an approval from any user in a group G and then from a user U. etc. A single user might be part of approvers ACL for multiple steps in this workflow but they can only approve once and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.

manualApprovals Property Map

Require an approval from any user in a group G.
Require an approval from any k number of users from a Group G.
Require an approval from any user in a group G and then from a user U. etc. A single user might be part of approvers ACL for multiple steps in this workflow but they can only approve once and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.

EntitlementApprovalWorkflowManualApprovals, EntitlementApprovalWorkflowManualApprovalsArgs

Steps List<EntitlementApprovalWorkflowManualApprovalsStep>: List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
RequireApproverJustification bool: Optional. Do the approvers need to provide a justification for their actions?

Steps []EntitlementApprovalWorkflowManualApprovalsStep: List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
RequireApproverJustification bool: Optional. Do the approvers need to provide a justification for their actions?

steps List<EntitlementApprovalWorkflowManualApprovalsStep>: List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
requireApproverJustification Boolean: Optional. Do the approvers need to provide a justification for their actions?

steps EntitlementApprovalWorkflowManualApprovalsStep[]: List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
requireApproverJustification boolean: Optional. Do the approvers need to provide a justification for their actions?

steps Sequence[EntitlementApprovalWorkflowManualApprovalsStep]: List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
require_approver_justification bool: Optional. Do the approvers need to provide a justification for their actions?

steps List<Property Map>: List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
requireApproverJustification Boolean: Optional. Do the approvers need to provide a justification for their actions?

EntitlementApprovalWorkflowManualApprovalsStep, EntitlementApprovalWorkflowManualApprovalsStepArgs

Approvers EntitlementApprovalWorkflowManualApprovalsStepApprovers: The potential set of approvers in this step. This list should contain at only one entry. Structure is documented below.
ApprovalsNeeded int: How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
ApproverEmailRecipients List<string>: Optional. Additional email addresses to be notified when a grant is pending approval.

Approvers EntitlementApprovalWorkflowManualApprovalsStepApprovers: The potential set of approvers in this step. This list should contain at only one entry. Structure is documented below.
ApprovalsNeeded int: How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
ApproverEmailRecipients []string: Optional. Additional email addresses to be notified when a grant is pending approval.

approvers EntitlementApprovalWorkflowManualApprovalsStepApprovers: The potential set of approvers in this step. This list should contain at only one entry. Structure is documented below.
approvalsNeeded Integer: How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
approverEmailRecipients List<String>: Optional. Additional email addresses to be notified when a grant is pending approval.

approvers EntitlementApprovalWorkflowManualApprovalsStepApprovers: The potential set of approvers in this step. This list should contain at only one entry. Structure is documented below.
approvalsNeeded number: How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
approverEmailRecipients string[]: Optional. Additional email addresses to be notified when a grant is pending approval.

approvers EntitlementApprovalWorkflowManualApprovalsStepApprovers: The potential set of approvers in this step. This list should contain at only one entry. Structure is documented below.
approvals_needed int: How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
approver_email_recipients Sequence[str]: Optional. Additional email addresses to be notified when a grant is pending approval.

approvers Property Map: The potential set of approvers in this step. This list should contain at only one entry. Structure is documented below.
approvalsNeeded Number: How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
approverEmailRecipients List<String>: Optional. Additional email addresses to be notified when a grant is pending approval.

EntitlementApprovalWorkflowManualApprovalsStepApprovers, EntitlementApprovalWorkflowManualApprovalsStepApproversArgs

Principals List<string>: Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1

Principals []string: Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1

principals List<String>: Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1

principals string[]: Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1

principals Sequence[str]: Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1

principals List<String>: Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1

EntitlementEligibleUser, EntitlementEligibleUserArgs

Principals List<string>: Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"

Principals []string: Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"

principals List<String>: Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"

principals string[]: Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"

principals Sequence[str]: Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"

principals List<String>: Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"

EntitlementPrivilegedAccess, EntitlementPrivilegedAccessArgs

GcpIamAccess EntitlementPrivilegedAccessGcpIamAccess: GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.

GcpIamAccess EntitlementPrivilegedAccessGcpIamAccess: GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.

gcpIamAccess EntitlementPrivilegedAccessGcpIamAccess: GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.

gcpIamAccess EntitlementPrivilegedAccessGcpIamAccess: GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.

gcp_iam_access EntitlementPrivilegedAccessGcpIamAccess: GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.

gcpIamAccess Property Map: GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.

EntitlementPrivilegedAccessGcpIamAccess, EntitlementPrivilegedAccessGcpIamAccessArgs

Resource string: Name of the resource.
ResourceType string: The type of this resource.
RoleBindings List<EntitlementPrivilegedAccessGcpIamAccessRoleBinding>: Role bindings to be created on successful grant. Structure is documented below.

Resource string: Name of the resource.
ResourceType string: The type of this resource.
RoleBindings []EntitlementPrivilegedAccessGcpIamAccessRoleBinding: Role bindings to be created on successful grant. Structure is documented below.

resource String: Name of the resource.
resourceType String: The type of this resource.
roleBindings List<EntitlementPrivilegedAccessGcpIamAccessRoleBinding>: Role bindings to be created on successful grant. Structure is documented below.

resource string: Name of the resource.
resourceType string: The type of this resource.
roleBindings EntitlementPrivilegedAccessGcpIamAccessRoleBinding[]: Role bindings to be created on successful grant. Structure is documented below.

resource str: Name of the resource.
resource_type str: The type of this resource.
role_bindings Sequence[EntitlementPrivilegedAccessGcpIamAccessRoleBinding]: Role bindings to be created on successful grant. Structure is documented below.

resource String: Name of the resource.
resourceType String: The type of this resource.
roleBindings List<Property Map>: Role bindings to be created on successful grant. Structure is documented below.

EntitlementPrivilegedAccessGcpIamAccessRoleBinding, EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs

Role string: IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
ConditionExpression string: The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.

Role string: IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
ConditionExpression string: The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.

role String: IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
conditionExpression String: The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.

role string: IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
conditionExpression string: The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.

role str: IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
condition_expression str: The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.

role String: IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
conditionExpression String: The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.

EntitlementRequesterJustificationConfig, EntitlementRequesterJustificationConfigArgs

NotMandatory EntitlementRequesterJustificationConfigNotMandatory: The justification is not mandatory but can be provided in any of the supported formats.
Unstructured EntitlementRequesterJustificationConfigUnstructured: The requester has to provide a justification in the form of free flowing text.

NotMandatory EntitlementRequesterJustificationConfigNotMandatory: The justification is not mandatory but can be provided in any of the supported formats.
Unstructured EntitlementRequesterJustificationConfigUnstructured: The requester has to provide a justification in the form of free flowing text.

notMandatory EntitlementRequesterJustificationConfigNotMandatory: The justification is not mandatory but can be provided in any of the supported formats.
unstructured EntitlementRequesterJustificationConfigUnstructured: The requester has to provide a justification in the form of free flowing text.

notMandatory EntitlementRequesterJustificationConfigNotMandatory: The justification is not mandatory but can be provided in any of the supported formats.
unstructured EntitlementRequesterJustificationConfigUnstructured: The requester has to provide a justification in the form of free flowing text.

not_mandatory EntitlementRequesterJustificationConfigNotMandatory: The justification is not mandatory but can be provided in any of the supported formats.
unstructured EntitlementRequesterJustificationConfigUnstructured: The requester has to provide a justification in the form of free flowing text.

notMandatory Property Map: The justification is not mandatory but can be provided in any of the supported formats.
unstructured Property Map: The requester has to provide a justification in the form of free flowing text.

Import

Entitlement can be imported using any of these accepted formats:

{{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}

When using the pulumi import command, Entitlement can be imported using one of the formats above. For example:

$ pulumi import gcp:privilegedaccessmanager/entitlement:entitlement default {{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Google Cloud (GCP) Classic pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.

Google Cloud v8.25.1 published on Wednesday, Apr 9, 2025 by Pulumi

pulumi/pulumi-gcp

gcp.privilegedaccessmanager.Entitlement

On this page

On this page

Example Usage

Privileged Access Manager Entitlement Basic

Create Entitlement Resource

Constructor syntax

Parameters

Entitlement Resource Properties

Inputs

Outputs

Look up Existing Entitlement Resource

Supporting Types

EntitlementAdditionalNotificationTargets, EntitlementAdditionalNotificationTargetsArgs

EntitlementApprovalWorkflow, EntitlementApprovalWorkflowArgs

EntitlementApprovalWorkflowManualApprovals, EntitlementApprovalWorkflowManualApprovalsArgs

EntitlementApprovalWorkflowManualApprovalsStep, EntitlementApprovalWorkflowManualApprovalsStepArgs

EntitlementApprovalWorkflowManualApprovalsStepApprovers, EntitlementApprovalWorkflowManualApprovalsStepApproversArgs

EntitlementEligibleUser, EntitlementEligibleUserArgs

EntitlementPrivilegedAccess, EntitlementPrivilegedAccessArgs

EntitlementPrivilegedAccessGcpIamAccess, EntitlementPrivilegedAccessGcpIamAccessArgs

EntitlementPrivilegedAccessGcpIamAccessRoleBinding, EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs

EntitlementRequesterJustificationConfig, EntitlementRequesterJustificationConfigArgs

Import

Package Details

On this page

On this page