Google Cloud v8.25.1 published on Wednesday, Apr 9, 2025 by Pulumi

gcp.privilegedaccessmanager.Entitlement


An Entitlement defines the eligibility of a set of users to obtain predefined access for a limited time, possibly after going through an approval workflow.

To get more information about Entitlement, see:

Example Usage

Privileged Access Manager Entitlement Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Values that recur in the definition are named once up front.
const parentProject = "projects/my-project-name";
const projectResource = "//cloudresourcemanager.googleapis.com/projects/my-project-name";
// Placeholder principal and mailbox: substitute identities from your own organization.
const accessGroup = "group:test@google.com";
const notifyAddress = "user@example.com";

// roles/storage.admin bound at project scope is a broad grant; pick the narrowest
// role and resource that covers the task the entitlement exists for.
// The condition compares request.time with a fixed instant, so the binding stops
// matching once that instant has passed; set it to a time that suits your deployment.
const storageAdminBinding = {
    role: "roles/storage.admin",
    conditionExpression: "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")",
};

// Requesters and approvers are the same group in this sample. Pointing `approvers`
// at a separate group keeps the approval step an independent review.
const approvalStep = {
    approvalsNeeded: 1,
    approverEmailRecipients: [notifyAddress],
    approvers: {
        principals: [accessGroup],
    },
};

// Entitlement that lets members of the eligible group request time-boxed access,
// with a written justification and one manual approval.
const tfentitlement = new gcp.privilegedaccessmanager.Entitlement("tfentitlement", {
    entitlementId: "example-entitlement",
    location: "global",
    // Upper bound for a single grant: 43200 seconds is 12 hours.
    maxRequestDuration: "43200s",
    parent: parentProject,
    requesterJustificationConfig: {
        unstructured: {},
    },
    eligibleUsers: [{
        principals: [accessGroup],
    }],
    privilegedAccess: {
        gcpIamAccess: {
            roleBindings: [storageAdminBinding],
            resource: projectResource,
            resourceType: "cloudresourcemanager.googleapis.com/Project",
        },
    },
    additionalNotificationTargets: {
        adminEmailRecipients: [notifyAddress],
        requesterEmailRecipients: [notifyAddress],
    },
    // Leaving approvalWorkflow unset means no approval is required before access is granted.
    approvalWorkflow: {
        manualApprovals: {
            requireApproverJustification: true,
            steps: [approvalStep],
        },
    },
});
import pulumi
import pulumi_gcp as gcp

# Values that recur in the definition are named once up front.
parent_project = "projects/my-project-name"
project_resource = "//cloudresourcemanager.googleapis.com/projects/my-project-name"
# Placeholder principal and mailbox: substitute identities from your own organization.
access_group = "group:test@google.com"
notify_address = "user@example.com"

# roles/storage.admin bound at project scope is a broad grant; pick the narrowest
# role and resource that covers the task the entitlement exists for.
# The condition compares request.time with a fixed instant, so the binding stops
# matching once that instant has passed; set it to a time that suits your deployment.
storage_admin_binding = {
    "role": "roles/storage.admin",
    "condition_expression": "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")",
}

# Requesters and approvers are the same group in this sample. Pointing "approvers"
# at a separate group keeps the approval step an independent review.
approval_step = {
    "approvals_needed": 1,
    "approver_email_recipients": [notify_address],
    "approvers": {
        "principals": [access_group],
    },
}

# Entitlement that lets members of the eligible group request time-boxed access,
# with a written justification and one manual approval.
tfentitlement = gcp.privilegedaccessmanager.Entitlement(
    "tfentitlement",
    entitlement_id="example-entitlement",
    location="global",
    # Upper bound for a single grant: 43200 seconds is 12 hours.
    max_request_duration="43200s",
    parent=parent_project,
    requester_justification_config={
        "unstructured": {},
    },
    eligible_users=[{
        "principals": [access_group],
    }],
    privileged_access={
        "gcp_iam_access": {
            "role_bindings": [storage_admin_binding],
            "resource": project_resource,
            "resource_type": "cloudresourcemanager.googleapis.com/Project",
        },
    },
    additional_notification_targets={
        "admin_email_recipients": [notify_address],
        "requester_email_recipients": [notify_address],
    },
    # Leaving approval_workflow unset means no approval is required before access is granted.
    approval_workflow={
        "manual_approvals": {
            "require_approver_justification": True,
            "steps": [approval_step],
        },
    },
)
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/privilegedaccessmanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

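// main declares a single Privileged Access Manager entitlement: members of the
// eligible group may request time-boxed access to a project, must supply a
// justification, and need one manual approval before the grant takes effect.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NewEntitlement and EntitlementArgs are the exported names, matching the
		// constructor signature documented for this resource; the lower-case
		// spellings are not exported identifiers and cannot be referenced from
		// outside the package.
		_, err := privilegedaccessmanager.NewEntitlement(ctx, "tfentitlement", &privilegedaccessmanager.EntitlementArgs{
			EntitlementId: pulumi.String("example-entitlement"),
			Location:      pulumi.String("global"),
			// Upper bound for a single grant: 43200 seconds is 12 hours.
			MaxRequestDuration: pulumi.String("43200s"),
			Parent:             pulumi.String("projects/my-project-name"),
			RequesterJustificationConfig: &privilegedaccessmanager.EntitlementRequesterJustificationConfigArgs{
				Unstructured: &privilegedaccessmanager.EntitlementRequesterJustificationConfigUnstructuredArgs{},
			},
			// Placeholder principal: substitute a group from your own organization.
			EligibleUsers: privilegedaccessmanager.EntitlementEligibleUserArray{
				&privilegedaccessmanager.EntitlementEligibleUserArgs{
					Principals: pulumi.StringArray{
						pulumi.String("group:test@google.com"),
					},
				},
			},
			PrivilegedAccess: &privilegedaccessmanager.EntitlementPrivilegedAccessArgs{
				GcpIamAccess: &privilegedaccessmanager.EntitlementPrivilegedAccessGcpIamAccessArgs{
					RoleBindings: privilegedaccessmanager.EntitlementPrivilegedAccessGcpIamAccessRoleBindingArray{
						&privilegedaccessmanager.EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs{
							// roles/storage.admin bound at project scope is a broad grant;
							// pick the narrowest role and resource that covers the task.
							Role: pulumi.String("roles/storage.admin"),
							// The condition compares request.time with a fixed instant, so the
							// binding stops matching once that instant has passed; set it to a
							// time that suits your deployment.
							ConditionExpression: pulumi.String("request.time < timestamp(\"2024-04-23T18:30:00.000Z\")"),
						},
					},
					Resource:     pulumi.String("//cloudresourcemanager.googleapis.com/projects/my-project-name"),
					ResourceType: pulumi.String("cloudresourcemanager.googleapis.com/Project"),
				},
			},
			AdditionalNotificationTargets: &privilegedaccessmanager.EntitlementAdditionalNotificationTargetsArgs{
				AdminEmailRecipients: pulumi.StringArray{
					pulumi.String("user@example.com"),
				},
				RequesterEmailRecipients: pulumi.StringArray{
					pulumi.String("user@example.com"),
				},
			},
			// Leaving ApprovalWorkflow nil means no approval is required before access is granted.
			ApprovalWorkflow: &privilegedaccessmanager.EntitlementApprovalWorkflowArgs{
				ManualApprovals: &privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsArgs{
					RequireApproverJustification: pulumi.Bool(true),
					Steps: privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsStepArray{
						&privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsStepArgs{
							ApprovalsNeeded: pulumi.Int(1),
							ApproverEmailRecipients: pulumi.StringArray{
								pulumi.String("user@example.com"),
							},
							// Approvers are the same group as EligibleUsers in this sample; a
							// separate approver group keeps the approval an independent review.
							Approvers: &privilegedaccessmanager.EntitlementApprovalWorkflowManualApprovalsStepApproversArgs{
								Principals: pulumi.StringArray{
									pulumi.String("group:test@google.com"),
								},
							},
						},
					},
				},
			},
		})
		// The resource handle is not used further, so the constructor's error is the result.
		return err
	})
}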
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

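// Declares a single Privileged Access Manager entitlement: members of the eligible
// group may request time-boxed access to a project, must supply a justification,
// and need one manual approval before the grant takes effect.
return await Deployment.RunAsync(() => 
{
    var tfentitlement = new Gcp.PrivilegedAccessManager.Entitlement("tfentitlement", new()
    {
        EntitlementId = "example-entitlement",
        Location = "global",
        // Upper bound for a single grant: 43200 seconds is 12 hours.
        MaxRequestDuration = "43200s",
        Parent = "projects/my-project-name",
        RequesterJustificationConfig = new Gcp.PrivilegedAccessManager.Inputs.EntitlementRequesterJustificationConfigArgs
        {
            // An empty Unstructured object is passed, as in the other language listings;
            // assigning null would leave the block out of the request altogether.
            Unstructured = new Gcp.PrivilegedAccessManager.Inputs.EntitlementRequesterJustificationConfigUnstructuredArgs(),
        },
        // Placeholder principal: substitute a group from your own organization.
        EligibleUsers = new[]
        {
            new Gcp.PrivilegedAccessManager.Inputs.EntitlementEligibleUserArgs
            {
                Principals = new[]
                {
                    "group:test@google.com",
                },
            },
        },
        PrivilegedAccess = new Gcp.PrivilegedAccessManager.Inputs.EntitlementPrivilegedAccessArgs
        {
            GcpIamAccess = new Gcp.PrivilegedAccessManager.Inputs.EntitlementPrivilegedAccessGcpIamAccessArgs
            {
                RoleBindings = new[]
                {
                    new Gcp.PrivilegedAccessManager.Inputs.EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs
                    {
                        // roles/storage.admin bound at project scope is a broad grant;
                        // pick the narrowest role and resource that covers the task.
                        Role = "roles/storage.admin",
                        // The condition compares request.time with a fixed instant, so the
                        // binding stops matching once that instant has passed; set it to a
                        // time that suits your deployment.
                        ConditionExpression = "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")",
                    },
                },
                Resource = "//cloudresourcemanager.googleapis.com/projects/my-project-name",
                ResourceType = "cloudresourcemanager.googleapis.com/Project",
            },
        },
        AdditionalNotificationTargets = new Gcp.PrivilegedAccessManager.Inputs.EntitlementAdditionalNotificationTargetsArgs
        {
            AdminEmailRecipients = new[]
            {
                "user@example.com",
            },
            RequesterEmailRecipients = new[]
            {
                "user@example.com",
            },
        },
        // Leaving ApprovalWorkflow unset means no approval is required before access is granted.
        ApprovalWorkflow = new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowArgs
        {
            ManualApprovals = new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowManualApprovalsArgs
            {
                RequireApproverJustification = true,
                Steps = new[]
                {
                    new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowManualApprovalsStepArgs
                    {
                        ApprovalsNeeded = 1,
                        ApproverEmailRecipients = new[]
                        {
                            "user@example.com",
                        },
                        // Approvers are the same group as EligibleUsers in this sample; a
                        // separate approver group keeps the approval an independent review.
                        Approvers = new Gcp.PrivilegedAccessManager.Inputs.EntitlementApprovalWorkflowManualApprovalsStepApproversArgs
                        {
                            Principals = new[]
                            {
                                "group:test@google.com",
                            },
                        },
                    },
                },
            },
        },
    });

});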
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.privilegedaccessmanager.entitlement;
import com.pulumi.gcp.privilegedaccessmanager.entitlementArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementRequesterJustificationConfigArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementRequesterJustificationConfigUnstructuredArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementEligibleUserArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementPrivilegedAccessArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementPrivilegedAccessGcpIamAccessArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementAdditionalNotificationTargetsArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementApprovalWorkflowArgs;
import com.pulumi.gcp.privilegedaccessmanager.inputs.EntitlementApprovalWorkflowManualApprovalsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that declares one Privileged Access Manager entitlement:
 * members of the eligible group may request time-boxed access to a project,
 * must supply a justification, and need one manual approval.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the entitlement's nested arguments piece by piece and registers
     * the resource with the deployment.
     */
    public static void stack(Context ctx) {
        // NOTE(review): the import block of this listing names `entitlement` and
        // `entitlementArgs` in lower case and does not import the RoleBindingArgs,
        // ManualApprovalsStepArgs and ManualApprovalsStepApproversArgs input types
        // used below; check the imports against the SDK before compiling.
        var justificationConfig = EntitlementRequesterJustificationConfigArgs.builder()
            .unstructured(EntitlementRequesterJustificationConfigUnstructuredArgs.builder()
                .build())
            .build();

        // Placeholder principal: substitute a group from your own organization.
        var requesters = EntitlementEligibleUserArgs.builder()
            .principals("group:test@google.com")
            .build();

        // roles/storage.admin bound at project scope is a broad grant; pick the
        // narrowest role and resource that covers the task. The condition compares
        // request.time with a fixed instant, so the binding stops matching once that
        // instant has passed; set it to a time that suits your deployment.
        var storageAdminBinding = EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs.builder()
            .role("roles/storage.admin")
            .conditionExpression("request.time < timestamp(\"2024-04-23T18:30:00.000Z\")")
            .build();

        var projectAccess = EntitlementPrivilegedAccessArgs.builder()
            .gcpIamAccess(EntitlementPrivilegedAccessGcpIamAccessArgs.builder()
                .roleBindings(storageAdminBinding)
                .resource("//cloudresourcemanager.googleapis.com/projects/my-project-name")
                .resourceType("cloudresourcemanager.googleapis.com/Project")
                .build())
            .build();

        var notifications = EntitlementAdditionalNotificationTargetsArgs.builder()
            .adminEmailRecipients("user@example.com")
            .requesterEmailRecipients("user@example.com")
            .build();

        // Approvers are the same group as the requesters in this sample; a separate
        // approver group keeps the approval an independent review.
        var approvalStep = EntitlementApprovalWorkflowManualApprovalsStepArgs.builder()
            .approvalsNeeded(1)
            .approverEmailRecipients("user@example.com")
            .approvers(EntitlementApprovalWorkflowManualApprovalsStepApproversArgs.builder()
                .principals("group:test@google.com")
                .build())
            .build();

        // Leaving the approval workflow unset means no approval is required before
        // access is granted.
        var approvals = EntitlementApprovalWorkflowArgs.builder()
            .manualApprovals(EntitlementApprovalWorkflowManualApprovalsArgs.builder()
                .requireApproverJustification(true)
                .steps(approvalStep)
                .build())
            .build();

        var tfentitlement = new Entitlement("tfentitlement", EntitlementArgs.builder()
            .entitlementId("example-entitlement")
            .location("global")
            // Upper bound for a single grant: 43200 seconds is 12 hours.
            .maxRequestDuration("43200s")
            .parent("projects/my-project-name")
            .requesterJustificationConfig(justificationConfig)
            .eligibleUsers(requesters)
            .privilegedAccess(projectAccess)
            .additionalNotificationTargets(notifications)
            .approvalWorkflow(approvals)
            .build());

    }
}
# Declares one Privileged Access Manager entitlement: members of the eligible
# group may request time-boxed access to a project, must supply a justification,
# and need one manual approval before the grant takes effect.
resources:
  tfentitlement:
    type: gcp:privilegedaccessmanager:entitlement
    properties:
      entitlementId: example-entitlement
      location: global
      # Upper bound for a single grant: 43200 seconds is 12 hours.
      maxRequestDuration: 43200s
      parent: projects/my-project-name
      requesterJustificationConfig:
        unstructured: {}
      # Placeholder principal: substitute a group from your own organization.
      eligibleUsers:
        - principals:
            - group:test@google.com
      privilegedAccess:
        gcpIamAccess:
          roleBindings:
            # roles/storage.admin bound at project scope is a broad grant; pick the
            # narrowest role and resource that covers the task.
            - role: roles/storage.admin
              # The condition compares request.time with a fixed instant, so the binding
              # stops matching once that instant has passed; set it to a time that suits
              # your deployment.
              conditionExpression: request.time < timestamp("2024-04-23T18:30:00.000Z")
          resource: //cloudresourcemanager.googleapis.com/projects/my-project-name
          resourceType: cloudresourcemanager.googleapis.com/Project
      additionalNotificationTargets:
        adminEmailRecipients:
          - user@example.com
        requesterEmailRecipients:
          - user@example.com
      # Leaving approvalWorkflow unset means no approval is required before access is granted.
      approvalWorkflow:
        manualApprovals:
          requireApproverJustification: true
          steps:
            - approvalsNeeded: 1
              approverEmailRecipients:
                - user@example.com
              # Approvers are the same group as eligibleUsers in this sample; a separate
              # approver group keeps the approval an independent review.
              approvers:
                principals:
                  - group:test@google.com

Create Entitlement Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Entitlement(name: string, args: EntitlementArgs, opts?: CustomResourceOptions);
@overload
def Entitlement(resource_name: str,
                args: EntitlementArgs,
                opts: Optional[ResourceOptions] = None)

@overload
def Entitlement(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                eligible_users: Optional[Sequence[EntitlementEligibleUserArgs]] = None,
                entitlement_id: Optional[str] = None,
                location: Optional[str] = None,
                max_request_duration: Optional[str] = None,
                parent: Optional[str] = None,
                privileged_access: Optional[EntitlementPrivilegedAccessArgs] = None,
                requester_justification_config: Optional[EntitlementRequesterJustificationConfigArgs] = None,
                additional_notification_targets: Optional[EntitlementAdditionalNotificationTargetsArgs] = None,
                approval_workflow: Optional[EntitlementApprovalWorkflowArgs] = None)
func NewEntitlement(ctx *Context, name string, args EntitlementArgs, opts ...ResourceOption) (*Entitlement, error)
public Entitlement(string name, EntitlementArgs args, CustomResourceOptions? opts = null)
public Entitlement(String name, EntitlementArgs args)
public Entitlement(String name, EntitlementArgs args, CustomResourceOptions options)
type: gcp:privilegedaccessmanager/entitlement:entitlement
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. EntitlementArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. EntitlementArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. EntitlementArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. EntitlementArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. EntitlementArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Entitlement Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Entitlement resource accepts the following input properties:

EligibleUsers This property is required. List<EntitlementEligibleUserArgs>
Who can create Grants using Entitlement. This list should contain at most one entry. Structure is documented below.
EntitlementId
This property is required.
Changes to this property will trigger replacement.
string
The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
Location
This property is required.
Changes to this property will trigger replacement.
string
The region of the Entitlement resource.
MaxRequestDuration This property is required. string
The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
Parent
This property is required.
Changes to this property will trigger replacement.
string
Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
PrivilegedAccess This property is required. EntitlementPrivilegedAccessArgs
Privileged access that this service can be used to gate. Structure is documented below.
RequesterJustificationConfig This property is required. EntitlementRequesterJustificationConfigArgs
Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
AdditionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
AdditionalNotificationTargets includes email addresses to be notified.
ApprovalWorkflow Changes to this property will trigger replacement. EntitlementApprovalWorkflowArgs
The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
EligibleUsers This property is required. []EntitlementEligibleUserArgs
Who can create Grants using Entitlement. This list should contain at most one entry. Structure is documented below.
EntitlementId
This property is required.
Changes to this property will trigger replacement.
string
The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
Location
This property is required.
Changes to this property will trigger replacement.
string
The region of the Entitlement resource.
MaxRequestDuration This property is required. string
The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
Parent
This property is required.
Changes to this property will trigger replacement.
string
Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
PrivilegedAccess This property is required. EntitlementPrivilegedAccessArgs
Privileged access that this service can be used to gate. Structure is documented below.
RequesterJustificationConfig This property is required. EntitlementRequesterJustificationConfigArgs
Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
AdditionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
AdditionalNotificationTargets includes email addresses to be notified.
ApprovalWorkflow Changes to this property will trigger replacement. EntitlementApprovalWorkflowArgs
The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
eligibleUsers This property is required. List<EntitlementEligibleUserArgs>
Who can create Grants using Entitlement. This list should contain at most one entry. Structure is documented below.
entitlementId
This property is required.
Changes to this property will trigger replacement.
String
The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
location
This property is required.
Changes to this property will trigger replacement.
String
The region of the Entitlement resource.
maxRequestDuration This property is required. String
The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
parent
This property is required.
Changes to this property will trigger replacement.
String
Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
privilegedAccess This property is required. EntitlementPrivilegedAccessArgs
Privileged access that this service can be used to gate. Structure is documented below.
requesterJustificationConfig This property is required. EntitlementRequesterJustificationConfigArgs
Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
additionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
AdditionalNotificationTargets includes email addresses to be notified.
approvalWorkflow Changes to this property will trigger replacement. EntitlementApprovalWorkflowArgs
The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
eligibleUsers This property is required. EntitlementEligibleUserArgs[]
Who can create Grants using Entitlement. This list should contain at most one entry. Structure is documented below.
entitlementId
This property is required.
Changes to this property will trigger replacement.
string
The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
location
This property is required.
Changes to this property will trigger replacement.
string
The region of the Entitlement resource.
maxRequestDuration This property is required. string
The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
parent
This property is required.
Changes to this property will trigger replacement.
string
Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
privilegedAccess This property is required. EntitlementPrivilegedAccessArgs
Privileged access that this service can be used to gate. Structure is documented below.
requesterJustificationConfig This property is required. EntitlementRequesterJustificationConfigArgs
Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
additionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
AdditionalNotificationTargets includes email addresses to be notified.
approvalWorkflow Changes to this property will trigger replacement. EntitlementApprovalWorkflowArgs
The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
eligible_users This property is required. Sequence[EntitlementEligibleUserArgs]
Who can create Grants using Entitlement. This list should contain at most one entry. Structure is documented below.
entitlement_id
This property is required.
Changes to this property will trigger replacement.
str
The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
location
This property is required.
Changes to this property will trigger replacement.
str
The region of the Entitlement resource.
max_request_duration This property is required. str
The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
parent
This property is required.
Changes to this property will trigger replacement.
str
Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
privileged_access This property is required. EntitlementPrivilegedAccessArgs
Privileged access that this service can be used to gate. Structure is documented below.
requester_justification_config This property is required. EntitlementRequesterJustificationConfigArgs
Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
additional_notification_targets EntitlementAdditionalNotificationTargetsArgs
AdditionalNotificationTargets includes email addresses to be notified.
approval_workflow Changes to this property will trigger replacement. EntitlementApprovalWorkflowArgs
The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.
eligibleUsers This property is required. List<Property Map>
Who can create Grants using Entitlement. This list should contain at most one entry. Structure is documented below.
entitlementId
This property is required.
Changes to this property will trigger replacement.
String
The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
location
This property is required.
Changes to this property will trigger replacement.
String
The region of the Entitlement resource.
maxRequestDuration This property is required. String
The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
parent
This property is required.
Changes to this property will trigger replacement.
String
Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
privilegedAccess This property is required. Property Map
Privileged access that this service can be used to gate. Structure is documented below.
requesterJustificationConfig This property is required. Property Map
Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
additionalNotificationTargets Property Map
AdditionalNotificationTargets includes email addresses to be notified.
approvalWorkflow Changes to this property will trigger replacement. Property Map
The approvals needed before access will be granted to a requester. No approvals will be needed if this field is null. Different types of approval workflows that can be used to gate privileged access granting.

Outputs

All input properties are implicitly available as output properties. Additionally, the Entitlement resource produces the following output properties:

CreateTime string
Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
Etag string
For Resource freshness validation (https://google.aip.dev/154)
Id string
The provider-assigned unique ID for this managed resource.
Name string
Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
State string
Output only. The current state of the Entitlement.
UpdateTime string
Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
CreateTime string
Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
Etag string
For Resource freshness validation (https://google.aip.dev/154)
Id string
The provider-assigned unique ID for this managed resource.
Name string
Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
State string
Output only. The current state of the Entitlement.
UpdateTime string
Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
createTime String
Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
etag String
For Resource freshness validation (https://google.aip.dev/154)
id String
The provider-assigned unique ID for this managed resource.
name String
Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
state String
Output only. The current state of the Entitlement.
updateTime String
Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
createTime string
Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
etag string
For Resource freshness validation (https://google.aip.dev/154)
id string
The provider-assigned unique ID for this managed resource.
name string
Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
state string
Output only. The current state of the Entitlement.
updateTime string
Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
create_time str
Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
etag str
For Resource freshness validation (https://google.aip.dev/154)
id str
The provider-assigned unique ID for this managed resource.
name str
Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
state str
Output only. The current state of the Entitlement.
update_time str
Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
createTime String
Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
etag String
For Resource freshness validation (https://google.aip.dev/154)
id String
The provider-assigned unique ID for this managed resource.
name String
Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
state String
Output only. The current state of the Entitlement.
updateTime String
Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Look up Existing Entitlement Resource

Get an existing Entitlement resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: EntitlementState, opts?: CustomResourceOptions): Entitlement
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        additional_notification_targets: Optional[EntitlementAdditionalNotificationTargetsArgs] = None,
        approval_workflow: Optional[EntitlementApprovalWorkflowArgs] = None,
        create_time: Optional[str] = None,
        eligible_users: Optional[Sequence[EntitlementEligibleUserArgs]] = None,
        entitlement_id: Optional[str] = None,
        etag: Optional[str] = None,
        location: Optional[str] = None,
        max_request_duration: Optional[str] = None,
        name: Optional[str] = None,
        parent: Optional[str] = None,
        privileged_access: Optional[EntitlementPrivilegedAccessArgs] = None,
        requester_justification_config: Optional[EntitlementRequesterJustificationConfigArgs] = None,
        state: Optional[str] = None,
        update_time: Optional[str] = None) -> Entitlement
func GetEntitlement(ctx *Context, name string, id IDInput, state *EntitlementState, opts ...ResourceOption) (*Entitlement, error)
public static Entitlement Get(string name, Input<string> id, EntitlementState? state, CustomResourceOptions? opts = null)
public static Entitlement get(String name, Output<String> id, EntitlementState state, CustomResourceOptions options)
resources:
  _:
    type: gcp:privilegedaccessmanager/entitlement:entitlement
    get:
      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AdditionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
AdditionalNotificationTargets includes email addresses to be notified.
ApprovalWorkflow Changes to this property will trigger replacement. EntitlementApprovalWorkflowArgs
The approvals needed before access will be granted to a requester. If this field is null, no approvals are needed and an eligible requester's grant is not gated by any reviewer. The value describes the type of approval workflow used to gate privileged access granting.
CreateTime string
Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
EligibleUsers List<EntitlementEligibleUserArgs>
Who can create Grants using Entitlement. This list should contain at most one entry. Structure is documented below.
EntitlementId Changes to this property will trigger replacement. string
The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
Etag string
For Resource freshness validation (https://google.aip.dev/154)
Location Changes to this property will trigger replacement. string
The region of the Entitlement resource.
MaxRequestDuration string
The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
Name string
Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
Parent Changes to this property will trigger replacement. string
Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
PrivilegedAccess EntitlementPrivilegedAccessArgs
Privileged access that this service can be used to gate. Structure is documented below.
RequesterJustificationConfig EntitlementRequesterJustificationConfigArgs
Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
State string
Output only. The current state of the Entitlement.
UpdateTime string
Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
AdditionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
AdditionalNotificationTargets includes email addresses to be notified.
ApprovalWorkflow Changes to this property will trigger replacement. EntitlementApprovalWorkflowArgs
The approvals needed before access will be granted to a requester. If this field is null, no approvals are needed and an eligible requester's grant is not gated by any reviewer. The value describes the type of approval workflow used to gate privileged access granting.
CreateTime string
Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
EligibleUsers []EntitlementEligibleUserArgs
Who can create Grants using Entitlement. This list should contain at most one entry. Structure is documented below.
EntitlementId Changes to this property will trigger replacement. string
The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
Etag string
For Resource freshness validation (https://google.aip.dev/154)
Location Changes to this property will trigger replacement. string
The region of the Entitlement resource.
MaxRequestDuration string
The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
Name string
Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
Parent Changes to this property will trigger replacement. string
Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
PrivilegedAccess EntitlementPrivilegedAccessArgs
Privileged access that this service can be used to gate. Structure is documented below.
RequesterJustificationConfig EntitlementRequesterJustificationConfigArgs
Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
State string
Output only. The current state of the Entitlement.
UpdateTime string
Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
additionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
AdditionalNotificationTargets includes email addresses to be notified.
approvalWorkflow Changes to this property will trigger replacement. EntitlementApprovalWorkflowArgs
The approvals needed before access will be granted to a requester. If this field is null, no approvals are needed and an eligible requester's grant is not gated by any reviewer. The value describes the type of approval workflow used to gate privileged access granting.
createTime String
Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
eligibleUsers List<EntitlementEligibleUserArgs>
Who can create Grants using Entitlement. This list should contain at most one entry. Structure is documented below.
entitlementId Changes to this property will trigger replacement. String
The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
etag String
For Resource freshness validation (https://google.aip.dev/154)
location Changes to this property will trigger replacement. String
The region of the Entitlement resource.
maxRequestDuration String
The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
name String
Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
parent Changes to this property will trigger replacement. String
Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
privilegedAccess EntitlementPrivilegedAccessArgs
Privileged access that this service can be used to gate. Structure is documented below.
requesterJustificationConfig EntitlementRequesterJustificationConfigArgs
Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
state String
Output only. The current state of the Entitlement.
updateTime String
Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
additionalNotificationTargets EntitlementAdditionalNotificationTargetsArgs
AdditionalNotificationTargets includes email addresses to be notified.
approvalWorkflow Changes to this property will trigger replacement. EntitlementApprovalWorkflowArgs
The approvals needed before access will be granted to a requester. If this field is null, no approvals are needed and an eligible requester's grant is not gated by any reviewer. The value describes the type of approval workflow used to gate privileged access granting.
createTime string
Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
eligibleUsers EntitlementEligibleUserArgs[]
Who can create Grants using Entitlement. This list should contain at most one entry. Structure is documented below.
entitlementId Changes to this property will trigger replacement. string
The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
etag string
For Resource freshness validation (https://google.aip.dev/154)
location Changes to this property will trigger replacement. string
The region of the Entitlement resource.
maxRequestDuration string
The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
name string
Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
parent Changes to this property will trigger replacement. string
Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
privilegedAccess EntitlementPrivilegedAccessArgs
Privileged access that this service can be used to gate. Structure is documented below.
requesterJustificationConfig EntitlementRequesterJustificationConfigArgs
Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
state string
Output only. The current state of the Entitlement.
updateTime string
Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
additional_notification_targets EntitlementAdditionalNotificationTargetsArgs
AdditionalNotificationTargets includes email addresses to be notified.
approval_workflow Changes to this property will trigger replacement. EntitlementApprovalWorkflowArgs
The approvals needed before access will be granted to a requester. If this field is null, no approvals are needed and an eligible requester's grant is not gated by any reviewer. The value describes the type of approval workflow used to gate privileged access granting.
create_time str
Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
eligible_users Sequence[EntitlementEligibleUserArgs]
Who can create Grants using Entitlement. This list should contain at most one entry. Structure is documented below.
entitlement_id Changes to this property will trigger replacement. str
The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
etag str
For Resource freshness validation (https://google.aip.dev/154)
location Changes to this property will trigger replacement. str
The region of the Entitlement resource.
max_request_duration str
The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
name str
Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
parent Changes to this property will trigger replacement. str
Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
privileged_access EntitlementPrivilegedAccessArgs
Privileged access that this service can be used to gate. Structure is documented below.
requester_justification_config EntitlementRequesterJustificationConfigArgs
Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
state str
Output only. The current state of the Entitlement.
update_time str
Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
additionalNotificationTargets Property Map
AdditionalNotificationTargets includes email addresses to be notified.
approvalWorkflow Changes to this property will trigger replacement. Property Map
The approvals needed before access will be granted to a requester. If this field is null, no approvals are needed and an eligible requester's grant is not gated by any reviewer. The value describes the type of approval workflow used to gate privileged access granting.
createTime String
Output only. Create time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z"
eligibleUsers List<Property Map>
Who can create Grants using Entitlement. This list should contain at most one entry. Structure is documented below.
entitlementId Changes to this property will trigger replacement. String
The ID to use for this Entitlement. This will become the last part of the resource name. This value should be 4-63 characters, and valid characters are "[a-z]", "[0-9]", and "-". The first character should be from [a-z]. This value should be unique among all other Entitlements under the specified parent.
etag String
For Resource freshness validation (https://google.aip.dev/154)
location Changes to this property will trigger replacement. String
The region of the Entitlement resource.
maxRequestDuration String
The maximum amount of time for which access would be granted for a request. A requester can choose to ask for access for less than this duration but never more. Format: calculate the time in seconds and concatenate it with 's' i.e. 2 hours = "7200s", 45 minutes = "2700s"
name String
Output Only. The entitlement's name follows a hierarchical structure, comprising the organization, folder, or project, alongside the region and a unique entitlement ID. Formats: organizations/{organization-number}/locations/{region}/entitlements/{entitlement-id}, folders/{folder-number}/locations/{region}/entitlements/{entitlement-id}, and projects/{project-id|project-number}/locations/{region}/entitlements/{entitlement-id}.
parent Changes to this property will trigger replacement. String
Format: projects/{project-id|project-number} or organizations/{organization-number} or folders/{folder-number}
privilegedAccess Property Map
Privileged access that this service can be used to gate. Structure is documented below.
requesterJustificationConfig Property Map
Defines the ways in which a requester should provide the justification while requesting for access. Structure is documented below.
state String
Output only. The current state of the Entitlement.
updateTime String
Output only. Update time stamp. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Supporting Types

EntitlementAdditionalNotificationTargets
, EntitlementAdditionalNotificationTargetsArgs

AdminEmailRecipients List<string>
Optional. Additional email addresses to be notified when a principal(requester) is granted access.
RequesterEmailRecipients List<string>
Optional. Additional email address to be notified about an eligible entitlement.
AdminEmailRecipients []string
Optional. Additional email addresses to be notified when a principal(requester) is granted access.
RequesterEmailRecipients []string
Optional. Additional email address to be notified about an eligible entitlement.
adminEmailRecipients List<String>
Optional. Additional email addresses to be notified when a principal(requester) is granted access.
requesterEmailRecipients List<String>
Optional. Additional email address to be notified about an eligible entitlement.
adminEmailRecipients string[]
Optional. Additional email addresses to be notified when a principal(requester) is granted access.
requesterEmailRecipients string[]
Optional. Additional email address to be notified about an eligible entitlement.
admin_email_recipients Sequence[str]
Optional. Additional email addresses to be notified when a principal(requester) is granted access.
requester_email_recipients Sequence[str]
Optional. Additional email address to be notified about an eligible entitlement.
adminEmailRecipients List<String>
Optional. Additional email addresses to be notified when a principal(requester) is granted access.
requesterEmailRecipients List<String>
Optional. Additional email address to be notified about an eligible entitlement.

EntitlementApprovalWorkflow
, EntitlementApprovalWorkflowArgs

ManualApprovals This property is required. EntitlementApprovalWorkflowManualApprovals
A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for a Grant. The workflow can consist of multiple serial steps, where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step. This can be used to create approval workflows such as:

  • Require an approval from any user in a group G.
  • Require an approval from any k number of users from a Group G.
  • Require an approval from any user in a group G and then from a user U, etc.

A single user might be part of the approvers ACL for multiple steps in this workflow, but they can only approve once, and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.
ManualApprovals This property is required. EntitlementApprovalWorkflowManualApprovals
A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for a Grant. The workflow can consist of multiple serial steps, where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step. This can be used to create approval workflows such as:

  • Require an approval from any user in a group G.
  • Require an approval from any k number of users from a Group G.
  • Require an approval from any user in a group G and then from a user U, etc.

A single user might be part of the approvers ACL for multiple steps in this workflow, but they can only approve once, and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.
manualApprovals This property is required. EntitlementApprovalWorkflowManualApprovals
A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for a Grant. The workflow can consist of multiple serial steps, where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step. This can be used to create approval workflows such as:

  • Require an approval from any user in a group G.
  • Require an approval from any k number of users from a Group G.
  • Require an approval from any user in a group G and then from a user U, etc.

A single user might be part of the approvers ACL for multiple steps in this workflow, but they can only approve once, and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.
manualApprovals This property is required. EntitlementApprovalWorkflowManualApprovals
A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for a Grant. The workflow can consist of multiple serial steps, where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step. This can be used to create approval workflows such as:

  • Require an approval from any user in a group G.
  • Require an approval from any k number of users from a Group G.
  • Require an approval from any user in a group G and then from a user U, etc.

A single user might be part of the approvers ACL for multiple steps in this workflow, but they can only approve once, and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.
manual_approvals This property is required. EntitlementApprovalWorkflowManualApprovals
A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for a Grant. The workflow can consist of multiple serial steps, where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step. This can be used to create approval workflows such as:

  • Require an approval from any user in a group G.
  • Require an approval from any k number of users from a Group G.
  • Require an approval from any user in a group G and then from a user U, etc.

A single user might be part of the approvers ACL for multiple steps in this workflow, but they can only approve once, and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.
manualApprovals This property is required. Property Map
A manual approval workflow where users who are designated as approvers need to call the ApproveGrant/DenyGrant APIs for a Grant. The workflow can consist of multiple serial steps, where each step defines who can act as Approver in that step and how many of those users should approve before the workflow moves to the next step. This can be used to create approval workflows such as:

  • Require an approval from any user in a group G.
  • Require an approval from any k number of users from a Group G.
  • Require an approval from any user in a group G and then from a user U, etc.

A single user might be part of the approvers ACL for multiple steps in this workflow, but they can only approve once, and that approval will only be considered to satisfy the approval step at which it was granted. Structure is documented below.

EntitlementApprovalWorkflowManualApprovals, EntitlementApprovalWorkflowManualApprovalsArgs

Steps This property is required. List<EntitlementApprovalWorkflowManualApprovalsStep>
List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
RequireApproverJustification bool
Optional. Do the approvers need to provide a justification for their actions?
Steps This property is required. []EntitlementApprovalWorkflowManualApprovalsStep
List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
RequireApproverJustification bool
Optional. Do the approvers need to provide a justification for their actions?
steps This property is required. List<EntitlementApprovalWorkflowManualApprovalsStep>
List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
requireApproverJustification Boolean
Optional. Do the approvers need to provide a justification for their actions?
steps This property is required. EntitlementApprovalWorkflowManualApprovalsStep[]
List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
requireApproverJustification boolean
Optional. Do the approvers need to provide a justification for their actions?
steps This property is required. Sequence[EntitlementApprovalWorkflowManualApprovalsStep]
List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
require_approver_justification bool
Optional. Do the approvers need to provide a justification for their actions?
steps This property is required. List<Property Map>
List of approval steps in this workflow. These steps would be followed in the specified order sequentially. 1 step is supported for now. Structure is documented below.
requireApproverJustification Boolean
Optional. Do the approvers need to provide a justification for their actions?

EntitlementApprovalWorkflowManualApprovalsStep, EntitlementApprovalWorkflowManualApprovalsStepArgs

Approvers This property is required. EntitlementApprovalWorkflowManualApprovalsStepApprovers
The potential set of approvers in this step. This list should contain at most one entry. Structure is documented below.
ApprovalsNeeded int
How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
ApproverEmailRecipients List<string>
Optional. Additional email addresses to be notified when a grant is pending approval.
Approvers This property is required. EntitlementApprovalWorkflowManualApprovalsStepApprovers
The potential set of approvers in this step. This list should contain at most one entry. Structure is documented below.
ApprovalsNeeded int
How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
ApproverEmailRecipients []string
Optional. Additional email addresses to be notified when a grant is pending approval.
approvers This property is required. EntitlementApprovalWorkflowManualApprovalsStepApprovers
The potential set of approvers in this step. This list should contain at most one entry. Structure is documented below.
approvalsNeeded Integer
How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
approverEmailRecipients List<String>
Optional. Additional email addresses to be notified when a grant is pending approval.
approvers This property is required. EntitlementApprovalWorkflowManualApprovalsStepApprovers
The potential set of approvers in this step. This list should contain at most one entry. Structure is documented below.
approvalsNeeded number
How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
approverEmailRecipients string[]
Optional. Additional email addresses to be notified when a grant is pending approval.
approvers This property is required. EntitlementApprovalWorkflowManualApprovalsStepApprovers
The potential set of approvers in this step. This list should contain at most one entry. Structure is documented below.
approvals_needed int
How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
approver_email_recipients Sequence[str]
Optional. Additional email addresses to be notified when a grant is pending approval.
approvers This property is required. Property Map
The potential set of approvers in this step. This list should contain at most one entry. Structure is documented below.
approvalsNeeded Number
How many users from the above list need to approve. If there are not enough distinct users in the list above then the workflow will indefinitely block. Should always be greater than 0. Currently 1 is the only supported value.
approverEmailRecipients List<String>
Optional. Additional email addresses to be notified when a grant is pending approval.

EntitlementApprovalWorkflowManualApprovalsStepApprovers, EntitlementApprovalWorkflowManualApprovalsStepApproversArgs

Principals This property is required. List<string>
Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
Principals This property is required. []string
Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
principals This property is required. List<String>
Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
principals This property is required. string[]
Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
principals This property is required. Sequence[str]
Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1
principals This property is required. List<String>
Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at: https://cloud.google.com/iam/docs/principal-identifiers#v1

EntitlementEligibleUser, EntitlementEligibleUserArgs

Principals This property is required. List<string>
Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
Principals This property is required. []string
Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
principals This property is required. List<String>
Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
principals This property is required. string[]
Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
principals This property is required. Sequence[str]
Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"
principals This property is required. List<String>
Users who are being allowed for the operation. Each entry should be a valid v1 IAM Principal Identifier. Format for these is documented at "https://cloud.google.com/iam/docs/principal-identifiers#v1"

EntitlementPrivilegedAccess, EntitlementPrivilegedAccessArgs

GcpIamAccess This property is required. EntitlementPrivilegedAccessGcpIamAccess
GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
GcpIamAccess This property is required. EntitlementPrivilegedAccessGcpIamAccess
GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
gcpIamAccess This property is required. EntitlementPrivilegedAccessGcpIamAccess
GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
gcpIamAccess This property is required. EntitlementPrivilegedAccessGcpIamAccess
GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
gcp_iam_access This property is required. EntitlementPrivilegedAccessGcpIamAccess
GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.
gcpIamAccess This property is required. Property Map
GcpIamAccess represents IAM based access control on a GCP resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. Structure is documented below.

EntitlementPrivilegedAccessGcpIamAccess, EntitlementPrivilegedAccessGcpIamAccessArgs

Resource This property is required. string
Name of the resource.
ResourceType This property is required. string
The type of this resource.
RoleBindings This property is required. List<EntitlementPrivilegedAccessGcpIamAccessRoleBinding>
Role bindings to be created on successful grant. Structure is documented below.
Resource This property is required. string
Name of the resource.
ResourceType This property is required. string
The type of this resource.
RoleBindings This property is required. []EntitlementPrivilegedAccessGcpIamAccessRoleBinding
Role bindings to be created on successful grant. Structure is documented below.
resource This property is required. String
Name of the resource.
resourceType This property is required. String
The type of this resource.
roleBindings This property is required. List<EntitlementPrivilegedAccessGcpIamAccessRoleBinding>
Role bindings to be created on successful grant. Structure is documented below.
resource This property is required. string
Name of the resource.
resourceType This property is required. string
The type of this resource.
roleBindings This property is required. EntitlementPrivilegedAccessGcpIamAccessRoleBinding[]
Role bindings to be created on successful grant. Structure is documented below.
resource This property is required. str
Name of the resource.
resource_type This property is required. str
The type of this resource.
role_bindings This property is required. Sequence[EntitlementPrivilegedAccessGcpIamAccessRoleBinding]
Role bindings to be created on successful grant. Structure is documented below.
resource This property is required. String
Name of the resource.
resourceType This property is required. String
The type of this resource.
roleBindings This property is required. List<Property Map>
Role bindings to be created on successful grant. Structure is documented below.

EntitlementPrivilegedAccessGcpIamAccessRoleBinding, EntitlementPrivilegedAccessGcpIamAccessRoleBindingArgs

Role This property is required. string
IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
ConditionExpression string
The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.
Role This property is required. string
IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
ConditionExpression string
The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.
role This property is required. String
IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
conditionExpression String
The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.
role This property is required. string
IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
conditionExpression string
The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.
role This property is required. str
IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
condition_expression str
The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.
role This property is required. String
IAM role to be granted. https://cloud.google.com/iam/docs/roles-overview.
conditionExpression String
The expression field of the IAM condition to be associated with the role. If specified, a user with an active grant for this entitlement would be able to access the resource only if this condition evaluates to true for their request. https://cloud.google.com/iam/docs/conditions-overview#attributes.

EntitlementRequesterJustificationConfig, EntitlementRequesterJustificationConfigArgs

NotMandatory EntitlementRequesterJustificationConfigNotMandatory
The justification is not mandatory but can be provided in any of the supported formats.
Unstructured EntitlementRequesterJustificationConfigUnstructured
The requester has to provide a justification in the form of free flowing text.


NotMandatory EntitlementRequesterJustificationConfigNotMandatory
The justification is not mandatory but can be provided in any of the supported formats.
Unstructured EntitlementRequesterJustificationConfigUnstructured
The requester has to provide a justification in the form of free flowing text.


notMandatory EntitlementRequesterJustificationConfigNotMandatory
The justification is not mandatory but can be provided in any of the supported formats.
unstructured EntitlementRequesterJustificationConfigUnstructured
The requester has to provide a justification in the form of free flowing text.


notMandatory EntitlementRequesterJustificationConfigNotMandatory
The justification is not mandatory but can be provided in any of the supported formats.
unstructured EntitlementRequesterJustificationConfigUnstructured
The requester has to provide a justification in the form of free flowing text.


not_mandatory EntitlementRequesterJustificationConfigNotMandatory
The justification is not mandatory but can be provided in any of the supported formats.
unstructured EntitlementRequesterJustificationConfigUnstructured
The requester has to provide a justification in the form of free flowing text.


notMandatory Property Map
The justification is not mandatory but can be provided in any of the supported formats.
unstructured Property Map
The requester has to provide a justification in the form of free flowing text.


Import

Entitlement can be imported using any of these accepted formats:

  • {{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}

When using the pulumi import command, Entitlement can be imported using one of the formats above. For example:

$ pulumi import gcp:privilegedaccessmanager/entitlement:entitlement default {{parent}}/locations/{{location}}/entitlements/{{entitlement_id}}

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
Google Cloud (GCP) Classic pulumi/pulumi-gcp
License
Apache-2.0
Notes
This Pulumi package is based on the google-beta Terraform Provider.