Gcp/iam
@hivemq/gcp/iam v2026.04.27.34
01 Models
@hivemq/gcp/iam v2026.03.31.1 gcp_iam.ts
Global Arguments
| Argument | Type | Description |
|---|---|---|
| projectId | string | GCP project ID |
fn create_pool(displayName: string, description?: string)
Create a Workload Identity Federation pool (idempotent — skips if exists)
| Argument | Type | Description |
|---|---|---|
| displayName | string | Human-readable pool name |
| description? | string | Pool description |
fn create_github_provider(poolId: string, providerId: string)
Create a GitHub Actions OIDC provider on a WIF pool (idempotent)
| Argument | Type | Description |
|---|---|---|
| poolId | string | WIF pool ID to attach the provider to |
| providerId | string | Provider ID (e.g. github-provider) |
fn create_service_account(displayName: string, description?: string)
Create a GCP service account (idempotent)
| Argument | Type | Description |
|---|---|---|
| displayName | string | Human-readable SA name |
| description? | string | SA description |
fn bind_service_account_to_pool(serviceAccountEmail: string, poolId: string)
Grant roles/iam.workloadIdentityUser on a SA to a WIF pool principal scoped to a GitHub repository
| Argument | Type | Description |
|---|---|---|
| serviceAccountEmail | string | SA email to bind |
| poolId | string | WIF pool ID |
fn grant_external_project_role()
Grant an IAM role to a service account on a project other than this model's own projectId (idempotent)
fn grant_dns_zone_role()
Grant an IAM role to a service account on a specific Cloud DNS managed zone in another project (idempotent). Use this for least-privilege DNS record management scoped to one zone.
fn revoke_dns_zone_role()
Revoke an IAM role from a service account on a specific Cloud DNS managed zone (idempotent — no-op if not granted).
fn grant_project_role()
Grant an IAM role to a service account on the project
fn refresh_access_token()
Exchange the local ADC refresh token for a fresh GCP access token and store it in a swamp vault. Reads credentials from application_default_credentials.json — no gcloud binary required. Defaults to vault 'swamp', key 'GCP_ACCESS_TOKEN'.
fn sync()
Refresh stored pool, provider, and service account state from the GCP API
fn delete_pool(poolId: string)
Delete a Workload Identity Federation pool (also deletes its providers)
| Argument | Type | Description |
|---|---|---|
| poolId | string | Pool ID to delete |
fn delete_service_account(serviceAccountEmail: string)
Delete a GCP service account
| Argument | Type | Description |
|---|---|---|
| serviceAccountEmail | string | SA email to delete |
Resources
- pool (infinite): Workload Identity Federation pool
- provider (infinite): Workload Identity Federation OIDC provider
- serviceAccount (infinite): GCP service account
- iamBinding (infinite): IAM policy binding record
02 Previous Versions
2026.04.01.21 (Apr 1, 2026)
2026.04.01.20 (Apr 1, 2026)
Modified 1 model
2026.03.31.15 (Mar 31, 2026)
2026.03.31.1 (Mar 31, 2026)
Modified 1 model
2026.03.30.13 (Mar 30, 2026)
Modified 1 model
2026.03.30.11 (Mar 30, 2026)
Modified 1 model
2026.03.25.3 (Mar 25, 2026)
2026.03.25.1 (Mar 25, 2026)
03 Stats
F (33 / 100)
Downloads: 18
Archive size: 10.7 KB
- Has README or module doc: 0/2 (missing)
- README has a code example: 0/1 (missing)
- README is substantive: 0/1 (pending)
- Most symbols documented: 1/1 (earned)
- No slow types: 1/1 (earned)
- Has description: 0/1 (missing)
- Platform support declared (or universal): 2/2 (earned)
- License declared: 0/1 (missing)
- Verified public repository: 0/2 (missing)
04 Platforms