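import * as pulumi from "@pulumi/pulumi";

/**
 * This data source provides a Google OpenID Connect (`oidc`) `idToken`. Tokens issued from this data source are typically used to call external services that accept OIDC tokens for authentication (e.g. [Google Cloud Run](https://cloud.google.com/run/docs/authenticating/service-to-service)).
 *
 * For more information see
 * [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html#IDToken).
 *
 * ## Security notes
 *
 * - The returned `idToken` is a bearer credential: whoever holds it can authenticate as the
 *   service account to `targetAudience` until the token expires. Wrap any stack output or
 *   resource input that carries it in `pulumi.secret(...)` so it is encrypted in state and
 *   masked in `pulumi stack output`, and never write it to logs.
 * - `targetAudience` becomes the token's audience (`aud`) claim. Set it to exactly the
 *   identifier the receiving service validates (for Cloud Run, the service URL). A token
 *   minted for one audience is not accepted by another, which bounds the damage if it leaks,
 *   so do not reuse one token across several services.
 * - This data source exposes no `lifetime` argument (unlike `getAccountAccessToken`): the
 *   token's expiry is decided by Google, not by the caller, and the value is read when the
 *   Pulumi program runs. A token persisted in stack outputs therefore goes stale on its own
 *   schedule; re-run the program rather than caching it.
 * - Impersonation mode relies on `roles/iam.serviceAccountTokenCreator`, which lets the
 *   grantee mint credentials for the account. Keep that grant scoped to the specific service
 *   account rather than binding it at project or folder level.
 * - Set `includeEmail` only when the receiving service actually needs the `email` claim;
 *   every extra claim is more data carried by a bearer token.
 *
 * ## Example Usage
 *
 * ### ServiceAccount JSON Credential File.
 * `gcp.serviceaccount.getAccountIdToken` will use the configured provider credentials
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const oidc = gcp.serviceaccount.getAccountIdToken({
 *     targetAudience: "https://foo.bar/",
 * });
 * // Mark the bearer token as secret so it is not stored or printed in plaintext.
 * export const oidcToken = pulumi.secret(oidc.then(oidc => oidc.idToken));
 * ```
 *
 * ### Service Account Impersonation.
 * `gcp.serviceaccount.getAccountIdToken` will use background impersonated credentials provided by `gcp.serviceaccount.getAccountAccessToken`.
 *
 * Note: to use the following, you must grant `targetServiceAccount` the
 * `roles/iam.serviceAccountTokenCreator` role on itself.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const impersonated = gcp.serviceaccount.getAccountAccessToken({
 *     targetServiceAccount: "impersonated-account@project.iam.gserviceaccount.com",
 *     delegates: [],
 *     scopes: [
 *         "userinfo-email",
 *         "cloud-platform",
 *     ],
 *     // Short lifetime: the access token is only needed while this program runs.
 *     lifetime: "300s",
 * });
 * const oidc = gcp.serviceaccount.getAccountIdToken({
 *     targetServiceAccount: "impersonated-account@project.iam.gserviceaccount.com",
 *     delegates: [],
 *     includeEmail: true,
 *     targetAudience: "https://foo.bar/",
 * });
 * export const oidcToken = pulumi.secret(oidc.then(oidc => oidc.idToken));
 * ```
 *
 * ### Invoking Cloud Run Endpoint
 *
 * The following configuration will invoke [Cloud Run](https://cloud.google.com/run/docs/authenticating/service-to-service) endpoint where the service account for the provider has been granted `roles/run.invoker` role previously.
 * `targetAudience` must be the same URL that is being called; Cloud Run rejects tokens minted for a different audience.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 * import * as http from "@pulumi/http";
 *
 * const oidc = gcp.serviceaccount.getAccountIdToken({
 *     targetAudience: "https://your.cloud.run.app/",
 * });
 * const cloudrun = oidc.then(oidc => http.getHttp({
 *     // Keep this https: the token travels as a bearer header.
 *     url: "https://your.cloud.run.app/",
 *     requestHeaders: {
 *         Authorization: `Bearer ${oidc.idToken}`,
 *     },
 * }));
 * export const cloudRunResponse = cloudrun.then(cloudrun => cloudrun.body);
 * ```
 *
 * @param args Audience and optional impersonation settings for the token.
 * @param opts Standard invoke options (provider, parent, version, ...).
 * @returns A promise of the minted `idToken` together with the echoed arguments.
 */
export declare function getAccountIdToken(args: GetAccountIdTokenArgs, opts?: pulumi.InvokeOptions): Promise<GetAccountIdTokenResult>;

/**
 * A collection of arguments for invoking getAccountIdToken.
 */
export interface GetAccountIdTokenArgs {
    /**
     * Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. Used only when using impersonation mode.
     */
    delegates?: string[];
    /**
     * Include the verified email in the claim. Used only when using impersonation mode.
     * Leave unset unless the receiving service needs the `email` claim.
     */
    includeEmail?: boolean;
    /**
     * The audience claim for the `idToken`. Must match exactly what the receiving service
     * validates; a token for one audience cannot be presented to another.
     */
    targetAudience: string;
    /**
     * The email of the service account being impersonated. Used only when using impersonation mode.
     * Setting this switches the call to impersonation mode, which requires
     * `roles/iam.serviceAccountTokenCreator` as described on getAccountIdToken.
     */
    targetServiceAccount?: string;
}

/**
 * A collection of values returned by getAccountIdToken.
 */
export interface GetAccountIdTokenResult {
    readonly delegates?: string[];
    /**
     * The provider-assigned unique ID for this managed resource.
     */
    readonly id: string;
    /**
     * The `idToken` representing the new generated identity.
     * This is a bearer credential: treat it as a secret (`pulumi.secret(...)`) wherever it is
     * exported or passed on, and never log it.
     */
    readonly idToken: string;
    readonly includeEmail?: boolean;
    readonly targetAudience: string;
    readonly targetServiceAccount?: string;
}

/**
 * Output-typed variant of getAccountIdToken: the same data source, but arguments may be
 * Pulumi `Input`s and the result is a `pulumi.Output`, so it composes with other resources.
 *
 * The same security notes apply: the `idToken` in the result is a bearer credential scoped
 * to `targetAudience` with an expiry chosen by Google. Do not export the output unwrapped;
 * apply `pulumi.secret(...)` (or derive it from an already-secret input) so the token is
 * encrypted in state and masked in stack outputs.
 *
 * This data source provides a Google OpenID Connect (`oidc`) `idToken`. Tokens issued from this data source are typically used to call external services that accept OIDC tokens for authentication (e.g. [Google Cloud Run](https://cloud.google.com/run/docs/authenticating/service-to-service)).
 *
 * For more information see
 * [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html#IDToken).
 *
 * ## Example Usage
 *
 * ### ServiceAccount JSON Credential File.
 * `gcp.serviceaccount.getAccountIdToken` will use the configured provider credentials
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const oidc = gcp.serviceaccount.getAccountIdToken({
 *     targetAudience: "https://foo.bar/",
 * });
 * export const oidcToken = pulumi.secret(oidc.then(oidc => oidc.idToken));
 * ```
 *
 * ### Service Account Impersonation.
 * `gcp.serviceaccount.getAccountIdToken` will use background impersonated credentials provided by `gcp.serviceaccount.getAccountAccessToken`.
 *
 * Note: to use the following, you must grant `targetServiceAccount` the
 * `roles/iam.serviceAccountTokenCreator` role on itself.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const impersonated = gcp.serviceaccount.getAccountAccessToken({
 *     targetServiceAccount: "impersonated-account@project.iam.gserviceaccount.com",
 *     delegates: [],
 *     scopes: [
 *         "userinfo-email",
 *         "cloud-platform",
 *     ],
 *     lifetime: "300s",
 * });
 * const oidc = gcp.serviceaccount.getAccountIdToken({
 *     targetServiceAccount: "impersonated-account@project.iam.gserviceaccount.com",
 *     delegates: [],
 *     includeEmail: true,
 *     targetAudience: "https://foo.bar/",
 * });
 * export const oidcToken = pulumi.secret(oidc.then(oidc => oidc.idToken));
 * ```
 *
 * ### Invoking Cloud Run Endpoint
 *
 * The following configuration will invoke [Cloud Run](https://cloud.google.com/run/docs/authenticating/service-to-service) endpoint where the service account for the provider has been granted `roles/run.invoker` role previously.
 * `targetAudience` must be the same URL that is being called.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 * import * as http from "@pulumi/http";
 *
 * const oidc = gcp.serviceaccount.getAccountIdToken({
 *     targetAudience: "https://your.cloud.run.app/",
 * });
 * const cloudrun = oidc.then(oidc => http.getHttp({
 *     url: "https://your.cloud.run.app/",
 *     requestHeaders: {
 *         Authorization: `Bearer ${oidc.idToken}`,
 *     },
 * }));
 * export const cloudRunResponse = cloudrun.then(cloudrun => cloudrun.body);
 * ```
 *
 * @param args Audience and optional impersonation settings, each accepting Pulumi inputs.
 * @param opts Standard invoke-output options.
 * @returns An `Output` resolving to the minted `idToken` and the echoed arguments.
 */
export declare function getAccountIdTokenOutput(args: GetAccountIdTokenOutputArgs, opts?: pulumi.InvokeOutputOptions): pulumi.Output<GetAccountIdTokenResult>;

/**
 * A collection of arguments for invoking getAccountIdToken.
 */
export interface GetAccountIdTokenOutputArgs {
    /**
     * Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name. Used only when using impersonation mode.
     */
    delegates?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Include the verified email in the claim. Used only when using impersonation mode.
     */
    includeEmail?: pulumi.Input<boolean>;
    /**
     * The audience claim for the `idToken`. Must match exactly what the receiving service
     * validates.
     */
    targetAudience: pulumi.Input<string>;
    /**
     * The email of the service account being impersonated. Used only when using impersonation mode.
     */
    targetServiceAccount?: pulumi.Input<string>;
}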