
googleServiceAccountKey

Creates and manages service account keys, which allow the use of a service account with Google Cloud.

-> Warning: This resource persists a sensitive credential in plaintext in the remote state used by Terraform. Please take appropriate measures to protect your remote state.

Example Usage, creating a new Key

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*This snippet belongs inside a TerraformStack constructor, so `this` is the stack.
The generated bindings use camelCase property names (accountId, not account_id).*/
const googleServiceAccountMyaccount = new google.serviceAccount.ServiceAccount(
  this,
  "myaccount",
  {
    accountId: "myaccount",
    displayName: "My Service Account",
  }
);
// Google generates the key pair; the private half is returned exactly once and
// then kept in Terraform state (see the warning above).
new google.serviceAccountKey.ServiceAccountKey(this, "mykey", {
  publicKeyType: "TYPE_X509_PEM_FILE",
  serviceAccountId: googleServiceAccountMyaccount.name,
});

Example Usage, creating and regularly rotating a key

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
import * as time from "./.gen/providers/time";
/*This snippet belongs inside a TerraformStack constructor, so `this` is the stack.
The generated bindings use camelCase property names (rotationDays, not rotation_days).*/
const googleServiceAccountMyaccount = new google.serviceAccount.ServiceAccount(
  this,
  "myaccount",
  {
    accountId: "myaccount",
    displayName: "My Service Account",
  }
);
// rotationRfc3339 changes every 30 days; because it is wired into keepers, each
// change forces Terraform to replace the key (create a new one, delete the old).
const timeRotatingMykeyRotation = new time.rotating.Rotating(
  this,
  "mykey_rotation",
  {
    rotationDays: 30,
  }
);
new google.serviceAccountKey.ServiceAccountKey(this, "mykey", {
  // keepers is a plain string map, not a list of blocks
  keepers: {
    rotation_time: timeRotatingMykeyRotation.rotationRfc3339,
  },
  serviceAccountId: googleServiceAccountMyaccount.name,
});

Example Usage, save key in Kubernetes secret - DEPRECATED

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Fn } from "cdktf";
import * as google from "./.gen/providers/google";
import * as kubernetes from "./.gen/providers/kubernetes";
/*This snippet belongs inside a TerraformStack constructor, so `this` is the stack.
The generated bindings use camelCase property names (serviceAccountId, not service_account_id).*/
const googleServiceAccountMyaccount = new google.serviceAccount.ServiceAccount(
  this,
  "myaccount",
  {
    accountId: "myaccount",
    displayName: "My Service Account",
  }
);
const googleServiceAccountKeyMykey =
  new google.serviceAccountKey.ServiceAccountKey(this, "mykey", {
    serviceAccountId: googleServiceAccountMyaccount.name,
  });
// privateKey is the credentials JSON, base64 encoded; Fn.base64decode renders the
// Terraform base64decode() call so the Secret receives the raw JSON file.
// The credential now also lives in the cluster's etcd, not only in Terraform state.
new kubernetes.secret.Secret(this, "google-application-credentials", {
  metadata: {
    name: "google-application-credentials",
  },
  data: {
    "credentials.json": Fn.base64decode(googleServiceAccountKeyMykey.privateKey),
  },
});

Argument Reference

The following arguments are supported:

  • serviceAccountId - (Required) The service account id of the key. This can be a string in the format {account} or projects/{projectId}/serviceAccounts/{account}. If the {account}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if the projects/{projectId}/serviceAccounts/{account} syntax is used, the {account} specified can be the full email address of the service account or the service account's unique id. Substituting - as a wildcard for the {projectId} will infer the project from the account.

  • keyAlgorithm - (Optional) The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create).

  • publicKeyType - (Optional) The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.

  • privateKeyType - (Optional) The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.

  • publicKeyData - (Optional) Public key data to create a service account key for the given service account. The expected format for this field is a base64 encoded X509_PEM, and it conflicts with publicKeyType and privateKeyType. When this is set, you generate the key pair yourself and only upload the public half: Google never holds the private key, and the privateKey attribute is not populated.

  • keepers - (Optional) Arbitrary map of string values that, when changed, will trigger a new key to be generated. Changing any keeper replaces the resource: Terraform creates a new key and deletes the old one, which is what makes the time-based rotation example above work.

Attributes Reference

The following attributes are exported in addition to the arguments listed above:

  • id - an identifier for the resource with format projects/{{project}}/serviceAccounts/{{account}}/keys/{{key}}

  • name - The name used for this key pair

  • publicKey - The public key, base64 encoded

  • privateKey - The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key through this resource; it is empty for keys created from publicKeyData. Terraform marks it as sensitive in plan and output display, but it is still stored in plaintext in state (see the warning above).

  • validAfter - The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

  • validBefore - The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
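The warning at the top of this page and the rotation example both come down to the same two facts: the privateKey attribute is the full Google credentials JSON, base64 encoded, sitting in state, and validAfter tells you how old each key is. The following is an added example (not provider code, not part of the original page) that audits a Terraform state document for google_service_account_key resources: it decodes each private_key back into the credentials file and checks its shape, flags keys with no private key in state (the publicKeyData case), and reports keys older than a rotation window. The state layout it reads is the real state v4 shape, but the sample state, project name, key ids and PEM body are constructed and contain no real key material.

```typescript
// Added example for this page (not provider code): audit a Terraform state
// document for google_service_account_key resources. private_key is the
// base64-encoded Google credentials JSON stored in plaintext in state, so
// anyone who can read state holds the key. valid_after gives the key's age.

interface GoogleCredentialsFile {
  type: string;
  project_id: string;
  private_key_id: string;
  private_key: string;
  client_email: string;
}

// Minimal slice of the Terraform state v4 layout this audit reads.
interface StateInstance { attributes: Record<string, unknown> }
interface StateResource { mode: string; type: string; name: string; instances: StateInstance[] }
interface TerraformState { version: number; resources: StateResource[] }

export interface KeyFinding {
  address: string;            // e.g. "google_service_account_key.mykey"
  keyName: string;            // projects/{project}/serviceAccounts/{account}/keys/{key}
  clientEmail: string | null; // null when no private key could be decoded
  privateKeyId: string | null;
  ageDays: number;            // whole days since valid_after
  rotationOverdue: boolean;   // ageDays > rotation window
  problems: string[];         // issues found while decoding the credential
}

// Decode the private_key attribute into the credentials JSON and validate it.
export function decodeCredentials(privateKeyB64: string): GoogleCredentialsFile {
  const parsed = JSON.parse(atob(privateKeyB64)) as Partial<GoogleCredentialsFile>;
  const required: (keyof GoogleCredentialsFile)[] =
    ["type", "project_id", "private_key_id", "private_key", "client_email"];
  for (const field of required) {
    if (typeof parsed[field] !== "string" || parsed[field] === "") {
      throw new Error(`credentials JSON missing field: ${field}`);
    }
  }
  if (parsed.type !== "service_account") {
    throw new Error(`unexpected credentials type: ${parsed.type}`);
  }
  const pem = /^-----BEGIN PRIVATE KEY-----\n[\s\S]+\n-----END PRIVATE KEY-----\n?$/;
  if (!pem.test(parsed.private_key as string)) {
    throw new Error("private_key is not a PKCS#8 PEM block");
  }
  return parsed as GoogleCredentialsFile;
}

// valid_after/valid_before are RFC3339 with nanoseconds; JS Date parses only
// millisecond precision, so truncate the fraction before parsing.
export function parseRfc3339(ts: string): number {
  const ms = Date.parse(ts.replace(/(\.\d{3})\d+Z$/, "$1Z"));
  if (Number.isNaN(ms)) throw new Error(`bad RFC3339 timestamp: ${ts}`);
  return ms;
}

export function auditState(state: TerraformState, nowMs: number, maxAgeDays: number): KeyFinding[] {
  if (state.version !== 4) throw new Error(`unsupported state version ${state.version}`);
  const findings: KeyFinding[] = [];
  for (const res of state.resources) {
    if (res.mode !== "managed" || res.type !== "google_service_account_key") continue;
    for (const inst of res.instances) {
      const attrs = inst.attributes;
      const problems: string[] = [];
      let creds: GoogleCredentialsFile | null = null;
      const privateKey = attrs["private_key"];
      if (typeof privateKey !== "string" || privateKey === "") {
        // Keys created from public_key_data carry no private key in state:
        // the private half never left the machine that generated it.
        problems.push("no private_key in state (uploaded public key?)");
      } else {
        try { creds = decodeCredentials(privateKey); }
        catch (e) { problems.push(`undecodable private_key: ${(e as Error).message}`); }
      }
      const ageDays = Math.floor((nowMs - parseRfc3339(String(attrs["valid_after"]))) / 86400000);
      findings.push({
        address: `${res.type}.${res.name}`,
        keyName: String(attrs["name"]),
        clientEmail: creds ? creds.client_email : null,
        privateKeyId: creds ? creds.private_key_id : null,
        ageDays,
        rotationOverdue: ageDays > maxAgeDays,
        problems,
      });
    }
  }
  return findings;
}

// Constructed sample state: fake project, fake key ids, fake PEM body.
function fakeCredentials(email: string, keyId: string): string {
  return btoa(JSON.stringify({
    type: "service_account", project_id: "example-project", private_key_id: keyId,
    private_key: "-----BEGIN PRIVATE KEY-----\nNOT-A-REAL-KEY-SAMPLE-ONLY\n-----END PRIVATE KEY-----\n",
    client_email: email,
  }));
}
const SA = "myaccount@example-project.iam.gserviceaccount.com";
export const SAMPLE_STATE: TerraformState = { version: 4, resources: [
  { mode: "managed", type: "google_service_account", name: "myaccount",
    instances: [{ attributes: { account_id: "myaccount", email: SA } }] },
  { mode: "managed", type: "google_service_account_key", name: "mykey", instances: [{ attributes: {
    name: `projects/example-project/serviceAccounts/${SA}/keys/0123abcd`,
    private_key: fakeCredentials(SA, "0123abcd"),
    valid_after: "2014-10-02T15:01:23.045123456Z", valid_before: "2024-10-02T15:01:23.045123456Z" } }] },
  { mode: "managed", type: "google_service_account_key", name: "uploaded", instances: [{ attributes: {
    name: `projects/example-project/serviceAccounts/${SA}/keys/feed5678`,
    private_key: "", valid_after: "2014-12-20T00:00:00Z", valid_before: "2024-12-20T00:00:00Z" } }] },
] };
export const SAMPLE_NOW_MS = Date.parse("2015-01-15T00:00:00Z"); // fixed clock for reproducibility
export const SAMPLE_FINDINGS = auditState(SAMPLE_STATE, SAMPLE_NOW_MS, 90);
```

Run it against a real `terraform state pull` output by replacing SAMPLE_STATE with the parsed JSON and SAMPLE_NOW_MS with Date.now(). A key that decodes cleanly and is older than your rotation window is the one the time_rotating keeper pattern above exists to replace; a finding with problems but no decodable credential is not necessarily a bug, since publicKeyData keys legitimately have nothing to decode.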

Import

This resource does not support import.