googleServiceAccountKey
Creates and manages service account keys, which allow the use of a service account with Google Cloud.
-> Warning: This resource persists a sensitive credential in plaintext in the remote state used by Terraform. Please take appropriate measures to protect your remote state.
- API documentation
- How-to Guides
- Official Documentation
Example Usage, creating a new Key
```typescript
// Provider bindings are generated by running `cdktf get`.
// See https://cdk.tf/provider-generation for more details.
import * as google from "./.gen/providers/google";

// Runs inside a TerraformStack constructor, where `this` is the stack.
// The generated bindings use camelCase property names (accountId, not account_id).
const googleServiceAccountMyaccount = new google.serviceAccount.ServiceAccount(
  this,
  "myaccount",
  {
    accountId: "myaccount",
    displayName: "My Service Account",
  }
);

// Creates a new user-managed key for the account. The private half is exported as the
// `privateKey` attribute and, as the warning above says, ends up in Terraform state.
new google.serviceAccountKey.ServiceAccountKey(this, "mykey", {
  publicKeyType: "TYPE_X509_PEM_FILE",
  serviceAccountId: googleServiceAccountMyaccount.name,
});
```
Example Usage, creating and regularly rotating a key
```typescript
// Provider bindings are generated by running `cdktf get`.
// See https://cdk.tf/provider-generation for more details.
import * as google from "./.gen/providers/google";
import * as time from "./.gen/providers/time";

// Runs inside a TerraformStack constructor, where `this` is the stack.
const googleServiceAccountMyaccount = new google.serviceAccount.ServiceAccount(
  this,
  "myaccount",
  {
    accountId: "myaccount",
    displayName: "My Service Account",
  }
);

// time_rotating re-computes `rotationRfc3339` every 30 days.
const timeRotatingMykeyRotation = new time.rotating.Rotating(
  this,
  "mykey_rotation",
  {
    rotationDays: 30,
  }
);

// `keepers` is a plain string map. Any change to a keeper value forces the resource to be
// replaced, so each rotation creates a fresh key and destroys the previous one.
new google.serviceAccountKey.ServiceAccountKey(this, "mykey", {
  keepers: {
    rotation_time: timeRotatingMykeyRotation.rotationRfc3339,
  },
  serviceAccountId: googleServiceAccountMyaccount.name,
});
```
Example Usage, save key in Kubernetes secret - DEPRECATED
```typescript
// Provider bindings are generated by running `cdktf get`.
// See https://cdk.tf/provider-generation for more details.
import { Fn } from "cdktf";
import * as google from "./.gen/providers/google";
import * as kubernetes from "./.gen/providers/kubernetes";

// Runs inside a TerraformStack constructor, where `this` is the stack.
const googleServiceAccountMyaccount = new google.serviceAccount.ServiceAccount(
  this,
  "myaccount",
  {
    accountId: "myaccount",
    displayName: "My Service Account",
  }
);

const googleServiceAccountKeyMykey =
  new google.serviceAccountKey.ServiceAccountKey(this, "mykey", {
    serviceAccountId: googleServiceAccountMyaccount.name,
  });

// `privateKey` is the credentials JSON, base64-encoded. Fn.base64decode() is the CDKTF
// form of Terraform's base64decode(); it yields the file content, which the kubernetes
// provider then stores under the `data` key. The key now also lives in the cluster's
// secret store, in addition to Terraform state.
new kubernetes.secret.Secret(this, "google-application-credentials", {
  metadata: {
    name: "google-application-credentials",
  },
  data: {
    "credentials.json": Fn.base64decode(googleServiceAccountKeyMykey.privateKey),
  },
});
```
Argument Reference

The following arguments are supported:

- `serviceAccountId` - (Required) The Service account id of the Key. This can be a string in the format `{account}` or `projects/{projectId}/serviceAccounts/{account}`. If the `{account}`-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if the `projects/{projectId}/serviceAccounts/{account}` syntax is used, the `{account}` specified can be the full email address of the service account or the service account's unique id. Substituting `-` as a wildcard for the `{projectId}` will infer the project from the account.
- `keyAlgorithm` - (Optional) The algorithm used to generate the key. `KEY_ALG_RSA_2048` is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create).
- `publicKeyType` - (Optional) The output format of the public key requested. `TYPE_X509_PEM_FILE` is the default output format.
- `privateKeyType` - (Optional) The output format of the private key. `TYPE_GOOGLE_CREDENTIALS_FILE` is the default output format.
- `publicKeyData` - (Optional) Public key data to create a service account key for the given service account. The expected format for this field is a base64 encoded X509_PEM, and it conflicts with `publicKeyType` and `privateKeyType`. Because Google only ever receives the public half in this flow, the `privateKey` attribute is not populated and no private key material is written to Terraform state.
- `keepers` - (Optional) Arbitrary map of values that, when changed, will trigger a new key to be generated (the resource is replaced, so the previous key is destroyed).
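The forms `serviceAccountId` accepts are easy to get wrong, so here is an added example (not part of the provider documentation or its code) that resolves each form into the canonical `projects/{project}/serviceAccounts/{account}` name the way the text above describes. `resolveServiceAccountId`, `projectFromEmail`, the regular expressions and the `defaultProject` parameter are this example's own; `defaultProject` stands in for the provider's configured project, which is assumed to be what a bare account name is completed with. A `-` project that cannot be inferred locally (a unique id rather than an email) is left as `-` for the API to resolve.

```typescript
// Added example: local resolution of the service_account_id forms.
interface ResolvedServiceAccount {
  project: string;      // inferred project, or "-" when only the API can resolve it
  account: string;      // email or unique id as it appears in the resource name
  resourceName: string; // projects/{project}/serviceAccounts/{account}
}

// Only the default *.iam.gserviceaccount.com domain encodes the project id.
const IAM_EMAIL = /^([^@\/]+)@([^.\/]+)\.iam\.gserviceaccount\.com$/;
const FULL_NAME = /^projects\/([^\/]+)\/serviceAccounts\/([^\/]+)$/;

function projectFromEmail(email: string): string {
  const m = IAM_EMAIL.exec(email);
  // Other domains (e.g. developer.gserviceaccount.com) and numeric unique ids
  // carry no project id, so the wildcard is kept.
  return m ? m[2] : "-";
}

// `defaultProject` plays the role of the provider's configured project (assumption).
function resolveServiceAccountId(id: string, defaultProject?: string): ResolvedServiceAccount {
  const full = FULL_NAME.exec(id);
  if (full) {
    // Explicit project is used as given; "-" is inferred from the account when possible.
    const project = full[1] === "-" ? projectFromEmail(full[2]) : full[1];
    return { project, account: full[2], resourceName: `projects/${project}/serviceAccounts/${full[2]}` };
  }
  if (id.indexOf("/") >= 0) throw new Error("unrecognised service account id: " + id);
  let account = id;
  if (id.indexOf("@") < 0) {
    // {account}-only with a bare name: complete it to the account's email.
    if (!defaultProject) throw new Error("bare account name needs a project: " + id);
    account = `${id}@${defaultProject}.iam.gserviceaccount.com`;
  }
  const project = projectFromEmail(account);
  return { project, account, resourceName: `projects/${project}/serviceAccounts/${account}` };
}

const examples = [
  "myaccount",
  "myaccount@my-project.iam.gserviceaccount.com",
  "projects/-/serviceAccounts/myaccount@my-project.iam.gserviceaccount.com",
  "projects/-/serviceAccounts/123456789012345678901",
];
for (let i = 0; i < examples.length; i++) {
  console.log(examples[i] + " -> " + resolveServiceAccountId(examples[i], "my-project").resourceName);
}
```

The explicit `projects/{projectId}/...` form is passed through unchanged, including a `-` in front of a unique id, because in that case only the API can look up the owning project.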
Attributes Reference

The following attributes are exported in addition to the arguments listed above:

- `id` - an identifier for the resource with format `projects/{{project}}/serviceAccounts/{{account}}/keys/{{key}}`
- `name` - The name used for this key pair
- `publicKey` - The public key, base64 encoded
- `privateKey` - The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key, and it is stored in Terraform state (see the warning above).
- `validAfter` - The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- `validBefore` - The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
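Because `privateKey` is persisted in state and `validAfter`/`validBefore` bound the key's lifetime, a practitioner usually wants a quick way to see which keys a state file is holding and how old they are. The following is an added example, not part of the provider documentation or the provider's code: it reads a Terraform state document (the version 4 layout that `terraform state pull` returns, resources -> instances -> attributes), reports every `google_service_account_key` whose `private_key` attribute is populated, decodes the credentials JSON to identify the account, and flags keys that are expired or older than a rotation threshold. `auditState`, `KeyFinding`, `parseRfc3339` and the base64 helpers are this example's own; the sample state is constructed and its private key is a placeholder, not real key material.

```typescript
// Added example: audit a Terraform state document for service account keys.
interface KeyFinding {
  address: string;            // e.g. google_service_account_key.mykey
  keyName: string;            // projects/{project}/serviceAccounts/{account}/keys/{key}
  privateKeyInState: boolean; // private_key attribute is populated
  clientEmail: string | null; // from the decoded credentials JSON, if it parsed
  expired: boolean;           // valid_before is in the past
  ageDays: number | null;     // days since valid_after
  overdueForRotation: boolean;
}

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Minimal base64 for ASCII text (the credentials JSON is ASCII), so the example does not
// depend on Buffer or atob being present in the runtime that loads it.
function base64Encode(s: string): string {
  let out = "";
  for (let i = 0; i < s.length; i += 3) {
    const n = (s.charCodeAt(i) << 16)
      | ((i + 1 < s.length ? s.charCodeAt(i + 1) : 0) << 8)
      | (i + 2 < s.length ? s.charCodeAt(i + 2) : 0);
    out += B64.charAt(n >> 18) + B64.charAt((n >> 12) & 63)
      + (i + 1 < s.length ? B64.charAt((n >> 6) & 63) : "=")
      + (i + 2 < s.length ? B64.charAt(n & 63) : "=");
  }
  return out;
}

function base64Decode(s: string): string {
  let out = "", acc = 0, bits = 0;
  for (let i = 0; i < s.length; i++) {
    const v = B64.indexOf(s.charAt(i));
    if (v < 0) continue; // skips '=' padding and whitespace
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1;
    }
  }
  return out;
}

// JS Date parses millisecond precision; trim the nanosecond digits the API emits.
function parseRfc3339(ts: string): number {
  return Date.parse(ts.replace(/(\.\d{3})\d+(Z|[+-]\d\d:\d\d)$/, "$1$2"));
}

function auditState(stateJson: string, nowMs: number, maxAgeDays: number): KeyFinding[] {
  const state = JSON.parse(stateJson);
  const findings: KeyFinding[] = [];
  const resources: any[] = Array.isArray(state.resources) ? state.resources : [];
  for (let i = 0; i < resources.length; i++) {
    const r = resources[i];
    if (r.type !== "google_service_account_key") continue;
    const address = (r.module ? r.module + "." : "") + r.type + "." + r.name;
    const instances: any[] = Array.isArray(r.instances) ? r.instances : [];
    for (let j = 0; j < instances.length; j++) {
      const a = instances[j].attributes || {};
      const privateKeyInState = typeof a.private_key === "string" && a.private_key.length > 0;
      let clientEmail: string | null = null;
      if (privateKeyInState) {
        try { // the attribute is the credentials JSON, base64-encoded
          const creds = JSON.parse(base64Decode(a.private_key));
          if (typeof creds.client_email === "string") clientEmail = creds.client_email;
        } catch (e) { /* not parseable; the presence of the key is still reported */ }
      }
      let expired = false;
      let ageDays: number | null = null;
      if (typeof a.valid_before === "string") {
        const vb = parseRfc3339(a.valid_before);
        if (!isNaN(vb)) expired = vb <= nowMs;
      }
      if (typeof a.valid_after === "string") {
        const va = parseRfc3339(a.valid_after);
        if (!isNaN(va)) ageDays = Math.floor((nowMs - va) / 86400000);
      }
      findings.push({
        address, keyName: typeof a.name === "string" ? a.name : "", privateKeyInState,
        clientEmail, expired, ageDays, overdueForRotation: ageDays !== null && ageDays > maxAgeDays,
      });
    }
  }
  return findings;
}

// Constructed sample state; the private key inside is a placeholder, not a real key.
const sampleCredentials = {
  type: "service_account", project_id: "my-project",
  private_key_id: "0000000000000000000000000000000000000000",
  private_key: "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
  client_email: "myaccount@my-project.iam.gserviceaccount.com",
  token_uri: "https://oauth2.googleapis.com/token",
};
const sampleState = JSON.stringify({
  version: 4,
  resources: [
    { mode: "managed", type: "google_service_account", name: "myaccount",
      instances: [{ attributes: { account_id: "myaccount" } }] },
    { mode: "managed", type: "google_service_account_key", name: "mykey",
      instances: [{ attributes: {
        name: "projects/my-project/serviceAccounts/myaccount@my-project.iam.gserviceaccount.com/keys/0000000000000000000000000000000000000000",
        private_key: base64Encode(JSON.stringify(sampleCredentials)),
        valid_after: "2024-01-01T00:00:00.000000000Z",
        valid_before: "9999-12-31T23:59:59.000000000Z",
      } }] },
  ],
});

const report = auditState(sampleState, Date.now(), 30);
for (let k = 0; k < report.length; k++) console.log(JSON.stringify(report[k]));
```

The 30-day threshold matches the rotation example above; a key that exceeds it while `time_rotating` is in place means the rotation did not apply. Run it against real state only on a machine already trusted with that state, since the file contains the keys in the clear.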
Import
This resource does not support import.