2017-10-25 19:43:20 +00:00
---
layout: "google"
page_title: "Google: google_service_account_key"
sidebar_current: "docs-google-service-account-key"
description: |-
Allows management of a Google Cloud Platform service account Key Pair
---
# google\_service\_account\_key
Creates and manages service account key pairs, which let workloads running outside GCP authenticate as a service account. The private half of the pair is a long-lived bearer credential, so treat every place it lands (Terraform state, files, secrets) as sensitive. For more information, see [the official documentation](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and the [API](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys).
## Example Usage, creating a new Key Pair
```hcl
resource "google_service_account" "myaccount" {
  account_id   = "myaccount"
  display_name = "My Service Account"
}

resource "google_service_account_key" "mykey" {
  service_account_id = "${google_service_account.myaccount.name}"
  public_key_type    = "TYPE_X509_PEM_FILE"
}
```
## Example Usage, save key in Kubernetes secret
```hcl
resource "google_service_account" "myaccount" {
  account_id   = "myaccount"
  display_name = "My Service Account"
}

resource "google_service_account_key" "mykey" {
  service_account_id = "${google_service_account.myaccount.name}"
}

resource "kubernetes_secret" "google-application-credentials" {
  metadata {
    name = "google-application-credentials"
  }

  # private_key is base64 encoded, and kubernetes_secret base64 encodes the
  # data values itself, so decode here to avoid storing a double-encoded file.
  # The key name contains a dot, so it must be quoted.
  data {
    "credentials.json" = "${base64decode(google_service_account_key.mykey.private_key)}"
  }
}
```

A Kubernetes Secret only base64 encodes its contents; anyone who can read Secrets in that namespace can read the service account key.
## Create new Key Pair, encrypting the private key with a PGP Key
```hcl
resource "google_service_account" "myaccount" {
  account_id   = "myaccount"
  display_name = "My Service Account"
}

resource "google_service_account_key" "mykey" {
  service_account_id = "${google_service_account.myaccount.name}"
  pgp_key            = "keybase:keybaseusername"
  public_key_type    = "TYPE_X509_PEM_FILE"
}
```
## Argument Reference
The following arguments are supported:
* `service_account_id` - (Required) The Service account id of the Key Pair. This can be a string in the format
`{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}` , where `{ACCOUNT}` is the email address or
unique id of the service account. If the `{ACCOUNT}` syntax is used, the project will be inferred from the account.
* `key_algorithm` - (Optional) The algorithm used to generate the key. `KEY_ALG_RSA_2048` is the default algorithm.
  Valid values are listed at
  [ServiceAccountKeyAlgorithm](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm);
  `KEY_ALG_RSA_1024` is accepted but should not be chosen for new keys. Only used on create.
* `public_key_type` - (Optional) The output format of the public key requested. `TYPE_X509_PEM_FILE` is the default output format; `TYPE_RAW_PUBLIC_KEY` is the other supported value.
* `private_key_type` - (Optional) The output format of the private key. `TYPE_GOOGLE_CREDENTIALS_FILE` (the JSON credentials file) is the default output format; `TYPE_PKCS12_FILE` is the other supported value.
* `pgp_key` - (Optional) A PGP key used to encrypt the resulting private
  key material. Only used when creating or importing a new key pair. May either be
  a base64-encoded public key or a `keybase:keybaseusername` string, in which case the
  user's public key is fetched from Keybase.
~> **NOTE:** a PGP key is not required, however it is strongly encouraged.
Without a PGP key, the private key material is stored in Terraform state in plaintext, and any resource
fed from it (such as the Kubernetes Secret above) holds a long-lived credential for the service account.
Restrict read access to the state backend and to those consumers accordingly, and revoke the key by
destroying this resource if either is exposed.
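As an added illustration (not the provider's own code), the following Python function resolves the accepted `service_account_id` forms to the canonical `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}` resource name. The project is read from the `*.iam.gserviceaccount.com` domain of a user-managed email when present; for a numeric unique id or a Google-managed email the value does not reveal the project, so the function falls back to the IAM API's `-` wildcard project, which the IAM API documents (the server then infers the project from the account) but this page does not mention. The length and character rules for account and project ids are assumed from GCP's naming constraints.

```python
import re

# Canonical form: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}
_FULL_NAME = re.compile(r"^projects/([^/]+)/serviceAccounts/([^/]+)$")
# User-managed accounts: {account_id}@{project_id}.iam.gserviceaccount.com
# (6-30 lowercase letters, digits or hyphens; assumed from GCP naming rules).
_USER_MANAGED_EMAIL = re.compile(
    r"^[a-z][-a-z0-9]{4,28}[a-z0-9]@([a-z][-a-z0-9]{4,28}[a-z0-9])"
    r"\.iam\.gserviceaccount\.com$"
)
# Unique ids are decimal strings (21 digits in practice).
_UNIQUE_ID = re.compile(r"^[0-9]{1,21}$")


def normalize_service_account_id(sa_id):
    """Resolve a service_account_id value to (project_id, account, resource_name).

    project_id is None when the value does not reveal it (unique id, Google-managed
    email, or an explicit '-' wildcard); the resource name then keeps the IAM API's
    '-' wildcard so the server infers the project from the account.
    Raises ValueError for values that are not a service account reference, or
    where an explicit project contradicts the project in the email domain.
    """
    m = _FULL_NAME.match(sa_id)
    if m:
        project, account = m.groups()
        if project == "-":
            project = None
    else:
        project, account = None, sa_id

    if "@" in account:
        if not account.endswith(".gserviceaccount.com"):
            raise ValueError(f"not a service account email: {account!r}")
        em = _USER_MANAGED_EMAIL.match(account)
        if em:
            if project is None:
                project = em.group(1)
            elif project != em.group(1):
                raise ValueError(
                    f"project {project!r} does not match email domain {em.group(1)!r}"
                )
    elif not _UNIQUE_ID.match(account):
        raise ValueError(f"unrecognised service account id: {account!r}")

    return project, account, f"projects/{project or '-'}/serviceAccounts/{account}"


def is_valid_service_account_id(sa_id):
    """True when normalize_service_account_id accepts the value."""
    try:
        normalize_service_account_id(sa_id)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for value in (
        "myaccount@my-proj.iam.gserviceaccount.com",
        "projects/my-proj/serviceAccounts/123456789012345678901",
        "123456789012345678901",
        "my-proj@appspot.gserviceaccount.com",
    ):
        print(value, "->", normalize_service_account_id(value))
```

The mismatch check matters in practice: a full resource name whose project differs from the email's domain is a sign of a copy-paste error that would otherwise surface only as an opaque API error at apply time.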
## Attributes Reference
The following attributes are exported in addition to the arguments listed above:
* `name` - The name used for this key pair
* `public_key` - The public key, base64 encoded
* `private_key` - The private key in JSON format, base64 encoded. This is what you normally get as a file when creating
  service account keys through the CLI or web console; base64 decode it and write the result to a file to use it as
  application default credentials. This is only populated when creating a new key, and when no `pgp_key` is provided.
* `private_key_encrypted` - The private key material, encrypted with the given `pgp_key` and then base64 encoded.
  This is only populated when creating a new key and `pgp_key` is supplied. Given an output that exposes the
  attribute, the JSON file is recovered with `terraform output <name> | base64 --decode | gpg --decrypt`.
* `private_key_fingerprint` - The hex-encoded fingerprint of the PGP key that encrypted the private key material.
  This is only populated when creating a new key and `pgp_key` is supplied.
* `valid_after` - The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
* `valid_before` - The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
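To show what the `private_key` attribute actually carries and how to act on the `valid_after`/`valid_before` window, here is an added Python example that is not part of the provider or this page. It decodes the base64 credentials JSON and checks the fields a Google client library relies on, writes it to disk with owner-only permissions, parses the RFC3339 nanosecond timestamps (Python's `datetime` keeps microseconds, so the last three digits are dropped), and classifies a key as usable, not yet valid, expired, or due for rotation. The 90-day rotation age is an assumed policy, not something the resource enforces, and the sample credential is constructed with a placeholder instead of real key material.

```python
import base64
import json
import os
import re
from datetime import datetime, timedelta, timezone

_RFC3339_UTC = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z$")


def parse_rfc3339_utc(ts):
    """Parse an RFC3339 UTC 'Zulu' timestamp with up to nine fractional digits.

    datetime only stores microseconds, so fractional digits beyond six are dropped.
    """
    m = _RFC3339_UTC.match(ts)
    if not m:
        raise ValueError(f"unexpected timestamp format: {ts!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "").ljust(9, "0")[:6])
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def decode_private_key(attr, expected_email=None):
    """Decode the base64 private_key attribute (TYPE_GOOGLE_CREDENTIALS_FILE output)
    and check the fields a Google client library needs before trusting the file."""
    creds = json.loads(base64.b64decode(attr, validate=True))
    required = ("type", "project_id", "private_key_id", "private_key", "client_email", "token_uri")
    missing = [k for k in required if k not in creds]
    if missing:
        raise ValueError(f"credentials file missing fields: {missing}")
    if creds["type"] != "service_account":
        raise ValueError(f"unexpected credential type: {creds['type']!r}")
    if not creds["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM PKCS#8 block")
    if expected_email and creds["client_email"] != expected_email:
        raise ValueError(f"key belongs to {creds['client_email']!r}, expected {expected_email!r}")
    return creds


def write_credentials_file(attr, path):
    """Write the decoded JSON to disk readable only by the owner (mode 0600),
    the form a GOOGLE_APPLICATION_CREDENTIALS path is expected to point at."""
    raw = base64.b64decode(attr, validate=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(raw)


def key_status(valid_after, valid_before, now=None, max_age=timedelta(days=90)):
    """Classify a key by its validity window and age.

    max_age is an assumed rotation policy (the resource never rotates keys itself).
    now may be a datetime or an RFC3339 string; defaults to the current time.
    Returns one of 'not_yet_valid', 'expired', 'rotate', 'ok'.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_rfc3339_utc(now)
    start, end = parse_rfc3339_utc(valid_after), parse_rfc3339_utc(valid_before)
    if now < start:
        return "not_yet_valid"
    if now >= end:
        return "expired"
    if now - start > max_age:
        return "rotate"
    return "ok"


# Constructed sample credential in the shape of TYPE_GOOGLE_CREDENTIALS_FILE output;
# the private_key value is a placeholder, not real key material.
SAMPLE_CREDENTIALS = {
    "type": "service_account",
    "project_id": "my-proj",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "myaccount@my-proj.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}
# What the private_key attribute looks like for that file (base64 of the JSON).
SAMPLE_PRIVATE_KEY_ATTR = base64.b64encode(json.dumps(SAMPLE_CREDENTIALS).encode()).decode()

if __name__ == "__main__":
    creds = decode_private_key(SAMPLE_PRIVATE_KEY_ATTR, "myaccount@my-proj.iam.gserviceaccount.com")
    print(creds["client_email"], creds["private_key_id"])
    print(key_status("2014-10-02T15:01:23.045123456Z", "2024-10-02T15:01:23Z",
                     now="2015-06-01T00:00:00Z"))
```

The `expected_email` check guards against wiring the wrong key into a workload, and the `rotate` state is the hook for a rotation job: create a replacement key, roll consumers, then destroy the old `google_service_account_key` resource so the key is revoked rather than merely forgotten.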