--- layout: "google" page_title: "Google: google_service_account_key" sidebar_current: "docs-google-service-account-key" description: |- Allows management of a Google Cloud Platform service account Key Pair --- # google\_service\_account\_key Creates and manages service account key-pairs, which allow the user to establish identity of a service account outside of GCP. For more information, see [the official documentation](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and [API](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys). ## Example Usage, creating a new Key Pair ```hcl resource "google_service_account" "myaccount" { account_id = "myaccount" display_name = "My Service Account" } resource "google_service_account_key" "mykey" { service_account_id = "${google_service_account.myaccount.name}" public_key_type = "TYPE_X509_PEM_FILE" } ``` ## Example Usage, save key in Kubernetes secret ```hcl resource "google_service_account" "myaccount" { account_id = "myaccount" display_name = "My Service Account" } resource "google_service_account_key" "mykey" { service_account_id = "${google_service_account.myaccount.name}" } resource "kubernetes_secret" "google-application-credentials" { metadata = { name = "google-application-credentials" } data { credentials.json = "${base64decode(google_service_account_key.mykey.private_key)}" } } ``` ## Create new Key Pair, encrypting the private key with a PGP Key ```hcl resource "google_service_account" "myaccount" { account_id = "myaccount" display_name = "My Service Account" } resource "google_service_account_key" "mykey" { service_account_id = "${google_service_account.myaccount.name}" pgp_key = "keybase:keybaseusername" public_key_type = "TYPE_X509_PEM_FILE" } ``` ## Argument Reference The following arguments are supported: * `service_account_id` - (Required) The Service account id of the Key Pair. This can be a string in the format `{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`, where `{ACCOUNT}` is the email address or unique id of the service account. If the `{ACCOUNT}` syntax is used, the project will be inferred from the account. * `key_algorithm` - (Optional) The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at [ServiceAccountPrivateKeyType](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm) (only used on create) * `public_key_type` (Optional) The output format of the public key requested. X509_PEM is the default output format. * `private_key_type` (Optional) The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format. * `pgp_key` – (Optional) An optional PGP key to encrypt the resulting private key material. Only used when creating or importing a new key pair. May either be a base64-encoded public key or a `keybase:keybaseusername` string for looking up in Vault. ~> **NOTE:** a PGP key is not required, however it is strongly encouraged. Without a PGP key, the private key material will be stored in state unencrypted. ## Attributes Reference The following attributes are exported in addition to the arguments listed above: * `name` - The name used for this key pair * `public_key` - The public key, base64 encoded * `private_key` - The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key, and when no `pgp_key` is provided. * `private_key_encrypted` – The private key material, base 64 encoded and encrypted with the given `pgp_key`. This is only populated when creating a new key and `pgp_key` is supplied * `private_key_fingerprint` - The MD5 public key fingerprint for the encrypted private key. This is only populated when creating a new key and `pgp_key` is supplied * `valid_after` - The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z". * `valid_before` - The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".