mirror of
https://github.com/letic/terraform-provider-google.git
synced 2024-09-19 01:29:57 +00:00
114 lines
4.2 KiB
Markdown
114 lines
4.2 KiB
Markdown
---
|
||
layout: "google"
|
||
page_title: "Google: google_service_account_key"
|
||
sidebar_current: "docs-google-service-account-key"
|
||
description: |-
|
||
Allows management of a Google Cloud Platform service account Key Pair
|
||
---
|
||
|
||
# google\_service\_account\_key
|
||
|
||
Creates and manages service account key-pairs, which allow the user to establish identity of a service account outside of GCP. For more information, see [the official documentation](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and [API](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys).
|
||
|
||
|
||
## Example Usage, creating a new Key Pair
|
||
|
||
```hcl
|
||
resource "google_service_account" "myaccount" {
|
||
account_id = "myaccount"
|
||
display_name = "My Service Account"
|
||
}
|
||
|
||
resource "google_service_account_key" "mykey" {
|
||
service_account_id = "${google_service_account.myaccount.name}"
|
||
public_key_type = "TYPE_X509_PEM_FILE"
|
||
}
|
||
```
|
||
|
||
## Example Usage, save key in Kubernetes secret
|
||
|
||
```hcl
|
||
resource "google_service_account" "myaccount" {
|
||
account_id = "myaccount"
|
||
display_name = "My Service Account"
|
||
}
|
||
|
||
resource "google_service_account_key" "mykey" {
|
||
service_account_id = "${google_service_account.myaccount.name}"
|
||
}
|
||
|
||
resource "kubernetes_secret" "google-application-credentials" {
|
||
metadata {
|
||
name = "google-application-credentials"
|
||
}
|
||
data {
|
||
credentials.json = "${base64decode(google_service_account_key.mykey.private_key)}"
|
||
}
|
||
}
|
||
```
|
||
|
||
## Create new Key Pair, encrypting the private key with a PGP Key
|
||
|
||
```hcl
|
||
resource "google_service_account" "myaccount" {
|
||
account_id = "myaccount"
|
||
display_name = "My Service Account"
|
||
}
|
||
|
||
resource "google_service_account_key" "mykey" {
|
||
service_account_id = "${google_service_account.myaccount.name}"
|
||
pgp_key = "keybase:keybaseusername"
|
||
public_key_type = "TYPE_X509_PEM_FILE"
|
||
}
|
||
```
|
||
|
||
## Argument Reference
|
||
|
||
The following arguments are supported:
|
||
|
||
* `service_account_id` - (Required) The Service account id of the Key Pair. This can be a string in the format
|
||
`{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`, where `{ACCOUNT}` is the email address or
|
||
unique id of the service account. If the `{ACCOUNT}` syntax is used, the project will be inferred from the account.
|
||
|
||
* `key_algorithm` - (Optional) The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm.
|
||
Valid values are listed at
|
||
[ServiceAccountPrivateKeyType](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)
|
||
(only used on create)
|
||
|
||
* `public_key_type` (Optional) The output format of the public key requested. X509_PEM is the default output format.
|
||
|
||
* `private_key_type` (Optional) The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
|
||
|
||
* `pgp_key` – (Optional) An optional PGP key to encrypt the resulting private
|
||
key material. Only used when creating or importing a new key pair. May either be
|
||
a base64-encoded public key or a `keybase:keybaseusername` string for looking up
|
||
in Vault.
|
||
|
||
~> **NOTE:** a PGP key is not required, however it is strongly encouraged.
|
||
Without a PGP key, the private key material will be stored in state unencrypted.
|
||
|
||
## Attributes Reference
|
||
|
||
The following attributes are exported in addition to the arguments listed above:
|
||
|
||
* `name` - The name used for this key pair
|
||
|
||
* `public_key` - The public key, base64 encoded
|
||
|
||
* `private_key` - The private key in JSON format, base64 encoded. This is what you normally get as a file when creating
|
||
service account keys through the CLI or web console. This is only populated when creating a new key, and when no
|
||
`pgp_key` is provided.
|
||
|
||
* `private_key_encrypted` – The private key material, base 64 encoded and
|
||
encrypted with the given `pgp_key`. This is only populated when creating a new
|
||
key and `pgp_key` is supplied
|
||
|
||
* `private_key_fingerprint` - The MD5 public key fingerprint for the encrypted
|
||
private key. This is only populated when creating a new key and `pgp_key` is supplied
|
||
|
||
* `valid_after` - The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
|
||
|
||
* `valid_before` - The key can be used before this timestamp.
|
||
A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
|
||
|