Creates and manages service account keys, which allow the use of a service account with Google Cloud.
Example usage:

```hcl
resource "google_service_account" "myaccount" {
  account_id   = "myaccount"
  display_name = "My Service Account"
}

resource "google_service_account_key" "mykey" {
  service_account_id = google_service_account.myaccount.name
  public_key_type    = "TYPE_X509_PEM_FILE"
}
```
Example with scheduled key rotation:

```hcl
resource "google_service_account" "myaccount" {
  account_id   = "myaccount"
  display_name = "My Service Account"
}

# time_rotating comes from the hashicorp/time provider. Its value only advances
# on apply, so this requires Terraform to be run regularly for rotation to happen.
resource "time_rotating" "mykey_rotation" {
  rotation_days = 30
}

resource "google_service_account_key" "mykey" {
  service_account_id = google_service_account.myaccount.name
  # any change to a keeper value forces a new key to be generated
  keepers = {
    rotation_time = time_rotating.mykey_rotation.rotation_rfc3339
  }
}
```
Example storing the key in a Kubernetes secret:

```hcl
# Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
# https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
resource "google_service_account" "myaccount" {
  account_id   = "myaccount"
  display_name = "My Service Account"
}

resource "google_service_account_key" "mykey" {
  service_account_id = google_service_account.myaccount.name
}

resource "kubernetes_secret" "google-application-credentials" {
  metadata {
    name = "google-application-credentials"
  }
  # private_key is base64 encoded and the kubernetes provider base64 encodes
  # `data` itself, so decode it here to avoid double encoding.
  data = {
    "credentials.json" = base64decode(google_service_account_key.mykey.private_key)
  }
}
```
The following arguments are supported:

- `service_account_id` - (Required) The Service account id of the Key. This can be a string in the format `{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. If the `{ACCOUNT}`-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if the `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}` syntax is used, the `{ACCOUNT}` specified can be the full email address of the service account or the service account's unique id. Substituting `-` as a wildcard for the `{PROJECT_ID}` will infer the project from the account.
- `key_algorithm` - (Optional) The algorithm used to generate the key. `KEY_ALG_RSA_2048` is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create).
- `public_key_type` - (Optional) The output format of the public key requested. `TYPE_X509_PEM_FILE` is the default output format.
- `private_key_type` - (Optional) The output format of the private key. `TYPE_GOOGLE_CREDENTIALS_FILE` is the default output format.
- `public_key_data` - (Optional) Public key data to create a service account key for the given service account. The expected format for this field is a base64 encoded X509_PEM, and it conflicts with `public_key_type` and `private_key_type`.
- `keepers` - (Optional) Arbitrary map of values that, when changed, will trigger a new key to be generated.
The following attributes are exported in addition to the arguments listed above:

- `id` - an identifier for the resource with format `projects/{{project}}/serviceAccounts/{{account}}/keys/{{key}}`
- `name` - The name used for this key pair
- `public_key` - The public key, base64 encoded
- `private_key` - The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
- `valid_after` - The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: `"2014-10-02T15:01:23.045123456Z"`.
- `valid_before` - The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: `"2014-10-02T15:01:23.045123456Z"`.
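As an added example (not part of the provider documentation), a small Python helper that decodes the base64 `private_key` attribute into its credentials JSON, checks it has the shape of a service account credentials file, and decides from `valid_after`/`valid_before` whether a key has outlived a rotation window such as the 30-day `time_rotating` schedule above. The embedded key JSON is a constructed placeholder, not a real key.

```python
import base64
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample with the shape of the JSON behind the private_key attribute (PEM body is a placeholder).
SAMPLE_KEY_JSON = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "myaccount@example-project.iam.gserviceaccount.com",
}
SAMPLE_PRIVATE_KEY_B64 = base64.b64encode(json.dumps(SAMPLE_KEY_JSON).encode()).decode()

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def decode_private_key(private_key_b64: str) -> dict:
    """Decode the base64 private_key attribute and check it looks like a credentials file."""
    creds = json.loads(base64.b64decode(private_key_b64))
    missing = [f for f in REQUIRED_FIELDS if f not in creds]
    if missing or creds["type"] != "service_account":
        raise ValueError(f"not a service account credentials file (missing: {missing})")
    if not creds["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key field is not a PEM private key")
    return creds


_RFC3339_UTC = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_rfc3339_utc(ts: str) -> datetime:
    """Parse a Zulu timestamp such as valid_after; nanoseconds are truncated to microseconds."""
    m = _RFC3339_UTC.match(ts)
    if not m:
        raise ValueError(f"unexpected timestamp format: {ts}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    micros = (m.group(2) or "")[:6].ljust(6, "0")  # Python datetimes stop at microseconds
    return base + timedelta(microseconds=int(micros))


def key_age_days(valid_after: str, now: str) -> float:
    """Age of the key in days, measured from its valid_after timestamp."""
    return (parse_rfc3339_utc(now) - parse_rfc3339_utc(valid_after)).total_seconds() / 86400


def needs_rotation(valid_after: str, valid_before: str, now: str, rotation_days: int = 30) -> bool:
    """True if the key is past valid_before or older than the rotation window."""
    if parse_rfc3339_utc(now) >= parse_rfc3339_utc(valid_before):
        return True
    return key_age_days(valid_after, now) >= rotation_days
```

Feed it the values from `terraform output` or the state to audit keys that a missed apply has left older than their rotation window.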
This resource does not support import.