google_service_account_key

Creates and manages service account keys, which allow the use of a service account with Google Cloud.

Example Usage, creating a new Key

resource "google_service_account" "myaccount" {
  account_id   = "myaccount"
  display_name = "My Service Account"
}

resource "google_service_account_key" "mykey" {
  service_account_id = google_service_account.myaccount.name
  public_key_type    = "TYPE_X509_PEM_FILE"
}

Example Usage, creating and regularly rotating a key

resource "google_service_account" "myaccount" {
  account_id   = "myaccount"
  display_name = "My Service Account"
}

# Note: the key is only replaced when Terraform is applied after the rotation
# timestamp changes, so this requires Terraform to be run regularly (e.g. on a schedule).
resource "time_rotating" "mykey_rotation" {
  rotation_days = 30
}

resource "google_service_account_key" "mykey" {
  service_account_id = google_service_account.myaccount.name

  keepers = {
    rotation_time = time_rotating.mykey_rotation.rotation_rfc3339
  }
}
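Because the rotation above only happens when Terraform is actually applied, a practitioner will want an independent check that no user-managed key has outlived the rotation window. The following Python audit is an added example, not part of the provider documentation: it reads the JSON that `gcloud iam service-accounts keys list --iam-account=<email> --format=json` prints (the field names `name`, `keyType`, `validAfterTime` are assumed from that command's output) and the sample data is constructed with placeholder project and key ids.

```python
"""Audit service-account keys for overdue rotation (added example).

Input is the JSON printed by
  gcloud iam service-accounts keys list --iam-account=<email> --format=json
Field names are assumed from that output; the sample below is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

_SA = "projects/example-project/serviceAccounts/myaccount@example-project.iam.gserviceaccount.com"

# Constructed sample in the shape of the gcloud output (placeholder ids).
SAMPLE_KEYS_JSON = json.dumps([
    {   # Google-managed key: rotated by Google, not subject to our policy
        "keyType": "SYSTEM_MANAGED",
        "name": f"{_SA}/keys/aaaa1111",
        "validAfterTime": "2023-01-01T00:00:00Z",
    },
    {   # User-managed key created recently: within the 30-day window
        "keyType": "USER_MANAGED",
        "name": f"{_SA}/keys/bbbb2222",
        "validAfterTime": "2024-02-15T00:00:00Z",
    },
    {   # User-managed key that should have been rotated by now
        "keyType": "USER_MANAGED",
        "name": f"{_SA}/keys/cccc3333",
        "validAfterTime": "2023-11-20T00:00:00Z",
    },
])


def parse_rfc3339(ts: str) -> datetime:
    """gcloud prints UTC timestamps with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_user_managed_keys(keys_json: str, max_age_days: int, now_rfc3339: str) -> dict:
    """Return {key_id: age_in_days} for USER_MANAGED keys older than max_age_days."""
    now = parse_rfc3339(now_rfc3339)
    stale = {}
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue  # system-managed keys are rotated by Google
        age = now - parse_rfc3339(key["validAfterTime"])
        if age > timedelta(days=max_age_days):
            stale[key["name"].rsplit("/", 1)[-1]] = age.days
    return stale


if __name__ == "__main__":
    print(stale_user_managed_keys(SAMPLE_KEYS_JSON, 30, "2024-03-01T00:00:00Z"))
```

Run it against real output by piping the gcloud JSON into `stale_user_managed_keys` with the same `rotation_days` used in the Terraform; a non-empty result means the scheduled apply did not happen.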

Example Usage, save key in Kubernetes secret - DEPRECATED

# Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
# https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

resource "google_service_account" "myaccount" {
  account_id   = "myaccount"
  display_name = "My Service Account"
}

resource "google_service_account_key" "mykey" {
  service_account_id = google_service_account.myaccount.name
}

resource "kubernetes_secret" "google-application-credentials" {
  metadata {
    name = "google-application-credentials"
  }
  data = {
    "credentials.json" = base64decode(google_service_account_key.mykey.private_key)
  }
}

Argument Reference

The following arguments are supported:

Attributes Reference

The following attributes are exported in addition to the arguments listed above:

Import

This resource does not support import.