gcp.serviceaccount.Key
Explore with Pulumi AI
Example Usage
Creating A New Key
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const myaccount = new gcp.serviceaccount.Account("myaccount", {
    accountId: "myaccount",
    displayName: "My Service Account",
});
const mykey = new gcp.serviceaccount.Key("mykey", {
    serviceAccountId: myaccount.name,
    publicKeyType: "TYPE_X509_PEM_FILE",
});
import pulumi
import pulumi_gcp as gcp
myaccount = gcp.serviceaccount.Account("myaccount",
    account_id="myaccount",
    display_name="My Service Account")
mykey = gcp.serviceaccount.Key("mykey",
    service_account_id=myaccount.name,
    public_key_type="TYPE_X509_PEM_FILE")
package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/serviceaccount"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		myaccount, err := serviceaccount.NewAccount(ctx, "myaccount", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("myaccount"),
			DisplayName: pulumi.String("My Service Account"),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewKey(ctx, "mykey", &serviceaccount.KeyArgs{
			ServiceAccountId: myaccount.Name,
			PublicKeyType:    pulumi.String("TYPE_X509_PEM_FILE"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() => 
{
    var myaccount = new Gcp.ServiceAccount.Account("myaccount", new()
    {
        AccountId = "myaccount",
        DisplayName = "My Service Account",
    });
    var mykey = new Gcp.ServiceAccount.Key("mykey", new()
    {
        ServiceAccountId = myaccount.Name,
        PublicKeyType = "TYPE_X509_PEM_FILE",
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.serviceaccount.Account;
import com.pulumi.gcp.serviceaccount.AccountArgs;
import com.pulumi.gcp.serviceaccount.Key;
import com.pulumi.gcp.serviceaccount.KeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var myaccount = new Account("myaccount", AccountArgs.builder()
            .accountId("myaccount")
            .displayName("My Service Account")
            .build());
        var mykey = new Key("mykey", KeyArgs.builder()
            .serviceAccountId(myaccount.name())
            .publicKeyType("TYPE_X509_PEM_FILE")
            .build());
    }
}
resources:
  myaccount:
    type: gcp:serviceaccount:Account
    properties:
      accountId: myaccount
      displayName: My Service Account
  mykey:
    type: gcp:serviceaccount:Key
    properties:
      serviceAccountId: ${myaccount.name}
      publicKeyType: TYPE_X509_PEM_FILE
Creating And Regularly Rotating A Key
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as time from "@pulumiverse/time";
const myaccount = new gcp.serviceaccount.Account("myaccount", {
    accountId: "myaccount",
    displayName: "My Service Account",
});
// note this requires the terraform to be run regularly
const mykeyRotation = new time.Rotating("mykey_rotation", {rotationDays: 30});
const mykey = new gcp.serviceaccount.Key("mykey", {
    serviceAccountId: myaccount.name,
    keepers: {
        rotation_time: mykeyRotation.rotationRfc3339,
    },
});
import pulumi
import pulumi_gcp as gcp
import pulumiverse_time as time
myaccount = gcp.serviceaccount.Account("myaccount",
    account_id="myaccount",
    display_name="My Service Account")
# note this requires the terraform to be run regularly
mykey_rotation = time.Rotating("mykey_rotation", rotation_days=30)
mykey = gcp.serviceaccount.Key("mykey",
    service_account_id=myaccount.name,
    keepers={
        "rotation_time": mykey_rotation.rotation_rfc3339,
    })
package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/serviceaccount"
	"github.com/pulumi/pulumi-time/sdk/go/time"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		myaccount, err := serviceaccount.NewAccount(ctx, "myaccount", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("myaccount"),
			DisplayName: pulumi.String("My Service Account"),
		})
		if err != nil {
			return err
		}
		// note this requires the terraform to be run regularly
		mykeyRotation, err := time.NewRotating(ctx, "mykey_rotation", &time.RotatingArgs{
			RotationDays: pulumi.Int(30),
		})
		if err != nil {
			return err
		}
		_, err = serviceaccount.NewKey(ctx, "mykey", &serviceaccount.KeyArgs{
			ServiceAccountId: myaccount.Name,
			Keepers: pulumi.StringMap{
				"rotation_time": mykeyRotation.RotationRfc3339,
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Time = Pulumiverse.Time;
return await Deployment.RunAsync(() => 
{
    var myaccount = new Gcp.ServiceAccount.Account("myaccount", new()
    {
        AccountId = "myaccount",
        DisplayName = "My Service Account",
    });
    // note this requires the terraform to be run regularly
    var mykeyRotation = new Time.Rotating("mykey_rotation", new()
    {
        RotationDays = 30,
    });
    var mykey = new Gcp.ServiceAccount.Key("mykey", new()
    {
        ServiceAccountId = myaccount.Name,
        Keepers = 
        {
            { "rotation_time", mykeyRotation.RotationRfc3339 },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.serviceaccount.Account;
import com.pulumi.gcp.serviceaccount.AccountArgs;
import com.pulumiverse.time.Rotating;
import com.pulumiverse.time.RotatingArgs;
import com.pulumi.gcp.serviceaccount.Key;
import com.pulumi.gcp.serviceaccount.KeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var myaccount = new Account("myaccount", AccountArgs.builder()
            .accountId("myaccount")
            .displayName("My Service Account")
            .build());
        // note this requires the terraform to be run regularly
        var mykeyRotation = new Rotating("mykeyRotation", RotatingArgs.builder()
            .rotationDays(30)
            .build());
        var mykey = new Key("mykey", KeyArgs.builder()
            .serviceAccountId(myaccount.name())
            .keepers(Map.of("rotation_time", mykeyRotation.rotationRfc3339()))
            .build());
    }
}
resources:
  myaccount:
    type: gcp:serviceaccount:Account
    properties:
      accountId: myaccount
      displayName: My Service Account
  # note this requires the terraform to be run regularly
  mykeyRotation:
    type: time:Rotating
    name: mykey_rotation
    properties:
      rotationDays: 30
  mykey:
    type: gcp:serviceaccount:Key
    properties:
      serviceAccountId: ${myaccount.name}
      keepers:
        rotation_time: ${mykeyRotation.rotationRfc3339}
Save Key In Kubernetes Secret - DEPRECATED
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as kubernetes from "@pulumi/kubernetes";
import * as std from "@pulumi/std";
// Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
// https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
const myaccount = new gcp.serviceaccount.Account("myaccount", {
    accountId: "myaccount",
    displayName: "My Service Account",
});
const mykey = new gcp.serviceaccount.Key("mykey", {serviceAccountId: myaccount.name});
const google_application_credentials = new kubernetes.core.v1.Secret("google-application-credentials", {
    metadata: {
        name: "google-application-credentials",
    },
    data: {
        "credentials.json": std.base64decodeOutput({
            input: mykey.privateKey,
        }).apply(invoke => invoke.result),
    },
});
import pulumi
import pulumi_gcp as gcp
import pulumi_kubernetes as kubernetes
import pulumi_std as std
# Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
# https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
myaccount = gcp.serviceaccount.Account("myaccount",
    account_id="myaccount",
    display_name="My Service Account")
mykey = gcp.serviceaccount.Key("mykey", service_account_id=myaccount.name)
google_application_credentials = kubernetes.core.v1.Secret("google-application-credentials",
    metadata={
        "name": "google-application-credentials",
    },
    data={
        "credentials.json": std.base64decode_output(input=mykey.private_key).apply(lambda invoke: invoke.result),
    })
package main
import (
	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/serviceaccount"
	corev1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/core/v1"
	metav1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/meta/v1"
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
		// https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
		myaccount, err := serviceaccount.NewAccount(ctx, "myaccount", &serviceaccount.AccountArgs{
			AccountId:   pulumi.String("myaccount"),
			DisplayName: pulumi.String("My Service Account"),
		})
		if err != nil {
			return err
		}
		mykey, err := serviceaccount.NewKey(ctx, "mykey", &serviceaccount.KeyArgs{
			ServiceAccountId: myaccount.Name,
		})
		if err != nil {
			return err
		}
		_, err = corev1.NewSecret(ctx, "google-application-credentials", &corev1.SecretArgs{
			Metadata: &metav1.ObjectMetaArgs{
				Name: pulumi.String("google-application-credentials"),
			},
			Data: pulumi.StringMap{
				"credentials.json": pulumi.String(std.Base64decodeOutput(ctx, std.Base64decodeOutputArgs{
					Input: mykey.PrivateKey,
				}, nil).ApplyT(func(invoke std.Base64decodeResult) (*string, error) {
					return invoke.Result, nil
				}).(pulumi.StringPtrOutput)),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Kubernetes = Pulumi.Kubernetes;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() => 
{
    // Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
    // https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
    var myaccount = new Gcp.ServiceAccount.Account("myaccount", new()
    {
        AccountId = "myaccount",
        DisplayName = "My Service Account",
    });
    var mykey = new Gcp.ServiceAccount.Key("mykey", new()
    {
        ServiceAccountId = myaccount.Name,
    });
    var google_application_credentials = new Kubernetes.Core.V1.Secret("google-application-credentials", new()
    {
        Metadata = new Kubernetes.Types.Inputs.Meta.V1.ObjectMetaArgs
        {
            Name = "google-application-credentials",
        },
        Data = 
        {
            { "credentials.json", Std.Base64decode.Invoke(new()
            {
                Input = mykey.PrivateKey,
            }).Apply(invoke => invoke.Result) },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.serviceaccount.Account;
import com.pulumi.gcp.serviceaccount.AccountArgs;
import com.pulumi.gcp.serviceaccount.Key;
import com.pulumi.gcp.serviceaccount.KeyArgs;
import com.pulumi.kubernetes.core_v1.Secret;
import com.pulumi.kubernetes.core_v1.SecretArgs;
import com.pulumi.kubernetes.meta_v1.inputs.ObjectMetaArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.Base64decodeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        // Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
        // https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
        var myaccount = new Account("myaccount", AccountArgs.builder()
            .accountId("myaccount")
            .displayName("My Service Account")
            .build());
        var mykey = new Key("mykey", KeyArgs.builder()
            .serviceAccountId(myaccount.name())
            .build());
        var google_application_credentials = new Secret("google-application-credentials", SecretArgs.builder()
            .metadata(ObjectMetaArgs.builder()
                .name("google-application-credentials")
                .build())
            .data(Map.of("credentials.json", StdFunctions.base64decode(Base64decodeArgs.builder()
                .input(mykey.privateKey())
                .build()).applyValue(_invoke -> _invoke.result())))
            .build());
    }
}
resources:
  # Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
  # https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
  myaccount:
    type: gcp:serviceaccount:Account
    properties:
      accountId: myaccount
      displayName: My Service Account
  mykey:
    type: gcp:serviceaccount:Key
    properties:
      serviceAccountId: ${myaccount.name}
  google-application-credentials:
    type: kubernetes:core/v1:Secret
    properties:
      metadata:
        name: google-application-credentials
      data:
        credentials.json:
          fn::invoke:
            function: std:base64decode
            arguments:
              input: ${mykey.privateKey}
            return: result
Create Key Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Key(name: string, args: KeyArgs, opts?: CustomResourceOptions);@overload
def Key(resource_name: str,
        args: KeyArgs,
        opts: Optional[ResourceOptions] = None)
@overload
def Key(resource_name: str,
        opts: Optional[ResourceOptions] = None,
        service_account_id: Optional[str] = None,
        keepers: Optional[Mapping[str, str]] = None,
        key_algorithm: Optional[str] = None,
        private_key_type: Optional[str] = None,
        public_key_data: Optional[str] = None,
        public_key_type: Optional[str] = None)func NewKey(ctx *Context, name string, args KeyArgs, opts ...ResourceOption) (*Key, error)public Key(string name, KeyArgs args, CustomResourceOptions? opts = null)type: gcp:serviceaccount:Key
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args KeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args KeyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args KeyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args KeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args KeyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var keyResource = new Gcp.ServiceAccount.Key("keyResource", new()
{
    ServiceAccountId = "string",
    Keepers = 
    {
        { "string", "string" },
    },
    KeyAlgorithm = "string",
    PrivateKeyType = "string",
    PublicKeyData = "string",
    PublicKeyType = "string",
});
example, err := serviceaccount.NewKey(ctx, "keyResource", &serviceaccount.KeyArgs{
	ServiceAccountId: pulumi.String("string"),
	Keepers: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	KeyAlgorithm:   pulumi.String("string"),
	PrivateKeyType: pulumi.String("string"),
	PublicKeyData:  pulumi.String("string"),
	PublicKeyType:  pulumi.String("string"),
})
var keyResource = new Key("keyResource", KeyArgs.builder()
    .serviceAccountId("string")
    .keepers(Map.of("string", "string"))
    .keyAlgorithm("string")
    .privateKeyType("string")
    .publicKeyData("string")
    .publicKeyType("string")
    .build());
key_resource = gcp.serviceaccount.Key("keyResource",
    service_account_id="string",
    keepers={
        "string": "string",
    },
    key_algorithm="string",
    private_key_type="string",
    public_key_data="string",
    public_key_type="string")
const keyResource = new gcp.serviceaccount.Key("keyResource", {
    serviceAccountId: "string",
    keepers: {
        string: "string",
    },
    keyAlgorithm: "string",
    privateKeyType: "string",
    publicKeyData: "string",
    publicKeyType: "string",
});
type: gcp:serviceaccount:Key
properties:
    keepers:
        string: string
    keyAlgorithm: string
    privateKeyType: string
    publicKeyData: string
    publicKeyType: string
    serviceAccountId: string
Key Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Key resource accepts the following input properties:
- ServiceAccount stringId 
- The Service account id of the Key. This can be a string in the format
{ACCOUNT}orprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the{ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if theprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}syntax is used, the{ACCOUNT}specified can be the full email address of the service account or the service account's unique id. Substituting-as a wildcard for the{PROJECT_ID}will infer the project from the account.
- Keepers Dictionary<string, string>
- Arbitrary map of values that, when changed, will trigger a new key to be generated.
- KeyAlgorithm string
- The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
- PrivateKey stringType 
- The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
- PublicKey stringData 
- Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_typeandprivate_key_type.
- PublicKey stringType 
- The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
- ServiceAccount stringId 
- The Service account id of the Key. This can be a string in the format
{ACCOUNT}orprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the{ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if theprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}syntax is used, the{ACCOUNT}specified can be the full email address of the service account or the service account's unique id. Substituting-as a wildcard for the{PROJECT_ID}will infer the project from the account.
- Keepers map[string]string
- Arbitrary map of values that, when changed, will trigger a new key to be generated.
- KeyAlgorithm string
- The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
- PrivateKey stringType 
- The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
- PublicKey stringData 
- Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_typeandprivate_key_type.
- PublicKey stringType 
- The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
- serviceAccount StringId 
- The Service account id of the Key. This can be a string in the format
{ACCOUNT}orprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the{ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if theprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}syntax is used, the{ACCOUNT}specified can be the full email address of the service account or the service account's unique id. Substituting-as a wildcard for the{PROJECT_ID}will infer the project from the account.
- keepers Map<String,String>
- Arbitrary map of values that, when changed, will trigger a new key to be generated.
- keyAlgorithm String
- The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
- privateKey StringType 
- The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
- publicKey StringData 
- Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_typeandprivate_key_type.
- publicKey StringType 
- The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
- serviceAccount stringId 
- The Service account id of the Key. This can be a string in the format
{ACCOUNT}orprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the{ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if theprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}syntax is used, the{ACCOUNT}specified can be the full email address of the service account or the service account's unique id. Substituting-as a wildcard for the{PROJECT_ID}will infer the project from the account.
- keepers {[key: string]: string}
- Arbitrary map of values that, when changed, will trigger a new key to be generated.
- keyAlgorithm string
- The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
- privateKey stringType 
- The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
- publicKey stringData 
- Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_typeandprivate_key_type.
- publicKey stringType 
- The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
- service_account_ strid 
- The Service account id of the Key. This can be a string in the format
{ACCOUNT}orprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the{ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if theprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}syntax is used, the{ACCOUNT}specified can be the full email address of the service account or the service account's unique id. Substituting-as a wildcard for the{PROJECT_ID}will infer the project from the account.
- keepers Mapping[str, str]
- Arbitrary map of values that, when changed, will trigger a new key to be generated.
- key_algorithm str
- The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
- private_key_ strtype 
- The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
- public_key_ strdata 
- Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_typeandprivate_key_type.
- public_key_ strtype 
- The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
- serviceAccount StringId 
- The Service account id of the Key. This can be a string in the format
{ACCOUNT}orprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the{ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if theprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}syntax is used, the{ACCOUNT}specified can be the full email address of the service account or the service account's unique id. Substituting-as a wildcard for the{PROJECT_ID}will infer the project from the account.
- keepers Map<String>
- Arbitrary map of values that, when changed, will trigger a new key to be generated.
- keyAlgorithm String
- The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
- privateKey StringType 
- The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
- publicKey StringData 
- Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_typeandprivate_key_type.
- publicKey StringType 
- The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
Outputs
All input properties are implicitly available as output properties. Additionally, the Key resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The name used for this key pair
- PrivateKey string
- The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
- PublicKey string
- The public key, base64 encoded
- ValidAfter string
- The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- ValidBefore string
- The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The name used for this key pair
- PrivateKey string
- The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
- PublicKey string
- The public key, base64 encoded
- ValidAfter string
- The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- ValidBefore string
- The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- The name used for this key pair
- privateKey String
- The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
- publicKey String
- The public key, base64 encoded
- validAfter String
- The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- validBefore String
- The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- id string
- The provider-assigned unique ID for this managed resource.
- name string
- The name used for this key pair
- privateKey string
- The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
- publicKey string
- The public key, base64 encoded
- validAfter string
- The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- validBefore string
- The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- id str
- The provider-assigned unique ID for this managed resource.
- name str
- The name used for this key pair
- private_key str
- The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
- public_key str
- The public key, base64 encoded
- valid_after str
- The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- valid_before str
- The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- The name used for this key pair
- privateKey String
- The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
- publicKey String
- The public key, base64 encoded
- validAfter String
- The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- validBefore String
- The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
Look up Existing Key Resource
Get an existing Key resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: KeyState, opts?: CustomResourceOptions): Key@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        keepers: Optional[Mapping[str, str]] = None,
        key_algorithm: Optional[str] = None,
        name: Optional[str] = None,
        private_key: Optional[str] = None,
        private_key_type: Optional[str] = None,
        public_key: Optional[str] = None,
        public_key_data: Optional[str] = None,
        public_key_type: Optional[str] = None,
        service_account_id: Optional[str] = None,
        valid_after: Optional[str] = None,
        valid_before: Optional[str] = None) -> Keyfunc GetKey(ctx *Context, name string, id IDInput, state *KeyState, opts ...ResourceOption) (*Key, error)public static Key Get(string name, Input<string> id, KeyState? state, CustomResourceOptions? opts = null)public static Key get(String name, Output<String> id, KeyState state, CustomResourceOptions options)resources:  _:    type: gcp:serviceaccount:Key    get:      id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Keepers Dictionary<string, string>
- Arbitrary map of values that, when changed, will trigger a new key to be generated.
- KeyAlgorithm string
- The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
- Name string
- The name used for this key pair
- PrivateKey string
- The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
- PrivateKey stringType 
- The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
- PublicKey string
- The public key, base64 encoded
- PublicKey stringData 
- Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_typeandprivate_key_type.
- PublicKey stringType 
- The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
- ServiceAccount stringId 
- The Service account id of the Key. This can be a string in the format
{ACCOUNT}orprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the{ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if theprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}syntax is used, the{ACCOUNT}specified can be the full email address of the service account or the service account's unique id. Substituting-as a wildcard for the{PROJECT_ID}will infer the project from the account.
- ValidAfter string
- The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- ValidBefore string
- The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- Keepers map[string]string
- Arbitrary map of values that, when changed, will trigger a new key to be generated.
- KeyAlgorithm string
- The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
- Name string
- The name used for this key pair
- PrivateKey string
- The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
- PrivateKey stringType 
- The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
- PublicKey string
- The public key, base64 encoded
- PublicKey stringData 
- Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_typeandprivate_key_type.
- PublicKey stringType 
- The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
- ServiceAccount stringId 
- The Service account id of the Key. This can be a string in the format
{ACCOUNT}orprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the{ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if theprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}syntax is used, the{ACCOUNT}specified can be the full email address of the service account or the service account's unique id. Substituting-as a wildcard for the{PROJECT_ID}will infer the project from the account.
- ValidAfter string
- The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- ValidBefore string
- The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- keepers Map<String,String>
- Arbitrary map of values that, when changed, will trigger a new key to be generated.
- keyAlgorithm String
- The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
- name String
- The name used for this key pair
- privateKey String
- The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
- privateKey StringType 
- The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
- publicKey String
- The public key, base64 encoded
- publicKey StringData 
- Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_typeandprivate_key_type.
- publicKey StringType 
- The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
- serviceAccount StringId 
- The Service account id of the Key. This can be a string in the format
{ACCOUNT}orprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the{ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if theprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}syntax is used, the{ACCOUNT}specified can be the full email address of the service account or the service account's unique id. Substituting-as a wildcard for the{PROJECT_ID}will infer the project from the account.
- validAfter String
- The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- validBefore String
- The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- keepers {[key: string]: string}
- Arbitrary map of values that, when changed, will trigger a new key to be generated.
- keyAlgorithm string
- The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
- name string
- The name used for this key pair
- privateKey string
- The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
- privateKey stringType 
- The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
- publicKey string
- The public key, base64 encoded
- publicKey stringData 
- Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_typeandprivate_key_type.
- publicKey stringType 
- The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
- serviceAccount stringId 
- The Service account id of the Key. This can be a string in the format
{ACCOUNT}orprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the{ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if theprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}syntax is used, the{ACCOUNT}specified can be the full email address of the service account or the service account's unique id. Substituting-as a wildcard for the{PROJECT_ID}will infer the project from the account.
- validAfter string
- The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- validBefore string
- The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- keepers Mapping[str, str]
- Arbitrary map of values that, when changed, will trigger a new key to be generated.
- key_algorithm str
- The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
- name str
- The name used for this key pair
- private_key str
- The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
- private_key_ strtype 
- The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
- public_key str
- The public key, base64 encoded
- public_key_ strdata 
- Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_typeandprivate_key_type.
- public_key_ strtype 
- The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
- service_account_ strid 
- The Service account id of the Key. This can be a string in the format
{ACCOUNT}orprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the{ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if theprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}syntax is used, the{ACCOUNT}specified can be the full email address of the service account or the service account's unique id. Substituting-as a wildcard for the{PROJECT_ID}will infer the project from the account.
- valid_after str
- The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- valid_before str
- The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- keepers Map<String>
- Arbitrary map of values that, when changed, will trigger a new key to be generated.
- keyAlgorithm String
- The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
- name String
- The name used for this key pair
- privateKey String
- The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
- privateKey StringType 
- The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
- publicKey String
- The public key, base64 encoded
- publicKey StringData 
- Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_typeandprivate_key_type.
- publicKey StringType 
- The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
- serviceAccount StringId 
- The Service account id of the Key. This can be a string in the format
{ACCOUNT}orprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the{ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if theprojects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}syntax is used, the{ACCOUNT}specified can be the full email address of the service account or the service account's unique id. Substituting-as a wildcard for the{PROJECT_ID}will infer the project from the account.
- validAfter String
- The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
- validBefore String
- The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
Import
This resource does not support import.
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the google-betaTerraform Provider.