1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. serviceaccount
  5. Key
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

gcp.serviceaccount.Key

Explore with Pulumi AI

gcp logo
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

    Example Usage

    Creating A New Key

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const myaccount = new gcp.serviceaccount.Account("myaccount", {
        accountId: "myaccount",
        displayName: "My Service Account",
    });
    const mykey = new gcp.serviceaccount.Key("mykey", {
        serviceAccountId: myaccount.name,
        publicKeyType: "TYPE_X509_PEM_FILE",
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    myaccount = gcp.serviceaccount.Account("myaccount",
        account_id="myaccount",
        display_name="My Service Account")
    mykey = gcp.serviceaccount.Key("mykey",
        service_account_id=myaccount.name,
        public_key_type="TYPE_X509_PEM_FILE")
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/serviceaccount"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		myaccount, err := serviceaccount.NewAccount(ctx, "myaccount", &serviceaccount.AccountArgs{
    			AccountId:   pulumi.String("myaccount"),
    			DisplayName: pulumi.String("My Service Account"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = serviceaccount.NewKey(ctx, "mykey", &serviceaccount.KeyArgs{
    			ServiceAccountId: myaccount.Name,
    			PublicKeyType:    pulumi.String("TYPE_X509_PEM_FILE"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var myaccount = new Gcp.ServiceAccount.Account("myaccount", new()
        {
            AccountId = "myaccount",
            DisplayName = "My Service Account",
        });
    
        var mykey = new Gcp.ServiceAccount.Key("mykey", new()
        {
            ServiceAccountId = myaccount.Name,
            PublicKeyType = "TYPE_X509_PEM_FILE",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.serviceaccount.Account;
    import com.pulumi.gcp.serviceaccount.AccountArgs;
    import com.pulumi.gcp.serviceaccount.Key;
    import com.pulumi.gcp.serviceaccount.KeyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var myaccount = new Account("myaccount", AccountArgs.builder()
                .accountId("myaccount")
                .displayName("My Service Account")
                .build());
    
            var mykey = new Key("mykey", KeyArgs.builder()
                .serviceAccountId(myaccount.name())
                .publicKeyType("TYPE_X509_PEM_FILE")
                .build());
    
        }
    }
    
    resources:
      myaccount:
        type: gcp:serviceaccount:Account
        properties:
          accountId: myaccount
          displayName: My Service Account
      mykey:
        type: gcp:serviceaccount:Key
        properties:
          serviceAccountId: ${myaccount.name}
          publicKeyType: TYPE_X509_PEM_FILE
    

    Creating And Regularly Rotating A Key

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as time from "@pulumiverse/time";
    
    const myaccount = new gcp.serviceaccount.Account("myaccount", {
        accountId: "myaccount",
        displayName: "My Service Account",
    });
    // note this requires the terraform to be run regularly
    const mykeyRotation = new time.Rotating("mykey_rotation", {rotationDays: 30});
    const mykey = new gcp.serviceaccount.Key("mykey", {
        serviceAccountId: myaccount.name,
        keepers: {
            rotation_time: mykeyRotation.rotationRfc3339,
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumiverse_time as time
    
    myaccount = gcp.serviceaccount.Account("myaccount",
        account_id="myaccount",
        display_name="My Service Account")
    # note this requires the terraform to be run regularly
    mykey_rotation = time.Rotating("mykey_rotation", rotation_days=30)
    mykey = gcp.serviceaccount.Key("mykey",
        service_account_id=myaccount.name,
        keepers={
            "rotation_time": mykey_rotation.rotation_rfc3339,
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/serviceaccount"
    	"github.com/pulumi/pulumi-time/sdk/go/time"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		myaccount, err := serviceaccount.NewAccount(ctx, "myaccount", &serviceaccount.AccountArgs{
    			AccountId:   pulumi.String("myaccount"),
    			DisplayName: pulumi.String("My Service Account"),
    		})
    		if err != nil {
    			return err
    		}
    		// note this requires the terraform to be run regularly
    		mykeyRotation, err := time.NewRotating(ctx, "mykey_rotation", &time.RotatingArgs{
    			RotationDays: pulumi.Int(30),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = serviceaccount.NewKey(ctx, "mykey", &serviceaccount.KeyArgs{
    			ServiceAccountId: myaccount.Name,
    			Keepers: pulumi.StringMap{
    				"rotation_time": mykeyRotation.RotationRfc3339,
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Time = Pulumiverse.Time;
    
    return await Deployment.RunAsync(() => 
    {
        var myaccount = new Gcp.ServiceAccount.Account("myaccount", new()
        {
            AccountId = "myaccount",
            DisplayName = "My Service Account",
        });
    
        // note this requires the terraform to be run regularly
        var mykeyRotation = new Time.Rotating("mykey_rotation", new()
        {
            RotationDays = 30,
        });
    
        var mykey = new Gcp.ServiceAccount.Key("mykey", new()
        {
            ServiceAccountId = myaccount.Name,
            Keepers = 
            {
                { "rotation_time", mykeyRotation.RotationRfc3339 },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.serviceaccount.Account;
    import com.pulumi.gcp.serviceaccount.AccountArgs;
    import com.pulumi.time.Rotating;
    import com.pulumi.time.RotatingArgs;
    import com.pulumi.gcp.serviceaccount.Key;
    import com.pulumi.gcp.serviceaccount.KeyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var myaccount = new Account("myaccount", AccountArgs.builder()
                .accountId("myaccount")
                .displayName("My Service Account")
                .build());
    
            // note this requires the terraform to be run regularly
            var mykeyRotation = new Rotating("mykeyRotation", RotatingArgs.builder()
                .rotationDays(30)
                .build());
    
            var mykey = new Key("mykey", KeyArgs.builder()
                .serviceAccountId(myaccount.name())
                .keepers(Map.of("rotation_time", mykeyRotation.rotationRfc3339()))
                .build());
    
        }
    }
    
    resources:
      myaccount:
        type: gcp:serviceaccount:Account
        properties:
          accountId: myaccount
          displayName: My Service Account
      # note this requires the terraform to be run regularly
      mykeyRotation:
        type: time:Rotating
        name: mykey_rotation
        properties:
          rotationDays: 30
      mykey:
        type: gcp:serviceaccount:Key
        properties:
          serviceAccountId: ${myaccount.name}
          keepers:
            rotation_time: ${mykeyRotation.rotationRfc3339}
    

    Save Key In Kubernetes Secret - DEPRECATED

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    import * as kubernetes from "@pulumi/kubernetes";
    import * as std from "@pulumi/std";
    
    // Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
    // https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
    const myaccount = new gcp.serviceaccount.Account("myaccount", {
        accountId: "myaccount",
        displayName: "My Service Account",
    });
    const mykey = new gcp.serviceaccount.Key("mykey", {serviceAccountId: myaccount.name});
    const google_application_credentials = new kubernetes.core.v1.Secret("google-application-credentials", {
        metadata: {
            name: "google-application-credentials",
        },
        data: {
            "credentials.json": std.base64decodeOutput({
                input: mykey.privateKey,
            }).apply(invoke => invoke.result),
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumi_kubernetes as kubernetes
    import pulumi_std as std
    
    # Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
    # https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
    myaccount = gcp.serviceaccount.Account("myaccount",
        account_id="myaccount",
        display_name="My Service Account")
    mykey = gcp.serviceaccount.Key("mykey", service_account_id=myaccount.name)
    google_application_credentials = kubernetes.core.v1.Secret("google-application-credentials",
        metadata={
            "name": "google-application-credentials",
        },
        data={
            "credentials.json": std.base64decode_output(input=mykey.private_key).apply(lambda invoke: invoke.result),
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/serviceaccount"
    	corev1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/core/v1"
    	metav1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/meta/v1"
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
    		// https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
    		myaccount, err := serviceaccount.NewAccount(ctx, "myaccount", &serviceaccount.AccountArgs{
    			AccountId:   pulumi.String("myaccount"),
    			DisplayName: pulumi.String("My Service Account"),
    		})
    		if err != nil {
    			return err
    		}
    		mykey, err := serviceaccount.NewKey(ctx, "mykey", &serviceaccount.KeyArgs{
    			ServiceAccountId: myaccount.Name,
    		})
    		if err != nil {
    			return err
    		}
    		_, err = corev1.NewSecret(ctx, "google-application-credentials", &corev1.SecretArgs{
    			Metadata: &metav1.ObjectMetaArgs{
    				Name: pulumi.String("google-application-credentials"),
    			},
    			Data: pulumi.StringMap{
    				"credentials.json": pulumi.String(std.Base64decodeOutput(ctx, std.Base64decodeOutputArgs{
    					Input: mykey.PrivateKey,
    				}, nil).ApplyT(func(invoke std.Base64decodeResult) (*string, error) {
    					return invoke.Result, nil
    				}).(pulumi.StringPtrOutput)),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Kubernetes = Pulumi.Kubernetes;
    using Std = Pulumi.Std;
    
    return await Deployment.RunAsync(() => 
    {
        // Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
        // https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
        var myaccount = new Gcp.ServiceAccount.Account("myaccount", new()
        {
            AccountId = "myaccount",
            DisplayName = "My Service Account",
        });
    
        var mykey = new Gcp.ServiceAccount.Key("mykey", new()
        {
            ServiceAccountId = myaccount.Name,
        });
    
        var google_application_credentials = new Kubernetes.Core.V1.Secret("google-application-credentials", new()
        {
            Metadata = new Kubernetes.Types.Inputs.Meta.V1.ObjectMetaArgs
            {
                Name = "google-application-credentials",
            },
            Data = 
            {
                { "credentials.json", Std.Base64decode.Invoke(new()
                {
                    Input = mykey.PrivateKey,
                }).Apply(invoke => invoke.Result) },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.serviceaccount.Account;
    import com.pulumi.gcp.serviceaccount.AccountArgs;
    import com.pulumi.gcp.serviceaccount.Key;
    import com.pulumi.gcp.serviceaccount.KeyArgs;
    import com.pulumi.kubernetes.core_v1.Secret;
    import com.pulumi.kubernetes.core_v1.SecretArgs;
    import com.pulumi.kubernetes.meta_v1.inputs.ObjectMetaArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            // Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
            // https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
            var myaccount = new Account("myaccount", AccountArgs.builder()
                .accountId("myaccount")
                .displayName("My Service Account")
                .build());
    
            var mykey = new Key("mykey", KeyArgs.builder()
                .serviceAccountId(myaccount.name())
                .build());
    
            var google_application_credentials = new Secret("google-application-credentials", SecretArgs.builder()
                .metadata(ObjectMetaArgs.builder()
                    .name("google-application-credentials")
                    .build())
                .data(Map.of("credentials.json", StdFunctions.base64decode().applyValue(invoke -> invoke.result())))
                .build());
    
        }
    }
    
    resources:
      # Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
      # https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
      myaccount:
        type: gcp:serviceaccount:Account
        properties:
          accountId: myaccount
          displayName: My Service Account
      mykey:
        type: gcp:serviceaccount:Key
        properties:
          serviceAccountId: ${myaccount.name}
      google-application-credentials:
        type: kubernetes:core/v1:Secret
        properties:
          metadata:
            name: google-application-credentials
          data:
            credentials.json:
              fn::invoke:
                Function: std:base64decode
                Arguments:
                  input: ${mykey.privateKey}
                Return: result
    

    Create Key Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Key(name: string, args: KeyArgs, opts?: CustomResourceOptions);
    @overload
    def Key(resource_name: str,
            args: KeyArgs,
            opts: Optional[ResourceOptions] = None)
    
    @overload
    def Key(resource_name: str,
            opts: Optional[ResourceOptions] = None,
            service_account_id: Optional[str] = None,
            keepers: Optional[Mapping[str, str]] = None,
            key_algorithm: Optional[str] = None,
            private_key_type: Optional[str] = None,
            public_key_data: Optional[str] = None,
            public_key_type: Optional[str] = None)
    func NewKey(ctx *Context, name string, args KeyArgs, opts ...ResourceOption) (*Key, error)
    public Key(string name, KeyArgs args, CustomResourceOptions? opts = null)
    public Key(String name, KeyArgs args)
    public Key(String name, KeyArgs args, CustomResourceOptions options)
    
    type: gcp:serviceaccount:Key
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args KeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args KeyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args KeyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args KeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args KeyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var keyResource = new Gcp.ServiceAccount.Key("keyResource", new()
    {
        ServiceAccountId = "string",
        Keepers = 
        {
            { "string", "string" },
        },
        KeyAlgorithm = "string",
        PrivateKeyType = "string",
        PublicKeyData = "string",
        PublicKeyType = "string",
    });
    
    example, err := serviceaccount.NewKey(ctx, "keyResource", &serviceaccount.KeyArgs{
    	ServiceAccountId: pulumi.String("string"),
    	Keepers: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	KeyAlgorithm:   pulumi.String("string"),
    	PrivateKeyType: pulumi.String("string"),
    	PublicKeyData:  pulumi.String("string"),
    	PublicKeyType:  pulumi.String("string"),
    })
    
    var keyResource = new Key("keyResource", KeyArgs.builder()
        .serviceAccountId("string")
        .keepers(Map.of("string", "string"))
        .keyAlgorithm("string")
        .privateKeyType("string")
        .publicKeyData("string")
        .publicKeyType("string")
        .build());
    
    key_resource = gcp.serviceaccount.Key("keyResource",
        service_account_id="string",
        keepers={
            "string": "string",
        },
        key_algorithm="string",
        private_key_type="string",
        public_key_data="string",
        public_key_type="string")
    
    const keyResource = new gcp.serviceaccount.Key("keyResource", {
        serviceAccountId: "string",
        keepers: {
            string: "string",
        },
        keyAlgorithm: "string",
        privateKeyType: "string",
        publicKeyData: "string",
        publicKeyType: "string",
    });
    
    type: gcp:serviceaccount:Key
    properties:
        keepers:
            string: string
        keyAlgorithm: string
        privateKeyType: string
        publicKeyData: string
        publicKeyType: string
        serviceAccountId: string
    

    Key Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The Key resource accepts the following input properties:

    ServiceAccountId string
    The Service account id of the Key. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the {ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if the projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT} syntax is used, the {ACCOUNT} specified can be the full email address of the service account or the service account's unique id. Substituting - as a wildcard for the {PROJECT_ID} will infer the project from the account.
    Keepers Dictionary<string, string>
    Arbitrary map of values that, when changed, will trigger a new key to be generated.
    KeyAlgorithm string
    The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
    PrivateKeyType string
    The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
    PublicKeyData string
    Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_type and private_key_type.
    PublicKeyType string
    The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
    ServiceAccountId string
    The Service account id of the Key. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the {ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if the projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT} syntax is used, the {ACCOUNT} specified can be the full email address of the service account or the service account's unique id. Substituting - as a wildcard for the {PROJECT_ID} will infer the project from the account.
    Keepers map[string]string
    Arbitrary map of values that, when changed, will trigger a new key to be generated.
    KeyAlgorithm string
    The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
    PrivateKeyType string
    The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
    PublicKeyData string
    Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_type and private_key_type.
    PublicKeyType string
    The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
    serviceAccountId String
    The Service account id of the Key. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the {ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if the projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT} syntax is used, the {ACCOUNT} specified can be the full email address of the service account or the service account's unique id. Substituting - as a wildcard for the {PROJECT_ID} will infer the project from the account.
    keepers Map<String,String>
    Arbitrary map of values that, when changed, will trigger a new key to be generated.
    keyAlgorithm String
    The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
    privateKeyType String
    The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
    publicKeyData String
    Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_type and private_key_type.
    publicKeyType String
    The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
    serviceAccountId string
    The Service account id of the Key. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the {ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if the projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT} syntax is used, the {ACCOUNT} specified can be the full email address of the service account or the service account's unique id. Substituting - as a wildcard for the {PROJECT_ID} will infer the project from the account.
    keepers {[key: string]: string}
    Arbitrary map of values that, when changed, will trigger a new key to be generated.
    keyAlgorithm string
    The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
    privateKeyType string
    The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
    publicKeyData string
    Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_type and private_key_type.
    publicKeyType string
    The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
    service_account_id str
    The Service account id of the Key. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the {ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if the projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT} syntax is used, the {ACCOUNT} specified can be the full email address of the service account or the service account's unique id. Substituting - as a wildcard for the {PROJECT_ID} will infer the project from the account.
    keepers Mapping[str, str]
    Arbitrary map of values that, when changed, will trigger a new key to be generated.
    key_algorithm str
    The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
    private_key_type str
    The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
    public_key_data str
    Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_type and private_key_type.
    public_key_type str
    The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
    serviceAccountId String
    The Service account id of the Key. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the {ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if the projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT} syntax is used, the {ACCOUNT} specified can be the full email address of the service account or the service account's unique id. Substituting - as a wildcard for the {PROJECT_ID} will infer the project from the account.
    keepers Map<String>
    Arbitrary map of values that, when changed, will trigger a new key to be generated.
    keyAlgorithm String
    The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
    privateKeyType String
    The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
    publicKeyData String
    Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_type and private_key_type.
    publicKeyType String
    The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Key resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The name used for this key pair
    PrivateKey string
    The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
    PublicKey string
    The public key, base64 encoded
    ValidAfter string
    The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    ValidBefore string
    The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The name used for this key pair
    PrivateKey string
    The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
    PublicKey string
    The public key, base64 encoded
    ValidAfter string
    The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    ValidBefore string
    The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The name used for this key pair
    privateKey String
    The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
    publicKey String
    The public key, base64 encoded
    validAfter String
    The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    validBefore String
    The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    id string
    The provider-assigned unique ID for this managed resource.
    name string
    The name used for this key pair
    privateKey string
    The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
    publicKey string
    The public key, base64 encoded
    validAfter string
    The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    validBefore string
    The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    id str
    The provider-assigned unique ID for this managed resource.
    name str
    The name used for this key pair
    private_key str
    The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
    public_key str
    The public key, base64 encoded
    valid_after str
    The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    valid_before str
    The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The name used for this key pair
    privateKey String
    The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
    publicKey String
    The public key, base64 encoded
    validAfter String
    The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    validBefore String
    The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

    Look up Existing Key Resource

    Get an existing Key resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: KeyState, opts?: CustomResourceOptions): Key
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            keepers: Optional[Mapping[str, str]] = None,
            key_algorithm: Optional[str] = None,
            name: Optional[str] = None,
            private_key: Optional[str] = None,
            private_key_type: Optional[str] = None,
            public_key: Optional[str] = None,
            public_key_data: Optional[str] = None,
            public_key_type: Optional[str] = None,
            service_account_id: Optional[str] = None,
            valid_after: Optional[str] = None,
            valid_before: Optional[str] = None) -> Key
    func GetKey(ctx *Context, name string, id IDInput, state *KeyState, opts ...ResourceOption) (*Key, error)
    public static Key Get(string name, Input<string> id, KeyState? state, CustomResourceOptions? opts = null)
    public static Key get(String name, Output<String> id, KeyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Keepers Dictionary<string, string>
    Arbitrary map of values that, when changed, will trigger a new key to be generated.
    KeyAlgorithm string
    The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
    Name string
    The name used for this key pair
    PrivateKey string
    The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
    PrivateKeyType string
    The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
    PublicKey string
    The public key, base64 encoded
    PublicKeyData string
    Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_type and private_key_type.
    PublicKeyType string
    The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
    ServiceAccountId string
    The Service account id of the Key. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the {ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if the projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT} syntax is used, the {ACCOUNT} specified can be the full email address of the service account or the service account's unique id. Substituting - as a wildcard for the {PROJECT_ID} will infer the project from the account.
    ValidAfter string
    The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    ValidBefore string
    The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    Keepers map[string]string
    Arbitrary map of values that, when changed, will trigger a new key to be generated.
    KeyAlgorithm string
    The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
    Name string
    The name used for this key pair
    PrivateKey string
    The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
    PrivateKeyType string
    The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
    PublicKey string
    The public key, base64 encoded
    PublicKeyData string
    Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_type and private_key_type.
    PublicKeyType string
    The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
    ServiceAccountId string
    The Service account id of the Key. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the {ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if the projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT} syntax is used, the {ACCOUNT} specified can be the full email address of the service account or the service account's unique id. Substituting - as a wildcard for the {PROJECT_ID} will infer the project from the account.
    ValidAfter string
    The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    ValidBefore string
    The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    keepers Map<String,String>
    Arbitrary map of values that, when changed, will trigger a new key to be generated.
    keyAlgorithm String
    The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
    name String
    The name used for this key pair
    privateKey String
    The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
    privateKeyType String
    The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
    publicKey String
    The public key, base64 encoded
    publicKeyData String
    Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_type and private_key_type.
    publicKeyType String
    The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
    serviceAccountId String
    The Service account id of the Key. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the {ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if the projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT} syntax is used, the {ACCOUNT} specified can be the full email address of the service account or the service account's unique id. Substituting - as a wildcard for the {PROJECT_ID} will infer the project from the account.
    validAfter String
    The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    validBefore String
    The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    keepers {[key: string]: string}
    Arbitrary map of values that, when changed, will trigger a new key to be generated.
    keyAlgorithm string
    The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
    name string
    The name used for this key pair
    privateKey string
    The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
    privateKeyType string
    The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
    publicKey string
    The public key, base64 encoded
    publicKeyData string
    Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_type and private_key_type.
    publicKeyType string
    The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
    serviceAccountId string
    The Service account id of the Key. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the {ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if the projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT} syntax is used, the {ACCOUNT} specified can be the full email address of the service account or the service account's unique id. Substituting - as a wildcard for the {PROJECT_ID} will infer the project from the account.
    validAfter string
    The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    validBefore string
    The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    keepers Mapping[str, str]
    Arbitrary map of values that, when changed, will trigger a new key to be generated.
    key_algorithm str
    The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
    name str
    The name used for this key pair
    private_key str
    The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
    private_key_type str
    The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
    public_key str
    The public key, base64 encoded
    public_key_data str
    Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_type and private_key_type.
    public_key_type str
    The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
    service_account_id str
    The Service account id of the Key. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the {ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if the projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT} syntax is used, the {ACCOUNT} specified can be the full email address of the service account or the service account's unique id. Substituting - as a wildcard for the {PROJECT_ID} will infer the project from the account.
    valid_after str
    The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    valid_before str
    The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    keepers Map<String>
    Arbitrary map of values that, when changed, will trigger a new key to be generated.
    keyAlgorithm String
    The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
    name String
    The name used for this key pair
    privateKey String
    The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
    privateKeyType String
    The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
    publicKey String
    The public key, base64 encoded
    publicKeyData String
    Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_type and private_key_type.
    publicKeyType String
    The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
    serviceAccountId String
    The Service account id of the Key. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the {ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if the projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT} syntax is used, the {ACCOUNT} specified can be the full email address of the service account or the service account's unique id. Substituting - as a wildcard for the {PROJECT_ID} will infer the project from the account.
    validAfter String
    The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
    validBefore String
    The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

    Import

    This resource does not support import.

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi