Key
data class KeyArgs(val keepers: Output<Map<String, String>>? = null, val keyAlgorithm: Output<String>? = null, val privateKeyType: Output<String>? = null, val publicKeyData: Output<String>? = null, val publicKeyType: Output<String>? = null, val serviceAccountId: Output<String>? = null) : ConvertibleToJava<KeyArgs>
Example Usage
Creating A New Key
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const myaccount = new gcp.serviceaccount.Account("myaccount", {
accountId: "myaccount",
displayName: "My Service Account",
});
const mykey = new gcp.serviceaccount.Key("mykey", {
serviceAccountId: myaccount.name,
publicKeyType: "TYPE_X509_PEM_FILE",
});Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
myaccount = gcp.serviceaccount.Account("myaccount",
account_id="myaccount",
display_name="My Service Account")
mykey = gcp.serviceaccount.Key("mykey",
service_account_id=myaccount.name,
public_key_type="TYPE_X509_PEM_FILE")Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var myaccount = new Gcp.ServiceAccount.Account("myaccount", new()
{
AccountId = "myaccount",
DisplayName = "My Service Account",
});
var mykey = new Gcp.ServiceAccount.Key("mykey", new()
{
ServiceAccountId = myaccount.Name,
PublicKeyType = "TYPE_X509_PEM_FILE",
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
myaccount, err := serviceaccount.NewAccount(ctx, "myaccount", &serviceaccount.AccountArgs{
AccountId: pulumi.String("myaccount"),
DisplayName: pulumi.String("My Service Account"),
})
if err != nil {
return err
}
_, err = serviceaccount.NewKey(ctx, "mykey", &serviceaccount.KeyArgs{
ServiceAccountId: myaccount.Name,
PublicKeyType: pulumi.String("TYPE_X509_PEM_FILE"),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.serviceaccount.Account;
import com.pulumi.gcp.serviceaccount.AccountArgs;
import com.pulumi.gcp.serviceaccount.Key;
import com.pulumi.gcp.serviceaccount.KeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var myaccount = new Account("myaccount", AccountArgs.builder()
.accountId("myaccount")
.displayName("My Service Account")
.build());
var mykey = new Key("mykey", KeyArgs.builder()
.serviceAccountId(myaccount.name())
.publicKeyType("TYPE_X509_PEM_FILE")
.build());
}
}Content copied to clipboard
resources:
myaccount:
type: gcp:serviceaccount:Account
properties:
accountId: myaccount
displayName: My Service Account
mykey:
type: gcp:serviceaccount:Key
properties:
serviceAccountId: ${myaccount.name}
publicKeyType: TYPE_X509_PEM_FILEContent copied to clipboard
Creating And Regularly Rotating A Key
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as time from "@pulumiverse/time";
const myaccount = new gcp.serviceaccount.Account("myaccount", {
accountId: "myaccount",
displayName: "My Service Account",
});
// note this requires the terraform to be run regularly
const mykeyRotation = new time.Rotating("mykey_rotation", {rotationDays: 30});
const mykey = new gcp.serviceaccount.Key("mykey", {
serviceAccountId: myaccount.name,
keepers: {
rotation_time: mykeyRotation.rotationRfc3339,
},
});Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
import pulumiverse_time as time
myaccount = gcp.serviceaccount.Account("myaccount",
account_id="myaccount",
display_name="My Service Account")
# note this requires the terraform to be run regularly
mykey_rotation = time.Rotating("mykey_rotation", rotation_days=30)
mykey = gcp.serviceaccount.Key("mykey",
service_account_id=myaccount.name,
keepers={
"rotation_time": mykey_rotation.rotation_rfc3339,
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Time = Pulumiverse.Time;
return await Deployment.RunAsync(() =>
{
var myaccount = new Gcp.ServiceAccount.Account("myaccount", new()
{
AccountId = "myaccount",
DisplayName = "My Service Account",
});
// note this requires the terraform to be run regularly
var mykeyRotation = new Time.Rotating("mykey_rotation", new()
{
RotationDays = 30,
});
var mykey = new Gcp.ServiceAccount.Key("mykey", new()
{
ServiceAccountId = myaccount.Name,
Keepers =
{
{ "rotation_time", mykeyRotation.RotationRfc3339 },
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
"github.com/pulumi/pulumi-time/sdk/go/time"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
myaccount, err := serviceaccount.NewAccount(ctx, "myaccount", &serviceaccount.AccountArgs{
AccountId: pulumi.String("myaccount"),
DisplayName: pulumi.String("My Service Account"),
})
if err != nil {
return err
}
// note this requires the terraform to be run regularly
mykeyRotation, err := time.NewRotating(ctx, "mykey_rotation", &time.RotatingArgs{
RotationDays: pulumi.Int(30),
})
if err != nil {
return err
}
_, err = serviceaccount.NewKey(ctx, "mykey", &serviceaccount.KeyArgs{
ServiceAccountId: myaccount.Name,
Keepers: pulumi.StringMap{
"rotation_time": mykeyRotation.RotationRfc3339,
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.serviceaccount.Account;
import com.pulumi.gcp.serviceaccount.AccountArgs;
import com.pulumi.time.Rotating;
import com.pulumi.time.RotatingArgs;
import com.pulumi.gcp.serviceaccount.Key;
import com.pulumi.gcp.serviceaccount.KeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var myaccount = new Account("myaccount", AccountArgs.builder()
.accountId("myaccount")
.displayName("My Service Account")
.build());
// note this requires the terraform to be run regularly
var mykeyRotation = new Rotating("mykeyRotation", RotatingArgs.builder()
.rotationDays(30)
.build());
var mykey = new Key("mykey", KeyArgs.builder()
.serviceAccountId(myaccount.name())
.keepers(Map.of("rotation_time", mykeyRotation.rotationRfc3339()))
.build());
}
}Content copied to clipboard
resources:
myaccount:
type: gcp:serviceaccount:Account
properties:
accountId: myaccount
displayName: My Service Account
# note this requires the terraform to be run regularly
mykeyRotation:
type: time:Rotating
name: mykey_rotation
properties:
rotationDays: 30
mykey:
type: gcp:serviceaccount:Key
properties:
serviceAccountId: ${myaccount.name}
keepers:
rotation_time: ${mykeyRotation.rotationRfc3339}Content copied to clipboard
Save Key In Kubernetes Secret - DEPRECATED
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as kubernetes from "@pulumi/kubernetes";
import * as std from "@pulumi/std";
// Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
// https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
const myaccount = new gcp.serviceaccount.Account("myaccount", {
accountId: "myaccount",
displayName: "My Service Account",
});
const mykey = new gcp.serviceaccount.Key("mykey", {serviceAccountId: myaccount.name});
const google_application_credentials = new kubernetes.core.v1.Secret("google-application-credentials", {
metadata: {
name: "google-application-credentials",
},
data: {
"credentials.json": std.base64decodeOutput({
input: mykey.privateKey,
}).apply(invoke => invoke.result),
},
});Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
import pulumi_kubernetes as kubernetes
import pulumi_std as std
# Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
# https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
myaccount = gcp.serviceaccount.Account("myaccount",
account_id="myaccount",
display_name="My Service Account")
mykey = gcp.serviceaccount.Key("mykey", service_account_id=myaccount.name)
google_application_credentials = kubernetes.core.v1.Secret("google-application-credentials",
metadata={
"name": "google-application-credentials",
},
data={
"credentials.json": std.base64decode_output(input=mykey.private_key).apply(lambda invoke: invoke.result),
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
using Kubernetes = Pulumi.Kubernetes;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
// Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
// https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
var myaccount = new Gcp.ServiceAccount.Account("myaccount", new()
{
AccountId = "myaccount",
DisplayName = "My Service Account",
});
var mykey = new Gcp.ServiceAccount.Key("mykey", new()
{
ServiceAccountId = myaccount.Name,
});
var google_application_credentials = new Kubernetes.Core.V1.Secret("google-application-credentials", new()
{
Metadata = new Kubernetes.Types.Inputs.Meta.V1.ObjectMetaArgs
{
Name = "google-application-credentials",
},
Data =
{
{ "credentials.json", Std.Base64decode.Invoke(new()
{
Input = mykey.PrivateKey,
}).Apply(invoke => invoke.Result) },
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/serviceaccount"
corev1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/core/v1"
metav1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/meta/v1"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
// https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
myaccount, err := serviceaccount.NewAccount(ctx, "myaccount", &serviceaccount.AccountArgs{
AccountId: pulumi.String("myaccount"),
DisplayName: pulumi.String("My Service Account"),
})
if err != nil {
return err
}
mykey, err := serviceaccount.NewKey(ctx, "mykey", &serviceaccount.KeyArgs{
ServiceAccountId: myaccount.Name,
})
if err != nil {
return err
}
_, err = corev1.NewSecret(ctx, "google-application-credentials", &corev1.SecretArgs{
Metadata: &metav1.ObjectMetaArgs{
Name: pulumi.String("google-application-credentials"),
},
Data: pulumi.StringMap{
"credentials.json": pulumi.String(std.Base64decodeOutput(ctx, std.Base64decodeOutputArgs{
Input: mykey.PrivateKey,
}, nil).ApplyT(func(invoke std.Base64decodeResult) (*string, error) {
return invoke.Result, nil
}).(pulumi.StringPtrOutput)),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.serviceaccount.Account;
import com.pulumi.gcp.serviceaccount.AccountArgs;
import com.pulumi.gcp.serviceaccount.Key;
import com.pulumi.gcp.serviceaccount.KeyArgs;
import com.pulumi.kubernetes.core_v1.Secret;
import com.pulumi.kubernetes.core_v1.SecretArgs;
import com.pulumi.kubernetes.meta_v1.inputs.ObjectMetaArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
// Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
// https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
var myaccount = new Account("myaccount", AccountArgs.builder()
.accountId("myaccount")
.displayName("My Service Account")
.build());
var mykey = new Key("mykey", KeyArgs.builder()
.serviceAccountId(myaccount.name())
.build());
var google_application_credentials = new Secret("google-application-credentials", SecretArgs.builder()
.metadata(ObjectMetaArgs.builder()
.name("google-application-credentials")
.build())
.data(Map.of("credentials.json", StdFunctions.base64decode().applyValue(invoke -> invoke.result())))
.build());
}
}Content copied to clipboard
resources:
# Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
# https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
myaccount:
type: gcp:serviceaccount:Account
properties:
accountId: myaccount
displayName: My Service Account
mykey:
type: gcp:serviceaccount:Key
properties:
serviceAccountId: ${myaccount.name}
google-application-credentials:
type: kubernetes:core/v1:Secret
properties:
metadata:
name: google-application-credentials
data:
credentials.json:
fn::invoke:
Function: std:base64decode
Arguments:
input: ${mykey.privateKey}
Return: resultContent copied to clipboard
Import
This resource does not support import.
Constructors
Properties
Link copied to clipboard
The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm. Valid values are listed at ServiceAccountPrivateKeyType (only used on create)
Link copied to clipboard
The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
Link copied to clipboard
Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with public_key_type and private_key_type.
Link copied to clipboard
The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
Link copied to clipboard
The Service account id of the Key. This can be a string in the format {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. If the {ACCOUNT}-only syntax is used, either the full email address of the service account or its name can be specified as a value, in which case the project will automatically be inferred from the account. Otherwise, if the projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT} syntax is used, the {ACCOUNT} specified can be the full email address of the service account or the service account's unique id. Substituting - as a wildcard for the {PROJECT_ID} will infer the project from the account.