import * as pulumi from "@pulumi/pulumi";

/**
 * Creates and manages service account keys, which allow the use of a service account with Google Cloud.
 *
 * > **Warning**: This resource persists a sensitive credential in plaintext in the remote state used by Terraform.
 * Please take appropriate measures to protect your remote state.
 *
 * Security notes for users of this SDK (the warning above is inherited from the upstream Terraform provider):
 *
 * * `privateKey` is a resource output, so the stack state — and anything that exports, logs or prints that
 *   output — holds a long-lived Google credential. Restrict access to the state backend, and treat any exposure
 *   of the state as a key compromise that requires rotation.
 *   NOTE(review): this file does not show whether the provider marks `privateKey` as a Pulumi secret; confirm it
 *   is encrypted in state, and otherwise wrap it with `pulumi.secret(...)` before passing it to other resources.
 * * A user-managed key is a bearer credential: whoever holds the JSON file can act as the service account until
 *   the key is deleted or `validBefore` passes. Prefer keyless alternatives such as Workload Identity (linked in
 *   the deprecated Kubernetes example below) where the workload supports them, and keep the service account's
 *   IAM grants minimal so a leaked key has limited blast radius.
 * * Rotation with `keepers` (example below) only happens when the program is actually run; the rotation resource
 *   on its own changes nothing.
 *
 * NOTE(review): the type arguments on `pulumi.Input` / `pulumi.Output` in this copy of the declaration file appear
 * to have been stripped during extraction (e.g. a bare `pulumi.Output` where the SDK would carry a type parameter);
 * the value shape of each field is described in its comment instead. Verify against the installed package.
 *
 * * [API documentation](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys)
 * * How-to Guides
 *     * [Official Documentation](https://cloud.google.com/iam/docs/creating-managing-service-account-keys)
 *
 * ## Example Usage
 *
 * ### Creating A New Key
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const myaccount = new gcp.serviceaccount.Account("myaccount", {
 *     accountId: "myaccount",
 *     displayName: "My Service Account",
 * });
 * // Requests the public half as an X.509 PEM; the private half is still generated by Google and returned in
 * // `mykey.privateKey`, so the state-protection caveats above apply.
 * const mykey = new gcp.serviceaccount.Key("mykey", {
 *     serviceAccountId: myaccount.name,
 *     publicKeyType: "TYPE_X509_PEM_FILE",
 * });
 * ```
 *
 * ### Creating And Regularly Rotating A Key
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 * import * as time from "@pulumiverse/time";
 *
 * const myaccount = new gcp.serviceaccount.Account("myaccount", {
 *     accountId: "myaccount",
 *     displayName: "My Service Account",
 * });
 * // Rotation is driven by the `keepers` value changing, which only happens when this program is run; schedule
 * // `pulumi up` at least as often as `rotationDays` or the key will outlive the intended 30-day window.
 * // Consumers of the old key must receive the new credential when the key is regenerated — plan for that
 * // distribution step, since it is not handled here.
 * const mykeyRotation = new time.Rotating("mykey_rotation", {rotationDays: 30});
 * const mykey = new gcp.serviceaccount.Key("mykey", {
 *     serviceAccountId: myaccount.name,
 *     keepers: {
 *         rotation_time: mykeyRotation.rotationRfc3339,
 *     },
 * });
 * ```
 *
 * ### Save Key In Kubernetes Secret - DEPRECATED
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 * import * as kubernetes from "@pulumi/kubernetes";
 * import * as std from "@pulumi/std";
 *
 * // Workload Identity is the recommended way of accessing Google Cloud APIs from pods.
 * // https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
 * // NOTE(review): a key stored this way is readable by anyone who can read Secrets in that namespace, and the
 * // same value also lives in the stack state — two copies of a long-lived credential that must be protected.
 * // NOTE(review): a Kubernetes `Secret.data` value is normally expected to be base64-encoded, while `privateKey`
 * // is already base64 (see the field docs); decoding it before placing it in `data` looks inconsistent — confirm
 * // against the kubernetes provider's contract (or use `stringData` for plaintext) before copying this example.
 * // NOTE(review): `kubernetes.index.Secret` and the array-valued `metadata` look like conversion artifacts of the
 * // upstream example; verify the resource path and that `metadata` is an object before reuse.
 * const myaccount = new gcp.serviceaccount.Account("myaccount", {
 *     accountId: "myaccount",
 *     displayName: "My Service Account",
 * });
 * const mykey = new gcp.serviceaccount.Key("mykey", {serviceAccountId: myaccount.name});
 * const google_application_credentials = new kubernetes.index.Secret("google-application-credentials", {
 *     metadata: [{
 *         name: "google-application-credentials",
 *     }],
 *     data: {
 *         "credentials.json": std.base64decodeOutput({
 *             input: mykey.privateKey,
 *         }).result,
 *     },
 * });
 * ```
 *
 * ## Import
 *
 * This resource does not support import. (The private key is only returned at creation time, so an existing key
 * could not be brought under management with its credential anyway.)
 */
export declare class Key extends pulumi.CustomResource {
    /**
     * Get an existing Key resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * Because `privateKey` is only populated when a key is created, a lookup cannot recover the credential of an
     * existing key; any `privateKey` passed via `state` is caller-supplied and will be persisted in stack state.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input, state?: KeyState, opts?: pulumi.CustomResourceOptions): Key;
    /**
     * Returns true if the given object is an instance of Key. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is Key;
    /**
     * Arbitrary map of values that, when changed, will trigger a new key to be generated.
     * This is the rotation hook: feed it a value that changes on your rotation schedule (see the example above).
     */
    readonly keepers: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm.
     * Valid values are listed at
     * [ServiceAccountPrivateKeyType](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)
     * (only used on create)
     */
    readonly keyAlgorithm: pulumi.Output;
    /**
     * The name used for this key pair
     */
    readonly name: pulumi.Output;
    /**
     * The private key in JSON format, base64 encoded. This is what you normally get as a file when creating
     * service account keys through the CLI or web console. This is only populated when creating a new key.
     *
     * SENSITIVE: this is the bearer credential for the service account. It is stored in stack state and is
     * emitted to wherever this output is exported or logged. Do not write it to source control, build logs or
     * unencrypted configuration. NOTE(review): confirm the provider marks this output as a secret; if it does not,
     * wrap it with `pulumi.secret(...)` before use.
     */
    readonly privateKey: pulumi.Output;
    /**
     * The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
     */
    readonly privateKeyType: pulumi.Output;
    /**
     * The public key, base64 encoded
     */
    readonly publicKey: pulumi.Output;
    /**
     * Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with `publicKeyType` and `privateKeyType`.
     *
     * Supplying your own public key means the private half is generated and kept by you and never transits
     * Google or the stack state — the preferred option when a key is unavoidable. NOTE(review): in that mode
     * `privateKey` is presumably not populated (it is documented as set only when a new key is created); confirm.
     */
    readonly publicKeyData: pulumi.Output;
    /**
     * The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
     */
    readonly publicKeyType: pulumi.Output;
    /**
     * The Service account id of the Key. This can be a string in the format
     * `{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. If the `{ACCOUNT}`-only syntax is used, either
     * the **full** email address of the service account or its name can be specified as a value, in which case the project will
     * automatically be inferred from the account. Otherwise, if the `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`
     * syntax is used, the `{ACCOUNT}` specified can be the full email address of the service account or the service account's
     * unique id. Substituting `-` as a wildcard for the `{PROJECT_ID}` will infer the project from the account.
     */
    readonly serviceAccountId: pulumi.Output;
    /**
     * The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds.
     * Example: "2014-10-02T15:01:23.045123456Z".
     */
    readonly validAfter: pulumi.Output;
    /**
     * The key can be used before this timestamp.
     * A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
     *
     * This is the hard expiry reported by Google, not a rotation schedule; do not rely on it in place of `keepers`.
     */
    readonly validBefore: pulumi.Output;
    /**
     * Create a Key resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: KeyArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering Key resources.
 *
 * Every field is optional because this shape describes state to match on during `Key.get`; values given here
 * (including `privateKey`) end up in stack state.
 */
export interface KeyState {
    /**
     * Arbitrary map of values that, when changed, will trigger a new key to be generated.
     */
    keepers?: pulumi.Input<{
        [key: string]: pulumi.Input;
    }>;
    /**
     * The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm.
     * Valid values are listed at
     * [ServiceAccountPrivateKeyType](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)
     * (only used on create)
     */
    keyAlgorithm?: pulumi.Input;
    /**
     * The name used for this key pair
     */
    name?: pulumi.Input;
    /**
     * The private key in JSON format, base64 encoded. This is what you normally get as a file when creating
     * service account keys through the CLI or web console. This is only populated when creating a new key.
     *
     * SENSITIVE: supplying a value here stores a live credential in stack state. A lookup cannot recover a key
     * Google no longer returns, so this is rarely useful outside of state matching.
     */
    privateKey?: pulumi.Input;
    /**
     * The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
     */
    privateKeyType?: pulumi.Input;
    /**
     * The public key, base64 encoded
     */
    publicKey?: pulumi.Input;
    /**
     * Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with `publicKeyType` and `privateKeyType`.
     */
    publicKeyData?: pulumi.Input;
    /**
     * The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
     */
    publicKeyType?: pulumi.Input;
    /**
     * The Service account id of the Key. This can be a string in the format
     * `{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. If the `{ACCOUNT}`-only syntax is used, either
     * the **full** email address of the service account or its name can be specified as a value, in which case the project will
     * automatically be inferred from the account. Otherwise, if the `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`
     * syntax is used, the `{ACCOUNT}` specified can be the full email address of the service account or the service account's
     * unique id. Substituting `-` as a wildcard for the `{PROJECT_ID}` will infer the project from the account.
     */
    serviceAccountId?: pulumi.Input;
    /**
     * The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
     */
    validAfter?: pulumi.Input;
    /**
     * The key can be used before this timestamp.
     * A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
     */
    validBefore?: pulumi.Input;
}

/**
 * The set of arguments for constructing a Key resource.
 *
 * Only `serviceAccountId` is required. Decide up front between letting Google generate the key pair (the default;
 * the private key comes back via `privateKey` and into stack state) and uploading your own public key with
 * `publicKeyData` (the private half never leaves your custody). The two modes conflict — see `publicKeyData`.
 */
export interface KeyArgs {
    /**
     * Arbitrary map of values that, when changed, will trigger a new key to be generated.
     * Use a value that changes on your rotation schedule to force periodic key replacement.
     */
    keepers?: pulumi.Input<{
        [key: string]: pulumi.Input;
    }>;
    /**
     * The algorithm used to generate the key. KEY_ALG_RSA_2048 is the default algorithm.
     * Valid values are listed at
     * [ServiceAccountPrivateKeyType](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)
     * (only used on create)
     */
    keyAlgorithm?: pulumi.Input;
    /**
     * The output format of the private key. TYPE_GOOGLE_CREDENTIALS_FILE is the default output format.
     */
    privateKeyType?: pulumi.Input;
    /**
     * Public key data to create a service account key for given service account. The expected format for this field is a base64 encoded X509_PEM and it conflicts with `publicKeyType` and `privateKeyType`.
     *
     * Preferred when a key is unavoidable: the private half stays with the caller and is not returned by Google,
     * so it does not land in stack state.
     */
    publicKeyData?: pulumi.Input;
    /**
     * The output format of the public key requested. TYPE_X509_PEM_FILE is the default output format.
     */
    publicKeyType?: pulumi.Input;
    /**
     * The Service account id of the Key. This can be a string in the format
     * `{ACCOUNT}` or `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`. If the `{ACCOUNT}`-only syntax is used, either
     * the **full** email address of the service account or its name can be specified as a value, in which case the project will
     * automatically be inferred from the account. Otherwise, if the `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`
     * syntax is used, the `{ACCOUNT}` specified can be the full email address of the service account or the service account's
     * unique id. Substituting `-` as a wildcard for the `{PROJECT_ID}` will infer the project from the account.
     */
    serviceAccountId: pulumi.Input;
}