Google Cloud Platform Key

This page shows how to write Terraform for a Google Cloud Platform service account key (google_service_account_key) and how to configure it securely.

google_service_account_key (Terraform)

A service account key in Cloud Platform is configured in Terraform with the resource name google_service_account_key. The following sections give two examples of how to use the resource and describe its parameters.

Example Usage from GitHub

service_account.tf#L21
resource "google_service_account_key" "airbyte_sa_key" {
  service_account_id = google_service_account.airbyte_sa.name
  public_key_type    = "TYPE_X509_PEM_FILE"
  depends_on = [
    google_project.data_project,
  ]
}

serviceaccount.tf#L6
resource "google_service_account_key" "traefik" {
  service_account_id = google_service_account.traefik.name
  public_key_type    = "TYPE_X509_PEM_FILE"
}

Both examples let Google generate the key pair, which means the private key is returned to Terraform and written into the state file; anyone who can read the state can impersonate the service account.
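The alternative to letting Google generate the key is to create the key pair locally and upload only the public certificate through public_key_data, so the private key never enters the Terraform state. The following is an added example, not code from either repository above; the service account name, the certificate file name and the certificate subject are assumptions.

```hcl
# Added example (not from the repositories above). The key pair is generated
# outside Terraform; only the public certificate is read here. Assumed command:
#
#   openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
#     -keyout sa-private-key.pem -out sa-public-cert.pem -subj "/CN=unused"
#
# sa-private-key.pem stays on the machine that needs it and is never uploaded.

resource "google_service_account" "uploader" {
  account_id   = "uploader"                              # assumed name
  display_name = "Key pair generated outside Terraform"  # assumed
}

resource "google_service_account_key" "uploader" {
  service_account_id = google_service_account.uploader.name

  # The provider expects the base64-encoded X.509 PEM certificate.
  # Every argument of this resource forces replacement, so pointing this at a
  # newly generated certificate revokes the old key and registers the new one.
  public_key_data = filebase64("${path.module}/sa-public-cert.pem")
}

# Google never receives the private key, so private_key is not populated for
# an uploaded key. Only the key ID is useful to export; it is needed when the
# client assembles its credentials file from the local PEM.
output "uploader_key_name" {
  value = google_service_account_key.uploader.name
}
```

Clients then build the credentials JSON themselves (service account e-mail, the key ID from the output above, and the local PEM private key); the state file contains only public material.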

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

  • id optional computed - string
  • keepers optional - map from string to string

Arbitrary map of values that, when changed, will trigger recreation of resource. Referencing a time_rotating resource here is the usual way to enforce periodic rotation.

  • key_algorithm optional - string

The algorithm used to generate the key, used only on create. KEY_ALG_RSA_2048 is the default algorithm. Valid values are: "KEY_ALG_RSA_1024", "KEY_ALG_RSA_2048". Keep the default; 1024-bit RSA is below the current minimum key-size recommendations and should not be used for new keys.

  • name optional computed - string

The name used for this key pair

  • private_key optional computed - string

The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key. It is stored in plaintext in the Terraform state, so the state backend must be protected like any other secret store and this value should never be exposed through an output.

  • public_key optional computed - string

The public key, base64 encoded

  • public_key_data optional - string

A field that allows clients to upload their own public key. If set, use this public key data to create a service account key for given service account. Please note, the expected format for this field is a base64 encoded X509_PEM.

  • public_key_type optional - string

The output format of the public key. Defaults to "TYPE_X509_PEM_FILE"; "TYPE_NONE" and "TYPE_RAW_PUBLIC_KEY" are also accepted.

  • service_account_id required - string

The ID of the parent service account of the key. This can be a string in the format [ACCOUNT] or projects/[PROJECT_ID]/serviceAccounts/[ACCOUNT], where [ACCOUNT] is the email address or unique id of the service account. If the [ACCOUNT] syntax is used, the project will be inferred from the account.

  • valid_after optional computed - string

The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

  • valid_before optional computed - string

The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
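A configuration that sets the parameters above deliberately, rotates the key on a schedule with the hashicorp/time provider, and hands the credentials to consumers through Secret Manager instead of an output or a file on disk. This is an added example, not code from the page or from the provider documentation; the resource names, the 90-day interval and the secret ID are assumptions.

```hcl
# Added example (not from the page). Names, interval and secret ID are assumed.

terraform {
  required_providers {
    google = { source = "hashicorp/google" }
    time   = { source = "hashicorp/time" }
  }
}

resource "google_service_account" "etl" {
  account_id   = "etl-runner"                         # assumed
  display_name = "ETL runner (key rotated every 90 days)"
}

# rotation_rfc3339 changes every 90 days; referencing it in keepers forces a
# new key on the next apply after that point and destroys the old one.
resource "time_rotating" "etl_key" {
  rotation_days = 90
}

resource "google_service_account_key" "etl" {
  service_account_id = google_service_account.etl.name
  key_algorithm      = "KEY_ALG_RSA_2048" # the default, stated explicitly; never KEY_ALG_RSA_1024
  keepers = {
    rotation_time = time_rotating.etl_key.rotation_rfc3339
  }
}

# Consumers read the credentials JSON from Secret Manager under IAM control
# rather than from the Terraform state or an output.
resource "google_secret_manager_secret" "etl_key" {
  secret_id = "etl-runner-sa-key" # assumed
  replication {
    auto {} # google provider >= 5; older releases use "automatic = true"
  }
}

resource "google_secret_manager_secret_version" "etl_key" {
  secret      = google_secret_manager_secret.etl_key.id
  secret_data = base64decode(google_service_account_key.etl.private_key)
}

# Expose only metadata for monitoring; the private key itself is never output.
output "etl_key_valid_before" {
  value = google_service_account_key.etl.valid_before
}
```

Two caveats a practitioner should keep in mind: rotation only happens when terraform apply runs after the time_rotating resource has expired, so it must be applied on a schedule, and the old key stops working as soon as it is destroyed, so consumers must re-read the secret rather than cache the credentials indefinitely. The private key still passes through the state file; the Secret Manager copy reduces who needs to read it, it does not remove it from the state.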

Explanation in Terraform Registry

Creates and manages service account keys, which allow the use of a service account outside of Google Cloud. Because the private key is returned as a resource attribute, it ends up in the Terraform state; treat the state as a secret and rotate keys regularly.

  • API documentation
  • How-to Guides
    • Official Documentation

Example Usage, creating a new key pair

resource "google_service_account" "myaccount" {
  account_id   = "myaccount"
  display_name = "My Service Account"
}

resource "google_service_account_key" "mykey" {
  service_account_id = google_service_account.myaccount.name
}

Example Usage, creating and regularly rotating a key (requires the hashicorp/time provider)

resource "time_rotating" "mykey_rotation" {
  rotation_days = 30
}

resource "google_service_account_key" "mykey" {
  service_account_id = google_service_account.myaccount.name
  keepers = {
    rotation_time = time_rotating.mykey_rotation.rotation_rfc3339
  }
}

Example Usage, saving the key in a Kubernetes secret

resource "kubernetes_secret" "google-application-credentials" {
  metadata {
    name = "google-application-credentials"
  }
  data = {
    "credentials.json" = base64decode(google_service_account_key.mykey.private_key)
  }
}

Note that in the last example the decoded credentials are written to the Kubernetes secret and also recorded in the Terraform state for the kubernetes_secret resource; both places need the same access controls as the key itself.

Tips: Best Practices for The Other Google Cloud Platform Resources

In addition to google_service_account_key, Google Cloud Platform has other resources that should be configured with security in mind. Some examples of those resources and precautions follow.

google_project

Ensure project-level default network creation is disabled

It is better to disable the auto-creation of default networks. The default network of a GCP project comes with permissive default firewall rules, leaving the risk of unwanted access to resources in the network.

Review your Google Cloud Platform settings

In addition to the above, there are other security points you should be aware of to make sure that your .tf files are protected; Shisho Cloud checks them for you.

Frequently asked questions

What is Google Cloud Platform Key?

Google Cloud Platform Key is a service account key resource in Google Cloud Platform. Its settings can be written in Terraform as google_service_account_key.

Where can I find the example code for the Google Cloud Platform Key?

For Terraform, the tuanchris/modern-data-stack and ajotaops/terraform source code examples are useful. See the Terraform Example section for further details.


Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.