service_account_keys

Creates, updates, deletes, gets or lists a service_account_keys resource.

Overview

Name	`service_account_keys`
Type	Resource
Id	`google.iam.service_account_keys`

Fields

The following fields are returned by SELECT queries:

get
list

Successful response

Name	Datatype	Description
`name`	`string`	The resource name of the service account key in the following format `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
`disableReason`	`string`	Output only. optional. If the key is disabled, it may have a DisableReason describing why it was disabled.
`disabled`	`boolean`	The key status.
`extendedStatus`	`array`	Output only. Extended Status provides permanent information about a service account key. For example, if this key was detected as exposed or compromised, that information will remain for the lifetime of the key in the extended_status.
`keyAlgorithm`	`string`	Specifies the algorithm (and possibly key size) for the key.
`keyOrigin`	`string`	The key origin.
`keyType`	`string`	The key type.
`privateKeyData`	`string (byte)`	The private key data. Only provided in `CreateServiceAccountKey` responses. Make sure to keep the private key data secure because it allows for the assertion of the service account identity. When base64 decoded, the private key data can be used to authenticate with Google API client libraries and with gcloud auth activate-service-account.
`privateKeyType`	`string`	The output format for the private key. Only provided in `CreateServiceAccountKey` responses, not in `GetServiceAccountKey` or `ListServiceAccountKey` responses. Google never exposes system-managed private keys, and never retains user-managed private keys.
`publicKeyData`	`string (byte)`	The public key data. Only provided in `GetServiceAccountKey` responses.
`validAfterTime`	`string (google-datetime)`	The key can be used after this timestamp.
`validBeforeTime`	`string (google-datetime)`	The key can be used before this timestamp. For system-managed key pairs, this timestamp is the end time for the private key signing operation. The public key could still be used for verification for a few hours after this time.

Successful response

Name	Datatype	Description
`name`	`string`	The resource name of the service account key in the following format `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
`disableReason`	`string`	Output only. optional. If the key is disabled, it may have a DisableReason describing why it was disabled.
`disabled`	`boolean`	The key status.
`extendedStatus`	`array`	Output only. Extended Status provides permanent information about a service account key. For example, if this key was detected as exposed or compromised, that information will remain for the lifetime of the key in the extended_status.
`keyAlgorithm`	`string`	Specifies the algorithm (and possibly key size) for the key.
`keyOrigin`	`string`	The key origin.
`keyType`	`string`	The key type.
`privateKeyData`	`string (byte)`	The private key data. Only provided in `CreateServiceAccountKey` responses. Make sure to keep the private key data secure because it allows for the assertion of the service account identity. When base64 decoded, the private key data can be used to authenticate with Google API client libraries and with gcloud auth activate-service-account.
`privateKeyType`	`string`	The output format for the private key. Only provided in `CreateServiceAccountKey` responses, not in `GetServiceAccountKey` or `ListServiceAccountKey` responses. Google never exposes system-managed private keys, and never retains user-managed private keys.
`publicKeyData`	`string (byte)`	The public key data. Only provided in `GetServiceAccountKey` responses.
`validAfterTime`	`string (google-datetime)`	The key can be used after this timestamp.
`validBeforeTime`	`string (google-datetime)`	The key can be used before this timestamp. For system-managed key pairs, this timestamp is the end time for the private key signing operation. The public key could still be used for verification for a few hours after this time.

Methods

The following methods are available for this resource:

Name	Accessible by	Required Params	Optional Params	Description
`get`	`select`	`projectsId`, `serviceAccountsId`, `keysId`	`publicKeyType`	Gets a ServiceAccountKey.
`list`	`select`	`projectsId`, `serviceAccountsId`	`keyTypes`	Lists every ServiceAccountKey for a service account.
`create`	`insert`	`projectsId`, `serviceAccountsId`		Creates a ServiceAccountKey.
`delete`	`delete`	`projectsId`, `serviceAccountsId`, `keysId`		Deletes a ServiceAccountKey. Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.
`upload`	`exec`	`projectsId`, `serviceAccountsId`		Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount. After you upload the public key, you can use the private key from the key pair as a service account key.
`disable`	`exec`	`projectsId`, `serviceAccountsId`, `keysId`		Disable a ServiceAccountKey. A disabled service account key can be re-enabled with EnableServiceAccountKey.
`enable`	`exec`	`projectsId`, `serviceAccountsId`, `keysId`		Enable a ServiceAccountKey.

Parameters

Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.

Name	Datatype	Description
`keysId`	`string`
`projectsId`	`string`
`serviceAccountsId`	`string`
`keyTypes`	`string`
`publicKeyType`	`string`

`SELECT` examples

get
list

Gets a ServiceAccountKey.

SELECT
name,
disableReason,
disabled,
extendedStatus,
keyAlgorithm,
keyOrigin,
keyType,
privateKeyData,
privateKeyType,
publicKeyData,
validAfterTime,
validBeforeTime
FROM google.iam.service_account_keys
WHERE projectsId = '{{ projectsId }}' -- required
AND serviceAccountsId = '{{ serviceAccountsId }}' -- required
AND keysId = '{{ keysId }}' -- required
AND publicKeyType = '{{ publicKeyType }}';

Lists every ServiceAccountKey for a service account.

SELECT
name,
disableReason,
disabled,
extendedStatus,
keyAlgorithm,
keyOrigin,
keyType,
privateKeyData,
privateKeyType,
publicKeyData,
validAfterTime,
validBeforeTime
FROM google.iam.service_account_keys
WHERE projectsId = '{{ projectsId }}' -- required
AND serviceAccountsId = '{{ serviceAccountsId }}' -- required
AND keyTypes = '{{ keyTypes }}';

`INSERT` examples

create
Manifest

Creates a ServiceAccountKey.

INSERT INTO google.iam.service_account_keys (
data__privateKeyType,
data__keyAlgorithm,
projectsId,
serviceAccountsId
)
SELECT 
'{{ privateKeyType }}',
'{{ keyAlgorithm }}',
'{{ projectsId }}',
'{{ serviceAccountsId }}'
RETURNING
name,
disableReason,
disabled,
extendedStatus,
keyAlgorithm,
keyOrigin,
keyType,
privateKeyData,
privateKeyType,
publicKeyData,
validAfterTime,
validBeforeTime
;

# Description fields are for documentation purposes
- name: service_account_keys
  props:
    - name: projectsId
      value: string
      description: Required parameter for the service_account_keys resource.
    - name: serviceAccountsId
      value: string
      description: Required parameter for the service_account_keys resource.
    - name: privateKeyType
      value: string
      description: >
        The output format of the private key. The default value is `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File format.
        
      valid_values: ['TYPE_UNSPECIFIED', 'TYPE_PKCS12_FILE', 'TYPE_GOOGLE_CREDENTIALS_FILE']
    - name: keyAlgorithm
      value: string
      description: >
        Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future.
        
      valid_values: ['KEY_ALG_UNSPECIFIED', 'KEY_ALG_RSA_1024', 'KEY_ALG_RSA_2048']

`DELETE` examples

delete

Deletes a ServiceAccountKey. Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key.

DELETE FROM google.iam.service_account_keys
WHERE projectsId = '{{ projectsId }}' --required
AND serviceAccountsId = '{{ serviceAccountsId }}' --required
AND keysId = '{{ keysId }}' --required;

Lifecycle Methods

upload
disable
enable

Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount. After you upload the public key, you can use the private key from the key pair as a service account key.

EXEC google.iam.service_account_keys.upload 
@projectsId='{{ projectsId }}' --required, 
@serviceAccountsId='{{ serviceAccountsId }}' --required 
@@json=
'{
"publicKeyData": "{{ publicKeyData }}"
}';

Disable a ServiceAccountKey. A disabled service account key can be re-enabled with EnableServiceAccountKey.

EXEC google.iam.service_account_keys.disable 
@projectsId='{{ projectsId }}' --required, 
@serviceAccountsId='{{ serviceAccountsId }}' --required, 
@keysId='{{ keysId }}' --required 
@@json=
'{
"serviceAccountKeyDisableReason": "{{ serviceAccountKeyDisableReason }}", 
"extendedStatusMessage": "{{ extendedStatusMessage }}"
}';

Enable a ServiceAccountKey.

EXEC google.iam.service_account_keys.enable 
@projectsId='{{ projectsId }}' --required, 
@serviceAccountsId='{{ serviceAccountsId }}' --required, 
@keysId='{{ keysId }}' --required;

Overview​

Fields​

Methods​

Parameters​

SELECT examples​

INSERT examples​

DELETE examples​

Lifecycle Methods​