Property | Value |
---|---|
Google Cloud Service Name | Cloud IAM |
Google Cloud Service Documentation | /iam/docs/ |
Google Cloud REST Resource Name | v1.projects.serviceAccounts.key |
Google Cloud REST Resource Documentation | /iam/reference/rest/v1/projects.serviceAccounts.keys |
Config Connector Resource Short Names | gcpiamserviceaccountkey gcpiamserviceaccountkeys iamserviceaccountkey |
Config Connector Service Name | iam.googleapis.com |
Config Connector Resource Fully Qualified Name | iamserviceaccountkeys.iam.cnrm.cloud.google.com |
Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
When creating an IAMServiceAccountKey object, Config Connector automatically imports the key's credentials as a secret. The name and namespace of the auto-imported secret are the same as the IAMServiceAccountKey object. Secrets can be mounted as data volumes or be exposed as environment variables to be used by a container in a pod. To disable the secret auto-importing behavior, apply the following annotation to the IAMServiceAccountKey object YAML manifest.
```yaml
...
metadata:
  annotations:
    # Kubernetes annotation values must be strings, so the boolean is quoted.
    cnrm.cloud.google.com/create-gsa-key-secret: "false"
...
```
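As an added example (not part of the Config Connector documentation), a Pod that consumes the auto-imported Secret. It assumes the IAMServiceAccountKey object is named `iamserviceaccountkey-sample` in the Pod's namespace, so the Secret carries the same name, and that Config Connector stores the credentials file under the Secret's `key.json` data key. The key is mounted as a read-only file and `GOOGLE_APPLICATION_CREDENTIALS` points at it, which is what the Google client libraries read.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: gsa-key-consumer
spec:
  # Run unprivileged; the Secret file is readable only by root and fsGroup.
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
  # The workload authenticates with the GSA key, not the Kubernetes SA token.
  automountServiceAccountToken: false
  containers:
  - name: app
    image: gcr.io/example/app:1.0   # placeholder image, replace with your own
    env:
    # Client libraries load the key file from this path.
    - name: GOOGLE_APPLICATION_CREDENTIALS
      value: /var/run/secrets/gsa/key.json
    volumeMounts:
    - name: gsa-key
      mountPath: /var/run/secrets/gsa
      readOnly: true
  volumes:
  - name: gsa-key
    secret:
      # Same name as the IAMServiceAccountKey object (assumed name).
      secretName: iamserviceaccountkey-sample
      # Assumed data key under which the credentials JSON is stored.
      items:
      - key: key.json
        path: key.json
      # 0440: owner and fsGroup can read, nobody else.
      defaultMode: 0440
```

Mounting the key as a file is preferable to exposing it through an environment variable, since environment variables are visible in process listings, crash dumps and child processes.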
Custom Resource Definition Properties
Spec
Schema
```yaml
keyAlgorithm: string
privateKeyType: string
publicKeyData: string
publicKeyType: string
serviceAccountRef:
  external: string
  name: string
  namespace: string
```
Field | Required | Description
---|---|---
keyAlgorithm | Optional | Immutable. The algorithm used to generate the key, used only on create. KEY_ALG_RSA_2048 is the default algorithm. Valid values are: "KEY_ALG_RSA_1024", "KEY_ALG_RSA_2048".
privateKeyType | Optional | Immutable.
publicKeyData | Optional | Immutable. A field that allows clients to upload their own public key. If set, this public key data is used to create a service account key for the given service account. Note that the expected format for this field is a base64-encoded X509_PEM.
publicKeyType | Optional | Immutable.
serviceAccountRef | Required |
serviceAccountRef.external | Optional | The email of an IAMServiceAccount.
serviceAccountRef.name | Optional | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
serviceAccountRef.namespace | Optional | Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
Status
Schema
```yaml
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
name: string
privateKey: string
publicKey: string
validAfter: string
validBefore: string
```
Field | Description
---|---
conditions | Conditions represents the latest available observation of the resource's current state.
conditions.[] |
conditions.[].lastTransitionTime | Last time the condition transitioned from one status to another.
conditions.[].message | Human-readable message indicating details about the last transition.
conditions.[].reason | Unique, one-word, CamelCase reason for the condition's last transition.
conditions.[].status | Status is the status of the condition. Can be True, False, Unknown.
conditions.[].type | Type is the type of the condition.
name | Immutable. The name used for this key pair.
privateKey | The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
publicKey | Immutable. The public key, base64 encoded.
validAfter | The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
validBefore | The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
Sample YAML(s)
Typical Use Case
```yaml
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccountKey
metadata:
  name: iamserviceaccountkey-sample
  labels:
    label-one: "value-one"
spec:
  publicKeyType: TYPE_X509_PEM_FILE
  keyAlgorithm: KEY_ALG_RSA_2048
  privateKeyType: TYPE_GOOGLE_CREDENTIALS_FILE
  serviceAccountRef:
    name: iamserviceaccountkey-dep
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: iamserviceaccountkey-dep
```