IAMServiceAccountKey
| Property | Value |
|---|---|
| Google Cloud Service Name | IAM |
| Google Cloud Service Documentation | /iam/docs/ |
| Google Cloud REST Resource Name | v1.projects.serviceAccounts.key |
| Google Cloud REST Resource Documentation | /iam/reference/rest/v1/projects.serviceAccounts.keys |
| Config Connector Resource Short Names | gcpiamserviceaccountkey gcpiamserviceaccountkeys iamserviceaccountkey |
| Config Connector Service Name | iam.googleapis.com |
| Config Connector Resource Fully Qualified Name | iamserviceaccountkeys.iam.cnrm.cloud.google.com |
| Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
| Config Connector Default Average Reconcile Interval In Seconds | 600 |
When creating an IAMServiceAccountKey object, Config Connector automatically imports the key's credentials as a secret. The name and namespace of the auto-imported secret are the same as the IAMServiceAccountKey object. Secrets can be mounted as data volumes or be exposed as environment variables to be used by a container in a pod. To disable the secret auto-importing behavior, apply the following annotation to the IAMServiceAccountKey object YAML manifest.
...
metadata:
annotations:
cnrm.cloud.google.com/create-gsa-key-secret: false
...
Custom Resource Definition Properties
Spec
Schema
keyAlgorithm: string
privateKeyType: string
publicKeyData: string
publicKeyType: string
serviceAccountRef:
external: string
name: string
namespace: string
| Fields | |
|---|---|
|
Optional |
Immutable. The algorithm used to generate the key, used only on create. KEY_ALG_RSA_2048 is the default algorithm. Valid values are: "KEY_ALG_RSA_1024", "KEY_ALG_RSA_2048". |
|
Optional |
Immutable. |
|
Optional |
Immutable. A field that allows clients to upload their own public key. If set, use this public key data to create a service account key for given service account. Please note, the expected format for this field is a base64 encoded X509_PEM. |
|
Optional |
Immutable. |
|
Required |
|
|
Optional |
Allowed value: The `email` field of an `IAMServiceAccount` resource. |
|
Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
|
Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
Status
Schema
conditions:
- lastTransitionTime: string
message: string
reason: string
status: string
type: string
name: string
observedGeneration: integer
privateKey: string
publicKey: string
validAfter: string
validBefore: string
| Fields | |
|---|---|
conditions |
Conditions represent the latest available observation of the resource's current state. |
conditions[] |
|
conditions[].lastTransitionTime |
Last time the condition transitioned from one status to another. |
conditions[].message |
Human-readable message indicating details about last transition. |
conditions[].reason |
Unique, one-word, CamelCase reason for the condition's last transition. |
conditions[].status |
Status is the status of the condition. Can be True, False, Unknown. |
conditions[].type |
Type is the type of the condition. |
name |
Immutable. The name used for this key pair. |
observedGeneration |
ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. |
privateKey |
The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key. |
publicKey |
Immutable. The public key, base64 encoded. |
validAfter |
The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z". |
validBefore |
The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z". |
Sample YAML(s)
Typical Use Case
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccountKey
metadata:
name: iamserviceaccountkey-sample
labels:
label-one: "value-one"
spec:
publicKeyType: TYPE_X509_PEM_FILE
keyAlgorithm: KEY_ALG_RSA_2048
privateKeyType: TYPE_GOOGLE_CREDENTIALS_FILE
serviceAccountRef:
name: iamserviceaccountkey-dep
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
name: iamserviceaccountkey-dep