IAMServiceAccountKey

Property	Value
Google Cloud Service Name	Cloud IAM
Google Cloud Service Documentation	/iam/docs/
Google Cloud REST Resource Name	v1.projects.serviceAccounts.key
Google Cloud REST Resource Documentation	/iam/reference/rest/v1/projects.serviceAccounts.keys
Config Connector Resource Short Names	gcpiamserviceaccountkey gcpiamserviceaccountkeys iamserviceaccountkey
Config Connector Service Name	iam.googleapis.com
Config Connector Resource Fully Qualified Name	iamserviceaccountkeys.iam.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember	No

When creating an IAMServiceAccountKey object, Config Connector automatically imports the key's credentials as a secret. The name and namespace of the auto-imported secret are the same as the IAMServiceAccountKey object. Secrets can be mounted as data volumes or be exposed as environment variables to be used by a container in a pod. To disable the secret auto-importing behavior, apply the following annotation to the IAMServiceAccountKey object YAML manifest.

...
metadata:
  annotations:
    cnrm.cloud.google.com/create-gsa-key-secret: false
...

Custom Resource Definition Properties

Spec

Schema

  keyAlgorithm: string
  privateKeyType: string
  publicKeyData: string
  publicKeyType: string
  serviceAccountRef:
    external: string
    name: string
    namespace: string

Fields

Fields
`keyAlgorithm` Optional	`string` Immutable. The algorithm used to generate the key, used only on create. KEY_ALG_RSA_2048 is the default algorithm. Valid values are: "KEY_ALG_RSA_1024", "KEY_ALG_RSA_2048".
`privateKeyType` Optional	`string` Immutable.
`publicKeyData` Optional	`string` Immutable. A field that allows clients to upload their own public key. If set, use this public key data to create a service account key for given service account. Please note, the expected format for this field is a base64 encoded X509_PEM.
`publicKeyType` Optional	`string` Immutable.
`serviceAccountRef` Required	`object`
`serviceAccountRef.external` Optional	`string` The email of an IAMServiceAccount.
`serviceAccountRef.name` Optional	`string` Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
`serviceAccountRef.namespace` Optional	`string` Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

keyAlgorithm

Optional

string

Immutable. The algorithm used to generate the key, used only on create. KEY_ALG_RSA_2048 is the default algorithm. Valid values are: "KEY_ALG_RSA_1024", "KEY_ALG_RSA_2048".

privateKeyType

Optional

string

Immutable.

publicKeyData

Optional

string

Immutable. A field that allows clients to upload their own public key. If set, use this public key data to create a service account key for given service account. Please note, the expected format for this field is a base64 encoded X509_PEM.

publicKeyType

Optional

string

Immutable.

serviceAccountRef

Required

object

serviceAccountRef.external

Optional

string

The email of an IAMServiceAccount.

serviceAccountRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

serviceAccountRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

Status

Schema

  conditions:
  - lastTransitionTime: string
    message: string
    reason: string
    status: string
    type: string
  name: string
  privateKey: string
  publicKey: string
  validAfter: string
  validBefore: string

Fields
`conditions`	`list (object)` Conditions represents the latest available observation of the resource's current state.
`conditions.[]`	`object`
`conditions.[].lastTransitionTime`	`string` Last time the condition transitioned from one status to another.
`conditions.[].message`	`string` Human-readable message indicating details about last transition.
`conditions.[].reason`	`string` Unique, one-word, CamelCase reason for the condition's last transition.
`conditions.[].status`	`string` Status is the status of the condition. Can be True, False, Unknown.
`conditions.[].type`	`string` Type is the type of the condition.
`name`	`string` Immutable. The name used for this key pair
`privateKey`	`string` The private key in JSON format, base64 encoded. This is what you normally get as a file when creating service account keys through the CLI or web console. This is only populated when creating a new key.
`publicKey`	`string` Immutable. The public key, base64 encoded
`validAfter`	`string` The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
`validBefore`	`string` The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

Sample YAML(s)

Typical Use Case

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccountKey
  metadata:
    name: iamserviceaccountkey-sample
    labels:
      label-one: "value-one"
  spec:
    publicKeyType: TYPE_X509_PEM_FILE
    keyAlgorithm: KEY_ALG_RSA_2048
    privateKeyType: TYPE_GOOGLE_CREDENTIALS_FILE
    serviceAccountRef:
      name: iamserviceaccountkey-dep
  ---
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMServiceAccount
  metadata:
    name: iamserviceaccountkey-dep