service_account_keys

Creates, updates, deletes, gets or lists a service_account_keys resource.

Overview

Name: service_account_keys
Type: Resource
Id: google.iam.service_account_keys

Fields

| Name | Datatype | Description |
|---|---|---|
| name | string | The resource name of the service account key in the following format projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}. |
| disableReason | string | Output only. optional. If the key is disabled, it may have a DisableReason describing why it was disabled. |
| disabled | boolean | The key status. |
| extendedStatus | array | Output only. Extended Status provides permanent information about a service account key. For example, if this key was detected as exposed or compromised, that information will remain for the lifetime of the key in the extended_status. |
| keyAlgorithm | string | Specifies the algorithm (and possibly key size) for the key. |
| keyOrigin | string | The key origin. |
| keyType | string | The key type. |
| privateKeyData | string | The private key data. Only provided in CreateServiceAccountKey responses. Make sure to keep the private key data secure because it allows for the assertion of the service account identity. When base64 decoded, the private key data can be used to authenticate with Google API client libraries and with gcloud auth activate-service-account. |
| privateKeyType | string | The output format for the private key. Only provided in CreateServiceAccountKey responses, not in GetServiceAccountKey or ListServiceAccountKey responses. Google never exposes system-managed private keys, and never retains user-managed private keys. |
| publicKeyData | string | The public key data. Only provided in GetServiceAccountKey responses. |
| validAfterTime | string | The key can be used after this timestamp. |
| validBeforeTime | string | The key can be used before this timestamp. For system-managed key pairs, this timestamp is the end time for the private key signing operation. The public key could still be used for verification for a few hours after this time. |

Methods

| Name | Accessible by | Required Params | Description |
|---|---|---|---|
| get | SELECT | keysId, projectsId, serviceAccountsId | Gets a ServiceAccountKey. |
| list | SELECT | projectsId, serviceAccountsId | Lists every ServiceAccountKey for a service account. |
| create | INSERT | projectsId, serviceAccountsId | Creates a ServiceAccountKey. |
| delete | DELETE | keysId, projectsId, serviceAccountsId | Deletes a ServiceAccountKey. Deleting a service account key does not revoke short-lived credentials that have been issued based on the service account key. |
| disable | EXEC | keysId, projectsId, serviceAccountsId | Disable a ServiceAccountKey. A disabled service account key can be re-enabled with EnableServiceAccountKey. |
| enable | EXEC | keysId, projectsId, serviceAccountsId | Enable a ServiceAccountKey. |
| upload | EXEC | projectsId, serviceAccountsId | Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount. After you upload the public key, you can use the private key from the key pair as a service account key. |

SELECT examples

Lists every ServiceAccountKey for a service account.

    SELECT
        name,
        disableReason,
        disabled,
        extendedStatus,
        keyAlgorithm,
        keyOrigin,
        keyType,
        privateKeyData,
        privateKeyType,
        publicKeyData,
        validAfterTime,
        validBeforeTime
    FROM google.iam.service_account_keys
    WHERE projectsId = '{{ projectsId }}'
    AND serviceAccountsId = '{{ serviceAccountsId }}';
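
The following Python sketch is an added example, not part of the StackQL documentation: it audits rows shaped like the output of the list query above, using the field names from the Fields table. The 90-day policy, the sample rows, and the handling of extendedStatus as either a list or a JSON-encoded string are assumptions; `USER_MANAGED` is a keyType value from the Google IAM API, not from this page.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # assumed rotation policy, not from the page

def _ts(value):
    """Parse an RFC 3339 timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_key(row, now):
    """Return the list of findings for one service_account_keys row."""
    findings = []
    status = row.get("extendedStatus") or []
    if isinstance(status, str):  # assumption: array may arrive JSON-encoded
        status = json.loads(status)
    if status:  # permanent marker, e.g. key detected as exposed or compromised
        findings.append("extended-status-set")
    if row.get("disabled"):
        findings.append("disabled:" + (row.get("disableReason") or "no-reason"))
    # Only user-managed keys have private key material held outside Google.
    if row.get("keyType") == "USER_MANAGED":
        if now - _ts(row["validAfterTime"]) > MAX_AGE:
            findings.append("older-than-policy")
        if _ts(row["validBeforeTime"]) - now > MAX_AGE:
            findings.append("expires-beyond-policy")
    return findings

def audit(rows, now=None):
    """Map key name -> findings, omitting keys with no findings."""
    now = now or datetime.now(timezone.utc)
    report = {row["name"]: audit_key(row, now) for row in rows}
    return {name: f for name, f in report.items() if f}

# Constructed sample rows and reference time (not real keys).
_SA = "projects/example-project/serviceAccounts/example-sa/keys/"
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"name": _SA + "key-a", "keyType": "USER_MANAGED", "disabled": False,
     "extendedStatus": [], "validAfterTime": "2023-01-01T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": _SA + "key-b", "keyType": "SYSTEM_MANAGED", "disabled": False,
     "extendedStatus": "[]", "validAfterTime": "2024-05-25T00:00:00Z",
     "validBeforeTime": "2024-06-10T00:00:00Z"},
    {"name": _SA + "key-c", "keyType": "USER_MANAGED", "disabled": True,
     "disableReason": "EXAMPLE_REASON",
     "extendedStatus": '[{"key": "EXAMPLE_STATUS", "value": "constructed"}]',
     "validAfterTime": "2024-05-01T00:00:00Z",
     "validBeforeTime": "2024-07-30T00:00:00Z"},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ROWS, SAMPLE_NOW).items():
        print(name, findings)
```

Keys flagged with a non-empty extendedStatus are candidates for the delete method; per the Methods table, deleting a key does not revoke short-lived credentials already issued from it.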

INSERT example

Use the following StackQL query and manifest file to create a new service_account_keys resource.

    /*+ create */
    INSERT INTO google.iam.service_account_keys (
        projectsId,
        serviceAccountsId,
        privateKeyType,
        keyAlgorithm
    )
    SELECT
        '{{ projectsId }}',
        '{{ serviceAccountsId }}',
        '{{ privateKeyType }}',
        '{{ keyAlgorithm }}'
    ;

DELETE example

Deletes the specified service_account_keys resource.

    /*+ delete */
    DELETE FROM google.iam.service_account_keys
    WHERE keysId = '{{ keysId }}'
    AND projectsId = '{{ projectsId }}'
    AND serviceAccountsId = '{{ serviceAccountsId }}';