[edit on GitHub]

Syntax

A google_service_account_key is used to test a Google ServiceAccountKey resource

Examples

google_service_account_keys(project: 'chef-gcp-inspec', service_account: "[email protected]").key_names.each do |sa_key_name|
	describe google_service_account_key(project: 'chef-gcp-inspec', service_account: "[email protected]", name: sa_key_name.split('/').last) do
		it { should exist }
		its('key_type') { should_not cmp 'USER_MANAGED' }
	end
end

Test that a GCP project IAM service account key has the expected key algorithm

describe google_service_account_key(name: "projects/sample-project/serviceAccounts/[email protected]/keys/c6bd986da9fac6d71178db41d1741cbe751a5080" ) do
  its('key_algorithm') { should eq "KEY_ALG_RSA_2048" }
end

Properties

Properties that can be accessed from the google_service_account_key resource:

name

The name of the key.

private_key_type

Output format for the service account key.

Possible values:

• TYPE_UNSPECIFIED
• TYPE_PKCS12_FILE
• TYPE_GOOGLE_CREDENTIALS_FILE

key_algorithm

Specifies the algorithm for the key.

Possible values:

• KEY_ALG_UNSPECIFIED
• KEY_ALG_RSA_1024
• KEY_ALG_RSA_2048

private_key_data

Private key data. Base-64 encoded.

public_key_data

Public key data. Base-64 encoded.

valid_after_time

Key can only be used after this time.

valid_before_time

Key can only be used before this time.

key_type

Specifies the type of the key.

Possible values:

• KEY_TYPE_UNSPECIFIED
• USER_MANAGED
• SYSTEM_MANAGED

service_account

The name of the serviceAccount.

path

The full name of the file that will hold the service account private key. The management of this file will depend on the value of sync_file parameter. File path must be absolute.

GCP Permissions

Ensure the Identity and Access Management (IAM) API is enabled for the current project.