Hi,
I am trying to figure out an automated way to rotate the service account key on a daily basis and an hourly basis.
I came to know from this document that Terraform supports key rotation.
However, when I try the example below, I get an error.
```hcl
resource "google_service_account" "myaccount" {
  account_id   = "myaccount"
  display_name = "My Service Account"
}

# note this requires the terraform to be run regularly
resource "time_rotating" "mykey_rotation" {
  rotation_days = 30
}

resource "google_service_account_key" "mykey" {
  service_account_id = google_service_account.myaccount.name

  keepers = {
    rotation_time = time_rotating.mykey_rotation.rotation_rfc3339
  }
}
```
The error I am getting is -
```
Error: Unsupported argument
on service_accounts.tf line 29, in resource "google_service_account_key" "mykey":
29: keepers = {
An argument named "keepers" is not expected here.
```
Below are the versions I am using for this -
- "google" (hashicorp/google) 3.41.0
- "template" (hashicorp/template) 2.2.0
- "time" (hashicorp/time) 0.6.0
I have a few questions on this.
- Why am I getting this error?
- If Terraform supports Google service account key rotation, then what is the minimum feasible duration for the rotation? Is it a day, an hour or a minute?
- When a key has been generated using Terraform, how can someone download or get the generated primary key?
Thank you !!