Terraform Google Service Account Key Rotation


I am trying to figure out an automated way to rotate the service account key on daily basis and hourly basis.
I get to know that terraform supports key rotation from this document.
However, when I am trying below example, I am getting an error.

resource "google_service_account" "myaccount" {
  account_id   = "myaccount"
  display_name = "My Service Account"

# note this requires the terraform to be run regularly
resource "time_rotating" "mykey_rotation" {
  rotation_days = 30

resource "google_service_account_key" "mykey" {
  service_account_id = google_service_account.myaccount.name

  keepers = {
    rotation_time = time_rotating.mykey_rotation.rotation_rfc3339

The error I am getting is -

Error: Unsupported argument
on service_accounts.tf line 29, in resource “google_service_account_key” “mykey”:
29: keepers = {
An argument named “keepers” is not expected here.

Below are the versions I am using for this -

“google” (hashicorp/google) 3.41.0
“template” (hashicorp/template) 2.2.0
“time” (hashicorp/time) 0.6.0

On this I have few questions.

  1. Why I am getting this error?
  2. If Terraform supports google service account key rotation then what is the minimum feasible duration for the rotation? Is it day, hour or minute?
  3. When a key has generated by using terraform, how can someone download or get the generated primary key?

Thank you !!

You should use Google 3.53.0. In that version keeper was released hashicorp/terraform-provider-google v3.53.0 on GitHub