Viewing docs for stackit v0.0.4
published on Friday, Feb 20, 2026 by stackitcloud
published on Friday, Feb 20, 2026 by stackitcloud
Viewing docs for stackit v0.0.4
published on Friday, Feb 20, 2026 by stackitcloud
published on Friday, Feb 20, 2026 by stackitcloud
Service account access token schema.
!> This resource is scheduled for deprecation and will be removed on December 17, 2025. To ensure a smooth transition, please refer to our migration guide at https://docs.stackit.cloud/platform/access-and-identity/service-accounts/migrate-flows/ for detailed instructions and recommendations.
Example Usage
Automatically rotate access tokens
resource "stackit_service_account" "sa" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
name = "sa01"
}
resource "time_rotating" "rotate" {
rotation_days = 80
}
resource "stackit_service_account_access_token" "sa_token" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
service_account_email = stackit_service_account.sa.email
ttl_days = 180
rotate_when_changed = {
rotation = time_rotating.rotate.id
}
}
Create ServiceAccountAccessToken Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ServiceAccountAccessToken(name: string, args: ServiceAccountAccessTokenArgs, opts?: CustomResourceOptions);@overload
def ServiceAccountAccessToken(resource_name: str,
args: ServiceAccountAccessTokenArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ServiceAccountAccessToken(resource_name: str,
opts: Optional[ResourceOptions] = None,
project_id: Optional[str] = None,
service_account_email: Optional[str] = None,
rotate_when_changed: Optional[Mapping[str, str]] = None,
ttl_days: Optional[int] = None)func NewServiceAccountAccessToken(ctx *Context, name string, args ServiceAccountAccessTokenArgs, opts ...ResourceOption) (*ServiceAccountAccessToken, error)public ServiceAccountAccessToken(string name, ServiceAccountAccessTokenArgs args, CustomResourceOptions? opts = null)
public ServiceAccountAccessToken(String name, ServiceAccountAccessTokenArgs args)
public ServiceAccountAccessToken(String name, ServiceAccountAccessTokenArgs args, CustomResourceOptions options)
type: stackit:ServiceAccountAccessToken
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ServiceAccountAccessTokenArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ServiceAccountAccessTokenArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ServiceAccountAccessTokenArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ServiceAccountAccessTokenArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ServiceAccountAccessTokenArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var serviceAccountAccessTokenResource = new Stackit.ServiceAccountAccessToken("serviceAccountAccessTokenResource", new()
{
ProjectId = "string",
ServiceAccountEmail = "string",
RotateWhenChanged =
{
{ "string", "string" },
},
TtlDays = 0,
});
example, err := stackit.NewServiceAccountAccessToken(ctx, "serviceAccountAccessTokenResource", &stackit.ServiceAccountAccessTokenArgs{
ProjectId: pulumi.String("string"),
ServiceAccountEmail: pulumi.String("string"),
RotateWhenChanged: pulumi.StringMap{
"string": pulumi.String("string"),
},
TtlDays: pulumi.Int(0),
})
var serviceAccountAccessTokenResource = new ServiceAccountAccessToken("serviceAccountAccessTokenResource", ServiceAccountAccessTokenArgs.builder()
.projectId("string")
.serviceAccountEmail("string")
.rotateWhenChanged(Map.of("string", "string"))
.ttlDays(0)
.build());
service_account_access_token_resource = stackit.ServiceAccountAccessToken("serviceAccountAccessTokenResource",
project_id="string",
service_account_email="string",
rotate_when_changed={
"string": "string",
},
ttl_days=0)
const serviceAccountAccessTokenResource = new stackit.ServiceAccountAccessToken("serviceAccountAccessTokenResource", {
projectId: "string",
serviceAccountEmail: "string",
rotateWhenChanged: {
string: "string",
},
ttlDays: 0,
});
type: stackit:ServiceAccountAccessToken
properties:
projectId: string
rotateWhenChanged:
string: string
serviceAccountEmail: string
ttlDays: 0
ServiceAccountAccessToken Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ServiceAccountAccessToken resource accepts the following input properties:
- Project
Id string - STACKIT project ID associated with the service account token.
- Service
Account stringEmail - Email address linked to the service account.
- Rotate
When Dictionary<string, string>Changed - A map of arbitrary key/value pairs that will force recreation of the token when they change, enabling token rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
- Ttl
Days int - Specifies the token's validity duration in days. If unspecified, defaults to 90 days.
- Project
Id string - STACKIT project ID associated with the service account token.
- Service
Account stringEmail - Email address linked to the service account.
- Rotate
When map[string]stringChanged - A map of arbitrary key/value pairs that will force recreation of the token when they change, enabling token rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
- Ttl
Days int - Specifies the token's validity duration in days. If unspecified, defaults to 90 days.
- project
Id String - STACKIT project ID associated with the service account token.
- service
Account StringEmail - Email address linked to the service account.
- rotate
When Map<String,String>Changed - A map of arbitrary key/value pairs that will force recreation of the token when they change, enabling token rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
- ttl
Days Integer - Specifies the token's validity duration in days. If unspecified, defaults to 90 days.
- project
Id string - STACKIT project ID associated with the service account token.
- service
Account stringEmail - Email address linked to the service account.
- rotate
When {[key: string]: string}Changed - A map of arbitrary key/value pairs that will force recreation of the token when they change, enabling token rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
- ttl
Days number - Specifies the token's validity duration in days. If unspecified, defaults to 90 days.
- project_
id str - STACKIT project ID associated with the service account token.
- service_
account_ stremail - Email address linked to the service account.
- rotate_
when_ Mapping[str, str]changed - A map of arbitrary key/value pairs that will force recreation of the token when they change, enabling token rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
- ttl_
days int - Specifies the token's validity duration in days. If unspecified, defaults to 90 days.
- project
Id String - STACKIT project ID associated with the service account token.
- service
Account StringEmail - Email address linked to the service account.
- rotate
When Map<String>Changed - A map of arbitrary key/value pairs that will force recreation of the token when they change, enabling token rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
- ttl
Days Number - Specifies the token's validity duration in days. If unspecified, defaults to 90 days.
Outputs
All input properties are implicitly available as output properties. Additionally, the ServiceAccountAccessToken resource produces the following output properties:
- Access
Token stringId - Identifier for the access token linked to the service account.
- Active bool
- Indicate whether the token is currently active or inactive
- Created
At string - Timestamp indicating when the access token was created.
- Id string
- The provider-assigned unique ID for this managed resource.
- Token string
- JWT access token for API authentication. Prefixed by 'Bearer' and should be stored securely as it is irretrievable once lost.
- Valid
Until string - Estimated expiration timestamp of the access token. For precise validity, check the JWT details.
- Access
Token stringId - Identifier for the access token linked to the service account.
- Active bool
- Indicate whether the token is currently active or inactive
- Created
At string - Timestamp indicating when the access token was created.
- Id string
- The provider-assigned unique ID for this managed resource.
- Token string
- JWT access token for API authentication. Prefixed by 'Bearer' and should be stored securely as it is irretrievable once lost.
- Valid
Until string - Estimated expiration timestamp of the access token. For precise validity, check the JWT details.
- access
Token StringId - Identifier for the access token linked to the service account.
- active Boolean
- Indicate whether the token is currently active or inactive
- created
At String - Timestamp indicating when the access token was created.
- id String
- The provider-assigned unique ID for this managed resource.
- token String
- JWT access token for API authentication. Prefixed by 'Bearer' and should be stored securely as it is irretrievable once lost.
- valid
Until String - Estimated expiration timestamp of the access token. For precise validity, check the JWT details.
- access
Token stringId - Identifier for the access token linked to the service account.
- active boolean
- Indicate whether the token is currently active or inactive
- created
At string - Timestamp indicating when the access token was created.
- id string
- The provider-assigned unique ID for this managed resource.
- token string
- JWT access token for API authentication. Prefixed by 'Bearer' and should be stored securely as it is irretrievable once lost.
- valid
Until string - Estimated expiration timestamp of the access token. For precise validity, check the JWT details.
- access_
token_ strid - Identifier for the access token linked to the service account.
- active bool
- Indicate whether the token is currently active or inactive
- created_
at str - Timestamp indicating when the access token was created.
- id str
- The provider-assigned unique ID for this managed resource.
- token str
- JWT access token for API authentication. Prefixed by 'Bearer' and should be stored securely as it is irretrievable once lost.
- valid_
until str - Estimated expiration timestamp of the access token. For precise validity, check the JWT details.
- access
Token StringId - Identifier for the access token linked to the service account.
- active Boolean
- Indicate whether the token is currently active or inactive
- created
At String - Timestamp indicating when the access token was created.
- id String
- The provider-assigned unique ID for this managed resource.
- token String
- JWT access token for API authentication. Prefixed by 'Bearer' and should be stored securely as it is irretrievable once lost.
- valid
Until String - Estimated expiration timestamp of the access token. For precise validity, check the JWT details.
Look up Existing ServiceAccountAccessToken Resource
Get an existing ServiceAccountAccessToken resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ServiceAccountAccessTokenState, opts?: CustomResourceOptions): ServiceAccountAccessToken@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
access_token_id: Optional[str] = None,
active: Optional[bool] = None,
created_at: Optional[str] = None,
project_id: Optional[str] = None,
rotate_when_changed: Optional[Mapping[str, str]] = None,
service_account_email: Optional[str] = None,
token: Optional[str] = None,
ttl_days: Optional[int] = None,
valid_until: Optional[str] = None) -> ServiceAccountAccessTokenfunc GetServiceAccountAccessToken(ctx *Context, name string, id IDInput, state *ServiceAccountAccessTokenState, opts ...ResourceOption) (*ServiceAccountAccessToken, error)public static ServiceAccountAccessToken Get(string name, Input<string> id, ServiceAccountAccessTokenState? state, CustomResourceOptions? opts = null)public static ServiceAccountAccessToken get(String name, Output<String> id, ServiceAccountAccessTokenState state, CustomResourceOptions options)resources: _: type: stackit:ServiceAccountAccessToken get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Access
Token stringId - Identifier for the access token linked to the service account.
- Active bool
- Indicate whether the token is currently active or inactive
- Created
At string - Timestamp indicating when the access token was created.
- Project
Id string - STACKIT project ID associated with the service account token.
- Rotate
When Dictionary<string, string>Changed - A map of arbitrary key/value pairs that will force recreation of the token when they change, enabling token rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
- Service
Account stringEmail - Email address linked to the service account.
- Token string
- JWT access token for API authentication. Prefixed by 'Bearer' and should be stored securely as it is irretrievable once lost.
- Ttl
Days int - Specifies the token's validity duration in days. If unspecified, defaults to 90 days.
- Valid
Until string - Estimated expiration timestamp of the access token. For precise validity, check the JWT details.
- Access
Token stringId - Identifier for the access token linked to the service account.
- Active bool
- Indicate whether the token is currently active or inactive
- Created
At string - Timestamp indicating when the access token was created.
- Project
Id string - STACKIT project ID associated with the service account token.
- Rotate
When map[string]stringChanged - A map of arbitrary key/value pairs that will force recreation of the token when they change, enabling token rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
- Service
Account stringEmail - Email address linked to the service account.
- Token string
- JWT access token for API authentication. Prefixed by 'Bearer' and should be stored securely as it is irretrievable once lost.
- Ttl
Days int - Specifies the token's validity duration in days. If unspecified, defaults to 90 days.
- Valid
Until string - Estimated expiration timestamp of the access token. For precise validity, check the JWT details.
- access
Token StringId - Identifier for the access token linked to the service account.
- active Boolean
- Indicate whether the token is currently active or inactive
- created
At String - Timestamp indicating when the access token was created.
- project
Id String - STACKIT project ID associated with the service account token.
- rotate
When Map<String,String>Changed - A map of arbitrary key/value pairs that will force recreation of the token when they change, enabling token rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
- service
Account StringEmail - Email address linked to the service account.
- token String
- JWT access token for API authentication. Prefixed by 'Bearer' and should be stored securely as it is irretrievable once lost.
- ttl
Days Integer - Specifies the token's validity duration in days. If unspecified, defaults to 90 days.
- valid
Until String - Estimated expiration timestamp of the access token. For precise validity, check the JWT details.
- access
Token stringId - Identifier for the access token linked to the service account.
- active boolean
- Indicate whether the token is currently active or inactive
- created
At string - Timestamp indicating when the access token was created.
- project
Id string - STACKIT project ID associated with the service account token.
- rotate
When {[key: string]: string}Changed - A map of arbitrary key/value pairs that will force recreation of the token when they change, enabling token rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
- service
Account stringEmail - Email address linked to the service account.
- token string
- JWT access token for API authentication. Prefixed by 'Bearer' and should be stored securely as it is irretrievable once lost.
- ttl
Days number - Specifies the token's validity duration in days. If unspecified, defaults to 90 days.
- valid
Until string - Estimated expiration timestamp of the access token. For precise validity, check the JWT details.
- access_
token_ strid - Identifier for the access token linked to the service account.
- active bool
- Indicate whether the token is currently active or inactive
- created_
at str - Timestamp indicating when the access token was created.
- project_
id str - STACKIT project ID associated with the service account token.
- rotate_
when_ Mapping[str, str]changed - A map of arbitrary key/value pairs that will force recreation of the token when they change, enabling token rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
- service_
account_ stremail - Email address linked to the service account.
- token str
- JWT access token for API authentication. Prefixed by 'Bearer' and should be stored securely as it is irretrievable once lost.
- ttl_
days int - Specifies the token's validity duration in days. If unspecified, defaults to 90 days.
- valid_
until str - Estimated expiration timestamp of the access token. For precise validity, check the JWT details.
- access
Token StringId - Identifier for the access token linked to the service account.
- active Boolean
- Indicate whether the token is currently active or inactive
- created
At String - Timestamp indicating when the access token was created.
- project
Id String - STACKIT project ID associated with the service account token.
- rotate
When Map<String>Changed - A map of arbitrary key/value pairs that will force recreation of the token when they change, enabling token rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
- service
Account StringEmail - Email address linked to the service account.
- token String
- JWT access token for API authentication. Prefixed by 'Bearer' and should be stored securely as it is irretrievable once lost.
- ttl
Days Number - Specifies the token's validity duration in days. If unspecified, defaults to 90 days.
- valid
Until String - Estimated expiration timestamp of the access token. For precise validity, check the JWT details.
Package Details
- Repository
- stackit stackitcloud/pulumi-stackit
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
stackitTerraform Provider.
Viewing docs for stackit v0.0.4
published on Friday, Feb 20, 2026 by stackitcloud
published on Friday, Feb 20, 2026 by stackitcloud
