ServiceAccountKey

stackit v0.0.4, Feb 20 26

Viewing docs for stackit v0.0.4
published on Friday, Feb 20, 2026 by stackitcloud

Schema (JSON)

stackitcloud/pulumi-stackit

Viewing docs for stackit v0.0.4
published on Friday, Feb 20, 2026 by stackitcloud

Schema (JSON)

stackitcloud/pulumi-stackit

Example Usage

Automatically rotate service account keys

resource "stackit_service_account" "sa" {
  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  name       = "sa01"
}

resource "time_rotating" "rotate" {
  rotation_days = 80
}

resource "stackit_service_account_key" "sa_key" {
  project_id            = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  service_account_email = stackit_service_account.sa.email
  ttl_days              = 90

  rotate_when_changed = {
    rotation = time_rotating.rotate.id
  }	
}

Create ServiceAccountKey Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new ServiceAccountKey(name: string, args: ServiceAccountKeyArgs, opts?: CustomResourceOptions);

@overload
def ServiceAccountKey(resource_name: str,
                      args: ServiceAccountKeyArgs,
                      opts: Optional[ResourceOptions] = None)

@overload
def ServiceAccountKey(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      project_id: Optional[str] = None,
                      service_account_email: Optional[str] = None,
                      public_key: Optional[str] = None,
                      rotate_when_changed: Optional[Mapping[str, str]] = None,
                      ttl_days: Optional[int] = None)

func NewServiceAccountKey(ctx *Context, name string, args ServiceAccountKeyArgs, opts ...ResourceOption) (*ServiceAccountKey, error)

public ServiceAccountKey(string name, ServiceAccountKeyArgs args, CustomResourceOptions? opts = null)

public ServiceAccountKey(String name, ServiceAccountKeyArgs args)
public ServiceAccountKey(String name, ServiceAccountKeyArgs args, CustomResourceOptions options)

type: stackit:ServiceAccountKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args ServiceAccountKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ServiceAccountKeyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ServiceAccountKeyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ServiceAccountKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ServiceAccountKeyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var serviceAccountKeyResource = new Stackit.ServiceAccountKey("serviceAccountKeyResource", new()
{
    ProjectId = "string",
    ServiceAccountEmail = "string",
    PublicKey = "string",
    RotateWhenChanged = 
    {
        { "string", "string" },
    },
    TtlDays = 0,
});

example, err := stackit.NewServiceAccountKey(ctx, "serviceAccountKeyResource", &stackit.ServiceAccountKeyArgs{
	ProjectId:           pulumi.String("string"),
	ServiceAccountEmail: pulumi.String("string"),
	PublicKey:           pulumi.String("string"),
	RotateWhenChanged: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	TtlDays: pulumi.Int(0),
})

var serviceAccountKeyResource = new ServiceAccountKey("serviceAccountKeyResource", ServiceAccountKeyArgs.builder()
    .projectId("string")
    .serviceAccountEmail("string")
    .publicKey("string")
    .rotateWhenChanged(Map.of("string", "string"))
    .ttlDays(0)
    .build());

service_account_key_resource = stackit.ServiceAccountKey("serviceAccountKeyResource",
    project_id="string",
    service_account_email="string",
    public_key="string",
    rotate_when_changed={
        "string": "string",
    },
    ttl_days=0)

const serviceAccountKeyResource = new stackit.ServiceAccountKey("serviceAccountKeyResource", {
    projectId: "string",
    serviceAccountEmail: "string",
    publicKey: "string",
    rotateWhenChanged: {
        string: "string",
    },
    ttlDays: 0,
});

type: stackit:ServiceAccountKey
properties:
    projectId: string
    publicKey: string
    rotateWhenChanged:
        string: string
    serviceAccountEmail: string
    ttlDays: 0

ServiceAccountKey Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ServiceAccountKey resource accepts the following input properties:

ProjectId string: The STACKIT project ID associated with the service account key.
ServiceAccountEmail string: The email address associated with the service account, used for account identification and communication.
PublicKey string: Specifies the publickey (RSA2048 key-pair). If not provided, a certificate from STACKIT will be used to generate a privatekey.
RotateWhenChanged Dictionary<string, string>: A map of arbitrary key/value pairs designed to force key recreation when they change, facilitating key rotation based on external factors such as a changing timestamp. Modifying this map triggers the creation of a new resource.
TtlDays int: Specifies the key's validity duration in days. If left unspecified, the key is considered valid until it is deleted

ProjectId string: The STACKIT project ID associated with the service account key.
ServiceAccountEmail string: The email address associated with the service account, used for account identification and communication.
PublicKey string: Specifies the publickey (RSA2048 key-pair). If not provided, a certificate from STACKIT will be used to generate a privatekey.
RotateWhenChanged map[string]string: A map of arbitrary key/value pairs designed to force key recreation when they change, facilitating key rotation based on external factors such as a changing timestamp. Modifying this map triggers the creation of a new resource.
TtlDays int: Specifies the key's validity duration in days. If left unspecified, the key is considered valid until it is deleted

projectId String: The STACKIT project ID associated with the service account key.
serviceAccountEmail String: The email address associated with the service account, used for account identification and communication.
publicKey String: Specifies the publickey (RSA2048 key-pair). If not provided, a certificate from STACKIT will be used to generate a privatekey.
rotateWhenChanged Map<String,String>: A map of arbitrary key/value pairs designed to force key recreation when they change, facilitating key rotation based on external factors such as a changing timestamp. Modifying this map triggers the creation of a new resource.
ttlDays Integer: Specifies the key's validity duration in days. If left unspecified, the key is considered valid until it is deleted

projectId string: The STACKIT project ID associated with the service account key.
serviceAccountEmail string: The email address associated with the service account, used for account identification and communication.
publicKey string: Specifies the publickey (RSA2048 key-pair). If not provided, a certificate from STACKIT will be used to generate a privatekey.
rotateWhenChanged {[key: string]: string}: A map of arbitrary key/value pairs designed to force key recreation when they change, facilitating key rotation based on external factors such as a changing timestamp. Modifying this map triggers the creation of a new resource.
ttlDays number: Specifies the key's validity duration in days. If left unspecified, the key is considered valid until it is deleted

project_id str: The STACKIT project ID associated with the service account key.
service_account_email str: The email address associated with the service account, used for account identification and communication.
public_key str: Specifies the publickey (RSA2048 key-pair). If not provided, a certificate from STACKIT will be used to generate a privatekey.
rotate_when_changed Mapping[str, str]: A map of arbitrary key/value pairs designed to force key recreation when they change, facilitating key rotation based on external factors such as a changing timestamp. Modifying this map triggers the creation of a new resource.
ttl_days int: Specifies the key's validity duration in days. If left unspecified, the key is considered valid until it is deleted

projectId String: The STACKIT project ID associated with the service account key.
serviceAccountEmail String: The email address associated with the service account, used for account identification and communication.
publicKey String: Specifies the publickey (RSA2048 key-pair). If not provided, a certificate from STACKIT will be used to generate a privatekey.
rotateWhenChanged Map<String>: A map of arbitrary key/value pairs designed to force key recreation when they change, facilitating key rotation based on external factors such as a changing timestamp. Modifying this map triggers the creation of a new resource.
ttlDays Number: Specifies the key's validity duration in days. If left unspecified, the key is considered valid until it is deleted

Outputs

All input properties are implicitly available as output properties. Additionally, the ServiceAccountKey resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
Json string: The raw JSON representation of the service account key json, available for direct use.
KeyId string: The unique identifier for the key associated with the service account.

Id string: The provider-assigned unique ID for this managed resource.
Json string: The raw JSON representation of the service account key json, available for direct use.
KeyId string: The unique identifier for the key associated with the service account.

id String: The provider-assigned unique ID for this managed resource.
json String: The raw JSON representation of the service account key json, available for direct use.
keyId String: The unique identifier for the key associated with the service account.

id string: The provider-assigned unique ID for this managed resource.
json string: The raw JSON representation of the service account key json, available for direct use.
keyId string: The unique identifier for the key associated with the service account.

id str: The provider-assigned unique ID for this managed resource.
json str: The raw JSON representation of the service account key json, available for direct use.
key_id str: The unique identifier for the key associated with the service account.

id String: The provider-assigned unique ID for this managed resource.
json String: The raw JSON representation of the service account key json, available for direct use.
keyId String: The unique identifier for the key associated with the service account.

Look up Existing ServiceAccountKey Resource

Get an existing ServiceAccountKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ServiceAccountKeyState, opts?: CustomResourceOptions): ServiceAccountKey

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        json: Optional[str] = None,
        key_id: Optional[str] = None,
        project_id: Optional[str] = None,
        public_key: Optional[str] = None,
        rotate_when_changed: Optional[Mapping[str, str]] = None,
        service_account_email: Optional[str] = None,
        ttl_days: Optional[int] = None) -> ServiceAccountKey

func GetServiceAccountKey(ctx *Context, name string, id IDInput, state *ServiceAccountKeyState, opts ...ResourceOption) (*ServiceAccountKey, error)

public static ServiceAccountKey Get(string name, Input<string> id, ServiceAccountKeyState? state, CustomResourceOptions? opts = null)

public static ServiceAccountKey get(String name, Output<String> id, ServiceAccountKeyState state, CustomResourceOptions options)

resources:  _:    type: stackit:ServiceAccountKey    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Json string: The raw JSON representation of the service account key json, available for direct use.
KeyId string: The unique identifier for the key associated with the service account.
ProjectId string: The STACKIT project ID associated with the service account key.
PublicKey string: Specifies the publickey (RSA2048 key-pair). If not provided, a certificate from STACKIT will be used to generate a privatekey.
RotateWhenChanged Dictionary<string, string>: A map of arbitrary key/value pairs designed to force key recreation when they change, facilitating key rotation based on external factors such as a changing timestamp. Modifying this map triggers the creation of a new resource.
ServiceAccountEmail string: The email address associated with the service account, used for account identification and communication.
TtlDays int: Specifies the key's validity duration in days. If left unspecified, the key is considered valid until it is deleted

Json string: The raw JSON representation of the service account key json, available for direct use.
KeyId string: The unique identifier for the key associated with the service account.
ProjectId string: The STACKIT project ID associated with the service account key.
PublicKey string: Specifies the publickey (RSA2048 key-pair). If not provided, a certificate from STACKIT will be used to generate a privatekey.
RotateWhenChanged map[string]string: A map of arbitrary key/value pairs designed to force key recreation when they change, facilitating key rotation based on external factors such as a changing timestamp. Modifying this map triggers the creation of a new resource.
ServiceAccountEmail string: The email address associated with the service account, used for account identification and communication.
TtlDays int: Specifies the key's validity duration in days. If left unspecified, the key is considered valid until it is deleted

json String: The raw JSON representation of the service account key json, available for direct use.
keyId String: The unique identifier for the key associated with the service account.
projectId String: The STACKIT project ID associated with the service account key.
publicKey String: Specifies the publickey (RSA2048 key-pair). If not provided, a certificate from STACKIT will be used to generate a privatekey.
rotateWhenChanged Map<String,String>: A map of arbitrary key/value pairs designed to force key recreation when they change, facilitating key rotation based on external factors such as a changing timestamp. Modifying this map triggers the creation of a new resource.
serviceAccountEmail String: The email address associated with the service account, used for account identification and communication.
ttlDays Integer: Specifies the key's validity duration in days. If left unspecified, the key is considered valid until it is deleted

json string: The raw JSON representation of the service account key json, available for direct use.
keyId string: The unique identifier for the key associated with the service account.
projectId string: The STACKIT project ID associated with the service account key.
publicKey string: Specifies the publickey (RSA2048 key-pair). If not provided, a certificate from STACKIT will be used to generate a privatekey.
rotateWhenChanged {[key: string]: string}: A map of arbitrary key/value pairs designed to force key recreation when they change, facilitating key rotation based on external factors such as a changing timestamp. Modifying this map triggers the creation of a new resource.
serviceAccountEmail string: The email address associated with the service account, used for account identification and communication.
ttlDays number: Specifies the key's validity duration in days. If left unspecified, the key is considered valid until it is deleted

json str: The raw JSON representation of the service account key json, available for direct use.
key_id str: The unique identifier for the key associated with the service account.
project_id str: The STACKIT project ID associated with the service account key.
public_key str: Specifies the publickey (RSA2048 key-pair). If not provided, a certificate from STACKIT will be used to generate a privatekey.
rotate_when_changed Mapping[str, str]: A map of arbitrary key/value pairs designed to force key recreation when they change, facilitating key rotation based on external factors such as a changing timestamp. Modifying this map triggers the creation of a new resource.
service_account_email str: The email address associated with the service account, used for account identification and communication.
ttl_days int: Specifies the key's validity duration in days. If left unspecified, the key is considered valid until it is deleted

json String: The raw JSON representation of the service account key json, available for direct use.
keyId String: The unique identifier for the key associated with the service account.
projectId String: The STACKIT project ID associated with the service account key.
publicKey String: Specifies the publickey (RSA2048 key-pair). If not provided, a certificate from STACKIT will be used to generate a privatekey.
rotateWhenChanged Map<String>: A map of arbitrary key/value pairs designed to force key recreation when they change, facilitating key rotation based on external factors such as a changing timestamp. Modifying this map triggers the creation of a new resource.
serviceAccountEmail String: The email address associated with the service account, used for account identification and communication.
ttlDays Number: Specifies the key's validity duration in days. If left unspecified, the key is considered valid until it is deleted

Package Details

Repository: stackit stackitcloud/pulumi-stackit
License: Apache-2.0
Notes: This Pulumi package is based on the stackit Terraform Provider.

Viewing docs for stackit v0.0.4
published on Friday, Feb 20, 2026 by stackitcloud

Schema (JSON)

stackitcloud/pulumi-stackit

stackit.ServiceAccountKey

On this page

On this page

Example Usage

Automatically rotate service account keys

Create ServiceAccountKey Resource

Constructor syntax

Parameters

Constructor example

ServiceAccountKey Resource Properties

Inputs

Outputs

Look up Existing ServiceAccountKey Resource

Package Details

On this page

On this page