0

Is it possible to get a service account key that is deployed via Google Deployment Manager (iam.v1.serviceAccounts.key resource) as a result of request to DM?

I have seen an option to expose it in outputs (https://cloud.google.com/deployment-manager/docs/configuration/expose-information-outputs) , but can't see any possibility to get the key as a response of Deployment Manager insert/update API methods.

bleare
  • 48
  • 6

1 Answers1

1

To fetch the key you can set up output or reference to the PrivatekeyData in the same configuration as creating the key. If there is not a reference or output to that field, then DM will ignore it.

Example config looks like: 

outputs:
- name: key
  value: $(ref.iam-key.privateKeyData)

resources:
- name: iam-account
  type: iam.v1.serviceAccount
  properties:
    accountId: iam-account
    displayName: iam-account-display
- name: iam-key
  type: iam.v1.serviceAccounts.key
  properties:
    parent: $(ref.iam-account.name)

When running the above yaml file with 

gcloud deployment-manager deployments create [DemploymentName] --config key.yaml.

This creates a service account with an associated key. You can look up at the manifest associated with the configuration. You can also access Deployment-> Deployment properties-> Layout in the cloud console.

koma
  • 6,486
  • 2
  • 27
  • 53
KarthickN
  • 409
  • 2
  • 8
  • Thanks. I see https://cloud.google.com/deployment-manager/docs/reference/latest/manifests#resource layout field there, which returns YAML string. It indeed returns the output value, although I would prefer some method with more stable API than a YAML string. Accepting the answer as it seems the only way to do that now. – bleare Sep 07 '18 at 07:48