f3df55ad58
* Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com>
747 lines
20 KiB
Plaintext
747 lines
20 KiB
Plaintext
---
|
||
layout: api
|
||
page_title: Google Cloud - Secrets Engines - HTTP API
|
||
description: This is the API documentation for the Vault Google Cloud secrets engine.
|
||
---
|
||
|
||
# Google Cloud Secrets Engine (API)
|
||
|
||
This is the API documentation for the Vault Google Cloud Platform (GCP)
|
||
secrets engine. For general information about the usage and operation of
|
||
the GCP secrets engine, please see [these docs](/vault/docs/secrets/gcp).
|
||
|
||
This documentation assumes the GCP secrets engine is enabled at the `/gcp` path
|
||
in Vault. Since it is possible to mount secrets engines at any path, please
|
||
update your API calls accordingly.
|
||
|
||
## Write Config
|
||
|
||
| Method | Path |
|
||
| :----- | :------------ |
|
||
| `POST` | `/gcp/config` |
|
||
|
||
This endpoint configures shared information for the secrets engine.
|
||
|
||
### Parameters
|
||
|
||
- `credentials` (`string:""`) - JSON credentials (either file contents or '@path/to/file')
|
||
See docs for [alternative ways](/vault/docs/secrets/gcp#setup)
|
||
to pass in to this parameter, as well as the
|
||
[required permissions](/vault/docs/secrets/gcp#required-permissions).
|
||
|
||
- `ttl` (`int: 0 || string:"0s"`) – Specifies default config TTL for long-lived credentials
|
||
(i.e. service account keys). Uses [duration format strings](/vault/docs/concepts/duration-format).
|
||
|
||
- `max_ttl` (`int: 0 || string:"0s"`)– Specifies the maximum config TTL for long-lived credentials
|
||
(i.e. service account keys). Uses [duration format strings](/vault/docs/concepts/duration-format).\*\*
|
||
|
||
### Sample Payload
|
||
|
||
```json
|
||
{
|
||
"credentials": "<JSON string>",
|
||
"ttl": 3600,
|
||
"max_ttl": 14400
|
||
}
|
||
```
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request POST \
|
||
--data @payload.json \
|
||
https://127.0.0.1:8200/v1/gcp/config
|
||
```
|
||
|
||
## Rotate Root Credentials
|
||
|
||
Request to rotate the GCP service account credentials used by Vault
|
||
for this mount. A new key will be generated for the service account,
|
||
replacing the internal value, and then a deletion of the old service
|
||
account key is scheduled. Note that this does not create a new service
|
||
account, only a new version of the service account key.
|
||
|
||
This path is only valid if Vault has been configured to use GCP credentials via
|
||
the `config/` endpoint where "credentials" were specified. Additionally, the
|
||
provided service account must have permissions to create and delete service
|
||
account keys.
|
||
|
||
| Method | Path |
|
||
| :----- | :------------------------ |
|
||
| `POST` | `/gcp/config/rotate-root` |
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request POST \
|
||
https://127.0.0.1:8200/v1/gcp/config/rotate-root
|
||
```
|
||
|
||
## Read Config
|
||
|
||
| Method | Path |
|
||
| :----- | :------------ |
|
||
| `GET` | `/gcp/config` |
|
||
|
||
Credentials will be omitted from returned data.
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request GET \
|
||
https://127.0.0.1:8200/v1/gcp/config
|
||
```
|
||
|
||
### Sample Response
|
||
|
||
```json
|
||
{
|
||
"data": {
|
||
"ttl": "1h",
|
||
"max_ttl": "4h"
|
||
}
|
||
}
|
||
```
|
||
|
||
## Create/Update Roleset
|
||
|
||
| Method | Path |
|
||
| :----- | :------------------- |
|
||
| `POST` | `/gcp/roleset/:name` |
|
||
|
||
This method allows you to create a roleset or update an existing roleset. See [docs](/vault/docs/secrets/gcp#bindings) for the GCP secrets backend
|
||
to learn more about what happens when you create or update a roleset.
|
||
|
||
**If you update a roleset's bindings, this will effectively revoke any secrets
|
||
generated under this roleset.**
|
||
|
||
### Parameters
|
||
|
||
- `name` (`string: <required>`): Required. Name of the role. Cannot be updated.
|
||
- `secret_type` (`string: "access_token"`): Type of secret generated for this role set. Accepted values: `access_token`, `service_account_key`. Cannot be updated.
|
||
- `project` (`string: <required>`): Name of the GCP project that this roleset's service account will belong to. Cannot be updated.
|
||
- `bindings` (`string: <required>`): Bindings configuration string (expects HCL or JSON format in raw or base64-encoded string)
|
||
- `token_scopes` (`array: []`): List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only)
|
||
|
||
### Sample Payload
|
||
|
||
```json
|
||
{
|
||
"secret_type": "access_token",
|
||
"project": "mygcpproject",
|
||
"bindings": "...",
|
||
"token_scopes": [
|
||
"https://www.googleapis.com/auth/cloud-platform",
|
||
"https://www.googleapis.com/auth/bigquery"
|
||
]
|
||
}
|
||
```
|
||
|
||
#### Sample Bindings:
|
||
|
||
See [bindings format docs](/vault/docs/secrets/gcp#bindings) for more information.
|
||
|
||
```hcl
|
||
resource "//cloudresourcemanager.googleapis.com/projects/mygcpproject" {
|
||
roles = [
|
||
"roles/viewer"
|
||
],
|
||
}
|
||
|
||
resource "//bigquery.googleapis.com/projects/my-project/datasets/mydataset" {
|
||
roles = [
|
||
"roles/bigquery.dataViewer"
|
||
],
|
||
}
|
||
|
||
resource "https://selflink/to/my/resource" {
|
||
roles = [
|
||
"project/mygcpproject/roles/projcustomrole",
|
||
"organizations/myorg/roles/orgcustomrole"
|
||
],
|
||
}
|
||
```
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request POST \
|
||
--data @payload.json \
|
||
https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset
|
||
```
|
||
|
||
## Rotate Roleset Account
|
||
|
||
| Method | Path | |
|
||
| :----- | :-------------------------- | ------------------ |
|
||
| `POST` | `/gcp/roleset/:name/rotate` | `204 (empty body)` |
|
||
|
||
This will rotate the service account this roleset uses to generate secrets.
|
||
(this also replaces the key `access_token` roleset). This can be used to invalidate
|
||
old secrets generated by the roleset or fix issues if a roleset's service account
|
||
(and/or keys) was changed outside of Vault (i.e. through GCP APIs/cloud console).
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request POST \
|
||
https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset/rotate
|
||
```
|
||
|
||
## Rotate Roleset Account Key (`access_token` Roleset Only)
|
||
|
||
| Method | Path | |
|
||
| :----- | :------------------------------ | ------------------ |
|
||
| `POST` | `/gcp/roleset/:name/rotate-key` | `204 (empty body)` |
|
||
|
||
This will rotate the service account key this roleset uses to generate
|
||
access tokens. This does not recreate the roleset service account.
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request POST \
|
||
https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset/rotate-key
|
||
```
|
||
|
||
## Read Roleset
|
||
|
||
| Method | Path |
|
||
| :----- | :------------------- |
|
||
| `GET` | `/gcp/roleset/:name` |
|
||
|
||
### Parameters
|
||
|
||
- `name` (`string:<required>`): Name of the roleset to read.
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request GET \
|
||
https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset
|
||
```
|
||
|
||
### Sample Response
|
||
|
||
```json
|
||
{
|
||
"data": {
|
||
"secret_type": "access_token",
|
||
"service_account_email": "vault-myroleset-XXXXXXXXXX@myproject.gserviceaccounts.com",
|
||
"service_account_project": "service-account-project",
|
||
"bindings": {
|
||
"project/mygcpproject": ["roles/viewer"],
|
||
"https://selflink/to/my/resource": [
|
||
"project/mygcpproject/roles/projcustomrole",
|
||
"organizations/myorg/roles/orgcustomrole"
|
||
]
|
||
},
|
||
"token_scopes": ["https://www.googleapis.com/auth/cloud-platform"]
|
||
}
|
||
}
|
||
```
|
||
|
||
## List Rolesets
|
||
|
||
| Method | Path |
|
||
| :----- | :-------------- |
|
||
| `LIST` | `/gcp/rolesets` |
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request LIST \
|
||
https://127.0.0.1:8200/v1/gcp/rolesets
|
||
```
|
||
|
||
### Sample Response
|
||
|
||
```json
|
||
{
|
||
"data": {
|
||
"keys": ["my-token-roleset", "my-sakey-roleset"]
|
||
}
|
||
}
|
||
```
|
||
|
||
## Delete Roleset
|
||
|
||
This endpoint deletes an existing roleset by the given name.
|
||
|
||
| Method | Path |
|
||
| :------- | :------------------- |
|
||
| `DELETE` | `/gcp/roleset/:name` |
|
||
|
||
### Parameters
|
||
|
||
- `name` (`string:<required>`): Name of the roleset to delete.
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request DELETE \
|
||
https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset
|
||
```
|
||
|
||
## Create/Update Static Account
|
||
|
||
| Method | Path |
|
||
| :----- | :-------------------------- |
|
||
| `POST` | `/gcp/static-account/:name` |
|
||
|
||
This method allows you to create a static account or update an existing static account. See [docs](/vault/docs/secrets/gcp#bindings) for the GCP secrets backend
|
||
to learn more about what happens when you create or update a static account.
|
||
|
||
**If you update a static account's bindings, this will effectively revoke any secrets
|
||
generated under this static account.**
|
||
|
||
### Parameters
|
||
|
||
- `name` (`string: <required>`): Name of the static account. Cannot be updated.
|
||
- `secret_type` (`string: "access_token"`): Type of secret generated for this static account. Accepted values: `access_token`, `service_account_key`. Cannot be updated.
|
||
- `service_account_email` (`string: <required>`): Email of the GCP service account to manage. Cannot be updated.
|
||
- `bindings` (`string`): Bindings configuration string (expects HCL or JSON format in raw or base64-encoded string). Optional.
|
||
- `token_scopes` (`array: []`): List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only)
|
||
|
||
### Sample Payload
|
||
|
||
```json
|
||
{
|
||
"secret_type": "access_token",
|
||
"service_account_email": "example@mygcpproject.iam.gserviceaccount.com",
|
||
"bindings": "...",
|
||
"token_scopes": [
|
||
"https://www.googleapis.com/auth/cloud-platform",
|
||
"https://www.googleapis.com/auth/bigquery"
|
||
]
|
||
}
|
||
```
|
||
|
||
#### Sample Bindings:
|
||
|
||
See [bindings format docs](/vault/docs/secrets/gcp#bindings) for more information.
|
||
|
||
```hcl
|
||
resource "//cloudresourcemanager.googleapis.com/projects/mygcpproject" {
|
||
roles = [
|
||
"roles/viewer"
|
||
],
|
||
}
|
||
|
||
resource "//bigquery.googleapis.com/projects/my-project/datasets/mydataset" {
|
||
roles = [
|
||
"roles/bigquery.dataViewer"
|
||
],
|
||
}
|
||
|
||
resource "https://selflink/to/my/resource" {
|
||
roles = [
|
||
"project/mygcpproject/roles/projcustomrole",
|
||
"organizations/myorg/roles/orgcustomrole"
|
||
],
|
||
}
|
||
```
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request POST \
|
||
--data @payload.json \
|
||
https://127.0.0.1:8200/v1/gcp/static-account/my-token-account
|
||
```
|
||
|
||
## Rotate Static Account Key (`access_token` Static Account Only)
|
||
|
||
| Method | Path | |
|
||
| :----- | :------------------------------ | ------------------------- |
|
||
| `POST` | `/gcp/static-account/:name/rotate-key` | `204 (empty body)` |
|
||
|
||
This will rotate the service account key this static account uses to generate
|
||
access tokens. This does not recreate the service account.
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request POST \
|
||
https://127.0.0.1:8200/v1/gcp/static-account/my-token-account/rotate-key
|
||
```
|
||
|
||
## Read Static Account
|
||
|
||
| Method | Path |
|
||
| :----- | :-------------------------- |
|
||
| `GET` | `/gcp/static-account/:name` |
|
||
|
||
### Parameters
|
||
|
||
- `name` (`string:<required>`): Name of the static account to read.
|
||
|
||
This endpoint will only return bindings that are managed through the secrets engine. Bindings
|
||
manually managed outside of Vault will not be returned.
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request GET \
|
||
https://127.0.0.1:8200/v1/gcp/static-account/my-token-account
|
||
```
|
||
|
||
### Sample Response
|
||
|
||
```json
|
||
{
|
||
"data": {
|
||
"secret_type": "access_token",
|
||
"service_account_email": "example@mygcpproject.iam.gserviceaccount.com",
|
||
"service_account_project": "mygcpproject",
|
||
"bindings": {
|
||
"project/mygcpproject": ["roles/viewer"],
|
||
"https://selflink/to/my/resource": [
|
||
"project/mygcpproject/roles/projcustomrole",
|
||
"organizations/myorg/roles/orgcustomrole"
|
||
]
|
||
},
|
||
"token_scopes": ["https://www.googleapis.com/auth/cloud-platform"]
|
||
}
|
||
}
|
||
```
|
||
|
||
## List Static Accounts
|
||
|
||
| Method | Path |
|
||
| :----- | :--------------------- |
|
||
| `LIST` | `/gcp/static-accounts` |
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request LIST \
|
||
https://127.0.0.1:8200/v1/gcp/static-accounts
|
||
```
|
||
|
||
### Sample Response
|
||
|
||
```json
|
||
{
|
||
"data": {
|
||
"keys": ["my-token-account", "my-sakey-account"]
|
||
}
|
||
}
|
||
```
|
||
|
||
## Delete Static Account
|
||
|
||
This endpoint deletes an existing static account by the given name.
|
||
|
||
| Method | Path |
|
||
| :------- | :-------------------------- |
|
||
| `DELETE` | `/gcp/static-account/:name` |
|
||
|
||
### Parameters
|
||
|
||
- `name` (`string:<required>`): Name of the static account to delete.
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request DELETE \
|
||
https://127.0.0.1:8200/v1/gcp/static-account/my-token-account
|
||
```
|
||
|
||
## Create/Update Impersonated Account
|
||
|
||
| Method | Path |
|
||
| :----- | :-------------------------------- |
|
||
| `POST` | `/gcp/impersonated-account/:name` |
|
||
|
||
This method allows you to create an impersonated account or update an existing
|
||
impersonated account.
|
||
|
||
### Parameters
|
||
|
||
- `name` (`string: <required>`): Name of the impersonated account. Cannot be updated.
|
||
- `service_account_email` (`string: <required>`): Email of the GCP service account to
|
||
manage. Cannot be updated.
|
||
- `token_scopes` (`array: []`): List of OAuth scopes to assign to access tokens
|
||
generated under this impersonation account.
|
||
- `ttl` (`duration: ""`): Lifetime of the token generated. Defaults to 1 hour and
|
||
is limited to a maximum of 12 hours. Uses [duration format strings](/vault/docs/concepts/duration-format).
|
||
|
||
### Sample Payload
|
||
|
||
```json
|
||
{
|
||
"service_account_email": "projectOwner@my-project.iam.gserviceaccount.com",
|
||
"token_scopes": [
|
||
"https://www.googleapis.com/auth/cloud-platform",
|
||
"https://www.googleapis.com/auth/bigquery"
|
||
],
|
||
"ttl": "2h"
|
||
}
|
||
```
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request POST \
|
||
--data @payload.json \
|
||
https://127.0.0.1:8200/v1/gcp/impersonated-account/my-token-impersonate
|
||
```
|
||
|
||
## Read Impersonated Account
|
||
|
||
| Method | Path |
|
||
| :----- | :-------------------------------- |
|
||
| `GET` | `/gcp/impersonated-account/:name` |
|
||
|
||
### Parameters
|
||
|
||
- `name` (`string:<required>`): Name of the impersonated account to read.
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request GET \
|
||
https://127.0.0.1:8200/v1/gcp/impersonated-account/my-token-impersonate
|
||
```
|
||
|
||
### Sample Response
|
||
|
||
```json
|
||
{
|
||
"data": {
|
||
"service_account_email": "projectOwner@my-project.iam.gserviceaccount.com",
|
||
"service_account_project": "my-project",
|
||
"token_scopes": [
|
||
"https://www.googleapis.com/auth/cloud-platform",
|
||
"https://www.googleapis.com/auth/bigquery"
|
||
],
|
||
"ttl": 7200
|
||
},
|
||
}
|
||
```
|
||
## List Impersonated Accounts
|
||
|
||
This endpoint lists the configured Vault roles for impersonated accounts.
|
||
|
||
| Method | Path |
|
||
| :----- | :--------------------- |
|
||
| `LIST` | `/gcp/impersonated-accounts` |
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request LIST \
|
||
https://127.0.0.1:8200/v1/gcp/impersonated-accounts
|
||
```
|
||
|
||
### Sample Response
|
||
|
||
```json
|
||
{
|
||
"data": {
|
||
"keys": [
|
||
"my-token-impersonate",
|
||
"secondary-role"
|
||
]
|
||
}
|
||
}
|
||
```
|
||
|
||
## Delete Impersonated Account
|
||
|
||
This endpoint deletes an existing impersonated account by the given name.
|
||
|
||
| Method | Path |
|
||
| :------- | :-------------------------------- |
|
||
| `DELETE` | `/gcp/impersonated-account/:name` |
|
||
|
||
### Parameters
|
||
|
||
- `name` (`string:<required>`): Name of the impersonated account to delete.
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request DELETE \
|
||
https://127.0.0.1:8200/v1/gcp/impersonated-account/my-token-impersonate
|
||
```
|
||
|
||
## Generate Secret (IAM Service Account Creds): OAuth2 Access Token
|
||
|
||
| Method | Path |
|
||
| :------------- | :------------------------------------------------------ |
|
||
| `GET` / `POST` | `/gcp/roleset/:roleset/token` |
|
||
| `GET` / `POST` | `/gcp/static-account/:static-account/token` |
|
||
| `GET` / `POST` | `/gcp/impersonated-account/:impersonated-account/token` |
|
||
| `GET` / `POST` | `/gcp/token/:roleset` (deprecated) |
|
||
|
||
Generates an OAuth2 token with the scopes defined on the roleset, static
|
||
account, or impersonated account. This OAuth access token can
|
||
be used in GCP API calls, e.g. `curl -H "Authorization: Bearer $TOKEN" ...`
|
||
|
||
Tokens are non-revocable and non-renewable and have a static TTL of an hour. The TTL configured
|
||
for the backend (either through the default system TTLs or through the `config/` endpoint)
|
||
do not apply.
|
||
|
||
### Parameters
|
||
|
||
- `roleset` (`string:<required>`): Name of an roleset with secret type `access_token` to generate access_token under.
|
||
- `static-account` (`string:<required>`): Name of the static account with secret type `access_token` to generate access_token under.
|
||
- `impersonated-account` (`string:<required>`): Name of the impersonated account to
|
||
generate access_token_under.
|
||
|
||
### Sample Request
|
||
|
||
**Roleset:**
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request GET \
|
||
https://127.0.0.1:8200/v1/gcp/roleset/my-token-roleset/token
|
||
```
|
||
|
||
**Static account:**
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request GET \
|
||
https://127.0.0.1:8200/v1/gcp/static-account/my-token-account/token
|
||
```
|
||
|
||
**Impersonated account:**
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request GET \
|
||
https://127.0.0.1:8200/v1/gcp/impersonated-account/my-token-impersonate/token
|
||
```
|
||
|
||
### Sample Response
|
||
|
||
```json
|
||
{
|
||
"request_id": "<uuid>",
|
||
"data": {
|
||
"token": "ya29.c.Elp5Be3ga87...",
|
||
"expires_at_seconds": 1537400046,
|
||
"token_ttl": 3599
|
||
},
|
||
"wrap_info": null,
|
||
"warnings": null,
|
||
"auth": null
|
||
}
|
||
```
|
||
|
||
## Generate Secret (IAM Service Account Creds): Service Account Key
|
||
|
||
| Method | Path |
|
||
| :------------- | :---------------------------------------- |
|
||
| `GET` / `POST` | `/gcp/roleset/:roleset/key` |
|
||
| `GET` / `POST` | `/gcp/static-account/:static-account/key` |
|
||
| `GET` / `POST` | `/gcp/key/:roleset` (deprecated) |
|
||
|
||
|
||
If using `GET` ('read'), the optional parameters will be set to their defaults. Use `POST` if you
|
||
want to specify different values for these params.
|
||
|
||
These keys are renewable and have TTL/max TTL as defined by either the backend config
|
||
or the system default if config was not defined.
|
||
|
||
### Parameters
|
||
|
||
- `roleset` (`string:<required>`): Name of an roleset with secret type `service_account_key` to generate key under.
|
||
- `static-account` (`string:<required>`): Name of an static account with secret type `service_account_key` to generate key under.
|
||
- `key_algorithm` (`string:"KEY_ALG_RSA_2048"`): Key algorithm used to generate key. Defaults to 2k RSA key
|
||
You probably should not choose other values (i.e. 1k), but accepted values are
|
||
`enum(`[`ServiceAccountKeyAlgorithm`](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)`)`
|
||
- `key_type` (`string:"TYPE_GOOGLE_CREDENTIALS_FILE`): Private key type to generate. Defaults to JSON credentials file.
|
||
Accepted values are `enum(`[`ServiceAccountPrivateKeyType`](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountPrivateKeyType)`)`
|
||
- `ttl` (`string: ""`): Specifies the Time To Live value provided using a [duration format string](/vault/docs/concepts/duration-format). If not set, uses the system default value.
|
||
|
||
### Sample Payload
|
||
|
||
```json
|
||
{
|
||
"key_algorithm": "KEY_ALG_RSA_2048",
|
||
"key_type": "TYPE_GOOGLE_CREDENTIALS_FILE"
|
||
}
|
||
```
|
||
|
||
### Sample Request
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request GET \
|
||
https://127.0.0.1:8200/v1/gcp/roleset/my-key-roleset/key
|
||
```
|
||
|
||
```shell-session
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request POST \
|
||
--data @payload.json \
|
||
https://127.0.0.1:8200/v1/gcp/roleset/my-key-roleset/key
|
||
```
|
||
|
||
### Sample Response
|
||
|
||
```json
|
||
{
|
||
"request_id": "<uuid>",
|
||
"lease_id": "gcp/roleset/my-key-roleset/key/<uuid>",
|
||
"renewable": true,
|
||
"lease_duration": 3600,
|
||
"data": {
|
||
"private_key_data": "<base64-encoded private key data>",
|
||
"key_algorithm": "TYPE_GOOGLE_CREDENTIALS_FILE",
|
||
"key_type": "KEY_ALG_RSA_2048"
|
||
},
|
||
"wrap_info": null,
|
||
"warnings": null,
|
||
"auth": null
|
||
}
|
||
```
|
||
|
||
## Revoking/Renewing Secrets
|
||
|
||
See docs on how to [renew](/vault/api-docs/system/leases#renew-lease) and [revoke](/vault/api-docs/system/leases#revoke-lease) leases.
|
||
Note this only applies to service account keys.
|