google_service_account_key

Use the google_service_account_key InSpec audit resource to test properties of a GCP project IAM service account key.


Syntax

A google_service_account_key resource block declares the tests for a single GCP project IAM service account key by fully qualified name.

describe google_service_account_key(name: "projects/sample-project/serviceAccounts/test-sa@sample-project.iam.gserviceaccount.com/keys/c6bd986da9fac6d71178db41d1741cbe751a5080") do
  it { should exist }
  its('name') { should eq "projects/sample-project/serviceAccounts/test-sa@sample-project.iam.gserviceaccount.com/keys/c6bd986da9fac6d71178db41d1741cbe751a5080" }
end


Examples

The following examples show how to use this InSpec audit resource.

Test that a GCP project IAM service account key has the expected key algorithm

describe google_service_account_key(name: "projects/sample-project/serviceAccounts/test-sa@sample-project.iam.gserviceaccount.com/keys/c6bd986da9fac6d71178db41d1741cbe751a5080") do
  its('key_algorithm') { should eq "KEY_ALG_RSA_2048" }
end
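Test that a key is within its validity window and has been rotated recently (added example, not from the original resource documentation). It assumes the resource's valid_after_time_date and valid_before_time_date properties return Ruby Time objects, and it uses a constructed key name and a 90-day rotation limit as placeholders.

```inspec
# Added example control: fails on expired keys and on keys older than the
# rotation limit. The key name and the 90-day limit are constructed values.
control 'gcp-sa-key-validity-and-rotation' do
  impact 0.7
  title 'Service account key is valid now and not older than the rotation limit'

  key_name = 'projects/sample-project/serviceAccounts/test-sa@sample-project.iam.gserviceaccount.com/keys/c6bd986da9fac6d71178db41d1741cbe751a5080'
  max_age_days = 90
  now = Time.now.utc
  oldest_allowed = now - (max_age_days * 24 * 60 * 60)

  describe google_service_account_key(name: key_name) do
    it { should exist }
    # Strong algorithm as in the page's example above.
    its('key_algorithm') { should eq 'KEY_ALG_RSA_2048' }
    # Key must already be usable and must not have passed its expiry.
    its('valid_after_time_date') { should be <= now }
    its('valid_before_time_date') { should be > now }
    # Key creation time (valid_after_time) must fall inside the rotation window.
    its('valid_after_time_date') { should be >= oldest_allowed }
  end
end
```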


Properties

  • key_algorithm
  • name
  • valid_after_time
  • valid_after_time_date
  • valid_before_time
  • valid_before_time_date


GCP Permissions

Ensure the Identity and Access Management (IAM) API is enabled for the project.