Create, manage and delete service account keys
Create a service account key (generate new key-pair)
- Navigate to IAM and Management > Service accounts.
- Select the service account you want to create a key for.
- Navigate to Service Account Keys.
- Select + Create service account key.
- Select Create new key pair.
- Optional: Select an expiring date.
- Select Create.
stackit service-account key create --email my-service-account-email
Refer to the Create service account key documentation in the API Explorer.
If you don’t send a public key within the payload, the service will create a new key-pair. The service will then respond with the private key in the payload of the response.
The response has the following format:
{
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "publicKey": "public key",
  "createdAt": "2019-08-24T14:15:22Z",
  "validUntil": "2019-08-24T14:15:22Z",
  "keyType": "USER_MANAGED",
  "keyOrigin": "USER_PROVIDED",
  "keyAlgorithm": "RSA_2048",
  "active": true,
  "credentials": {
    "kid": "string",
    "iss": "my-sa@sa.stackit.cloud",
    "sub": "753487e7-10bc-4e69-b3b2-4da33721ea3e",
    "aud": "string",
    "privateKey": "private key when generated by the SA service"
  }
}
Important fields:
- credentials.kid: This is the ID of the key. Must be used as kid of the self-signed token.
- credentials.iss: This is the service account email. May be used as iss (issuer) of the self-signed token, or you can use your application or VM ID instead.
- credentials.sub: This is the service account ID. Must be used as sub of the self-signed token.
- credentials.aud: This is the service account service URL. Must be used as aud of the self-signed token.
- credentials.privateKey: Only present if the private key was generated by the service account service. It is not stored by the service account service and must be securely stored by the client.
The private key is what identifies the client. It must not be exposed, should preferably not be shared, and must be rotated; this is the user's responsibility.
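As an added example (not code from the STACKIT documentation or SDK), the following Go function turns the create-key response shown above into the self-signed RS256 token whose kid, iss, sub and aud come from the credentials block. It assumes the service returns credentials.privateKey as PKCS#8 PEM, and it refuses a response without privateKey, which is the case when you uploaded your own public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"time"
)

// SelfSignedToken builds the RS256 JWT described above from the create-key
// response: kid from credentials.kid, iss/sub/aud copied as-is, short lifetime.
// Assumption: credentials.privateKey is returned as PKCS#8 PEM.
func SelfSignedToken(resp []byte, now time.Time, ttl time.Duration) (string, error) {
	// encoding/json matches the lowercase JSON field names case-insensitively.
	var kr struct{ Credentials struct{ Kid, Iss, Sub, Aud, PrivateKey string } }
	if err := json.Unmarshal(resp, &kr); err != nil {
		return "", err
	}
	c := kr.Credentials
	if c.PrivateKey == "" { // user-provided key: sign with your own copy instead
		return "", errors.New("response carries no credentials.privateKey")
	}
	block, _ := pem.Decode([]byte(c.PrivateKey))
	if block == nil {
		return "", errors.New("credentials.privateKey is not PEM")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	key, ok := parsed.(*rsa.PrivateKey)
	if err != nil || !ok {
		return "", errors.New("credentials.privateKey is not a PKCS#8 RSA key")
	}
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": c.Kid})
	claims, _ := json.Marshal(map[string]any{"iss": c.Iss, "sub": c.Sub, "aud": c.Aud,
		"iat": now.Unix(), "exp": now.Add(ttl).Unix()})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input)) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}
```

Keep the lifetime short: the token is presented to the service account service in exchange for an access token, so a few minutes is enough.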
Create a service account key (provide own key)
- Navigate to IAM and Management > Service accounts.
- Select the service account you want to create a key for.
- Navigate to Service Account Keys.
- Select + Create service account key.
- Select Upload public key.
- Upload the .pem file.
- Optional: Select an expiring date.
- Select Create.
stackit service-account key create --email my-service-account-email --public-key @./public.pem
--public-key: Public key of the user-generated RSA 2048 key-pair. Must be in x509 format. It can be given inline as a string, or as a path to the .pem file when prefixed with "@".
Refer to the Create service account key documentation in the API Explorer.
Create an RSA key-pair
openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
  -keyout /path/to/private_key.pem \
  -out /path/to/public_key.pem \
  -subj "/CN=unused"
If you created a key-pair as described above, add the public part to the payload.
The response has the following format:
{
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "publicKey": "public key",
  "createdAt": "2019-08-24T14:15:22Z",
  "validUntil": "2019-08-24T14:15:22Z",
  "keyType": "USER_MANAGED",
  "keyOrigin": "USER_PROVIDED",
  "keyAlgorithm": "RSA_2048",
  "active": true,
  "credentials": {
    "kid": "string",
    "iss": "my-sa@sa.stackit.cloud",
    "sub": "753487e7-10bc-4e69-b3b2-4da33721ea3e",
    "aud": "string",
    "privateKey": "private key when generated by the SA service"
  }
}
Important fields:
- credentials.kid: This is the ID of the key. Must be used as kid of the self-signed token.
- credentials.iss: This is the service account email. May be used as iss (issuer) of the self-signed token, or you can use your application or VM ID instead.
- credentials.sub: This is the service account ID. Must be used as sub of the self-signed token.
- credentials.aud: This is the service account service URL. Must be used as aud of the self-signed token.
- credentials.privateKey: Only present if the private key was generated by the service account service. It is not stored by the service account service and must be securely stored by the client.
The private key is what identifies the client. It must not be exposed, should preferably not be shared, and must be rotated; this is the user's responsibility.
List all service account keys
- Navigate to IAM and Management > Service accounts.
- Select the service account whose keys you want to list.
- Navigate to Service Account Keys.
You are presented with an overview of service account keys, their creators and expiration dates.
stackit service-account key list --email my-service-account-email
Refer to the List service account keys documentation in the API Explorer.
Show details of a service account key
- Navigate to IAM and Management > Service accounts.
- Select the service account whose keys you want to list.
- Navigate to Service Account Keys.
- Select the service account key you want to get detailed information on.
You are presented with an overview of the creator, the status and the expiration date.
stackit service-account key describe <key_id> --email my-service-account-email
Refer to the Get service account key details documentation in the API Explorer.
Update a service account key
- Navigate to IAM and Management > Service accounts.
- Select the service account whose key you want to update.
- Navigate to Service Account Keys.
- Select the service account key you want to change.
stackit service-account key update <key_id> --email my-service-account-email --expires-in-days 30
Refer to the Update service account key documentation in the API Explorer.
Delete a service account key
- Navigate to IAM and Management > Service accounts.
- Select the service account whose key you want to delete.
- Navigate to Service Account Keys.
- Select the three dots at the end of the row of the service account key you want to delete.
- Select Delete.
- Enter the service account key ID, then select Delete.
stackit service-account key delete <key_id> --email my-service-account-email
Refer to the Delete service account key documentation in the API Explorer.