🧠 Google IAM Service Account has User-Managed Keys - prod.logic.yaml 🟢

Contextual name: 🧠 prod.logic.yaml 🟢
ID: /ce/ca/google/iam/service-account-keys/prod.logic.yaml
Located in: 📝 Google IAM Service Account has User-Managed Keys 🟢

Flags

Input Type

	Type	API Name	Extracts	Extract Files	Logic Files
🔒	📕 Google IAM Service Account	`CA10__CaGoogleIamServiceAccount__c`	3	1	2

Uses

🔌 Google IAM Service Account - object.extracts.yaml
🧪 test-data.json

Test Results 🟢

Generated at: 2025-05-10T12:05:23.453973240Z Open

Result	Id	Condition Index	Condition Text	Runtime Error
🟢	aAL1	✔️ `199`	✔️ `not(extract('CA10__serviceAccountEmail__c').endsWith('iam.gserviceaccount.com'))`	✔️ `null`
🟢	aAL2	✔️ `299`	✔️ `CA10__Google_IAM_Service_Account_Keys__r.has(INCOMPLIANT)`	✔️ `null`
🟢	aAL3	✔️ `300`	✔️ `otherwise`	✔️ `null`

Generation

	File	MD5
Open	`/ce/ca/google/iam/service-account-keys/policy.yaml`	`D98FC422BC24227364397D6A3D35CAEB`
Open	`/ce/ca/google/iam/service-account-keys/prod.logic.yaml`	`9986C9797E80B1D3D113492B07743421`
Open	`/ce/ca/google/iam/service-account-keys/test-data.json`	`F2D71725B64986F97F9E2DEAD7468B02`
Open	`/types/CA10__CaGoogleIamServiceAccount__c/object.extracts.yaml`	`EB5FB013DE89FCA54D6B42804FC725D6`

Generate FULL script

java -jar repo-manager.jar policies generate FULL /ce/ca/google/iam/service-account-keys/prod.logic.yaml

Generate DEBUG script

java -jar repo-manager.jar policies generate DEBUG /ce/ca/google/iam/service-account-keys/prod.logic.yaml

Generate CAPTURE_TEST_DATA script

java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/google/iam/service-account-keys/prod.logic.yaml

Generate TESTS script

java -jar repo-manager.jar policies generate TESTS /ce/ca/google/iam/service-account-keys/prod.logic.yaml

Execute tests

java -jar repo-manager.jar policies test /ce/ca/google/iam/service-account-keys/prod.logic.yaml

Content

Open File

---
inputType: "CA10__CaGoogleIamServiceAccount__c"
testData:
  - file: test-data.json
importExtracts:
  - file: /types/CA10__CaGoogleIamServiceAccount__c/object.extracts.yaml
conditions:
  - status: "INAPPLICABLE"
    currentStateMessage: "Only for user-managed service accounts."
    check:
      NOT:
        arg:
          ENDS_WITH:
           arg:
            EXTRACT: CA10__serviceAccountEmail__c
           suffix: 
            TEXT: "iam.gserviceaccount.com"
  - status: "INCOMPLIANT"
    currentStateMessage: "User-managed service accounts should not have user-managed keys."
    remediationMessage: "You should delete a user managed Service Account Key."
    check:
      RELATED_LIST_HAS:
        status: "INCOMPLIANT"
        relationshipName: "CA10__Google_IAM_Service_Account_Keys__r"
otherwise:
  status: "COMPLIANT"
  currentStateMessage: "User-managed service accounts haven't user-managed keys."
relatedLists:
  - relationshipName: "CA10__Google_IAM_Service_Account_Keys__r"
    conditions: []
    otherwise:
      status: "INCOMPLIANT" 
      currentStateMessage: "Service Account Key is enabled."

Flags​

Input Type​

Uses​

Test Results 🟢​

Generation​

Generate FULL script​

Generate DEBUG script​

Generate CAPTURE_TEST_DATA script​

Generate TESTS script​

Execute tests​

Content​

Flags

Input Type

Uses

Test Results 🟢

Generation

Generate FULL script

Generate DEBUG script

Generate CAPTURE_TEST_DATA script

Generate TESTS script

Execute tests

Content