stackitcloud
diff --git a/‎docs/resources/service_account_access_token.md‎
Lines changed: 89 additions & 0 deletions b/‎docs/resources/service_account_access_token.md‎
Lines changed: 89 additions & 0 deletions
diff --git a/‎stackit/internal/services/serviceaccount/serviceaccount_acc_test.go‎
Lines changed: 16 additions & 1 deletion b/‎stackit/internal/services/serviceaccount/serviceaccount_acc_test.go‎
Lines changed: 16 additions & 1 deletion
diff --git a/‎stackit/internal/services/serviceaccount/token/const.go‎
Lines changed: 31 additions & 0 deletions b/‎stackit/internal/services/serviceaccount/token/const.go‎
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,89 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_service_account_access_token Resource - stackit"
+subcategory: ""
+description: |-
+  Schema for a STACKIT service account access token resource.
+  ~> This resource is in beta and may be subject to breaking changes in the future. Use with caution. See our guide https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/guides/opting_into_beta_resources for how to opt-in to use beta resources.
+  Example Usage
+  Automatically rotate access tokens
+  
+  resource "stackit_service_account" "sa" {
+    project_id = var.stackit_project_id
+    name       = "sa01"
+  }
+  
+  resource "time_rotating" "rotate" {
+    rotation_days = 80
+  }
+  
+  // The access token is valid for 180 days but is configured to rotate every 80 days
+  // when a Terraform apply is triggered.
+  resource "stackit_service_account_access_token" "sa1" {
+    project_id            = var.stackit_project_id
+    service_account_email = stackit_service_account.sa.email
+    ttl_days              = 180
+  
+    // Trigger token rotation based on time_rotating changes.
+    rotate_when_changed = {
+      rotation = time_rotating.rotate.id
+    }
+  }
+---
+
+# stackit_service_account_access_token (Resource)
+
+Schema for a STACKIT service account access token resource.
+
+~> This resource is in beta and may be subject to breaking changes in the future. Use with caution. See our [guide](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/guides/opting_into_beta_resources) for how to opt-in to use beta resources.
+## Example Usage
+
+
+### Automatically rotate access tokens
+```terraform
+resource "stackit_service_account" "sa" {
+  project_id = var.stackit_project_id
+  name       = "sa01"
+}
+
+resource "time_rotating" "rotate" {
+  rotation_days = 80
+}
+
+// The access token is valid for 180 days but is configured to rotate every 80 days
+// when a Terraform apply is triggered.
+resource "stackit_service_account_access_token" "sa1" {
+  project_id            = var.stackit_project_id
+  service_account_email = stackit_service_account.sa.email
+  ttl_days              = 180
+
+  // Trigger token rotation based on time_rotating changes.
+  rotate_when_changed = {
+    rotation = time_rotating.rotate.id
+  }
+}
+
+```
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `project_id` (String) STACKIT project ID associated with the service account token.
+- `service_account_email` (String) Email address linked to the service account.
+
+### Optional
+
+- `rotate_when_changed` (Map of String) A map of arbitrary key/value pairs that will force recreation of the token when they change, enabling token rotation based on external conditions such as a rotating timestamp. Changing this forces a new resource to be created.
+- `ttl_days` (Number) Specifies the token's validity duration in days. If unspecified, defaults to 90 days.
+
+### Read-Only
+
+- `access_token_id` (String) Identifier for the access token linked to the service account.
+- `created_at` (String) Timestamp indicating when the access token was created.
+- `id` (String) Unique internal resource ID for Terraform, formatted as "project_id,access_token_id".
+- `token` (String, Sensitive) JWT access token for API authentication. Prefixed by 'Bearer' and should be stored securely as it is irretrievable once lost.
+- `valid_until` (String) Estimated expiration timestamp of the access token. For precise validity, check the JWT details.
@@ -30,6 +30,11 @@ func inputServiceAccountResourceConfig(name string) string {
 					project_id = "%s"
 					name = "%s"
 				}
+
+				resource "stackit_service_account_access_token" "token" {
+					project_id = stackit_service_account.sa.project_id
+  					service_account_email = stackit_service_account.sa.email
+				}
 				`,
 		testutil.ServiceAccountProviderConfig(),
 		serviceAccountResource["project_id"],
@@ -55,13 +60,18 @@ func TestServiceAccount(t *testing.T) {
 		ProtoV6ProviderFactories: testutil.TestAccProtoV6ProviderFactories,
 		CheckDestroy:             testAccCheckServiceAccountDestroy,
 		Steps: []resource.TestStep{
-			// Creation
+			// Create
 			{
 				Config: inputServiceAccountResourceConfig(serviceAccountResource["name01"]),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					resource.TestCheckResourceAttr("stackit_service_account.sa", "project_id", serviceAccountResource["project_id"]),
 					resource.TestCheckResourceAttr("stackit_service_account.sa", "name", serviceAccountResource["name01"]),
 					resource.TestCheckResourceAttrSet("stackit_service_account.sa", "email"),
+					resource.TestCheckResourceAttrSet("stackit_service_account_access_token.token", "token"),
+					resource.TestCheckResourceAttrSet("stackit_service_account_access_token.token", "created_at"),
+					resource.TestCheckResourceAttrSet("stackit_service_account_access_token.token", "valid_until"),
+					resource.TestCheckResourceAttrSet("stackit_service_account_access_token.token", "service_account_email"),
+					resource.TestCheckResourceAttrPair("stackit_service_account.sa", "email", "stackit_service_account_access_token.token", "service_account_email"),
 				),
 			},
 			// Update
@@ -71,6 +81,11 @@ func TestServiceAccount(t *testing.T) {
 					resource.TestCheckResourceAttr("stackit_service_account.sa", "project_id", serviceAccountResource["project_id"]),
 					resource.TestCheckResourceAttr("stackit_service_account.sa", "name", serviceAccountResource["name02"]),
 					resource.TestCheckResourceAttrSet("stackit_service_account.sa", "email"),
+					resource.TestCheckResourceAttrSet("stackit_service_account_access_token.token", "token"),
+					resource.TestCheckResourceAttrSet("stackit_service_account_access_token.token", "created_at"),
+					resource.TestCheckResourceAttrSet("stackit_service_account_access_token.token", "valid_until"),
+					resource.TestCheckResourceAttrSet("stackit_service_account_access_token.token", "service_account_email"),
+					resource.TestCheckResourceAttrPair("stackit_service_account.sa", "email", "stackit_service_account_access_token.token", "service_account_email"),
 				),
 			},
 			// Data source
 
@@ -0,0 +1,31 @@
+package token
+
+const markdownDescription = `
+Schema for a STACKIT service account access token resource.` + "\n" + `
+~> This resource is in beta and may be subject to breaking changes in the future. Use with caution. See our [guide](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/guides/opting_into_beta_resources) for how to opt-in to use beta resources.
+## Example Usage` + "\n" + `
+
+### Automatically rotate access tokens` + "\n" +
+	"```terraform" + `
+resource "stackit_service_account" "sa" {
+  project_id = var.stackit_project_id
+  name       = "sa01"
+}
+
+resource "time_rotating" "rotate" {
+  rotation_days = 80
+}
+
+// The access token is valid for 180 days but is configured to rotate every 80 days
+// when a Terraform apply is triggered.
+resource "stackit_service_account_access_token" "sa1" {
+  project_id            = var.stackit_project_id
+  service_account_email = stackit_service_account.sa.email
+  ttl_days              = 180
+
+  // Trigger token rotation based on time_rotating changes.
+  rotate_when_changed = {
+    rotation = time_rotating.rotate.id
+  }
+}
+` + "\n```"