Closed as not planned
Description
As a template administrator, I want to give my users a cloud service account for particular workspaces. The cleanest way I can do this is by using a cloud service account key resource like this.
I could inject via environment variables, but very long environment variables are an anti-pattern. I could also inject via the `startup_script`, but that is bug prone since I would need to consider escaping.
My ideal UX is something like this:
```hcl
resource "google_service_account_key" "mykey" {
  service_account_id = google_service_account.myaccount.name
  keepers = {
    rotation_time = time_rotating.mykey_rotation.rotation_rfc3339
  }
}

resource "coder_agent" "dev" {
  # ...
  files = [
    {
      name     = "~/.gcp_creds.json"
      contents = google_service_account_key.mykey.private_key
      mode     = "0600"
    },
  ]
  env = {
    GOOGLE_APPLICATION_CREDENTIALS = "~/.gcp_creds.json"
  }
}
```
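Where the `startup_script` route is used instead, the escaping problem goes away if the key is passed as base64 and decoded on the workspace into a file that is never readable by other users. The helper below is an added example, not part of the original issue or of Coder; `write_secret_file` and the sample credential are hypothetical, and it assumes the key arrives base64-encoded, as the Google provider's `private_key` attribute is.

```shell
# write_secret_file DEST B64
# Hypothetical helper (not a Coder feature): decode base64 content into DEST
# with mode 0600, without ever passing raw secret text through shell quoting.
write_secret_file() {
    dest=$1
    b64=$2
    dir=$(dirname -- "$dest")
    # Create the temp file next to DEST so the final mv is an atomic rename,
    # and under umask 077 so it is private from the moment it exists.
    tmp=$(umask 077 && mktemp "$dir/.secret.XXXXXX") || return 1
    # base64 text is limited to [A-Za-z0-9+/=], so it needs no escaping.
    # Reject undecodable or empty input instead of leaving a broken file.
    if ! printf '%s' "$b64" | base64 -d > "$tmp" 2>/dev/null || [ ! -s "$tmp" ]; then
        rm -f -- "$tmp"
        return 1
    fi
    chmod 600 "$tmp" && mv -f -- "$tmp" "$dest"
}

# Demo with a constructed (fake) credential containing quotes and a dollar sign,
# the characters that break naive interpolation into a script.
demo_dir=$(mktemp -d)
demo_b64=$(printf '%s' '{"private_key":"-----BEGIN \"FAKE\" $KEY-----"}' | base64 | tr -d '\n')
write_secret_file "$demo_dir/.gcp_creds.json" "$demo_b64" && ls -l "$demo_dir/.gcp_creds.json"
rm -rf -- "$demo_dir"
```

The value still ends up in the rendered startup script, so this addresses correctness and file permissions only, not who can read the template output.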