Service account key rotation  |  IAM Documentation  |  Google Cloud (2024)

Service account keys are private keys that let you authenticate as a service account. Key rotation is the process of replacing your existing keys with new keys and then invalidating the replaced keys. We recommend that you routinely rotate all keys that you manage, including your service account keys.

Rotating service account keys can help reduce the risk posed by leaked or stolen keys. If a key is leaked, it might take bad actors days or weeks to discover the key. If you regularly rotate your service account keys, there's a higher chance that the leaked keys will be invalid by the time a bad actor gets them.

Having an established process for rotating service account keys also helps you act quickly if you suspect that a service account key has been compromised.

How often to rotate keys

We recommend rotating your keys at least every 90 days to reduce the risk posed by leaked keys.

If you believe that a service account key has been compromised, we recommend that you rotate it immediately.

Key rotation process

To rotate service account keys, do the following:

  1. Identify the service account keys that need to be rotated.
  2. Create new keys for the same service accounts.
  3. Replace the existing keys with the new keys across all applications.
  4. Disable the replaced keys and monitor the applications to confirm that they work as expected.
  5. Delete the service account keys that were replaced.

You can complete these steps by using a centralized secret management service, or by using a custom notification system.

Centralized secret management service

Many centralized secret management services, like HashiCorp Vault, provide automatic secret rotation. You can use these services to store and rotate your service account keys.

We don't recommend using Google Cloud's Secret Manager to store and rotate service account keys. This is because, to access Secret Manager secrets, your application needs an identity that Google Cloud can recognize. If your application already has an identity that Google Cloud can recognize, then your application can use that identity to authenticate to Google Cloud instead of using a service account key.

The same concept applies for other cloud-based secret management services, like Azure Key Vault and AWS Secrets Manager. If an application already has an identity that these cloud providers can recognize, your application would be able to use that identity to authenticate to Google Cloud instead of using a service account key.

Custom notification system

Another approach to service account key rotation is to create a system that sends notifications when keys need to be rotated. For example, you could create a system that sends alerts when it detects keys that were created more than 90 days ago.

First, you need to identify the keys that need to be rotated. To identify these keys, we recommend using Cloud Asset Inventory to search for all service account keys that were created before a certain time.

For example, the following command lists all service account keys that were created before 2023-03-10 00:00:00 UTC in the organization with the ID 123456789012:

  gcloud asset search-all-resources \
    --scope="organizations/123456789012" \
    --query="createTime < 2023-03-10" \
    --asset-types="iam.googleapis.com/ServiceAccountKey" \
    --order-by="createTime"

To learn more about searching resources in Cloud Asset Inventory, see Searching resources.

After identifying the keys that need to be rotated, you can send out notifications to the appropriate teams.
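The identify-and-notify step described above, as an added example that is not code from the Google Cloud documentation: it reads the kind of JSON the gcloud command returns with --format=json, flags keys created before the 90-day cutoff, and groups them per service account so each owning team gets one alert. The sample search output, the project, the service account names and the key IDs are all constructed.

```python
"""Find service account keys in Cloud Asset Inventory search output that are
older than the rotation limit and group them per service account for alerting.
Added example, not code from the Google Cloud documentation; SAMPLE_SEARCH_OUTPUT
is a constructed stand-in for `gcloud asset search-all-resources --format=json`
results (only the fields read here; project, accounts and key IDs are made up)."""
import json
from datetime import datetime, timedelta, timezone

ROTATION_DAYS = 90  # maximum key age recommended on the page
KEY_TYPE = "iam.googleapis.com/ServiceAccountKey"
SA = "//iam.googleapis.com/projects/demo-prj/serviceAccounts/"
DEMO_NOW = datetime(2023, 6, 8, tzinfo=timezone.utc)  # fixed clock so the sample run is reproducible
SAMPLE_SEARCH_OUTPUT = json.dumps([
    {"name": SA + "app@demo-prj.iam.gserviceaccount.com/keys/aaaa1111", "assetType": KEY_TYPE, "createTime": "2022-11-01T00:00:00Z"},
    {"name": SA + "app@demo-prj.iam.gserviceaccount.com/keys/eeee5555", "assetType": KEY_TYPE, "createTime": "2023-01-15T00:00:00Z"},
    {"name": SA + "ci@demo-prj.iam.gserviceaccount.com/keys/bbbb2222", "assetType": KEY_TYPE, "createTime": "2023-03-09T23:59:59Z"},
    {"name": SA + "ci@demo-prj.iam.gserviceaccount.com/keys/cccc3333", "assetType": KEY_TYPE, "createTime": "2023-03-10T00:00:00Z"},
])

def asset_query(now, days=ROTATION_DAYS):
    """--query value for the gcloud command on the page, e.g. 'createTime < 2023-03-10'."""
    return f"createTime < {now - timedelta(days=days):%Y-%m-%d}"

def keys_due_for_rotation(search_json, now, days=ROTATION_DAYS):
    """Return (service_account, key_id, age_days) for keys created before the cutoff, oldest first."""
    cutoff = now - timedelta(days=days)
    due = []
    for asset in json.loads(search_json):
        if asset.get("assetType") != KEY_TYPE:
            continue  # ignore anything that is not a service account key
        created = datetime.fromisoformat(asset["createTime"].replace("Z", "+00:00"))
        if created >= cutoff:
            continue  # younger than the limit; a key created exactly at the cutoff is kept, like the '<' query
        parts = asset["name"].split("/")
        sa_email = parts[parts.index("serviceAccounts") + 1]
        key_id = parts[parts.index("keys") + 1]
        due.append((sa_email, key_id, (now - created).days))
    return sorted(due, key=lambda k: k[2], reverse=True)  # oldest key first

def notifications(due):
    """Group due key IDs by service account so each owning team gets one alert."""
    grouped = {}
    for sa_email, key_id, _age in due:
        grouped.setdefault(sa_email, []).append(key_id)
    return grouped

if __name__ == "__main__":
    print("query:", asset_query(DEMO_NOW))
    for sa_email, key_ids in notifications(keys_due_for_rotation(SAMPLE_SEARCH_OUTPUT, DEMO_NOW)).items():
        print(f"notify owner of {sa_email}: rotate keys {', '.join(key_ids)}")
```

In a real deployment the JSON would come from the gcloud command above (or the Cloud Asset API) and the grouped result would be handed to your alerting channel instead of printed.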

When someone is notified to rotate a key, they should do the following:

  1. Create a new key for the same service account.
  2. Replace the existing key with the new key across all applications.
  3. Disable the key that they replaced and monitor the applications to confirm that they work as expected.
  4. After they confirm that the applications are working as expected, delete the replaced key.

Expiring service account keys

We don't recommend using expiring service account keys for key rotation. This is because expiring keys can cause outages if they aren't rotated properly. For more information about the use cases for expiring service account keys, see expiry times for user-managed keys.
