What is a Service Account Key?
A Service Account Key is a private key (from a user-managed key pair for a service account) that is used to authenticate with Google APIs.
Visit the link below for a detailed explanation.
https://cloud.google.com/iam/docs/service-accounts#user-managed-keys
Why do I need to rotate the Service Account keys regularly?
Because the private key lets you authenticate as the service account, having access to the private key is similar to knowing a user's password. The private key is known as a service account key.
Service account keys can become a security risk if not managed carefully.
Visit the link below for a detailed explanation.
https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys
Who is responsible for the rotation of the Service Account Key?
The teams involved in rotating a service account key are defined as follows:
- The team who request and install the service account key into the application. (Responsible)
- The team who generate and provide the service account key.
  - For Landing Zone GCP projects:
    - CloudOps.
  - For non-Landing Zone GCP projects:
    - the team with Owner/Editor permission (primary)
    - If no one, CloudOps.
How do I request a new service account key from CloudOps?
- Refer to this page on Process to request for Google Cloud Platform support
- Use the following as the subject title of the request: "GCP - Rotation of Service Account Key"
- Provide the following information (it can be obtained from the original service account key file):
  - GCP project ID
  - Service account name or email
The Service Account Key will be provided in a file named in the following format:
<GCP-Project id>_<Service-Account name>_<Created Date in yyyymmdd>.json
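An added example (not CloudOps tooling and not code from this page): it reads a key file named per the convention above, cross-checks the name against the key's `project_id` and `client_email` fields, and returns the details needed for the rotation request without touching the private key. The 90-day threshold, the sample values, and the reading of "Service-Account name" as the part of the email before `@` are assumptions.

```python
import json
import re
from datetime import date, datetime
from pathlib import Path

# Naming convention from this page: <project id>_<service account name>_<yyyymmdd>.json
# Project IDs and service account IDs cannot contain "_", so the split is unambiguous.
KEY_FILE_RE = re.compile(
    r"^(?P<project>[a-z][a-z0-9-]+)_(?P<account>[a-z][a-z0-9-]+)_(?P<created>\d{8})\.json$")
MAX_AGE_DAYS = 90  # assumption: the page does not state a rotation interval


def rotation_request(path, key_json, today):
    """Return the rotation request details for one key file, never the key material."""
    m = KEY_FILE_RE.match(Path(path).name)
    if m is None:
        raise ValueError(f"{path}: file name does not follow the naming convention")
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError(f"{path}: not a service account key file")
    email = key["client_email"]
    # Cross-check the file name against the key contents to catch mislabelled files.
    if key["project_id"] != m["project"] or email.split("@")[0] != m["account"]:
        raise ValueError(f"{path}: file name does not match key contents")
    created = datetime.strptime(m["created"], "%Y%m%d").date()
    age = (today - created).days
    return {
        "subject": "GCP - Rotation of Service Account Key",
        "project_id": key["project_id"],
        "service_account": email,
        "age_days": age,
        "rotation_due": age >= MAX_AGE_DAYS,
    }


# Constructed sample key file contents (placeholder values, no real key).
SAMPLE_NAME = "demo-project-123_app-backend_20240101.json"
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "demo-project-123",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "app-backend@demo-project-123.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    print(rotation_request(SAMPLE_NAME, SAMPLE_KEY, date(2024, 6, 1)))
```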
The best way to get IT support is to use the new Service One Platform.