What is Service Account Key?
Service Account Key is a private key (user-managed key pairs for a service account) to be used to authenticate with Google APIs.
Visit the link below for detail explanation.
https://cloud.google.com/iam/docs/service-accounts#user-managed-keys
Why do I need to rotate the Service Account keys regularly?
Because the private key lets you authenticate as the service account, having access to the private key is similar to knowing a user's password. The private key is known as a service account key.
Service account keys can become a security risk if not managed carefully.
Visit the link below for detail explanation.
https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys
Who is responsible of the rotation of Service Account Key?
The team of rotatiing of service account key are defined as the following:
- The team who request and install the service account key into the application. (Responsible)
- The team who generate and provide the service account key.
- For Landing Zone GCP projects:
- CloudOps.
- For non-Landing Zone GCP projects:
- the team with Owner/Editor permission (primary)
- If no one, CloudOps.
- For Landing Zone GCP projects:
How often do I need to rotate my service account key?
With alignment with Group Security, service account key will need to be rotated every 365 days (starting from the creation date of the key).
How to request for the new service account key from CloudOps?
- Refer to this page on Process to request for Google Cloud Platform support
- Provide the following as subject title for the request, "GCP - Rotation of Service Account Key"
- Provide the following information (the following information can be obtained from the original service account key file):
- GCP project ID
- Service account name or email
Service Account Key will be provided in the following file format:
<GCP-Project id>_<Service-Account name>_<Created Date in yyyymmdd>.json