What is Google's Service Account Key?

Google's Service Account Key is a private key (user-managed key pairs for a service account) to be used to authenticate with Google APIs.
This key is a credential for the Service Account created within GCP. (Please be aware that this service account is not the service account managed by the Solvay's Active Directory team and it is only used for Google's usage)

Visit the link below for detail explanation.
https://cloud.google.com/iam/docs/service-accounts#user-managed-keys


Why do I need to rotate the Service Account keys regularly?

Because the private key lets you authenticate as the service account, having access to the private key is similar to knowing a user's password. The private key is known as a service account key.

Service account keys can become a security risk if not managed carefully.

Visit the link below for detail explanation.
https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys


Who is responsible of the rotation of Service Account Key?

The team of rotating of service account key are defined as the following:

  • The team who request and install the service account key into the application. (Responsible)
  • The team who generate and provide the service account key.
    • For Landing Zone GCP projects:
      • CloudOps.
    • For non-Landing Zone GCP projects:
      • the team with Owner/Editor permission (primary)
      • If no one, CloudOps.


How often do I need to rotate my service account key?

With alignment with Group Security, service account key will need to be rotated every 365 days (starting from the creation date of the key).

IMPORTANT: The mechanism of the service account key rotation can be seen in this slide. Only available on Landing Zone projects.
 

How to request for the new service account key from CloudOps?

  1. Refer to this page on Process to request for Google Cloud Platform support
  2. Provide the following as subject title for the request, "GCP - Rotation of Service Account Key"
  3. Provide the following information (the following information can be obtained from the original service account key file):
    1. GCP project ID
    2. Service account name or email


Service Account Key will be provided in the following file format:
<GCP-Project id>_<Service-Account name>_<Created Date in yyyymmdd>.json