Rotating a user-managed Service Account key involves creating a new key, updating your application

to use the new key, and then deleting the old key to maintain security. Here’s the step-by-step

process:

Create a New Key: Use the Google Cloud Console or gcloud command-line tool to create a new key

for the service account. This generates a new key pair and provides you with the private key.

gcloud iam service-accounts keys create new-key-file.json --iam-

account=YOUR_SERVICE_ACCOUNT_EMAIL

Update Application: Update your application configuration to use the new key. This might involve

replacing the old key file with the new one or updating the environment variables or configurations

that point to the key file.

Delete the Old Key: Once you have confirmed that the application is working correctly with the new

key, delete the old key from the service account to ensure it cannot be used for unauthorized access.

gcloud iam service-accounts keys delete OLD_KEY_ID --iam-

account=YOUR_SERVICE_ACCOUNT_EMAIL

This process ensures that your service account keys are regularly rotated, reducing the risk of key

compromise.

Reference:

Managing Service Account Keys

Service Account Key Rotation