Rotating a user-managed Service Account key involves creating a new key, updating your application
to use the new key, and then deleting the old key to maintain security. Here’s the step-by-step
process:
Create a New Key: Use the Google Cloud Console or gcloud command-line tool to create a new key
for the service account. This generates a new key pair and provides you with the private key.
gcloud iam service-accounts keys create new-key-file.json --iam-account=YOUR_SERVICE_ACCOUNT_EMAIL
Update Application: Update your application configuration to use the new key. This might involve
replacing the old key file with the new one or updating the environment variables or configurations
that point to the key file.
Delete the Old Key: Once you have confirmed that the application is working correctly with the new
key, delete the old key from the service account to ensure it cannot be used for unauthorized access.
gcloud iam service-accounts keys delete OLD_KEY_ID --iam-account=YOUR_SERVICE_ACCOUNT_EMAIL
This process ensures that your service account keys are regularly rotated, reducing the risk of key
compromise.
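The three steps above, scripted as an added example (not part of the original answer and not Google's own tooling): it wraps the gcloud commands shown, and the only non-trivial logic is choosing what to delete. It reads the account's key listing, refuses to delete anything unless the new key is confirmed present server-side, and only ever removes USER_MANAGED keys other than the new one. The account email, key ids and listing below are constructed placeholders.

```python
import json
import subprocess

SA_EMAIL = "YOUR_SERVICE_ACCOUNT_EMAIL"  # placeholder: substitute the real account email

# Constructed sample of `gcloud iam service-accounts keys list --format=json` output
# (the account email and key ids are made up for this example).
SAMPLE_LISTING = json.dumps([
    {"name": "projects/-/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/aaa111",
     "keyType": "USER_MANAGED"},
    {"name": "projects/-/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/bbb222",
     "keyType": "USER_MANAGED"},
    {"name": "projects/-/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/ccc333",
     "keyType": "SYSTEM_MANAGED"},
])


def gcloud(*args: str) -> str:
    """Run one gcloud command and return its stdout; a non-zero exit raises."""
    return subprocess.run(["gcloud", *args], check=True, capture_output=True, text=True).stdout


def create_key(sa_email: str, key_file: str) -> str:
    """Step 1: mint a new user-managed key and return its key id (read from the key file)."""
    gcloud("iam", "service-accounts", "keys", "create", key_file, f"--iam-account={sa_email}")
    with open(key_file) as f:
        return json.load(f)["private_key_id"]


def keys_to_delete(listing_json: str, new_key_id: str) -> list[str]:
    """Step 3: pick the keys to delete from a keys-list JSON document.
    Only USER_MANAGED keys other than the new one are returned; SYSTEM_MANAGED keys are
    rotated by Google and are never touched. Raises unless the new key is visible on the
    account, so a failed create can never end with every key being deleted."""
    by_id = {k["name"].rsplit("/", 1)[-1]: k for k in json.loads(listing_json)}
    if by_id.get(new_key_id, {}).get("keyType") != "USER_MANAGED":
        raise RuntimeError(f"new key {new_key_id} not found on the account; nothing deleted")
    return sorted(kid for kid, k in by_id.items()
                  if k.get("keyType") == "USER_MANAGED" and kid != new_key_id)


def rotate(sa_email: str, key_file: str) -> list[str]:
    """Run the three steps; returns the ids of the old keys that were deleted."""
    new_id = create_key(sa_email, key_file)
    # Step 2 happens outside this script: deploy key_file and confirm the application works.
    input(f"New key {new_id} written to {key_file}. Deploy it, verify, then press Enter: ")
    listing = gcloud("iam", "service-accounts", "keys", "list",
                     f"--iam-account={sa_email}", "--managed-by=user", "--format=json")
    old_ids = keys_to_delete(listing, new_id)
    for kid in old_ids:
        gcloud("iam", "service-accounts", "keys", "delete", kid,
               f"--iam-account={sa_email}", "--quiet")
    return old_ids


if __name__ == "__main__":
    print("deleted:", rotate(SA_EMAIL, "new-key-file.json"))
```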