In our project we are planning to rotate the GCP Service account key for every 60days, Now we are rotating those manually. I found the GCP opensource key rotator "https://opensource.google/projects/keyrotator", Is there any other way to do it from the GCP console?
2 Answers
No, there is no built in feature to achieve this.; And that's why it's always complex to use and manage service account key files.
Things and new features/products are coming, the first one is workload federated pool to use an external authentication, and then to impersonate a service account without having a key, only with API calls. However, IMO, it's not yet mature to be easy to use and the UI is still in development.
About KeyRotator, it could work, maybe... Personally when I'm seeing this in an open source project
I prefer to skip and build something myself!
We have implemented the same in our project.
You could enable key admin role for the service account to enable it to rotate its own keys.
First you need to authenticate using the current active service account. And then use the below command to create a new one:
gcloud iam service-accounts keys create --iam-account $key --project=${project_id} ${new_json_file}
Thereafter delete the old one.
gcloud iam service-accounts keys delete $name --iam-account $key --project=${project_id} --quiet
You can automate the above using a script in unix.