Service account key rotation

Service account keys are private keys that let you authenticate as a service account. Key rotation is the process of replacing your existing keys with new keys and then invalidating the replaced keys. We recommend that you routinely rotate all keys that you manage, including your service account keys.

Rotating service account keys can help reduce the risk posed by leaked or stolen keys. If a key is leaked, it might take bad actors days or weeks to discover the key. If you regularly rotate your service account keys, there's a higher chance that the leaked keys will be invalid by the time a bad actor gets them.

Having an established process for rotating service account keys also helps you act quickly if you suspect that a service account key has been compromised.

Note: Service account keys are a security risk if not managed correctly. You should choose a more secure alternative to service account keys whenever possible. If you must authenticate with a service account key, you are responsible for the security of the private key and for other operations described by Best practices for managing service account keys. If you are prevented from creating a service account key, service account key creation might be disabled for your organization. For more information, see Managing secure-by-default organization resources.

If you acquired the service account key from an external source, you must validate it before use. For more information, see Security requirements for externally sourced credentials.

How often to rotate keys

We recommend rotating your keys at least every 90 days to reduce the risk posed by leaked keys.

If you believe that a service account key has been compromised, we recommend that you rotate it immediately.

Key rotation process

To rotate service account keys, do the following:

  1. Identify the service account keys that need to be rotated.
  2. Create new keys for the same service accounts.
  3. Replace the existing keys with the new keys across all applications.
  4. Disable the replaced keys and monitor the applications to confirm that they work as expected.
  5. Delete the service account keys that were replaced.

You can complete these steps by using a centralized secret management service, or by using a custom notification system.

Centralized secret management service

Many centralized secret management services, like HashiCorp Vault, provide automatic secret rotation. You can use these services to store and rotate your service account keys.

We don't recommend using Google Cloud's Secret Manager to store and rotate service account keys. This is because, to access Secret Manager secrets, your application needs an identity that Google Cloud can recognize. If your application already has an identity that Google Cloud can recognize, then your application can use that identity to authenticate to Google Cloud instead of using a service account key.

The same concept applies for other cloud-based secret management services, like Azure KeyVault and AWS Secret Manager. If an application already has an identity that these cloud providers can recognize, your application would be able to use that identity to authenticate to Google Cloud instead of using a service account key.

Custom notification system

Another approach to service account key rotation is to create a system that sends notifications when keys need to be rotated. For example, you could create a system that sends alerts when it detects keys that were created more than 90 days ago.

First, you need to identify the keys that need to be rotated. To identify these keys, we recommend using Cloud Asset Inventory to search for all service account keys that were created before a certain time.

For example, the following command lists all service account keys that were created before 2023-03-10 00:00:00 UTC in the organization with the ID 123456789012:

    gcloud asset search-all-resources \
        --scope="organizations/123456789012" \
        --query="createTime< 2023-03-10" \
        --asset-types="iam.googleapis.com/ServiceAccountKey" \
        --order-by="createTime"

To learn more about searching resources in Cloud Asset Inventory, see Searching resources. After identifying the keys that need to be rotated, you can send out notifications to the appropriate teams.
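As an added example (not code from the Google Cloud documentation), the following Python script applies the 90-day rule to the kind of JSON list that `gcloud asset search-all-resources --format=json` produces for ServiceAccountKey assets, and groups the overdue keys by service account so that each owning team is notified once. The asset records, project and service account names, and the `name` field layout are constructed assumptions; only `createTime` is taken from the page's own query.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like search-all-resources JSON output (assumed fields:
# "name" as the full resource name, "createTime" as RFC 3339). Names are made up.
SAMPLE_ASSETS = json.dumps([
    {"name": "//iam.googleapis.com/projects/demo-prj/serviceAccounts/"
             "app@demo-prj.iam.gserviceaccount.com/keys/1111",
     "createTime": "2022-11-01T08:15:00Z"},
    {"name": "//iam.googleapis.com/projects/demo-prj/serviceAccounts/"
             "app@demo-prj.iam.gserviceaccount.com/keys/2222",
     "createTime": "2023-02-20T12:00:00Z"},
    {"name": "//iam.googleapis.com/projects/demo-prj/serviceAccounts/"
             "etl@demo-prj.iam.gserviceaccount.com/keys/3333",
     "createTime": "2022-12-05T00:00:00Z"},
])

MAX_KEY_AGE = timedelta(days=90)  # the page's recommended rotation interval
# Fixed clock so the run is reproducible; matches the cutoff date used on the page.
REFERENCE_NOW = datetime(2023, 3, 10, tzinfo=timezone.utc)


def parse_key(asset):
    """Split a key's full resource name into (service account email, key id, createTime)."""
    _, sa_part = asset["name"].split("/serviceAccounts/", 1)
    email, key_id = sa_part.split("/keys/", 1)
    created = datetime.fromisoformat(asset["createTime"].replace("Z", "+00:00"))
    return email, key_id, created


def keys_due_for_rotation(assets_json, now=REFERENCE_NOW, max_age=MAX_KEY_AGE):
    """Return {service_account_email: [(key_id, age_in_days), ...]} for keys older than max_age."""
    due = {}
    for asset in json.loads(assets_json):
        email, key_id, created = parse_key(asset)
        age = now - created
        if age > max_age:
            due.setdefault(email, []).append((key_id, age.days))
    return due


def notification_lines(due):
    """One message per service account, as a notification system would send to its owners."""
    return [f"{email}: rotate key(s) {', '.join(k for k, _ in keys)} "
            f"(oldest is {max(a for _, a in keys)} days old)"
            for email, keys in sorted(due.items())]


if __name__ == "__main__":
    for line in notification_lines(keys_due_for_rotation(SAMPLE_ASSETS)):
        print(line)
```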

When someone is notified to rotate a key, they should do the following:

  1. Create a new key for the same service account.
  2. Replace the existing key with the new key across all applications.
  3. Disable the key that they replaced and monitor the applications to confirm that they work as expected.
  4. After they confirm that the applications are working as expected, delete the replaced key.

Expiring service account keys

We don't recommend using expiring service account keys for key rotation. This is because expiring keys can cause outages if they aren't rotated properly. For more information about the use cases for expiring service account keys, see expiry times for user-managed keys.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.