Console

To view the metrics for a monitored resource by using theMetrics Explorer, do the following:

1. In the Google Cloud console, go to theleaderboard Metrics explorer page:

   Go toMetrics explorer

   If you use the search bar to find this page, then select the result whose subheading isMonitoring.

2. In the toolbar of the Google Cloud console, select your Google Cloud project. ForApp Hub configurations, select the App Hub host project or the app-enabled folder's management project.
3. In theMetric element, expand theSelect a metric menu, enterIAM Service Account in the filter bar, and then use the submenus to select a specific resource type and metric:
   1. In theActive resources menu, selectIAM Service Account.
   2. In theActive metric categories menu, selectService_account.
   3. In theActive metrics menu, select a service account metric. The following metrics are available within your selected time interval:
      • For service account usage metrics, selectService account authentication events.
      • For service account key usage metrics, selectService account key authentication events.
   4. ClickApply.

4. To add filters, which remove time series from the query results, use theFilter element.

5. To combine time series, use the menus on theAggregation element. For example, to display the CPU utilization for your VMs, based on their zone, set the first menu toMean and the second menu tozone.

   All time series are displayed when the first menu of theAggregation element is set toUnaggregated. The default settings for theAggregation element are determined by the metric type you selected.

6. For quota and other metrics that report one sample per day, do the following:
   1. In theDisplay pane, set theWidget type toStacked bar chart.
   2. Set the time period to at least one week.

REST

The Cloud Monitoring API API'stimeSeries.list method allows you to access usage metrics programmatically.

Before using any of the request data, make the following replacements:

• PROJECT_ID: Your Google Cloud projectID. Project IDs are alphanumeric strings, likemy-project.
• METRIC_TYPE: The type of metric you want to check. Use one of the following values:
  • For service account usage metrics, useiam.googleapis.com%2Fservice_account%2Fauthn_events_count.
  • For service account key usage metrics, useiam.googleapis.com%2Fservice_account%2Fkey%2Fauthn_events_count.
• END_TIME: The end of the time intervalthat you want to check, in percent-encodedRFC 3339 format. For example,2020-06-12T00%3A00%3A00.00Z.
• START_TIME: The start of the time intervalthat you want to check, in percent-encodedRFC 3339 format. For example,2020-04-12T00%3A00%3A00.00Z.

Note: If you are sending the request using the API Explorer, do not use percent-encoded values.

HTTP method and URL:

GET https://monitoring.googleapis.com/v3/projects/PROJECT_ID/timeSeries?filter=metric.type%3D%22METRIC_TYPE%22&interval.endTime=END_TIME&interval.startTime=START_TIME

To send your request, expand one of these options:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://monitoring.googleapis.com/v3/projects/PROJECT_ID/timeSeries?filter=metric.type%3D%22METRIC_TYPE%22&interval.endTime=END_TIME&interval.startTime=START_TIME"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://monitoring.googleapis.com/v3/projects/PROJECT_ID/timeSeries?filter=metric.type%3D%22METRIC_TYPE%22&interval.endTime=END_TIME&interval.startTime=START_TIME" | Select-Object -Expand Content

For more information about programmatically reading usage metrics, seeReading metric data in the Monitoring documentation.

Console

1. In the Google Cloud console, go to theService Accounts page.

   Go to Service Accounts

2. Select the project that contains your service account.

3. Click the email address of your service account.

4. Click theMetrics tab. TheAuthentication traffic chart showsthe usage metrics for the service account.

5. Optional: To view the chart on theMetrics explorer page, which offersadditional filtering and viewing options, clickmore_vert >View in Metrics Explorer.

REST

The Cloud Monitoring API'stimeSeries.list method , when used with specific filters, allows you to get usage metrics fora single service account. You can then use those metrics to determine when the account was lastused.

Before using any of the request data, make the following replacements:

• PROJECT_ID: Your Google Cloud projectID. Project IDs are alphanumeric strings, likemy-project.
• SERVICE_ACCOUNT_ID: The unique numeric ID of your service account. To find your service account's unique numeric ID, follow these steps:

  1. In the Google Cloud console, go to theService Accounts page.

     Go to the Service Accounts page
  2. Click the email address of your service account. Your service account's unique numeric ID is the value in theUnique ID field.
• END_TIME: The end of the time intervalthat you want to check, in percent-encodedRFC 3339 format. For example,2020-06-12T00%3A00%3A00.00Z.
• START_TIME: The start of the time intervalthat you want to check, in percent-encodedRFC 3339 format. For example,2020-04-12T00%3A00%3A00.00Z.

Note: If you are sending the request using the API Explorer, do not use percent-encoded values.

HTTP method and URL:

GET https://monitoring.googleapis.com/v3/projects/PROJECT_ID/timeSeries?filter=metric.type%3D%22iam.googleapis.com%2Fservice_account%2Fauthn_events_count%22%20AND%20resource.labels.unique_id%3D%22SERVICE_ACCOUNT_ID%22&interval.endTime=END_TIME&interval.startTime=START_TIME

To send your request, expand one of these options:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://monitoring.googleapis.com/v3/projects/PROJECT_ID/timeSeries?filter=metric.type%3D%22iam.googleapis.com%2Fservice_account%2Fauthn_events_count%22%20AND%20resource.labels.unique_id%3D%22SERVICE_ACCOUNT_ID%22&interval.endTime=END_TIME&interval.startTime=START_TIME"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://monitoring.googleapis.com/v3/projects/PROJECT_ID/timeSeries?filter=metric.type%3D%22iam.googleapis.com%2Fservice_account%2Fauthn_events_count%22%20AND%20resource.labels.unique_id%3D%22SERVICE_ACCOUNT_ID%22&interval.endTime=END_TIME&interval.startTime=START_TIME" | Select-Object -Expand Content

The response contains atimeSeries object with all of the recent authentication events for the specified service account.

Console

1. In the Google Cloud console, go to theService Accounts page.

   Go to Service Accounts

2. Select the project that contains the service account associated withyour key.

3. Click the email address of the service account associated with your key.

4. Click theMetrics tab. TheAuthentication traffic per key chartshows usage metrics for all keys associated with the service account.

5. In the chart legend, click the ID of the service account key that you want toview usage metrics for. The chart updates to show metrics for only thatservice account key.

6. Optional: To view the chart on theMetrics explorer page, which offersadditional filtering and viewing options, clickmore_vert >View in Metrics Explorer.

REST

First, get the service account key's ID.

1. List the service account keys:

   Theprojects.serviceAccounts.keys.list method lists all of the service account keys for a service account.

   Before using any of the request data, make the following replacements:

   • PROJECT_ID: Your Google Cloud projectID. Project IDs are alphanumeric strings, likemy-project.
   • SA_NAME: The name of the service account whose keys you want to list.
   • KEY_TYPES: Optional. A comma-separated list of key types that you want to include in the response. The key type indicates whether a key is user-managed (USER_MANAGED) or system-managed (SYSTEM_MANAGED). If left blank, all keys are returned.

   HTTP method and URL:

   GET https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys?keyTypes=KEY_TYPES

   To send your request, expand one of these options:

   curl (Linux, macOS, or Cloud Shell)

   Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

   Execute the following command:

   curl -X GET \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys?keyTypes=KEY_TYPES"

   PowerShell (Windows)

   Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

   Execute the following command:

   $cred = gcloud auth print-access-token
   $headers = @{ "Authorization" = "Bearer $cred" }
   
   Invoke-WebRequest `
       -Method GET `
       -Headers $headers `
       -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys?keyTypes=KEY_TYPES" | Select-Object -Expand Content

   APIs Explorer (browser)

   Open themethod reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and clickExecute.

   You should receive a JSON response similar to the following:

   {  "keys": [    {      "name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com/keys/90c48f61c65cd56224a12ab18e6ee9ca9c3aee7c",      "validAfterTime": "2020-03-04T17:39:47Z",      "validBeforeTime": "9999-12-31T23:59:59Z",      "keyAlgorithm": "KEY_ALG_RSA_2048",      "keyOrigin": "GOOGLE_PROVIDED",      "keyType": "USER_MANAGED"    },    {      "name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com/keys/e5e3800831ac1adc8a5849da7d827b4724b1fce8",      "validAfterTime": "2020-03-31T23:50:09Z",      "validBeforeTime": "9999-12-31T23:59:59Z",      "keyAlgorithm": "KEY_ALG_RSA_2048",      "keyOrigin": "GOOGLE_PROVIDED",      "keyType": "USER_MANAGED"    },    {      "name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com/keys/b97699f042b8eee6a846f4f96259fbcd13e2682e",      "validAfterTime": "2020-05-17T18:58:13Z",      "validBeforeTime": "9999-12-31T23:59:59Z",      "keyAlgorithm": "KEY_ALG_RSA_2048",      "keyOrigin": "GOOGLE_PROVIDED",      "keyType": "USER_MANAGED",      "disabled": true      "disable_reason": "SERVICE_ACCOUNT_KEY_DISABLE_REASON_EXPOSED"      "extended_status": "SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_EXPOSED"      "extended_status_message": "exposed at: https://www.github.com/SomePublicRepo"    }  ]}

2. Use the metadata in the response to identify the key you want to track.Then, copy the key's unique ID from the end of thename field.

   Thename field has the following format:

   "name":"projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL/keys/KEY_ID"

   The key's unique ID is everything afterkeys/.

   For example, the unique ID in the following key name is0f561cc41650ff521899de2fd653bd3de08e2da4:

   "name":"projects/my-project/serviceAccounts/my-account@my-project.iam.gserviceaccount.com/keys/0f561cc41650ff521899de2fd653bd3de08e2da4"

Then, use the ID to view usage metrics for the service account key.

The Cloud Monitoring API'stimeSeries.list method , when used with specific filters, allows you to get usage metrics fora single service account key. You can then use those metrics to determine when the key was lastused.

Before using any of the request data, make the following replacements:

• PROJECT_ID: Your Google Cloud projectID. Project IDs are alphanumeric strings, likemy-project.
• KEY_ID: The unique ID of your service account key.
• END_TIME: The end of the time intervalthat you want to check, in percent-encodedRFC 3339 format. For example,2020-06-12T00%3A00%3A00.00Z.
• START_TIME: The start of the time intervalthat you want to check, in percent-encodedRFC 3339 format. For example,2020-04-12T00%3A00%3A00.00Z.

Note: If you are sending the request using the API Explorer, do not use percent-encoded values.

HTTP method and URL:

GET https://monitoring.googleapis.com/v3/projects/PROJECT_ID/timeSeries?filter=metric.type%3D%22iam.googleapis.com%2Fservice_account%2Fkey%2Fauthn_events_count%22%20AND%20metric.labels.key_id%3D%22KEY_ID%22&interval.endTime=END_TIME&interval.startTime=START_TIME

To send your request, expand one of these options:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://monitoring.googleapis.com/v3/projects/PROJECT_ID/timeSeries?filter=metric.type%3D%22iam.googleapis.com%2Fservice_account%2Fkey%2Fauthn_events_count%22%20AND%20metric.labels.key_id%3D%22KEY_ID%22&interval.endTime=END_TIME&interval.startTime=START_TIME"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://monitoring.googleapis.com/v3/projects/PROJECT_ID/timeSeries?filter=metric.type%3D%22iam.googleapis.com%2Fservice_account%2Fkey%2Fauthn_events_count%22%20AND%20metric.labels.key_id%3D%22KEY_ID%22&interval.endTime=END_TIME&interval.startTime=START_TIME" | Select-Object -Expand Content

The response contains atimeSeries object with all of the recent authentication events for the specified service account key.