Rotate User-Managed Service Account Keys

Risk Level: Low (generally tolerable level of risk)

Rule ID: CloudIAM-008

Ensure that the user-managed keys associated with your Google Cloud Platform (GCP) service accounts are regularly rotated. It is recommended to rotate keys every 90 days or less. Each GCP service account is associated with a key pair managed by Google and used for service-to-service authentication within Google Cloud. GCP provides the option to create one or more user-managed (external) key pairs for use outside your cloud account. When a new key pair is created, you have the ability to download the private key (which is not retained by Google), therefore you are responsible for keeping the private key secure and managing the key rotation.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Rotating user-managed service account keys will significantly reduce the chance for an access key that is associated with a compromised or terminated account to be used. Google Cloud Platform (GCP) account keys should be rotated to ensure that data can't be accessed with an old key that might have been lost, compromised, or stolen.

Audit

To determine if your GCP user-managed service account keys have been rotated recently (recommended every 90 days), perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) console at https://console.cloud.google.com/iam-admin/iam.

04 In the main navigation panel, select Service Accounts.

05 Click on the email (link) of the user-managed service account that you want to examine.

06 Select the KEYS tab to access the user-managed key(s) associated with the selected service account.

07 Check the date available in the Key creation date column for each active user-managed key listed in the Keys section. If there are active user-managed keys older than maximum allowed age (recommended 90 days), follow the steps outlined in the Remediation/Resolution section to rotate those keys in order to maintain a secure programmatic access to your GCP cloud resources.

08 Repeat steps no. 5 – 7 for each user-managed service account that you want to examine, created for the selected GCP project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to describe the ID of each project deployed within your GCP account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-web-app-prod-123123
cc-project5-app-123123
cc-internal-app-123123

03 Run iam service-accounts list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the email address of each user-managed service account created for the selected project:

gcloud iam service-accounts list
  --project=cc-web-app-prod-123123
  --format="table(email)"

04 The command output should return the corresponding email addresses:

EMAIL
cc-devops-account@cc-web-app-prod-123123.iam.gserviceaccount.com
cc-testing-account@cc-web-app-prod-123123.iam.gserviceaccount.com

05 Run iam service-accounts keys list command (Windows/macOS/Linux) using the email address of the service account that you want to examine as the identifier parameter, to describe the creation date of each user-managed key associated with the selected service account:

gcloud iam service-accounts keys list
  --iam-account=cc-devops-account@cc-web-app-prod-123123.iam.gserviceaccoung.com
  --managed-by=user
  --format="table(name,validAfterTime)"

06 The command output should return the ID and the creation date for each available key:

KEY_ID: abcd1234abcd1234abcd1234abcd1234abcd1234
CREATED_AT: 2021-12-14T18:03:22Z

Check the creation date returned by the CREATED_AT attribute for each user-managed key associated with the selected account. If one or more user-managed keys have the creation date older than the maximum allowed age (recommended 90 days), follow the steps outlined in the Remediation/Resolution section to rotate those keys in order to maintain a secure programmatic access to your GCP cloud resources.

07 Repeat steps no. 5 and 6 for each user-managed service account that you want to examine, created for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed within your Google Cloud Platform (GCP) account.

Remediation / Resolution

To rotate any external (i.e. user-managed) keys, older than the maximum allowed age (recommended 90 days), associated with your GCP service accounts, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Identity and Access Management (IAM) console at https://console.cloud.google.com/iam-admin/iam.

04 In the main navigation panel, select Service Accounts.

05 Click on the email (link) of the user-managed service account that you want to access.

06 Create a new, external key, required to replace the old one. Select the KEYS tab and perform the following operations:

Choose ADD KEY and select Create new key to initiate the key setup.
In the Create private key for "<service-account-name>" configuration box, select JSON or P12 (for backward compatibility only) for the Key type, then choose CREATE to create the new user-managed key.
Save the associated private key to a safe location on your computer, then choose CLOSE to return to the IAM console.

07 Configure the key-dependent application(s) in order to reference the new external key ID displayed in the Key column and the private key downloaded at the previous step.

08 Once the new user-managed (external) key is referenced within your application(s) code, navigate back to your service account page, select the KEYS tab, and remove the old (non-compliant) key by performing the following actions:

Chose the non-compliant user-managed key that you want to remove and click on the delete icon available next to the selected key.
In the Delete key ID confirmation box, review the key details, then choose DELETE to confirm the removal.

09 Repeat steps no. 6 – 8 to rotate other external keys that are older than the maximum allowed age (recommended 90 days), associated with the selected service account.

10 Repeat steps no. 5 – 9 for each user-managed service account created for the selected GCP project.

11 Repeat steps no. 2 – 10 for each project deployed within your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run iam service-accounts keys create command (Windows/macOS/Linux) using the email address of the service account that you want to access as the identifier parameter, to create a new external key, required to replace the old (non-compliant) one. Provide a name (e.g. private-key.json) for the JSON file that will store the private key:

gcloud iam service-accounts keys create
  --iam-account=cc-devops-account@cc-web-app-prod-123123.iam.gserviceaccoung.com
  --key-file-type json private-key.json

02 The command output should return the ID of the newly created key:

created key [abcdabcdabcd1234123412234abcdabcdabcdacd] of type [json] as [private-key.json] for [cc-devops-account@cc-web-app-prod-123123.iam.gserviceaccoung.com]

03 Run iam service-accounts keys delete command (Windows/macOS/Linux) using the email address of the service account that you want to access and the ID of the old, corresponding key as the identifier parameters, to delete the non-compliant user-managed key:

gcloud iam service-accounts keys delete
  --iam-account=cc-devops-account@cc-web-app-prod-123123.iam.gserviceaccoung.com
abcd1234abcd1234abcd1234abcd1234abcd1234

04 The iam service-accounts keys delete command should ask you for confirmation. Type Y to confirm the key removal. Once removed, the command output should return the ID of the deleted key:

deleted key [abcd1234abcd1234abcd1234abcd1234abcd1234] for service account [cc-devops-account@cc-web-app-prod-123123.iam.gserviceaccoung.com]

05 Repeat steps no. 1 – 4 to rotate other external keys that are older than 90 days, associated with the selected service account.

06 Repeat steps no. 1 – 5 for each user-managed service account created for the selected GCP project.

07 Repeat steps no. 1 – 6 for each project deployed in your Google Cloud Platform (GCP) account.

References

Google Cloud Platform (GCP) Documentation
Cloud Identity and Access Management (IAM)
Service accounts
Understanding service accounts
Creating and managing service account keys

CIS Security Documentation
Securing Google Cloud Computing Platform

GCP Command Line Interface (CLI) Documentation
gcloud projects list
gcloud iam service-accounts list
gcloud iam service-accounts keys list
gcloud iam service-accounts keys create
gcloud iam service-accounts keys delete

Publication date Feb 4, 2021

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Rotate User-Managed Service Account Keys

Risk Level: Low

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related CloudIAM rules