Service account keys management in GCP - Commands & Configuration

Introduction
Service account keys let programs prove who they are when talking to Google Cloud. A user-managed key is a long-lived credential: it does not expire on its own, and anyone holding the JSON file can act as the service account, so managing these keys carefully is what keeps your cloud resources safe from unauthorized access. Use a key only when you cannot attach the service account to the workload directly or use workload identity federation, and treat every key you do create as a secret to be rotated and eventually deleted.
When you want a program running outside Google Cloud to access your cloud resources securely and no keyless option (workload identity federation) is available.
When you need to rotate keys regularly to reduce security risks.
When you want to delete old or unused keys to prevent misuse.
When you want to create a new key for a service account to allow new access.
When you want to list all keys to check which ones are active or expired.
Commands
This command creates a new key for the service account and saves it as 'my-key.json'. You use this key file to authenticate your program. The private key is generated once and written only to this file; Google keeps just the public half, so if the file is lost or leaked the only remedy is to delete the key and create another.
Terminal
gcloud iam service-accounts keys create my-key.json --iam-account my-service-account@example-project.iam.gserviceaccount.com
Expected Output
created key [KEY_ID] for [my-service-account@example-project.iam.gserviceaccount.com]
--iam-account - Specifies which service account to create the key for.
This command lists all keys for the service account so you can see which keys exist, when each was created, and whether it is user-managed or Google-managed.
Terminal
gcloud iam service-accounts keys list --iam-account my-service-account@example-project.iam.gserviceaccount.com
Expected Output
NAME                                      CREATED_AT                KEY_TYPE
1234567890abcdef1234567890abcdef12345678  2024-05-01T12:00:00.000Z  USER_MANAGED
abcdef1234567890abcdef1234567890abcdef12  2024-04-01T12:00:00.000Z  USER_MANAGED
--iam-account - Specifies which service account's keys to list.
Google-managed keys (KEY_TYPE SYSTEM_MANAGED) can also appear in this list; Google rotates those automatically and you cannot delete them, so only USER_MANAGED rows are yours to manage. Add --managed-by=user to show only those.
This command deletes the specified key from the service account. Deletion is immediate and cannot be undone: any workload still authenticating with that key will start failing, so confirm nothing depends on it first. If you are unsure, 'gcloud iam service-accounts keys disable KEY_ID --iam-account ...' is a reversible step you can take before deleting.
Terminal
gcloud iam service-accounts keys delete 1234567890abcdef1234567890abcdef12345678 --iam-account my-service-account@example-project.iam.gserviceaccount.com --quiet
Expected Output
Deleted key [1234567890abcdef1234567890abcdef12345678].
--iam-account - Specifies which service account the key belongs to.
--quiet - Skips confirmation prompt to delete the key.
Key Concept

If you remember nothing else from this pattern, remember: create as few service account keys as possible, list them so you always know which ones exist, and delete every key that is no longer in use.

Common Mistakes
Creating multiple keys and not deleting old ones.
Old keys never expire on their own, so each one left behind is a standing credential that can be stolen or misused.
Regularly list keys and delete any that are no longer needed.
Sharing the key file publicly or storing it insecurely.
Anyone with the key file can authenticate as that service account, with all of its permissions, from anywhere.
Keep key files out of source control and shared drives; store them in a secret store such as Secret Manager, restrict file permissions, and remove local copies once they are uploaded.
Not specifying the correct service account in commands.
Commands will fail or affect the wrong account, causing confusion or errors.
Always use the --iam-account flag with the full service account email.
Summary
Use 'gcloud iam service-accounts keys create' to make a new key and save it securely.
Use 'gcloud iam service-accounts keys list' to see all keys for a service account.
Use 'gcloud iam service-accounts keys delete' to remove keys you no longer need.
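The full rotation sequence the Commands and Summary describe (create, store, switch consumers, delete the old key), plus the stale-key sweep from Common Mistakes, as an added example; this is not the page's own code and not Google's. It assumes an authenticated gcloud, a Secret Manager secret named app-sa-key whose latest version your application reads, and that the list command's --format='value(name.basename(),validAfterTime,keyType)' yields those three columns. The key IDs in SAMPLE_KEYS are constructed, not real, so the selection logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the page): no-downtime key rotation and a stale-key audit.
# Assumptions: gcloud is authenticated; the Secret Manager secret passed to
# rotate_key already exists and consumers read its latest version.
set -eu

# Constructed sample of `keys list` output (fake key IDs): KEY_ID CREATED_AT KEY_TYPE
SAMPLE_KEYS='1234567890abcdef1234567890abcdef12345678 2024-05-01T12:00:00.000Z USER_MANAGED
abcdef1234567890abcdef1234567890abcdef12 2024-04-01T12:00:00.000Z USER_MANAGED
0000111122223333444455556666777788889999 2024-05-10T08:00:00.000Z SYSTEM_MANAGED'

# keys_to_retire KEEP_ID   (reads the key list on stdin)
# Prints every USER_MANAGED key ID except KEEP_ID. SYSTEM_MANAGED keys are
# Google's own and cannot be deleted, so they are filtered out.
keys_to_retire() {
  awk -v keep="$1" '$3 == "USER_MANAGED" && $1 != keep { print $1 }'
}

# keys_older_than CUTOFF_ISO8601   (reads the key list on stdin)
# UTC ISO 8601 timestamps sort lexically, so a plain string compare is a date compare.
keys_older_than() {
  awk -v cutoff="$1" '$3 == "USER_MANAGED" && $2 < cutoff { print $1 }'
}

# rotate_key SA_EMAIL SECRET_NAME
# 1. create a new key into a temp file, 2. publish it as a new secret version,
# 3. shred the local copy, 4. report the new key ID for the retire step.
rotate_key() {
  sa="$1"; secret="$2"; keyfile="$(mktemp)"
  gcloud iam service-accounts keys create "$keyfile" --iam-account "$sa"
  # The JSON key file carries its own ID in "private_key_id".
  new_id="$(sed -n 's/.*"private_key_id": *"\([^"]*\)".*/\1/p' "$keyfile")"
  gcloud secrets versions add "$secret" --data-file="$keyfile"
  shred -u "$keyfile" 2>/dev/null || rm -f "$keyfile"
  echo "published key $new_id to $secret; redeploy consumers, then: retire_old_keys $sa $new_id"
}

# retire_old_keys SA_EMAIL KEEP_ID
# Run only after every consumer has picked up the new secret version.
retire_old_keys() {
  sa="$1"; keep="$2"
  gcloud iam service-accounts keys list --iam-account "$sa" --managed-by=any \
      --format='value(name.basename(),validAfterTime,keyType)' \
    | keys_to_retire "$keep" \
    | while read -r key_id; do
        gcloud iam service-accounts keys delete "$key_id" --iam-account "$sa" --quiet
      done
}

# audit_stale_keys CUTOFF_ISO8601
# Prints "SA_EMAIL KEY_ID" for every user-managed key created before the cutoff,
# across all service accounts in the current project.
audit_stale_keys() {
  cutoff="$1"
  gcloud iam service-accounts list --format='value(email)' | while read -r sa; do
    gcloud iam service-accounts keys list --iam-account "$sa" --managed-by=user \
        --format='value(name.basename(),validAfterTime,keyType)' \
      | keys_older_than "$cutoff" | sed "s/^/$sa /"
  done
}

# Usage (live, not run here):
#   rotate_key my-service-account@example-project.iam.gserviceaccount.com app-sa-key
#   retire_old_keys my-service-account@example-project.iam.gserviceaccount.com NEW_KEY_ID
#   audit_stale_keys 2024-02-01T00:00:00Z
```

The two awk filters are the only logic that runs against the constructed sample; the three gcloud-driven functions wrap them for a live project. Keeping the "keep this ID" decision separate from the delete loop is what makes the sequence safe: the old key is only removed once the new one is known to be published and in use.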

Practice

1. What is the main purpose of a service account key in Google Cloud?
easy
A. To manage billing information for Google Cloud projects
B. To store user passwords for Google Cloud accounts
C. To allow programs to securely access Google Cloud resources
D. To create virtual machines automatically

Solution

  1. Step 1: Understand service account keys

    Service account keys are used by programs, not humans, to access Google Cloud securely.
  2. Step 2: Identify the correct purpose

    They provide credentials for applications to authenticate and interact with cloud services.
  3. Final Answer:

    To allow programs to securely access Google Cloud resources -> Option C
  4. Quick Check:

    Service account keys = secure program access [OK]
Hint: Keys let programs access cloud securely, not users [OK]
Common Mistakes:
  • Confusing keys with user passwords
  • Thinking keys manage billing
  • Believing keys create virtual machines
2. Which gcloud command correctly creates a new service account key for the account my-service-account@my-project.iam.gserviceaccount.com?
easy
A. gcloud iam service-accounts keys create key.json --iam-account=my-service-account@my-project.iam.gserviceaccount.com
B. gcloud iam service-accounts create key.json --account=my-service-account@my-project.iam.gserviceaccount.com
C. gcloud service-accounts keys create key.json --account=my-service-account@my-project.iam.gserviceaccount.com
D. gcloud iam keys create key.json --iam-account=my-service-account@my-project.iam.gserviceaccount.com

Solution

  1. Step 1: Identify correct gcloud command syntax

    The correct command to create a key is gcloud iam service-accounts keys create with the --iam-account flag.
  2. Step 2: Match the command with the options

    gcloud iam service-accounts keys create key.json --iam-account=my-service-account@my-project.iam.gserviceaccount.com matches the correct syntax exactly.
  3. Final Answer:

    gcloud iam service-accounts keys create key.json --iam-account=my-service-account@my-project.iam.gserviceaccount.com -> Option A
  4. Quick Check:

    Correct command syntax = gcloud iam service-accounts keys create key.json --iam-account=my-service-account@my-project.iam.gserviceaccount.com [OK]
Hint: Use 'iam service-accounts keys create' with --iam-account [OK]
Common Mistakes:
  • Using 'create' without 'keys'
  • Wrong flag like --account instead of --iam-account
  • Omitting 'iam' in the command
3. What will be the output of the following command?

gcloud iam service-accounts keys list --iam-account=my-service-account@my-project.iam.gserviceaccount.com

Assuming there are two active keys for this service account.
medium
A. A prompt to create a new key
B. An error saying no keys found
C. A list of all service accounts in the project
D. A list showing details of the two active keys including key IDs and creation dates

Solution

  1. Step 1: Understand the command purpose

    The command lists keys for the specified service account.
  2. Step 2: Interpret expected output

    Since two active keys exist, the output will show their details like key IDs and creation dates.
  3. Final Answer:

    A list showing details of the two active keys including key IDs and creation dates -> Option D
  4. Quick Check:

    Listing keys shows active keys details [OK]
Hint: List keys command shows active keys info [OK]
Common Mistakes:
  • Expecting an error if keys exist
  • Confusing keys list with service accounts list
  • Thinking it prompts for key creation
4. You run the command:

gcloud iam service-accounts keys delete 123abc --iam-account=my-service-account@my-project.iam.gserviceaccount.com

But get an error saying the key ID does not exist. What is the most likely cause?
medium
A. The key ID is incorrect or does not belong to the specified service account
B. The service account email is misspelled
C. You need to create a new key before deleting
D. The project ID is missing from the command

Solution

  1. Step 1: Analyze the error message

    The error says the key ID does not exist, meaning the key ID is invalid or not linked to the service account.
  2. Step 2: Check command components

A misspelled service account email would produce a different error (the service account itself not found), the project ID is not required when a default project is configured, and creating a key before deleting another is unnecessary.
  3. Final Answer:

    The key ID is incorrect or does not belong to the specified service account -> Option A
  4. Quick Check:

    Invalid key ID causes deletion error [OK]
Hint: Check key ID matches service account keys [OK]
Common Mistakes:
  • Assuming project ID is mandatory in this command
  • Thinking you must create a key before deleting
  • Ignoring key ID correctness
5. You want to rotate service account keys to improve security. Which sequence of actions is the best practice?
hard
A. Delete the old key first, then create a new key and update applications
B. Create a new key, update your applications to use it, then delete the old key
C. Create multiple keys and use them all simultaneously without deleting any
D. Keep using the old key until it expires, then create a new key

Solution

  1. Step 1: Understand key rotation best practice

    To avoid downtime, first create a new key and update applications to use it.
  2. Step 2: Remove old key after update

    Once applications use the new key, delete the old key to reduce risk.
  3. Final Answer:

    Create a new key, update your applications to use it, then delete the old key -> Option B
  4. Quick Check:

    New key first, then delete old key [OK]
Hint: Add new key before deleting old one to avoid downtime [OK]
Common Mistakes:
  • Deleting old key before updating apps
  • Using multiple keys unnecessarily
  • Waiting for old key to expire before rotating