
Service account keys management in GCP - Commands & Configuration

Introduction
Service account keys let programs prove who they are when talking to Google Cloud. Managing these keys carefully helps keep your cloud resources safe from unauthorized access.
When you want a program outside Google Cloud to access your cloud resources securely.
When you need to rotate keys regularly to reduce security risks.
When you want to delete old or unused keys to prevent misuse.
When you want to create a new key for a service account to allow new access.
When you want to list all keys to check which ones are active or expired.
Commands
This command creates a new key for the service account and downloads its private key as 'my-key.json'. Your program uses this key file to authenticate; Google does not keep a copy of the private key, so this file is the only copy and must be protected.
Terminal
gcloud iam service-accounts keys create my-key.json --iam-account my-service-account@example-project.iam.gserviceaccount.com
Expected Output
created key [KEY_ID] for [my-service-account@example-project.iam.gserviceaccount.com]
--iam-account - Specifies which service account to create the key for.
This command lists all keys for the service account so you can see which keys exist and their creation dates.
Terminal
gcloud iam service-accounts keys list --iam-account my-service-account@example-project.iam.gserviceaccount.com
Expected Output
NAME                                      CREATED_AT                KEY_TYPE
1234567890abcdef1234567890abcdef12345678  2024-05-01T12:00:00.000Z  USER_MANAGED
abcdef1234567890abcdef1234567890abcdef12  2024-04-01T12:00:00.000Z  USER_MANAGED
--iam-account - Specifies which service account's keys to list.
This command deletes the specified key from the service account to prevent it from being used again.
Terminal
gcloud iam service-accounts keys delete 1234567890abcdef1234567890abcdef12345678 --iam-account my-service-account@example-project.iam.gserviceaccount.com --quiet
Expected Output
Deleted key [1234567890abcdef1234567890abcdef12345678].
--iam-account - Specifies which service account the key belongs to.
--quiet - Skips the confirmation prompt when deleting the key.
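Putting the list and delete commands together into a rotation check, as an added example that is not part of this page: the script below parses the key table in the format shown above (a constructed sample is embedded so it runs offline), keeps only USER_MANAGED keys created before a cutoff timestamp, and prints the matching delete commands for review rather than running them. The helper names stale_keys and plan_rotation are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample of the table printed by
# `gcloud iam service-accounts keys list --iam-account ...` (same columns as above).
SAMPLE_KEY_LIST='NAME CREATED_AT KEY_TYPE
1234567890abcdef1234567890abcdef12345678 2024-05-01T12:00:00.000Z USER_MANAGED
abcdef1234567890abcdef1234567890abcdef12 2024-04-01T12:00:00.000Z USER_MANAGED
fedcba0987654321fedcba0987654321fedcba09 2024-05-10T12:00:00.000Z SYSTEM_MANAGED'

# stale_keys CUTOFF
# Reads the key table on stdin and prints the IDs of USER_MANAGED keys created
# before CUTOFF (an RFC 3339 UTC timestamp). SYSTEM_MANAGED keys are skipped:
# Google rotates those itself and they cannot be deleted by the user.
# UTC timestamps in this format sort correctly as plain strings, so awk's
# string comparison is enough and no date parsing is needed.
stale_keys() {
  cutoff="$1"
  awk -v cutoff="$cutoff" '
    NR == 1 { next }                                   # skip header row
    $3 == "USER_MANAGED" && $2 < cutoff { print $1 }   # key ID only
  '
}

# plan_rotation ACCOUNT CUTOFF
# Prints the delete commands for stale keys without executing them, so the
# plan can be reviewed after the replacement key is created and deployed.
plan_rotation() {
  account="$1"
  cutoff="$2"
  stale_keys "$cutoff" | while read -r key_id; do
    printf 'gcloud iam service-accounts keys delete %s --iam-account %s --quiet\n' \
      "$key_id" "$account"
  done
}

# Demo on the constructed sample: keys created before 2024-04-15 are stale.
printf '%s\n' "$SAMPLE_KEY_LIST" | plan_rotation \
  my-service-account@example-project.iam.gserviceaccount.com 2024-04-15T00:00:00.000Z
```

In real use, replace the sample with the live output of the list command and run the printed delete commands only after confirming nothing still depends on those keys.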
Key Concept

If you remember nothing else from this pattern, remember: always create, list, and delete service account keys carefully to keep your cloud access secure.

Common Mistakes
Creating multiple keys and not deleting old ones.
Old keys can be stolen or misused, increasing security risks.
Regularly list keys and delete any that are no longer needed.
Sharing the key file publicly or storing it insecurely.
Anyone with the key file can access your cloud resources as that service account.
Keep key files private and store them securely, such as in a secret manager.
Not specifying the correct service account in commands.
Commands will fail or affect the wrong account, causing confusion or errors.
Always use the --iam-account flag with the full service account email.
Summary
Use 'gcloud iam service-accounts keys create' to make a new key and save it securely.
Use 'gcloud iam service-accounts keys list' to see all keys for a service account.
Use 'gcloud iam service-accounts keys delete' to remove keys you no longer need.