Bird
Raised Fist0
GCPcloud~5 mins

Service account keys management in GCP - Cheat Sheet & Quick Revision

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What is a service account key in Google Cloud?
A service account key is a special credential file that allows applications or users to authenticate as a service account to access Google Cloud resources securely.
Click to reveal answer
intermediate
Why should you avoid long-lived service account keys?
Long-lived keys increase the risk of unauthorized access if the key is leaked. It's best to rotate keys regularly and delete unused keys to keep your environment secure.
Click to reveal answer
intermediate
How can you rotate a service account key safely?
Create a new key, update your applications to use the new key, then delete the old key once the new key is confirmed working.
Click to reveal answer
advanced
What is the recommended way to manage service account keys instead of downloading them?
Use Workload Identity Federation or Google Cloud IAM roles with short-lived tokens to avoid managing long-lived keys.
Click to reveal answer
beginner
Where can you manage service account keys in Google Cloud Console?
In the Google Cloud Console, go to IAM & Admin > Service Accounts, select the service account, then go to the Keys tab to create, view, or delete keys.
Click to reveal answer
What is the main risk of keeping service account keys for a long time?
AThey can be leaked and used by attackers
BThey expire automatically
CThey slow down your application
DThey increase your billing costs
Which of the following is a best practice for service account key management?
AShare keys via email
BUse the same key for all projects
CRotate keys regularly
DNever delete old keys
Where do you find the option to create a new service account key in Google Cloud Console?
ACompute Engine > VM Instances
BIAM & Admin > Service Accounts > Keys tab
CCloud Storage > Buckets
DBilling > Payment Settings
What is a safer alternative to using service account keys for authentication?
ADisabling authentication
BUsing user passwords
CSharing keys publicly
DWorkload Identity Federation
What should you do after creating a new service account key for rotation?
ADelete the old key after updating applications
BKeep both keys active forever
CShare the key with everyone
DIgnore the new key
Explain the steps to safely rotate a service account key in Google Cloud.
Think about how to avoid downtime and security risks.
You got /3 concepts.
    Describe why managing service account keys properly is important for cloud security.
    Consider what happens if keys fall into the wrong hands.
    You got /4 concepts.

      Practice

      (1/5)
      1. What is the main purpose of a service account key in Google Cloud?
      easy
      A. To manage billing information for Google Cloud projects
      B. To store user passwords for Google Cloud accounts
      C. To allow programs to securely access Google Cloud resources
      D. To create virtual machines automatically

      Solution

      1. Step 1: Understand service account keys

        Service account keys are used by programs, not humans, to access Google Cloud securely.

      2. Step 2: Identify the correct purpose

        They provide credentials for applications to authenticate and interact with cloud services.

      3. Final Answer:

        To allow programs to securely access Google Cloud resources -> Option C

      4. Quick Check:

        Service account keys = secure program access [OK]
      Hint: Keys let programs access cloud securely, not users [OK]
      Common Mistakes:
      • Confusing keys with user passwords
      • Thinking keys manage billing
      • Believing keys create virtual machines
      2. Which gcloud command correctly creates a new service account key for the account my-service-account@my-project.iam.gserviceaccount.com?
      easy
      A. gcloud iam service-accounts keys create key.json --iam-account=my-service-account@my-project.iam.gserviceaccount.com
      B. gcloud iam service-accounts create key.json --account=my-service-account@my-project.iam.gserviceaccount.com
      C. gcloud service-accounts keys create key.json --account=my-service-account@my-project.iam.gserviceaccount.com
      D. gcloud iam keys create key.json --iam-account=my-service-account@my-project.iam.gserviceaccount.com

      Solution

      1. Step 1: Identify correct gcloud command syntax

        The correct command to create a key is gcloud iam service-accounts keys create with the --iam-account flag.

      2. Step 2: Match the command with the options

        gcloud iam service-accounts keys create key.json --iam-account=my-service-account@my-project.iam.gserviceaccount.com matches the correct syntax exactly.

      3. Final Answer:

        gcloud iam service-accounts keys create key.json --iam-account=my-service-account@my-project.iam.gserviceaccount.com -> Option A

      4. Quick Check:

        Correct command syntax = gcloud iam service-accounts keys create key.json --iam-account=my-service-account@my-project.iam.gserviceaccount.com [OK]
      Hint: Use 'iam service-accounts keys create' with --iam-account [OK]
      Common Mistakes:
      • Using 'create' without 'keys'
      • Wrong flag like --account instead of --iam-account
      • Omitting 'iam' in the command
      3. What will be the output of the following command?

      gcloud iam service-accounts keys list --iam-account=my-service-account@my-project.iam.gserviceaccount.com

      Assuming there are two active keys for this service account.
      medium
      A. A prompt to create a new key
      B. An error saying no keys found
      C. A list of all service accounts in the project
      D. A list showing details of the two active keys including key IDs and creation dates

      Solution

      1. Step 1: Understand the command purpose

        The command lists keys for the specified service account.

      2. Step 2: Interpret expected output

        Since two active keys exist, the output will show their details like key IDs and creation dates.

      3. Final Answer:

        A list showing details of the two active keys including key IDs and creation dates -> Option D

      4. Quick Check:

        Listing keys shows active keys details [OK]
      Hint: List keys command shows active keys info [OK]
      Common Mistakes:
      • Expecting an error if keys exist
      • Confusing keys list with service accounts list
      • Thinking it prompts for key creation
      4. You run the command:

      gcloud iam service-accounts keys delete 123abc --iam-account=my-service-account@my-project.iam.gserviceaccount.com

      But get an error saying the key ID does not exist. What is the most likely cause?
      medium
      A. The key ID is incorrect or does not belong to the specified service account
      B. The service account email is misspelled
      C. You need to create a new key before deleting
      D. The project ID is missing from the command

      Solution

      1. Step 1: Analyze the error message

        The error says the key ID does not exist, meaning the key ID is invalid or not linked to the service account.

      2. Step 2: Check command components

        The service account email may be correct, and project ID is not required here if default is set. Creating a key before deleting is unnecessary.

      3. Final Answer:

        The key ID is incorrect or does not belong to the specified service account -> Option A

      4. Quick Check:

        Invalid key ID causes deletion error [OK]
      Hint: Check key ID matches service account keys [OK]
      Common Mistakes:
      • Assuming project ID is mandatory in this command
      • Thinking you must create a key before deleting
      • Ignoring key ID correctness
      5. You want to rotate service account keys to improve security. Which sequence of actions is the best practice?
      hard
      A. Delete the old key first, then create a new key and update applications
      B. Create a new key, update your applications to use it, then delete the old key
      C. Create multiple keys and use them all simultaneously without deleting any
      D. Keep using the old key until it expires, then create a new key

      Solution

      1. Step 1: Understand key rotation best practice

        To avoid downtime, first create a new key and update applications to use it.

      2. Step 2: Remove old key after update

        Once applications use the new key, delete the old key to reduce risk.

      3. Final Answer:

        Create a new key, update your applications to use it, then delete the old key -> Option B

      4. Quick Check:

        New key first, then delete old key [OK]
      Hint: Add new key before deleting old one to avoid downtime [OK]
      Common Mistakes:
      • Deleting old key before updating apps
      • Using multiple keys unnecessarily
      • Waiting for old key to expire before rotating