
Service account keys management in GCP - Step-by-Step Execution

Process Flow - Service account keys management
- Create Service Account
- Generate Key for Account
- Store Key Securely
- Use Key for Authentication
- Rotate Key Periodically
- Delete Old/Unused Keys
- End
This flow shows how to create a service account, generate keys, use them securely, rotate keys regularly, and delete old keys to keep security strong.
Execution Sample
GCP
1. gcloud iam service-accounts create my-sa
2. gcloud iam service-accounts keys create key.json --iam-account=my-sa@PROJECT_ID.iam.gserviceaccount.com
3. Use key.json in app
4. gcloud iam service-accounts keys list --iam-account=my-sa@PROJECT_ID.iam.gserviceaccount.com
5. gcloud iam service-accounts keys delete KEY_ID --iam-account=my-sa@PROJECT_ID.iam.gserviceaccount.com
This sequence creates a service account, generates a key, lists keys, and deletes a key.
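An added example, not part of the lesson: a Python helper that reads the JSON that `gcloud iam service-accounts keys list --format=json` prints (step 4), picks out the user-managed keys older than a rotation window, and renders the matching step 5 delete commands for review. The sample key list, key IDs and dates are constructed, and the 90-day window is an assumption.

```python
import json
from datetime import datetime, timedelta, timezone

ACCOUNT = "my-sa@PROJECT_ID.iam.gserviceaccount.com"
KEY_PREFIX = "projects/PROJECT_ID/serviceAccounts/" + ACCOUNT + "/keys/"

# Constructed sample of what `gcloud iam service-accounts keys list --format=json`
# prints for 'my-sa' (field names follow the IAM ServiceAccountKey resource;
# the key IDs and dates are made up for this example).
SAMPLE_KEYS_JSON = json.dumps([
    {"name": KEY_PREFIX + "aaaa1111", "keyType": "USER_MANAGED", "validAfterTime": "2023-10-01T08:00:00Z"},
    {"name": KEY_PREFIX + "bbbb2222", "keyType": "USER_MANAGED", "validAfterTime": "2024-02-20T08:00:00Z"},
    {"name": KEY_PREFIX + "cccc3333", "keyType": "SYSTEM_MANAGED", "validAfterTime": "2024-02-25T08:00:00Z"},
])

def parse_time(ts):
    """gcloud prints RFC 3339 UTC timestamps such as 2024-02-20T08:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def key_id(resource_name):
    """The KEY_ID that 'keys delete' expects is the last segment of the resource name."""
    return resource_name.rsplit("/", 1)[-1]

def plan_rotation(keys_json, now, max_age_days=90):
    """Sort user-managed keys into those to delete and those to keep.
    SYSTEM_MANAGED keys are rotated by Google and cannot be deleted, so they are
    skipped. Stale keys are deleted only when a newer user-managed key exists:
    create the replacement (step 2) before deleting (step 5), or the app is left
    with nothing to authenticate with.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale, current = [], []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        bucket = stale if parse_time(key["validAfterTime"]) < cutoff else current
        bucket.append(key_id(key["name"]))
    return {"delete": stale if current else [], "keep": current,
            "needs_new_key_first": bool(stale) and not current}

def delete_commands(key_ids, account=ACCOUNT):
    """Render step 5 of the lesson for each stale key, to review before running."""
    return [f"gcloud iam service-accounts keys delete {k} --iam-account={account}"
            for k in key_ids]

if __name__ == "__main__":
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed so the sample is reproducible
    plan = plan_rotation(SAMPLE_KEYS_JSON, now)
    print("keep:", plan["keep"], "| needs new key first:", plan["needs_new_key_first"])
    print("\n".join(delete_commands(plan["delete"])))
```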
Process Table
| Step | Action | Command/Operation | Result/State Change |
|---|---|---|---|
| 1 | Create service account | gcloud iam service-accounts create my-sa | Service account 'my-sa' created |
| 2 | Generate key for 'my-sa' | gcloud iam service-accounts keys create key.json --iam-account=my-sa@PROJECT_ID.iam.gserviceaccount.com | Key file 'key.json' created and downloaded |
| 3 | Use key in app | App uses 'key.json' to authenticate | App authenticated as 'my-sa' |
| 4 | List keys for 'my-sa' | gcloud iam service-accounts keys list --iam-account=my-sa@PROJECT_ID.iam.gserviceaccount.com | Shows list of keys with IDs and creation dates |
| 5 | Delete old key | gcloud iam service-accounts keys delete KEY_ID --iam-account=my-sa@PROJECT_ID.iam.gserviceaccount.com | Key with KEY_ID deleted |
| 6 | End | - | No further action |
💡 All keys managed: created, used, listed, and deleted as needed to maintain security.
Status Tracker
| Variable | Start | After Step 1 | After Step 2 | After Step 4 | After Step 5 | Final |
|---|---|---|---|---|---|---|
| Service Account | None | my-sa created | my-sa with key generated | my-sa with keys listed | my-sa with key deleted | my-sa with updated keys |
| Key File | None | None | key.json created | key.json known | key.json deleted if old | No unused keys remain |
Key Moments - 3 Insights
Why do we need to delete old service account keys?
Old keys increase the risk of compromise if leaked. Deleting them reduces the attack surface. See step 5 of the Process Table, where key deletion happens.
Can we use a service account without generating a key file?
Yes, if the app runs on Google Cloud resources with an attached default service account. Apps running outside Google Cloud need a key. Step 3 shows the key file being used for authentication.
What happens if we lose the key file?
You can no longer authenticate with that key. Create a new key and delete the lost one, since the lost key stays valid until it is deleted. See steps 2 and 5 for key creation and deletion.
Visual Quiz - 3 Questions
Test your understanding
Look at the Process Table: what is the result after step 2?
A. Key file 'key.json' created and downloaded
B. App authenticated as 'my-sa'
C. Service account 'my-sa' created
D. Key with KEY_ID deleted
💡 Hint
Check the 'Result/State Change' column for step 2 in the Process Table.
At which step do we remove an old key?
A. Step 1
B. Step 3
C. Step 5
D. Step 4
💡 Hint
Look for the action 'Delete old key' in the Process Table.
If we skip step 5, what happens to the keys according to the Status Tracker?
A. No keys exist
B. All keys remain, including old ones
C. Only new keys exist
D. Service account is deleted
💡 Hint
Check the Status Tracker row for 'Key File' after step 5.
Concept Snapshot
Service account keys management:
- Create service account
- Generate keys for authentication
- Use keys securely in apps
- List keys to monitor
- Rotate and delete old keys regularly
- Keep keys safe to protect access
Full Transcript
This lesson shows how to manage service account keys in Google Cloud. First, create a service account. Then generate a key file to authenticate apps outside Google Cloud. Use the key file in your app to access resources. Regularly list keys to see which exist. Delete old or unused keys to keep your project secure. Losing keys means you must create new ones. Managing keys carefully protects your cloud resources.