More Info:

Service account keys should be rotated periodically.

Risk Level

High

Address

Security

Compliance Standards

CISGCP, CBP

Remediation

Using Console

To remediate the misconfiguration “Service Account Keys Should Be Rotated” for GCP using GCP console, follow the steps below:

  1. Login to the Google Cloud Console using your credentials.
  2. Navigate to the IAM & Admin page from the left-hand menu.
  3. Click on Service Accounts from the list of options.
  4. Select the service account for which you want to rotate the keys.
  5. Click on the Edit button for the selected service account.
  6. Scroll down to the Keys section and click on the Add Key button.
  7. Select the type of key you want to add from the dropdown list.
  8. Click on the Create button to generate the new key.
  9. Once the new key is created, download it and store it securely.
  10. Delete the old key(s) that are no longer required.

By following these steps, you have successfully rotated the service account keys for your GCP project. Make sure to repeat this process periodically to keep your service account keys up to date.

Using CLI

To remediate the misconfiguration “Service Account Keys Should Be Rotated” for GCP using GCP CLI, you can follow the below steps:

  1. First, you need to identify the Service Account Keys that need to be rotated. You can use the below command to list all the Service Accounts in your project:
gcloud iam service-accounts list
  1. Once you have identified the Service Account that needs to be rotated, you can create a new key for that Service Account using the below command:
gcloud iam service-accounts keys create [FILE_NAME].json --iam-account [SERVICE_ACCOUNT_EMAIL]

Replace [FILE_NAME] with the name of the file you want to create for the new key and replace [SERVICE_ACCOUNT_EMAIL] with the email of the Service Account that needs to be rotated.

  1. After creating the new key, you need to delete the old key. You can use the below command to list all the keys for a Service Account:
gcloud iam service-accounts keys list --iam-account [SERVICE_ACCOUNT_EMAIL]
  1. Once you have identified the old key that needs to be deleted, you can use the below command to delete it:
gcloud iam service-accounts keys delete [KEY_ID] --iam-account [SERVICE_ACCOUNT_EMAIL]

Replace [KEY_ID] with the ID of the key that needs to be deleted and replace [SERVICE_ACCOUNT_EMAIL] with the email of the Service Account.

  1. Finally, you need to ensure that the new key is being used by all the applications that were using the old key. You can update the applications with the new key manually or by using automation tools like Ansible or Terraform.

By following the above steps, you can remediate the misconfiguration “Service Account Keys Should Be Rotated” for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Service Account Keys Should Be Rotated” in GCP using Python, you can follow the below steps:

Step 1: Install the required libraries

Install the Google Cloud SDK and the Python client library using pip.

!pip install google-cloud-storage

Step 2: Authenticate the client

Authenticate the client using the service account key that you want to rotate.

from google.oauth2 import service_account
from google.cloud import storage

key_path = 'path/to/service_account_key.json'
credentials = service_account.Credentials.from_service_account_file(key_path)
client = storage.Client(credentials=credentials)

Step 3: Rotate the service account key

Create a new service account key and delete the old one.

from google.cloud import iam

iam_client = iam.IAMClient(credentials=credentials)

# Get the service account ID
service_account_email = '[email protected]'
service_account_id = service_account_email.split('@')[0]

# Create a new service account key
new_key = iam_client.create_service_account_key(name=f'projects/-/serviceAccounts/{service_account_email}')['privateKeyData']

# Delete the old service account key
keys = iam_client.list_service_account_keys(name=f'projects/-/serviceAccounts/{service_account_email}')
for key in keys:
    if key.key_id != 'latest':
        iam_client.delete_service_account_key(name=key.name)

Step 4: Save the new service account key

Save the new service account key to a file.

import base64

new_key = base64.b64decode(new_key).decode('utf-8')
with open('path/to/new_service_account_key.json', 'w') as f:
    f.write(new_key)

Step 5: Update the service account key in the application

Update the service account key in the application with the new key that you have generated.

Note: Make sure to update the service account key in all the places where it is being used.

By following these steps, you can remediate the misconfiguration “Service Account Keys Should Be Rotated” in GCP using Python.