
I have a service account in GCP and I hold its key in a Secret Manager.

Is there a way to set a scheduled secret rotation for the secret holding the service account key, so that the Pub/Sub would be a GCP one and not managed by me? Does GCP provide such a managed Pub/Sub service?

David Taub
  • The short answer is: no, there is nothing to rotate the secret automatically, only a tool to remind you to do it. However, why are you storing a service account key file in Google Cloud? AFAIK, it's a deadlock pattern: to access the secret, you need a credential. That credential is stored in Secret Manager. To access the secret, you need a credential, ... – guillaume blaquiere Jan 17 '22 at 10:15
  • The secret can be accessed by user accounts, which then in turn run an application that uses the service account. – David Taub Jan 17 '22 at 11:39
  • Use impersonation, or allow the user account (or a group of accounts) to access the same resources as the service account. I'm a service account key file hater; when I can advocate to avoid them, I do!!! – guillaume blaquiere Jan 17 '22 at 12:56

2 Answers


There is no built-in function for that, but Google advises using a tool such as Keyrotator to keep the service account keys safe.
You can also write your own script using the Cloud SDK that will create a new key, obtain it and update it in the Secrets Manager:

# 1. create a new key; gcloud writes the private key JSON to key-file
gcloud iam service-accounts keys create key-file \
    --iam-account=sa-name@project-id.iam.gserviceaccount.com

# 2. (optional) export the public part of a key, e.g. to check which key is now active;
#    the private key itself only comes out of step 1, and --iam-account needs the full email
gcloud beta iam service-accounts keys get-public-key KEY_ID \
    --iam-account=sa-name@project-id.iam.gserviceaccount.com --output-file=FILENAME

# 3. store the new key as a new version of the secret
#    (gcloud secrets update only changes metadata such as labels, not the secret payload)
gcloud secrets versions add secret-id --data-file=key-file

# 4. disable the old key (delete it once nothing depends on it anymore)
gcloud iam service-accounts keys disable OLD_KEY_ID \
    --iam-account=sa-name@project-id.iam.gserviceaccount.com

This is of course simplified code; you can find more information on those commands here - 1, 2.
Such a script can be run periodically, e.g. using crontab on a GCE instance or Cloud Scheduler.

Sergiusz
  • Actually Google [advises against](https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#secret-manager) storing service account keys in Secrets Manager. – Diogo Simões Jul 20 '23 at 14:06
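The procedure in the answer above (create a new key, publish it to Secret Manager, retire the old one) has an ordering hazard: if the old key is disabled before readers actually get the new secret version, every consumer breaks at once. The script below is an added example, not code from the answer or from Google; it puts the gcloud calls behind a small backend interface (GcloudBackend, which assumes an authenticated gcloud with IAM and Secret Manager permissions, and a hypothetical FakeBackend with the same interface so the logic can be run offline). The service account email and secret id are assumed placeholders. It publishes first, verifies that the `latest` version now holds the new key, and only then disables the previous keys; a failed publish retires the freshly created key instead of the old one.

```python
"""Rotate a service-account key served to applications via Secret Manager (added example)."""
from __future__ import annotations

import json
import os
import subprocess
import tempfile


def _gcloud(*args: str) -> str:
    """Run one gcloud command and return its stdout (raises on non-zero exit)."""
    return subprocess.run(["gcloud", *args], check=True, capture_output=True, text=True).stdout


class GcloudBackend:
    """Real backend: shells out to gcloud (assumes gcloud is installed and authenticated)."""

    def __init__(self, sa_email: str, secret_id: str) -> None:
        self.sa_email = sa_email    # assumed placeholder, e.g. sa-name@project-id.iam.gserviceaccount.com
        self.secret_id = secret_id  # assumed placeholder: the secret whose payload is the key JSON

    def enabled_user_key_ids(self) -> list[str]:
        keys = json.loads(_gcloud("iam", "service-accounts", "keys", "list",
                                  f"--iam-account={self.sa_email}", "--managed-by=user", "--format=json"))
        # each name looks like projects/P/serviceAccounts/E/keys/KEY_ID
        return [k["name"].rsplit("/", 1)[1] for k in keys if not k.get("disabled", False)]

    def create_key(self) -> tuple[str, str]:
        fd, path = tempfile.mkstemp(suffix=".json")
        os.close(fd)
        try:
            _gcloud("iam", "service-accounts", "keys", "create", path, f"--iam-account={self.sa_email}")
            with open(path, encoding="utf-8") as fh:
                key_json = fh.read()
        finally:
            os.remove(path)  # never leave the private key lying on disk
        return json.loads(key_json)["private_key_id"], key_json

    def add_secret_version(self, payload: str) -> None:
        fd, path = tempfile.mkstemp()
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(payload)
        try:
            _gcloud("secrets", "versions", "add", self.secret_id, f"--data-file={path}")
        finally:
            os.remove(path)

    def read_latest_secret(self) -> str:
        return _gcloud("secrets", "versions", "access", "latest", f"--secret={self.secret_id}")

    def disable_key(self, key_id: str) -> None:
        _gcloud("iam", "service-accounts", "keys", "disable", key_id, f"--iam-account={self.sa_email}")


class FakeBackend:
    """Hypothetical in-memory stand-in with the same interface, for offline runs and tests."""

    def __init__(self, existing_key_ids: list[str], fail_publish: bool = False) -> None:
        self.keys = {k: True for k in existing_key_ids}  # key_id -> enabled?
        self.versions: list[str] = []                    # constructed Secret Manager versions
        self.fail_publish = fail_publish
        self._counter = 0

    def enabled_user_key_ids(self) -> list[str]:
        return [k for k, enabled in self.keys.items() if enabled]

    def create_key(self) -> tuple[str, str]:
        self._counter += 1
        key_id = f"fake-key-{self._counter}"
        self.keys[key_id] = True
        return key_id, json.dumps({"type": "service_account", "private_key_id": key_id})

    def add_secret_version(self, payload: str) -> None:
        if self.fail_publish:
            raise RuntimeError("constructed failure: Secret Manager write rejected")
        self.versions.append(payload)

    def read_latest_secret(self) -> str:
        return self.versions[-1]

    def disable_key(self, key_id: str) -> None:
        self.keys[key_id] = False


def rotate(backend) -> dict:
    """Create a key, publish it, confirm 'latest' serves it, then disable the previous keys."""
    old_ids = backend.enabled_user_key_ids()
    new_id, key_json = backend.create_key()
    try:
        backend.add_secret_version(key_json)
    except Exception:
        backend.disable_key(new_id)  # the new key never reached readers: retire it, keep the old ones
        raise
    served_id = json.loads(backend.read_latest_secret())["private_key_id"]
    if served_id != new_id:
        # Readers are not getting the new key yet, so touching the old keys would cause an outage.
        raise RuntimeError(f"latest secret version holds {served_id}, expected {new_id}")
    for kid in old_ids:
        if kid != new_id:
            backend.disable_key(kid)  # disable, not delete: re-enable is the rollback path
    return {"new_key_id": new_id, "disabled_key_ids": sorted(old_ids)}


if __name__ == "__main__":
    import sys
    # usage: rotate_key.py SA_EMAIL SECRET_ID  (run from Cloud Scheduler, cron, etc.)
    print(json.dumps(rotate(GcloudBackend(sys.argv[1], sys.argv[2]))))
```

Disabled keys are deliberately left in place; delete them in a later run once no consumer still authenticates with them, which is visible in the audit logs for the service account.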

@david - Doppler actually supports automatic secrets rotation for GCP Cloud SQL — including MySQL, Postgres, and SQL Server. Also, since Cloud SQL has a rich admin API, the rotation can be performed entirely through the API - no serverless proxy required!

Hope this helps https://docs.doppler.com/docs/gcp_cloudsql