google-cloud-rust

Rotate Auth integration service account keys

Open dbolduc opened this issue 11 months ago • 2 comments

Terraform can be used to rotate service account keys.

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_key#example-usage-creating-and-regularly-rotating-a-key

Somebody/something needs to run terraform plan ... && terraform apply ... to do the checks though.

If we do not rotate the keys, our build will fail every ~90 days.

dbolduc, Jan 31 '25 19:01

I think you want something like:

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_scheduler_job

Though now you want to think about what service account will run that job, and what permissions it will need to have.

coryan, Jan 31 '25 20:01

Added the rotation in terraform, and instructions for how to run it.

I did not set up a scheduled job to do this. Unassigning, and leaving open.

dbolduc, May 02 '25 18:05

@PhongChuong / @dbolduc can we close this?

coryan, Oct 21 '25 18:10

Yes, we can close. Here is a successful run of terraform for rust-auth-testing triggered by the Scheduler job.

https://pantheon.corp.google.com/cloud-build/builds;region=us-central1/56d43a7a-6e22-4e17-908c-c667498b0dec?project=rust-auth-testing

dbolduc, Oct 21 '25 18:10
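For readers following the thread, a sketch of the setup discussed above: a key whose replacement is driven by a `time_rotating` keeper, plus a Cloud Scheduler job that triggers the `terraform apply` run. This is an added example, not the google-cloud-rust project's own configuration. The resource names, account id, schedule, variables and the pre-existing Cloud Build trigger are all assumptions.

```hcl
# Added example. All names and variables below are hypothetical.
variable "project" { type = string }
variable "region" { type = string }
variable "rotation_trigger_id" { type = string } # existing Cloud Build trigger that runs terraform apply
variable "scheduler_sa_email" { type = string }  # dedicated account used only to start that trigger

resource "google_service_account" "integration" {
  project    = var.project
  account_id = "auth-integration-test" # hypothetical
}

# Rotation window well inside the ~90 day limit mentioned in the issue,
# so one missed run does not break the build.
resource "time_rotating" "key_rotation" {
  rotation_days = 30
}

# When rotation_rfc3339 changes, the keeper forces a new key. Nothing happens
# until terraform apply actually runs, which is why a scheduled run is needed.
# The private key is written to Terraform state: restrict access to the state.
resource "google_service_account_key" "integration" {
  service_account_id = google_service_account.integration.name

  keepers = {
    rotation_time = time_rotating.key_rotation.rotation_rfc3339
  }
}

# Weekly call to the Cloud Build "run trigger" endpoint. A request body is
# omitted here; add one if the trigger needs a source revision.
resource "google_cloud_scheduler_job" "rotate_keys" {
  project   = var.project
  region    = var.region
  name      = "rotate-integration-keys"
  schedule  = "0 6 * * 1"
  time_zone = "Etc/UTC"

  http_target {
    http_method = "POST"
    uri         = "https://cloudbuild.googleapis.com/v1/projects/${var.project}/locations/${var.region}/triggers/${var.rotation_trigger_id}:run"

    # Grant this account only the permission to run the trigger.
    oauth_token {
      service_account_email = var.scheduler_sa_email
    }
  }
}
```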