Rotating service account keys

This page describes how to rotate your service account keys using gkectl for Cloud Audit Logs, Usage Metering, and Stackdriver components on Google Distributed Cloud.

To rotate your service account keys:

  1. Create a directory to store a backup of your current secrets:

    mkdir backup

  2. Note the following information for the relevant component:

    Cloud Audit Logs

    Cluster Secret Namespace
    Admin admin-cluster-creds kube-system
    Admin user-cluster-creds CLUSTER_NAME-gke-onprem-mgmt
    Admin kube-apiserver CLUSTER_NAME

    Usage Metering

    Cluster Secret Namespace
    Admin user-cluster-creds CLUSTER_NAME-gke-onprem-mgmt
    User usage-metering-bigquery-service-account-key kube-system

    Stackdriver

    Cluster Secret Namespace
    Admin admin-cluster-creds kube-system
    Admin user-cluster-creds CLUSTER_NAME-gke-onprem-mgmt
    User google-cloud-credentials kube-system
    User stackdriver-service-account-key knative-serving

  3. Create a backup of each secret using the following command:

    kubectl get secret SECRET --namespace NAMESPACE \
    --kubeconfig KUBECONFIG -o json > backup/SECRET-NAMESPACE.json

    Replace the following:

    • NAMESPACE: the namespace where the secret is located. For example, kube-system.
    • KUBECONFIG: the path to the kubeconfig file for the admin or user cluster.
    • SECRET: the name of the secret. For example, admin-cluster-creds.

    For example, run the following commands for the Cloud Audit Logs component:

    kubectl get secret admin-cluster-creds --namespace kube-system \
        --kubeconfig KUBECONFIG -o json > backup/admin-cluster-creds-kube-system.json

kubectl get secret user-cluster-creds --namespace NAMESPACE \
        --kubeconfig KUBECONFIG -o json > backup/user-cluster-creds-NAMESPACE.json

kubectl get secret kube-apiserver --namespace NAMESPACE \
        --kubeconfig KUBECONFIG -o json > backup/kube-apiserver-NAMESPACE.json

  4. To create a new service account key file, run the following command:

    gcloud iam service-accounts keys create NEW_KEY_FILE --iam-account IAM_ACCOUNT

    Replace the following:

    • NEW_KEY_FILE: the name for your new service account key file
    • IAM_ACCOUNT: your service account email address for either Cloud Audit Logs, Usage Metering, or Stackdriver.

  5. In the corresponding configuration files for both the admin cluster and user clusters, find the cloudauditlogging, usagemetering, or stackdriver section.

  6. Replace the serviceAccountKeyPath field with the NEW_KEY_FILE you created earlier.

  7. Save the changes you made using the following commands:

    gkectl update credentials COMPONENT --admin-cluster --kubeconfig \
  ADMIN_CLUSTER_KUBECONFIG --config ADMIN_CLUSTER_CONFIG

gkectl update credentials COMPONENT --kubeconfig \
   ADMIN_CLUSTER_KUBECONFIG --config USER_CLUSTER_CONFIG

    Replace the following;

    • COMPONENT: one of cloudauditlogging, usagemetering, or stackdriver.
    • ADMIN_CLUSTER_KUBECONFIG: the path to the kubeconfig file for the admin cluster.
    • ADMIN_CLUSTER_CONFIG: the path to the admin cluster configuration file.
    • USER_CLUSTER_CONFIG: the path to the user cluster configuration file.