# Rotating service account keys

This page describes how to rotate your service account keys using `gkectl` for
Cloud Audit Logs, Usage Metering, and Stackdriver components on Google Distributed Cloud.

**Note:** For information on rotating the connect-register service account key file for a cluster, see [Rotate a connect-register service account key for the admin cluster](/anthos/clusters/docs/on-prem/1.11/how-to/updating-general#rotate_a_connect-register_service_account_key_for_the_admin_cluster) or [Rotate a connect-register service account key for a user cluster](/anthos/clusters/docs/on-prem/1.11/how-to/updating-general#rotate_a_connect-register_service_account_key_for_a_user_cluster).

To rotate your service account keys:

1. Create a directory to store a backup of your current secrets:

   ```
   mkdir backup
   ```

   The backups taken in step 3 contain the current (old) service account keys in base64-encoded form, so keep this directory as protected as the key files themselves.

2. Note the following information for the relevant component:

   **Cloud Audit Logs**

   | Cluster | Secret              | Namespace                    |
   |---------|---------------------|------------------------------|
   | Admin   | admin-cluster-creds | kube-system                  |
   | Admin   | user-cluster-creds  | CLUSTER_NAME-gke-onprem-mgmt |
   | Admin   | kube-apiserver      | CLUSTER_NAME                 |

   **Usage Metering**

   | Cluster | Secret                                      | Namespace                    |
   |---------|---------------------------------------------|------------------------------|
   | Admin   | user-cluster-creds                          | CLUSTER_NAME-gke-onprem-mgmt |
   | User    | usage-metering-bigquery-service-account-key | kube-system                  |

   **Stackdriver**

   | Cluster | Secret                          | Namespace                    |
   |---------|---------------------------------|------------------------------|
   | Admin   | admin-cluster-creds             | kube-system                  |
   | Admin   | user-cluster-creds              | CLUSTER_NAME-gke-onprem-mgmt |
   | User    | google-cloud-credentials        | kube-system                  |
   | User    | stackdriver-service-account-key | knative-serving              |

   `CLUSTER_NAME` is the name of the user cluster.

3. Create a backup of each secret using the following command:

   ```
   kubectl get secret SECRET --namespace NAMESPACE \
       --kubeconfig KUBECONFIG -o json > backup/SECRET-NAMESPACE.json
   ```

   Replace the following:
   - `SECRET`: the name of the secret. For example, `admin-cluster-creds`.
   - `NAMESPACE`: the namespace where the secret is located. For example, `kube-system`.
   - `KUBECONFIG`: the path to the kubeconfig file for the cluster listed in the **Cluster** column (admin or user).

   For example, run the following commands for the Cloud Audit Logs component (all three of its secrets live in the admin cluster, so `KUBECONFIG` is the admin cluster kubeconfig in each case):

   ```
   kubectl get secret admin-cluster-creds --namespace kube-system \
       --kubeconfig KUBECONFIG -o json > backup/admin-cluster-creds-kube-system.json

   kubectl get secret user-cluster-creds --namespace NAMESPACE \
       --kubeconfig KUBECONFIG -o json > backup/user-cluster-creds-NAMESPACE.json

   kubectl get secret kube-apiserver --namespace NAMESPACE \
       --kubeconfig KUBECONFIG -o json > backup/kube-apiserver-NAMESPACE.json
   ```

4. To create a new service account key file, run the following command:

   ```
   gcloud iam service-accounts keys create NEW_KEY_FILE --iam-account IAM_ACCOUNT
   ```

   Replace the following:
   - `NEW_KEY_FILE`: the name for your new service account key file.
   - `IAM_ACCOUNT`: your service account email address for either [Cloud Audit Logs](/anthos/clusters/docs/on-prem/1.11/how-to/service-accounts#audit_logging_service_account), [Usage Metering](/anthos/clusters/docs/on-prem/1.11/how-to/service-accounts#usage_metering_service_account), or Stackdriver.

5. In the corresponding configuration files for both the admin cluster and user clusters, find the `cloudauditlogging`, `usagemetering`, or `stackdriver` section.

6. Replace the `serviceAccountKeyPath` field with the `NEW_KEY_FILE` you created earlier.

7. Save the changes you made using the following commands (the first updates the admin cluster, the second updates a user cluster):

   ```
   gkectl update credentials COMPONENT --admin-cluster --kubeconfig \
       ADMIN_CLUSTER_KUBECONFIG --config ADMIN_CLUSTER_CONFIG

   gkectl update credentials COMPONENT --kubeconfig \
       ADMIN_CLUSTER_KUBECONFIG --config USER_CLUSTER_CONFIG
   ```

   Replace the following:
   - `COMPONENT`: one of `cloudauditlogging`, `usagemetering`, or `stackdriver`.
   - `ADMIN_CLUSTER_KUBECONFIG`: the path to the kubeconfig file for the admin cluster.
   - `ADMIN_CLUSTER_CONFIG`: the path to the admin cluster configuration file.
   - `USER_CLUSTER_CONFIG`: the path to the user cluster configuration file.

**Note:** If you need to restore the backup of the secret you made earlier, run the following command, which re-applies every secret saved in the backup directory:

```
kubectl apply -f backup/
```
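The following helper is an added example, not code from the Google documentation page or from `gkectl`. It supports steps 3, 4 and 6 of the procedure above with the checks an operator wants before pointing a cluster at a new key: it reads the `private_key_id` and `client_email` of the key currently deployed from a `kubectl get secret ... -o json` backup, confirms that the freshly created `NEW_KEY_FILE` belongs to the same service account and is actually a different key, and rewrites `serviceAccountKeyPath` inside one component section of the cluster configuration file without touching the other components. The secret backup, the key files and the configuration snippet are constructed for the example; the data key name `cloud-audit-logging.json` inside the secret and the file paths are assumptions, as is the line-based layout of the YAML (section name at one indentation, its fields indented deeper).

```python
"""Pre-flight checks for a Google Distributed Cloud service-account key rotation.

Added example; not part of the documentation page or of gkectl. Assumes:
  * secret backups were taken with `kubectl get secret ... -o json`, so every
    value under "data" is base64-encoded;
  * the cluster config is YAML in which the component section (cloudauditlogging,
    usagemetering or stackdriver) holds a `serviceAccountKeyPath` field indented
    deeper than the section name.
"""
import base64
import json
import re


def key_identity_from_backup(backup_json: str) -> dict:
    """Return the data key, client_email and private_key_id of the service-account
    key stored in a secret backup. Every base64 value is decoded; values that are
    not JSON (certificates, tokens) are skipped."""
    secret = json.loads(backup_json)
    for name, b64 in secret.get("data", {}).items():
        try:
            blob = json.loads(base64.b64decode(b64))
        except (ValueError, UnicodeDecodeError):
            continue  # not a JSON value, e.g. a PEM certificate
        if isinstance(blob, dict) and blob.get("type") == "service_account":
            return {"key": name, "client_email": blob["client_email"],
                    "private_key_id": blob["private_key_id"]}
    raise ValueError("no service-account key found in secret backup")


def verify_new_key(new_key_json: str, expected_email: str, old_key_id: str) -> dict:
    """Check NEW_KEY_FILE before it is referenced from the cluster config: it must
    be a service-account key for the same IAM account and must not be the key that
    is already deployed. Returns the parsed key on success."""
    key = json.loads(new_key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    if key["client_email"] != expected_email:
        raise ValueError(f"key belongs to {key['client_email']}, expected {expected_email}")
    if key["private_key_id"] == old_key_id:
        raise ValueError("new key has the same private_key_id as the deployed key")
    return key


def set_service_account_key_path(config_text: str, component: str, new_key_file: str) -> str:
    """Rewrite serviceAccountKeyPath under the named component section only.
    Raises unless exactly one field was rewritten, so a typo in the component
    name cannot silently leave the old key in use."""
    section_re = re.compile(rf"{re.escape(component)}:\s*(#.*)?$")
    out, in_section, section_indent, replaced = [], False, 0, 0
    for line in config_text.splitlines():
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if section_re.match(stripped):
            in_section, section_indent = True, indent
        elif in_section and stripped and not stripped.startswith("#") and indent <= section_indent:
            in_section = False  # a key at the section's own indentation ends it
        if in_section and stripped.startswith("serviceAccountKeyPath:"):
            line = f'{" " * indent}serviceAccountKeyPath: "{new_key_file}"'
            replaced += 1
        out.append(line)
    if replaced != 1:
        raise ValueError(f"expected one serviceAccountKeyPath under '{component}', found {replaced}")
    return "\n".join(out) + ("\n" if config_text.endswith("\n") else "")


# ---- constructed sample data (not real keys or clusters) ---------------------
SA_EMAIL = "audit-logging@example-project.iam.gserviceaccount.com"
OLD_KEY = {"type": "service_account", "project_id": "example-project",
           "private_key_id": "0123abcd", "client_email": SA_EMAIL}
NEW_KEY = {"type": "service_account", "project_id": "example-project",
           "private_key_id": "9876fedc", "client_email": SA_EMAIL}


def _b64(value) -> str:
    raw = value if isinstance(value, bytes) else json.dumps(value).encode()
    return base64.b64encode(raw).decode()


# What `kubectl get secret admin-cluster-creds -n kube-system -o json` might look like;
# the data key "cloud-audit-logging.json" is an assumption for this example.
SAMPLE_BACKUP = json.dumps({
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "admin-cluster-creds", "namespace": "kube-system"},
    "data": {"ca.crt": _b64(b"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"),
             "cloud-audit-logging.json": _b64(OLD_KEY)},
})

SAMPLE_CONFIG = """\
apiVersion: v1
kind: AdminCluster
cloudauditlogging:
  projectID: "example-project"
  serviceAccountKeyPath: "/home/me/keys/audit-old.json"
stackdriver:
  projectID: "example-project"
  serviceAccountKeyPath: "/home/me/keys/stackdriver.json"
"""


def rotation_preflight(backup_json, new_key_json, config_text, component, new_key_file) -> str:
    """Run the checks in order and return the updated config text for gkectl."""
    deployed = key_identity_from_backup(backup_json)
    verify_new_key(new_key_json, deployed["client_email"], deployed["private_key_id"])
    return set_service_account_key_path(config_text, component, new_key_file)


if __name__ == "__main__":
    print(rotation_preflight(SAMPLE_BACKUP, json.dumps(NEW_KEY), SAMPLE_CONFIG,
                             "cloudauditlogging", "/home/me/keys/audit-new.json"))
```

Run the preflight on the real files (`backup/SECRET-NAMESPACE.json`, `NEW_KEY_FILE`, the admin or user cluster config) before step 7; after `gkectl update credentials` completes, re-export the secret and feed it to `key_identity_from_backup` to confirm the deployed `private_key_id` is now the new one.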
Last updated 2025-08-25 UTC.