# Rotating service account keys

This page describes how to rotate keys for the following service accounts:

- [Component access](/anthos/clusters/docs/on-prem/1.16/how-to/service-accounts#component_access_service_account)
- [Connect-register](/anthos/clusters/docs/on-prem/1.16/how-to/service-accounts#connect_register_service_account)
- [Logging-monitoring](/anthos/clusters/docs/on-prem/1.16/how-to/service-accounts#logging_monitoring_service_account)
- [Audit logging](/anthos/clusters/docs/on-prem/1.16/how-to/service-accounts#audit_logging_service_account)
- [Usage metering](/anthos/clusters/docs/on-prem/1.16/how-to/service-accounts#usage_metering_service_account)

To rotate your service account keys:

1. Create a directory to store a backup of your current secrets:

   ```
   mkdir backup
   ```
2. Note the following information for the relevant service account:

   **Component access**

   | Cluster | Secret | Namespace |
   |---|---|---|
   | Admin | `admin-cluster-creds` | `kube-system` |
   | Admin | `user-cluster-creds` | `CLUSTER_NAME-gke-onprem-mgmt` |
   | Admin | `private-registry-creds` | `kube-system` |
   | User | `private-registry-creds` | `kube-system` |

   - If you are not using a [private registry](/anthos/clusters/docs/on-prem/1.16/how-to/admin-cluster-configuration-file#privateregistry-section), the `private-registry-creds` Secret holds the key for your component access service account.
   - If you are using a private registry, the `private-registry-creds` Secret holds the credentials for your private registry, **not** the component access service account key.

   **Connect-register**

   | Cluster | Secret | Namespace |
   |---|---|---|
   | Admin | `admin-cluster-creds` | `kube-system` |
   | Admin | `user-cluster-creds` | `CLUSTER_NAME-gke-onprem-mgmt` |

   **Logging-monitoring**

   | Cluster | Secret | Namespace |
   |---|---|---|
   | Admin | `admin-cluster-creds` | `kube-system` |
   | Admin | `user-cluster-creds` | `CLUSTER_NAME-gke-onprem-mgmt` |
   | User | `google-cloud-credentials` | `kube-system` |
   | User | `stackdriver-service-account-key` | `knative-serving` |

   **Audit logging**

   | Cluster | Secret | Namespace |
   |---|---|---|
   | Admin | `admin-cluster-creds` | `kube-system` |
   | Admin | `user-cluster-creds` | `CLUSTER_NAME-gke-onprem-mgmt` |
   | Admin | `kube-apiserver` | `CLUSTER_NAME` |

   **Usage Metering**

   | Cluster | Secret | Namespace |
   |---|---|---|
   | Admin | `user-cluster-creds` | `CLUSTER_NAME-gke-onprem-mgmt` |
   | User | `usage-metering-bigquery-service-account-key` | `kube-system` |

   **Stackdriver**

   | Cluster | Secret | Namespace |
   |---|---|---|
   | Admin | `admin-cluster-creds` | `kube-system` |
   | Admin | `user-cluster-creds` | `CLUSTER_NAME-gke-onprem-mgmt` |
   | User | `google-cloud-credentials` | `kube-system` |
   | User | `stackdriver-service-account-key` | `knative-serving` |
3. Create a backup of each secret using the following command:

   ```
   kubectl get secret SECRET --namespace NAMESPACE \
       --kubeconfig KUBECONFIG -o json > backup/SECRET-NAMESPACE.json
   ```

   Replace the following:
   - NAMESPACE: the namespace where the secret is located. For example, `kube-system`.
   - KUBECONFIG: the path to the kubeconfig file for the admin or user cluster.
   - SECRET: the name of the secret. For example, `admin-cluster-creds`.

   For example, run the following commands for the audit logging service account:

   ```
   kubectl get secret admin-cluster-creds --namespace kube-system \
       --kubeconfig KUBECONFIG -o json > backup/admin-cluster-creds-kube-system.json

   kubectl get secret user-cluster-creds --namespace NAMESPACE \
       --kubeconfig KUBECONFIG -o json > backup/user-cluster-creds-NAMESPACE.json

   kubectl get secret kube-apiserver --namespace NAMESPACE \
       --kubeconfig KUBECONFIG -o json > backup/kube-apiserver-NAMESPACE.json
   ```

4. To create a new service account key file, run the following command:

   ```
   gcloud iam service-accounts keys create NEW_KEY_FILE --iam-account IAM_ACCOUNT
   ```

   Replace the following:
   - NEW_KEY_FILE: the name for your new service account key file.
   - IAM_ACCOUNT: the email address of the service account.

5. In the admin cluster configuration file, find the `componentAccessServiceAccountKeyPath` field, the `gkeConnect` section, the `stackdriver` section, and the `cloudAuditLogging` section. In those places, replace the paths to the service account key files.

6. In the user cluster configuration file, find the `componentAccessServiceAccountKeyPath` field, the `gkeConnect` section, the `stackdriver` section, the `cloudAuditLogging` section, and the `usageMetering` section. In those places, replace the paths to the service account key files.

7. Save the changes you made using the following commands:

   ```
   gkectl update credentials COMPONENT \
       --kubeconfig ADMIN_CLUSTER_KUBECONFIG \
       --config ADMIN_CLUSTER_CONFIG \
       --admin-cluster

   gkectl update credentials COMPONENT \
       --kubeconfig ADMIN_CLUSTER_KUBECONFIG \
       --config USER_CLUSTER_CONFIG
   ```

   Replace the following:
   - COMPONENT: one of `componentaccess`, `register`, `cloudauditlogging`, `usagemetering`, or `stackdriver`.
   - ADMIN_CLUSTER_KUBECONFIG: the path to the kubeconfig file for the admin cluster.
   - ADMIN_CLUSTER_CONFIG: the path to the admin cluster configuration file.
   - USER_CLUSTER_CONFIG: the path to the user cluster configuration file.
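Before running `gcloud iam service-accounts keys create`, it helps to confirm which service account email each backed-up Secret actually holds, and after `gkectl update credentials` to confirm that the Secret now carries a different `private_key_id` for that same email; the following Python is an added example, not part of the Google documentation, that does both by decoding `kubectl get secret -o json` output. The Secret data entry name `key.json`, the sample email and the key IDs are constructed; the `.dockerconfigjson` case stands in for `private-registry-creds` when a private registry is configured.

```python
import base64
import json

def service_account_keys(secret_json):
    """Map each data entry of a Secret (from `kubectl get secret -o json`) that holds
    a Google service account key to (client_email, private_key_id). Entries that are
    not service account keys, e.g. the docker config that private-registry-creds
    holds when a private registry is used, are skipped."""
    secret = json.loads(secret_json)
    found = {}
    for entry, b64 in (secret.get("data") or {}).items():
        try:
            key = json.loads(base64.b64decode(b64))
        except (ValueError, UnicodeDecodeError):
            continue  # not base64 or not JSON: cannot be a service account key
        if isinstance(key, dict) and key.get("type") == "service_account":
            found[entry] = (key.get("client_email"), key.get("private_key_id"))
    return found

def rotation_verified(before_json, after_json):
    """Compare a pre-rotation backup with a fresh `kubectl get` of the same Secret.
    Returns entry -> True when the same client_email now carries a different
    private_key_id, False when the key is unchanged or the entry is missing."""
    before, after = service_account_keys(before_json), service_account_keys(after_json)
    return {entry: (after.get(entry) is not None
                    and after[entry][0] == email
                    and after[entry][1] != key_id)
            for entry, (email, key_id) in before.items()}

def _secret(name, namespace, data):
    """Constructed sample in the shape kubectl emits; Secret.data values are base64."""
    encoded = {k: base64.b64encode(v.encode()).decode() for k, v in data.items()}
    return json.dumps({"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
                       "metadata": {"name": name, "namespace": namespace}, "data": encoded})

# Constructed samples: the entry name "key.json", the email and the key ids are made up.
SA_OLD = json.dumps({"type": "service_account", "private_key_id": "0ld0000000001",
                     "client_email": "audit-logging@example-project.iam.gserviceaccount.com"})
SA_NEW = SA_OLD.replace("0ld0000000001", "n3w0000000002")
BEFORE = _secret("admin-cluster-creds", "kube-system", {"key.json": SA_OLD})
AFTER = _secret("admin-cluster-creds", "kube-system", {"key.json": SA_NEW})
# private-registry-creds when a private registry is configured: docker config, no SA key.
REGISTRY = _secret("private-registry-creds", "kube-system",
                   {".dockerconfigjson": json.dumps({"auths": {"registry.example.internal": {}}})})

if __name__ == "__main__":
    print(service_account_keys(BEFORE))      # which email/key id the backup holds
    print(service_account_keys(REGISTRY))    # {} -> no service account key to rotate here
    print(rotation_verified(BEFORE, AFTER))  # {'key.json': True}
```

Against a live cluster, pass the contents of `backup/SECRET-NAMESPACE.json` as `before_json` and a fresh `kubectl get secret ... -o json` as `after_json`; a `False` for any entry means that Secret still carries the old key.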
Node re-creation
----------------

Some service account key rotations take longer because node re-creation is required, such as component access when you use Container Registry, or audit logging in the admin cluster and in a user cluster running Controlplane V2, where node re-creation is limited to the control plane nodes.

Restoring backups
-----------------

If you need to restore the backups of the secrets you made earlier, run the following command:

```
kubectl apply -f backup/
```