Rotating service account keys

This page describes how to rotate your service account keys using gkectl for Cloud Audit Logs, Usage Metering, and Stackdriver components on Google Distributed Cloud.

To rotate your service account keys:

  1. Create a directory to store a backup of your current secrets:

    mkdir backup
  2. Note the following information for the relevant component:

    Cloud Audit Logs

    Cluster Secret Namespace
    Admin create-config kube-system
    Admin create-config CLUSTER_NAME
    Admin audit-logging-config kube-system
    Admin kube-apiserver CLUSTER_NAME

    Usage Metering

    Cluster Secret Namespace
    Admin create-config CLUSTER_NAME
    User usage-metering-bigquery-service-account-key kube-system

    Stackdriver

    Cluster Secret Namespace
    Admin create-config kube-system
    Admin create-config CLUSTER_NAME
    User google-cloud-credentials kube-system
    User stackdriver-service-account-key knative-serving
  3. Create a backup of each secret using the following command:

    kubectl get secret SECRET --namespace NAMESPACE \
        --kubeconfig KUBECONFIG -o json > backup/SECRET-NAMESPACE.json

    Where:

    • NAMESPACE is the namespace where the secret is located. For example, kube-system.
    • KUBECONFIG is the path to the kubeconfig file for the admin or user cluster.
    • SECRET is the name of the secret. For example, create-config.

    For example, run the following commands for the Cloud Audit Logs component:

    kubectl get secret create-config --namespace kube-system \
            --kubeconfig KUBECONFIG -o json > backup/admin-create-config-kube-system.json
    
    kubectl get secret create-config --namespace NAMESPACE \
            --kubeconfig KUBECONFIG -o json > backup/admin-create-config-NAMESPACE.json
    
    kubectl get secret audit-logging-config --namespace kube-system \
            --kubeconfig KUBECONFIG -o json > backup/audit-logging-config-kube-system.json
    
    kubectl get secret kube-apiserver --namespace NAMESPACE \
            --kubeconfig KUBECONFIG -o json > backup/kube-apiserver-NAMESPACE.json
  4. To create a new service account key file, run the following command:

    gcloud iam service-accounts keys create NEW_KEY_FILE --iam-account IAM_ACCOUNT

    Where:

    • NEW_KEY_FILE is the name for your new service account key file
    • IAM_ACCOUNT is your service account email address for either Cloud Audit Logs, Usage Metering, or Stackdriver.
  5. In the config yaml file for both the admin and user cluster, find the cloudauditlogging, usagemetering, or stackdriver section.

  6. Replace the serviceAccountKeyPath field with the NEW_KEY_FILE you created earlier.

  7. Save the changes you made using the following commands:

    gkectl update credentials COMPONENT --admin-cluster --kubeconfig \
      KUBECONFIG --config ADMIN_CONFIG
    
    gkectl update credentials COMPONENT --kubeconfig \
       KUBECONFIG --config USER_CONFIG

    Where:

    • KUBECONFIG is the path to the kubeconfig file for the admin cluster.
    • ADMIN_CONFIG is the path to the config file for the admin cluster.
    • USER_CONFIG is the path to the config file for the user cluster.
    • COMPONENT is cloudauditlogging, usagemetering, or stackdriver.