Version 1.7. This version is no longer supported. For more information see the version support policy.

Rotating service account keys

This page describes how to rotate your service account keys using gkectl for Cloud Audit Logs, Usage Metering, and Stackdriver components on Google Distributed Cloud.

To rotate your service account keys:

Create a directory to store a backup of your current secrets:
```
mkdir backup
```

Note the following information for the relevant component:

Cloud Audit Logs

Cluster	Secret	Namespace
Admin	create-config	kube-system
Admin	create-config	`CLUSTER_NAME`
Admin	audit-logging-config	kube-system
Admin	kube-apiserver	`CLUSTER_NAME`

Usage Metering

Cluster	Secret	Namespace
Admin	create-config	`CLUSTER_NAME`
User	usage-metering-bigquery-service-account-key	kube-system

Stackdriver

Cluster	Secret	Namespace
Admin	create-config	kube-system
Admin	create-config	`CLUSTER_NAME`
User	google-cloud-credentials	kube-system
User	stackdriver-service-account-key	knative-serving

Create a backup of each secret using the following command:

kubectl get secret SECRET --namespace NAMESPACE \
    --kubeconfig KUBECONFIG -o json > backup/SECRET-NAMESPACE.json

Where:

NAMESPACE is the namespace where the secret is located. For example, kube-system.
KUBECONFIG is the path to the kubeconfig file for the admin or user cluster.
SECRET is the name of the secret. For example, create-config.

For example, run the following commands for the Cloud Audit Logs component:

kubectl get secret create-config --namespace kube-system \
        --kubeconfig KUBECONFIG -o json > backup/admin-create-config-kube-system.json

kubectl get secret create-config --namespace NAMESPACE \
        --kubeconfig KUBECONFIG -o json > backup/admin-create-config-NAMESPACE.json

kubectl get secret audit-logging-config --namespace kube-system \
        --kubeconfig KUBECONFIG -o json > backup/audit-logging-config-kube-system.json

kubectl get secret kube-apiserver --namespace NAMESPACE \
        --kubeconfig KUBECONFIG -o json > backup/kube-apiserver-NAMESPACE.json

To create a new service account key file, run the following command:
```
gcloud iam service-accounts keys create NEW_KEY_FILE --iam-account IAM_ACCOUNT
```
Where:
- NEW_KEY_FILE is the name for your new service account key file
- IAM_ACCOUNT is your service account email address for either Cloud Audit Logs, Usage Metering, or Stackdriver.
In the config yaml file for both the admin and user cluster, find the cloudauditlogging, usagemetering, or stackdriver section.
Replace the serviceAccountKeyPath field with the NEW_KEY_FILE you created earlier.
Save the changes you made using the following commands:
```
gkectl update credentials COMPONENT --admin-cluster --kubeconfig \
  KUBECONFIG --config ADMIN_CONFIG

gkectl update credentials COMPONENT --kubeconfig \
   KUBECONFIG --config USER_CONFIG
```
Where:
- KUBECONFIG is the path to the kubeconfig file for the admin cluster.
- ADMIN_CONFIG is the path to the config file for the admin cluster.
- USER_CONFIG is the path to the config file for the user cluster.
- COMPONENT is cloudauditlogging, usagemetering, or stackdriver.