Service accounts should only have Google-managed service account keys
Description
Google-managed service account keys are automatically managed and rotated by Google and cannot be downloaded. For user-managed service account keys, the user must take ownership of management activities including key storage, distribution, revocation, and rotation. Even with key-owner precautions, user-managed keys can easily be leaked into source code or left on support blogs. Google-managed service account keys should therefore be used.
Remediation Steps
Google Cloud Console
Navigate to IAM.
In the left navigation, select Service Accounts.
Select the service account, then select Edit and delete its user-managed keys.
gcloud CLI
To delete a user-managed Service Account Key:
gcloud iam service-accounts keys delete --iam-account=<user-managed-service-account-EMAIL> <KEY-ID>
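To find the keys that need this remediation, the JSON output of gcloud iam service-accounts keys list --iam-account=<EMAIL> --format=json can be audited for keys whose keyType is USER_MANAGED. The following script is an added example, not part of the original page: the sample key list, project name and service account email are constructed, and the generated command is the delete command shown above.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape returned by
#   gcloud iam service-accounts keys list --iam-account=<EMAIL> --format=json
# The project, account and key ids are made up for this example.
SAMPLE_KEYS_JSON = """
[
  {"keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED",
   "keyType": "SYSTEM_MANAGED",
   "name": "projects/example-project/serviceAccounts/app-sa@example-project.iam.gserviceaccount.com/keys/aaaa1111",
   "validAfterTime": "2024-05-01T00:00:00Z", "validBeforeTime": "2024-05-18T00:00:00Z"},
  {"keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED",
   "keyType": "USER_MANAGED",
   "name": "projects/example-project/serviceAccounts/app-sa@example-project.iam.gserviceaccount.com/keys/bbbb2222",
   "validAfterTime": "2023-01-10T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"}
]
"""


def parse_key_name(name):
    """Split projects/<P>/serviceAccounts/<EMAIL>/keys/<KEY-ID> into (email, key_id)."""
    parts = name.split("/")
    return parts[3], parts[5]


def find_user_managed_keys(keys_json, now_iso=None):
    """Return one finding per USER_MANAGED key, with its age and the remediation command."""
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
           if now_iso else datetime.now(timezone.utc))
    findings = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue  # Google-managed keys are rotated by Google; nothing to do
        email, key_id = parse_key_name(key["name"])
        created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        findings.append({
            "email": email,
            "key_id": key_id,
            "age_days": (now - created).days,
            "remediation": f"gcloud iam service-accounts keys delete --iam-account={email} {key_id}",
        })
    return findings


if __name__ == "__main__":
    for f in find_user_managed_keys(SAMPLE_KEYS_JSON):
        print(f"{f['email']} key {f['key_id']} is user-managed ({f['age_days']} days old)")
        print("  remediation:", f["remediation"])
```

In practice the key list is fetched per service account from `gcloud iam service-accounts list --format='value(email)'`; the `--managed-by=user` flag of `keys list` pre-filters on the gcloud side.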