Service accounts should only have Google-managed service account keys


Google-managed service account keys are created, stored and rotated by Google and cannot be downloaded. With user-managed service account keys, the user takes on every management activity: key storage, distribution, revocation and rotation. Even when the key owner is careful, user-managed keys are easily leaked into source code or left behind on support blogs. Google-managed service account keys should therefore be used.

Remediation Steps

Google Cloud Console

  • Navigate to IAM.

  • In the left navigation, select Service Accounts.

  • Select the service account, then select edit > delete the keys.

gcloud CLI

  • To delete a user-managed service account key:

    • gcloud iam service-accounts keys delete --iam-account=<user-managed-service-account-EMAIL> <KEY-ID>
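The following audit helper is an added example, not part of the original guidance or Google's tooling. It parses the JSON that `gcloud iam service-accounts keys list --iam-account=EMAIL --format=json` emits, keeps only keys whose `keyType` is `USER_MANAGED` (Google-managed keys report `SYSTEM_MANAGED`), and builds the `gcloud iam service-accounts keys delete` command from the page for each finding. The embedded key list, project name and key IDs are constructed sample data; `list_keys_live` is an assumed wrapper that needs an authenticated gcloud installation.

```python
"""Find user-managed service account keys in gcloud JSON output (added example)."""
import json
import subprocess

# Constructed sample of `gcloud iam service-accounts keys list --format=json`
# for one service account. Not real keys. Field names follow the IAM
# ServiceAccountKey resource; keyType is SYSTEM_MANAGED or USER_MANAGED.
SAMPLE_KEYS_JSON = """
[
  {
    "keyAlgorithm": "KEY_ALG_RSA_2048",
    "keyOrigin": "GOOGLE_PROVIDED",
    "keyType": "SYSTEM_MANAGED",
    "name": "projects/example-project/serviceAccounts/app-sa@example-project.iam.gserviceaccount.com/keys/0123456789abcdef0123456789abcdef01234567",
    "validAfterTime": "2024-01-01T00:00:00Z",
    "validBeforeTime": "2024-01-15T00:00:00Z"
  },
  {
    "keyAlgorithm": "KEY_ALG_RSA_2048",
    "keyOrigin": "GOOGLE_PROVIDED",
    "keyType": "USER_MANAGED",
    "name": "projects/example-project/serviceAccounts/app-sa@example-project.iam.gserviceaccount.com/keys/fedcba9876543210fedcba9876543210fedcba98",
    "validAfterTime": "2023-06-01T00:00:00Z",
    "validBeforeTime": "9999-12-31T23:59:59Z"
  }
]
"""


def parse_key_name(name):
    """Split 'projects/P/serviceAccounts/EMAIL/keys/ID' into (email, key_id)."""
    parts = name.split("/")
    if len(parts) != 6 or parts[2] != "serviceAccounts" or parts[4] != "keys":
        raise ValueError("unexpected key resource name: %s" % name)
    return parts[3], parts[5]


def user_managed_keys(keys_json):
    """Return [(email, key_id, valid_before)] for every USER_MANAGED key."""
    findings = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue  # Google-managed key: rotated by Google, compliant
        email, key_id = parse_key_name(key["name"])
        findings.append((email, key_id, key.get("validBeforeTime")))
    return findings


def delete_command(email, key_id):
    """Build the remediation command from the page as an argv list."""
    return ["gcloud", "iam", "service-accounts", "keys", "delete",
            "--iam-account=" + email, key_id]


def list_keys_live(email):
    """Assumed wrapper: fetch the real key list (needs authenticated gcloud)."""
    result = subprocess.run(
        ["gcloud", "iam", "service-accounts", "keys", "list",
         "--iam-account=" + email, "--format=json"],
        check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Offline run on the constructed sample; use list_keys_live(email)
    # in place of SAMPLE_KEYS_JSON to audit a real service account.
    for email, key_id, expires in user_managed_keys(SAMPLE_KEYS_JSON):
        print("user-managed key %s on %s (expires %s)" % (key_id, email, expires))
        print("  remediation: " + " ".join(delete_command(email, key_id)))
```

The script only reports and prints the delete command; running the deletion is left to the operator so that keys still in legitimate use are replaced (for example by workload identity or short-lived credentials) before they are removed.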