Service account key expiry alert

In GCP, we have different service accounts and their keys, which we need to rotate every 90 days. Is there any way we can set up an alert which informs us that a key is going to expire in a few days?

Solved
1 ACCEPTED SOLUTION

In GCP, you could configure a scheduled job to query the status of the Service Account keys, and then send an administrative alert, or an email, or ping some other webhook, if the SA key is set to expire in less than 72 hours, or whatever your desired threshold is. 

https://cloud.google.com/scheduler/docs/creating

There is a similar question on stackoverflow.

Logically, you would need to do something like this in the scheduled job:

  1. list the service accounts
  2. for each service account, list the keys
  3. for each key, evaluate the expiry. If "expires soon", add to the list
  4. Notify "someone" in some way of the list of "soon to expire" keys.

If you were doing this from a script, you could use the gcloud command line tool to inquire:


$ gcloud iam service-accounts list
(get a list of accounts)

# for each account: 

$ gcloud iam service-accounts keys list --iam-account=my-sa-account@my-project-92422.iam.gserviceaccount.com
KEY_ID: 80d3e24eb9838371d01a235deef9be9abb5c0fd6
CREATED_AT: 2022-01-07T20:10:43Z
EXPIRES_AT: 2022-02-06T20:10:43Z
DISABLED: 

KEY_ID: bde0a109f0445c1689aff8b3e36fc59adf52cb54
CREATED_AT: 2022-07-14T23:19:12Z
EXPIRES_AT: 2024-08-07T17:48:05Z
DISABLED: 


But the gcloud command line tool is simply built on public APIs exposed by GCP. For example, the API for listing SA keys. So you can write a program (in Java, C#, Python, whatever) to query those APIs and then do the right thing for your case. There are even code examples for these various languages on the documentation page.

As far as I know there is no "checkbox" solution within GCP to accomplish the same thing.


3 REPLIES


@Dhanshri I were you able to achieve the solution? A Cloud Function (Python) to fetch all the user-managed SA keys and their expiry dates from Cloud Asset Inventory?

Hi @gaurav_gupta, yes, we were able to achieve it using gcloud commands and the management server APIs. We used gcloud and the management API to get the service account key details and then used scripting to extract the required information, like created-at and the type of SA key. Then either extract the expiry date from the SA key management API response, or you can calculate the expiry date by adding 90 days, and then send an alert 7 days before.
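As an added example (it is not code from anyone in this thread), here is the accepted answer's step 3 and step 4 combined with the fallback from the reply above: parse the record-style output that `gcloud iam service-accounts keys list` printed in the answer, treat a key with no explicit expiry as due 90 days after CREATED_AT, and build the notification text for keys that are due within 7 days. The account name, key ids, timestamps and the fixed clock in it are constructed for the example; the treatment of a year-9999 EXPIRES_AT as "never expires" and of "True" in DISABLED as a disabled key are assumptions about gcloud's output, labelled in the comments.

```python
"""Alert on GCP service-account keys that expire (or are due for rotation) soon.

Added example for the accepted answer's scheduled job: given the key listing
for one service account in the KEY_ID / CREATED_AT / EXPIRES_AT / DISABLED
record layout shown in the answer, report keys due inside an alert window.
Everything in SAMPLE_OUTPUT, ACCOUNT and NOW is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Rotation policy from the question: every 90 days. A key with no explicit
# expiry is treated as due CREATED_AT + 90 days, as the final reply suggests.
ROTATION_PERIOD = timedelta(days=90)


@dataclass
class SAKey:
    account: str
    key_id: str
    created_at: datetime
    expires_at: Optional[datetime]  # None when the key has no explicit expiry
    disabled: bool

    def effective_expiry(self) -> datetime:
        return self.expires_at or self.created_at + ROTATION_PERIOD


def _parse_ts(value: str) -> Optional[datetime]:
    """RFC 3339 'Z' timestamp -> aware datetime; blank -> None.
    Assumption: a far-future year-9999 value means 'never expires' -> None."""
    value = value.strip()
    if not value:
        return None
    ts = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return None if ts.year >= 9999 else ts


def parse_keys_list(account: str, text: str) -> List[SAKey]:
    """Parse blank-line-separated 'FIELD: value' records into SAKey objects."""
    keys: List[SAKey] = []
    record = {}
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last record
        line = raw.strip()
        if not line:
            if record:
                keys.append(SAKey(
                    account=account,
                    key_id=record["KEY_ID"],
                    created_at=_parse_ts(record["CREATED_AT"]),
                    expires_at=_parse_ts(record.get("EXPIRES_AT", "")),
                    # Assumption: gcloud prints "True" in DISABLED for disabled keys.
                    disabled=record.get("DISABLED", "").lower() == "true",
                ))
                record = {}
            continue
        field, _, value = line.partition(":")  # split on the first ':' only; timestamps keep theirs
        record[field.strip()] = value.strip()
    return keys


def expiring_soon(keys: List[SAKey], now: datetime, within_days: int = 7) -> List[Tuple[SAKey, int]]:
    """Return (key, days_left) for active keys due within the window, soonest first.
    Keys that are already past their due date come back with a negative days_left."""
    cutoff = now + timedelta(days=within_days)
    hits = [(k, (k.effective_expiry() - now).days)
            for k in keys if not k.disabled and k.effective_expiry() <= cutoff]
    return sorted(hits, key=lambda h: h[1])


def format_alert(hits: List[Tuple[SAKey, int]]) -> str:
    """Plain-text body for the email or webhook notification (step 4)."""
    if not hits:
        return "No service-account keys are due within the alert window."
    lines = ["Service-account keys due for rotation:"]
    for key, days in hits:
        when = "OVERDUE" if days < 0 else f"due in {days} day(s)"
        lines.append(f"  {key.account}  key {key.key_id[:12]}...  {when}")
    return "\n".join(lines)


# Constructed sample: one gcloud listing for a made-up account, four keys.
ACCOUNT = "reporting-sa@example-project.iam.gserviceaccount.com"
SAMPLE_OUTPUT = """\
KEY_ID: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
CREATED_AT: 2024-05-01T00:00:00Z
EXPIRES_AT: 2024-05-05T12:00:00Z
DISABLED: 

KEY_ID: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
CREATED_AT: 2024-04-01T00:00:00Z
EXPIRES_AT: 
DISABLED: 

KEY_ID: cccccccccccccccccccccccccccccccccccccccc
CREATED_AT: 2024-02-01T00:00:00Z
EXPIRES_AT: 2024-05-02T00:00:00Z
DISABLED: True

KEY_ID: dddddddddddddddddddddddddddddddddddddddd
CREATED_AT: 2023-01-01T00:00:00Z
EXPIRES_AT: 9999-12-31T23:59:59Z
DISABLED: 
"""
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

if __name__ == "__main__":
    hits = expiring_soon(parse_keys_list(ACCOUNT, SAMPLE_OUTPUT), NOW, within_days=7)
    print(format_alert(hits))
```

Run as shown, the script flags two keys: the one that expires in four days, and the "never expires" key that is far past its 90-day rotation date (the case a pure EXPIRES_AT check would miss). The disabled key is skipped because it can no longer authenticate, and the key with a blank EXPIRES_AT is not yet due under the 90-day rule. In the scheduled job from the answer, the text for each account comes from the two gcloud commands it lists (or from the key-listing API), and `format_alert` output goes to whatever notification channel you chose.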