Google Cloud Platform (GCP) offers robust service account key management capabilities to help ensure that only authorized and properly authenticated entities can access resources running on GCP.
Best Practices:
- Use a service account, an identity whose credentials your application code can use to access other GCP services.
- You can create a custom service account and grant it least-privilege permissions using IAM. For example, if your application only needs to access Google Cloud Storage, grant the service account the roles/storage.admin role.
- Whichever SDK you use, an application running on a Compute Engine instance can authenticate with the credentials of the instance's attached service account. You don't need to download any keys, because Google creates and rotates those keys automatically.
- When you need to perform an action from outside GCP, create a new key pair for the service account and download the private key. You can then authenticate as the service account for which the key was generated by pointing the GOOGLE_APPLICATION_CREDENTIALS environment variable at the location where you downloaded the key.
- Download keys only for development accounts. Implement daily or otherwise regular key rotation.
- Audit service accounts and keys using either the serviceAccount.keys.list() method or the Logs Viewer page in the console.
- Use Keyrotator, a Python tool that automates the service account key rotation process. Run it as a cron job and write the new key to Cloud Storage for developers to download every day.
- To prevent key exposure, use private git repos. You can also put preventive measures in place to stop keys from being committed to your git repo; one open-source tool you can use is git-secrets.
- Additionally, use the open-source tool trufflehog to find secrets that have already been committed.
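The audit and rotation items above, as an added example (not code from the original page or from Keyrotator): the audit logic runs over the JSON shape returned by the IAM `keys.list` method and flags user-managed keys older than a rotation threshold, while system-managed keys (the Compute Engine case) are skipped. The sample response is constructed; `fetch_keys()` is the only part that assumes google-api-python-client and Application Default Credentials.

```python
"""Audit GCP service account keys and flag user-managed keys due for rotation."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a keys.list response; key ids are not real.
SA = "projects/demo-proj/serviceAccounts/app@demo-proj.iam.gserviceaccount.com"
SAMPLE_KEYS_RESPONSE = {
    "keys": [
        {"name": f"{SA}/keys/aaaa1111", "validAfterTime": "2024-01-01T00:00:00Z",
         "validBeforeTime": "9999-12-31T23:59:59Z", "keyType": "USER_MANAGED"},
        {"name": f"{SA}/keys/bbbb2222", "validAfterTime": "2024-03-01T00:00:00Z",
         "validBeforeTime": "9999-12-31T23:59:59Z", "keyType": "USER_MANAGED"},
        {"name": f"{SA}/keys/cccc3333", "validAfterTime": "2024-03-02T00:00:00Z",
         "validBeforeTime": "2024-03-04T00:00:00Z", "keyType": "SYSTEM_MANAGED"},
    ]
}


def parse_rfc3339(ts):
    # keys.list returns Zulu timestamps; fromisoformat needs the +00:00 form.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_user_keys(response, max_age_days, now):
    """Return (key_id, age_in_days) for each USER_MANAGED key older than max_age_days.

    SYSTEM_MANAGED keys are skipped: Google creates and rotates those itself.
    """
    stale = []
    for key in response.get("keys", []):
        if key.get("keyType") != "USER_MANAGED":
            continue
        age = now - parse_rfc3339(key["validAfterTime"])
        if age > timedelta(days=max_age_days):
            stale.append((key["name"].rsplit("/", 1)[-1], age.days))
    return stale


def fetch_keys(service_account_email):
    """Live call to IAM keys.list (assumption: google-api-python-client + ADC available)."""
    from googleapiclient import discovery  # imported here so the offline audit has no dependency
    iam = discovery.build("iam", "v1")
    name = f"projects/-/serviceAccounts/{service_account_email}"
    return iam.projects().serviceAccounts().keys().list(name=name, keyTypes="USER_MANAGED").execute()


if __name__ == "__main__":
    now = datetime(2024, 3, 10, tzinfo=timezone.utc)  # fixed clock for the constructed sample
    for key_id, days in stale_user_keys(SAMPLE_KEYS_RESPONSE, max_age_days=30, now=now):
        print(f"rotate key {key_id}: {days} days old")
```

Replace the sample with `fetch_keys("<service-account-email>")` to audit a real account, and use `max_age_days=1` to enforce the daily rotation the list recommends.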