GCP Security: Use of Cloud Service Accounts

Google Cloud Platform (GCP) offers robust service account key management capabilities to help ensure that only authorized and properly authenticated entities can access resources running on GCP.

Best Practices:

  1. Use a service account, an identity whose credentials your application code can use to access other GCP services.
  2. You can create a custom service account, and grant least-privilege permissions to the service account using IAM. For example, if your application only needs to access Google Cloud Storage, then grant the service account the roles/storage.admin role.
  3. Whatever SDK you use, an application running on a Compute Engine instance can authenticate with the instance's service account credentials. You don't need to download any keys, because Compute Engine creates and rotates the keys for you.
  4. When code running outside of GCP needs to act as the service account, create a new key pair for that service account and download the private key. Authenticate as the service account by pointing the GOOGLE_APPLICATION_CREDENTIALS environment variable at the location of the downloaded key file.
  5. Only download keys for development accounts. Rotate keys daily or on another regular schedule.
  6. Audit service accounts and their keys using either the serviceAccount.keys.list() method or the Logs Viewer page in the console.
  7. Use Keyrotator, a Python tool that automates the service account key rotation process. Run it as a cron job and have it write the new key to Cloud Storage for developers to download each day.
  8. To prevent key exposure, use private git repositories. You can also put preventive measures in place to stop keys from being committed to your git repo; one open-source tool for this is git-secrets.
  9. Additionally, use the open-source tool trufflehog to scan repositories for committed secrets.
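Step 4 tells you to point GOOGLE_APPLICATION_CREDENTIALS at a downloaded key file. The following is an added example, not code from the original post or from Google's libraries: a small pre-flight check an off-GCP job can run to confirm the file the variable names exists, has the JSON shape of a service account key, and is not readable by other users on the host. The field names it expects (type, project_id, private_key_id, private_key, client_email) are assumed from the layout of a downloaded key file, and the sample key body is constructed with placeholder values.

```python
"""Sanity checks for the key file named by GOOGLE_APPLICATION_CREDENTIALS.

Added example, not from the post. Runs before a local or off-GCP job starts
so a missing, malformed, or world-readable downloaded key is caught early.
The field names follow the JSON layout of a downloaded service account key
(an assumption, not taken from the post)."""
import json
import os
import stat

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

# Constructed sample with placeholder values; not a real key.
SAMPLE_GOOD_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "app@example-project.iam.gserviceaccount.com",
})


def check_key_content(text):
    """Return a list of problems with the key file body; an empty list means OK."""
    problems = []
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return ["key file is not valid JSON"]
    for field in REQUIRED_FIELDS:
        if field not in data:
            problems.append(f"missing field: {field}")
    if data.get("type") != "service_account":
        problems.append("type is not service_account")
    if "private_key" in data and "-----BEGIN PRIVATE KEY-----" not in data["private_key"]:
        problems.append("private_key is not a PEM private key")
    return problems


def check_key_mode(mode):
    """Flag a key file that group or others can read (anything wider than 0600)."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"key file mode {oct(stat.S_IMODE(mode))} is readable by group/others; use 0600"]
    return []


def check_key_file(path):
    """Combine the existence, permission, and content checks for one path."""
    if not path:
        return ["GOOGLE_APPLICATION_CREDENTIALS is not set"]
    if not os.path.isfile(path):
        return [f"key file does not exist: {path}"]
    problems = check_key_mode(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        problems += check_key_content(fh.read())
    return problems


if __name__ == "__main__":
    # Report every problem, or a single OK line when the file passes.
    for line in check_key_file(os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")) or ["key file OK"]:
        print(line)
```

Call this at process start and refuse to continue on any problem; a key that passes the content check but fails the mode check is still worth stopping on, since any other local account could copy it.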
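Steps 5 through 7 ask for regular rotation and for auditing keys with serviceAccount.keys.list(). The following added example (not part of the original post, and not Keyrotator) turns that audit into a check you can run from cron: it takes the JSON array that `gcloud iam service-accounts keys list --format=json` prints and reports every user-managed key older than the rotation window. The field names it relies on (name, keyType, validAfterTime) are assumed to match that gcloud output, and the three sample keys are constructed.

```python
"""Flag user-managed service account keys that have outlived a rotation window.

Added example, not from the original post. Input is the JSON array printed by
`gcloud iam service-accounts keys list --format=json`; the field names name,
keyType and validAfterTime are assumed to match that output."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: three keys on one service account.
SAMPLE_KEYS_JSON = """
[
  {"name": "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/0a1b2c3d",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2024-01-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/4e5f6a7b",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2024-02-20T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/8c9d0e1f",
   "keyType": "SYSTEM_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2023-06-01T00:00:00Z", "validBeforeTime": "2024-06-01T00:00:00Z"}
]
"""


def parse_time(value):
    """gcloud prints RFC 3339 with a trailing Z; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def key_id(name):
    """The key id is the last path segment of the resource name."""
    return name.rsplit("/", 1)[-1]


def find_stale_keys(keys, now, max_age_days):
    """Return [(key_id, age_in_days)] for user-managed keys older than max_age_days.

    System-managed keys are created and rotated by Google, so they are skipped;
    only keys someone downloaded need a rotation policy."""
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        age = now - parse_time(key["validAfterTime"])
        if age > timedelta(days=max_age_days):
            stale.append((key_id(key["name"]), age.days))
    return stale


def audit(keys_json, now_iso=None, max_age_days=30):
    """Parse the gcloud JSON and audit it as of now_iso (defaults to the current time)."""
    now = parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    return find_stale_keys(json.loads(keys_json), now, max_age_days)


if __name__ == "__main__":
    # Fixed "now" so the sample output is reproducible.
    for kid, days in audit(SAMPLE_KEYS_JSON, "2024-03-01T00:00:00Z"):
        print(f"rotate key {kid}: {days} days old")
```

In a cron job, pipe the gcloud output into `audit` and alert (or hand the key id to your rotation script) for each entry it returns; a non-empty result with a daily window is the signal that step 5's rotation did not happen.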
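Steps 8 and 9 recommend git-secrets and trufflehog to keep keys out of repositories. The following added example is neither of those tools and is not from the original post; it shows the kind of pattern such scanners match for a downloaded GCP service account key (the `"type": "service_account"` marker, a `private_key_id`, an embedded PEM private key, and a `*.iam.gserviceaccount.com` address) so you can wire the same logic into a pre-commit hook. The patterns are assumptions based on the JSON layout of a downloaded key, and both sample files are constructed with placeholder values.

```python
"""Pre-commit style scanner for GCP service account keys in files.

Added example, not from the post and not git-secrets or trufflehog itself;
it shows the kind of patterns such tools match. The rules are assumptions
based on the JSON layout of a downloaded service account key."""
import re
import sys

# Each rule: (name, compiled pattern). A downloaded key is JSON with
# "type": "service_account" plus a PEM private key stored as a JSON string.
RULES = [
    ("service_account_type", re.compile(r'"type"\s*:\s*"service_account"')),
    ("private_key_id", re.compile(r'"private_key_id"\s*:\s*"[0-9a-f]{16,}"')),
    ("pem_private_key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("service_account_email", re.compile(r"[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com")),
]

# Constructed sample: the shape of a downloaded key with placeholder values.
SAMPLE_KEY_FILE = '''{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0123456789abcdef0123456789abcdef01234567",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER-NOT-A-REAL-KEY\\n-----END PRIVATE KEY-----\\n",
  "client_email": "app@example-project.iam.gserviceaccount.com"
}'''

# Constructed sample of an ordinary config file that must not be blocked.
SAMPLE_CLEAN_FILE = '''# application config
project_id = "example-project"
log_level = "info"
'''


def find_service_account_keys(text):
    """Return [(line_number, rule_name)] for every line matching a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def has_key_material(text):
    """True when the text carries an actual secret: a PEM private key or the
    service_account type marker. A service account e-mail alone is not a secret,
    so it is reported for context but does not block a commit by itself."""
    names = {name for _, name in find_service_account_keys(text)}
    return bool(names & {"pem_private_key", "service_account_type"})


def main(paths):
    """Scan each path; exit status 1 blocks the commit when a hook calls this."""
    blocked = False
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for lineno, rule in find_service_account_keys(text):
            print(f"{path}:{lineno}: matches {rule}")
        if has_key_material(text):
            blocked = True
    return 1 if blocked else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it from a pre-commit hook over the staged file list; it is a complement to, not a replacement for, trufflehog's history scan, because a hook only sees what is about to be committed, not what was committed earlier.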