Ensure there are only GCP-managed service account keys for each service account

Error: There are not only GCP-managed service account keys for each service account

Bridgecrew Policy ID: BC_GCP_GENERAL_8
Checkov Check ID: CKV2_GCP_3
Severity: LOW

There are not only GCP-managed service account keys for each service account

Description

Anyone who has access to the keys will be able to access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. They expire 10 years from creation.

For user-managed keys, the user has to take ownership of key management activities which include:

  • Key storage
  • Key distribution
  • Key revocation
  • Key rotation
  • Protecting the keys from unauthorized users
  • Key recovery
    Even with key owner precautions, keys can be easily leaked by common development malpractices like checking keys into the source code or leaving them in the Downloads directory, or accidentally leaving them on support blogs/channels.
    We recommended you prevent user-managed service account keys.

Fix - Buildtime

Terraform

  • Resource: google_service_account, google_service_account_key
  • Argument: service_account_id
resource "google_service_account" "account_ok" {
  account_id = "dev-foo-account"
}

resource "google_service_account_key" "ok_key" {
  service_account_id = google_service_account.account_ok.name
}