A service account key consists of a key ID (private_key_id) and a private key. The private key is used to sign programmatic requests to Google Cloud services, which authenticates the caller as that particular service account. Rotate all user-managed service account keys regularly.
Rotating service account keys shortens the window in which a key belonging to a compromised or terminated account can still be used. Keys should be rotated so that data cannot be accessed with an old key that may have been lost, cracked, or stolen.
Each service account also has a Google-managed key pair, which Google Cloud Platform (GCP) uses for service-to-service authentication within GCP. Google rotates these keys automatically, so they require no action from you.
GCP additionally lets you create one or more user-managed (also called external) key pairs for use from outside GCP, for example with Application Default Credentials. When a new key pair is created, you must download the private key; Google does not retain it.
With external keys, you are responsible for keeping the private key secure and for other management operations such as key rotation. External keys can be managed through the IAM API, the gcloud command-line tool, or the Service Accounts page in the Google Cloud Console. GCP allows up to 10 external (user-managed) keys per service account, which leaves room to create a replacement key before deleting the old one during rotation.
Delete any external, user-managed Service Account Keys older than 90 days:
To create an external, user-managed Service Account Key for a Service Account:
You are redirected to the APIs & Services > Credentials page, where the new key ID is displayed in the Service Account Keys section.
Rotating a service account key breaks communication for any application that still uses the old key. Create the new key first, reconfigure each dependent application with the new key ID shown in the Service Account Keys section and the downloaded private key, and only then delete the old key.
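The following script is an added example and is not part of the original page or of Datadog's or Google's tooling. It takes the JSON that `gcloud iam service-accounts keys list --iam-account=... --format=json` prints (a constructed sample is embedded; the project, account and key IDs are made up), reports the user-managed keys older than 90 days, and emits a rotation plan that creates the replacement key before deleting the stale ones. It also refuses to start when the service account already holds the maximum of 10 user-managed keys, since the create step would fail. The gcloud commands it prints are real; the key file name new-key.json and the fixed "now" timestamp are assumptions for the example.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # age threshold this rule checks
MAX_USER_MANAGED_KEYS = 10         # GCP limit on user-managed keys per service account

# Constructed sample in the shape returned by:
#   gcloud iam service-accounts keys list --iam-account=SA --format=json
# Project, account, key IDs and dates are made up for this example.
SAMPLE_KEYS_JSON = """
[
  {"name": "projects/demo/serviceAccounts/app@demo.iam.gserviceaccount.com/keys/aaa111",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2024-01-15T10:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/demo/serviceAccounts/app@demo.iam.gserviceaccount.com/keys/bbb222",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2024-04-20T08:30:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/demo/serviceAccounts/app@demo.iam.gserviceaccount.com/keys/ccc333",
   "keyType": "SYSTEM_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2024-05-28T00:00:00Z", "validBeforeTime": "2024-06-11T00:00:00Z"},
  {"name": "projects/demo/serviceAccounts/app@demo.iam.gserviceaccount.com/keys/ddd444",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048", "disabled": true,
   "validAfterTime": "2024-02-15T12:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"}
]
"""

# Fixed reference time so the sample output is reproducible (assumption for the example).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_rfc3339(ts):
    """Parse the RFC 3339 UTC timestamps gcloud prints, e.g. 2024-01-15T10:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def key_id(key):
    """The key ID is the last path segment of the key's resource name."""
    return key["name"].rsplit("/keys/", 1)[1]


def stale_user_managed_keys(keys_json, now, max_age=MAX_KEY_AGE):
    """Return [(key_id, age_in_days)] for user-managed keys created more than max_age ago.

    Google-managed (SYSTEM_MANAGED) keys are skipped because Google rotates them.
    Disabled keys still count: they can be re-enabled, and the private key may
    already be in someone else's hands.
    """
    stale = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        age = now - parse_rfc3339(key["validAfterTime"])
        if age > max_age:
            stale.append((key_id(key), age.days))
    return stale


def rotation_plan(sa_email, keys_json, now, key_file="new-key.json"):
    """Build the gcloud commands for a safe rotation: create the replacement key first,
    then delete the stale ones. Refuses to start when the 10-key limit leaves no room
    for the replacement, because `keys create` would fail and the operator might be
    tempted to delete a key that is still in use to make room."""
    keys = json.loads(keys_json)
    user_managed = [k for k in keys if k.get("keyType") == "USER_MANAGED"]
    if len(user_managed) >= MAX_USER_MANAGED_KEYS:
        raise RuntimeError(
            f"{sa_email} already has {len(user_managed)} user-managed keys; "
            "delete an unused key before creating the replacement")
    stale = stale_user_managed_keys(keys_json, now)
    if not stale:
        return []
    plan = [
        f"gcloud iam service-accounts keys create {key_file} --iam-account={sa_email}",
        "# ...deploy the new key file to every dependent application before continuing...",
    ]
    plan += [
        f"gcloud iam service-accounts keys delete {kid} --iam-account={sa_email} --quiet"
        for kid, _ in stale
    ]
    return plan


if __name__ == "__main__":
    for kid, days in stale_user_managed_keys(SAMPLE_KEYS_JSON, SAMPLE_NOW):
        print(f"{kid}: {days} days old")
    print("\n".join(rotation_plan("app@demo.iam.gserviceaccount.com",
                                  SAMPLE_KEYS_JSON, SAMPLE_NOW)))
```

In practice, feed it the live listing (`gcloud iam service-accounts keys list --iam-account=SA --managed-by=user --format=json`) and run the printed delete commands only after every consumer of the old key has been switched over; the plan keeps that ordering explicit so the deletion never comes first.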