GCP service-account JSON key sits in the repo
A service-account JSON key is a password. In git it's a leak. Workload Identity is the way out.
Try this first
- 1Rotate or disable the leaked key in IAM right away
- 2For GKE/Cloud Run, use Workload Identity so no key is needed
- 3For external CI/CD, use Workload Identity Federation with OIDC
- 4Clean git history with git-filter-repo or BFG, force-push
When to bring us in
If the key was public, check billing and audit logs for abuse. Crypto-mining is the usual first sign.
See also
- Everyone logs in with the AWS root accountRoot is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccessAdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own passwordIdentity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.