We have service-account keys with a six-month-old rotation date
The right fix isn't to rotate, but to remove keys altogether. Workload Identity Federation lets systems authenticate without long-lived keys.
Try this first
- 1Inventory all SA keys: gcloud iam service-accounts keys list per SA, plus self-managed JSONs in CI secrets.
- 2For GitHub Actions: set up Workload Identity Federation. GitHub OIDC token exchanges for a GCP token, no JSON key needed.
- 3For GKE pods: Workload Identity (see separate entry). For Cloud Run and Cloud Functions: default service account or assigned SA, no JSON key.
- 4For on-prem systems: Workload Identity Federation with an external identity provider (Okta, Entra ID).
- 5Only after everything is migrated: delete keys, not just rotate. constraints/iam.disableServiceAccountKeyCreation as hard policy.
When to bring us in
If your SA-key inventory spans hundreds of files, a one-time migration with a DevOps engineer who knows WIF is usually two weeks' work that closes a large risk.
See also
- Everyone logs in with the AWS root accountRoot is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccessAdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own passwordIdentity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.