How to resolve Sprinto check to ensure external service account keys are rotated within 90 days
About:
Sprinto check: Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
This Sprinto check verifies that any user-managed or external keys associated with service accounts on Google Cloud Platform (GCP) are rotated every 90 days or fewer.
Purpose:
GCP does not provide an automation option for External (user-managed) Service key rotation. You need to delete all the external (user-managed) service account keys equal to or older than 90 days and replace them with new ones if required.
How to fix this check:
Follow the steps below to resolve the check:
Before you begin
Ensure you have administrator privileges on the GCP account where you want to make configuration changes.
Updating via GCP Console
GCP does not provide an automation option for External (user-managed) Service key rotation. You need to delete all the external (user-managed) service account keys that are equal to or older than 90 days, and replace them with new keys.
Delete keys that are 90 days old or older
Log in to the GCP Console using your credentials.
Navigate to the IAM & Admin service and select Service Accounts from the left navigation bar.
Select any service account from the list, then select the Keys tab.
Review the key creation date and ensure it is not older than 90 days. If it is older than 90 days, delete it. If necessary, you can create a new API key for the service account. Refer to the next section for detailed steps.
Repeat the above steps for each service account and ensure no service account has an API key older than 90 days.
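The age review in the steps above can also be done from a key listing instead of clicking through each account. This is an added example, not Sprinto's or Google's code: it reads JSON in the shape printed by `gcloud iam service-accounts keys list --format=json`, treats `validAfterTime` as the key creation date, and reports user-managed keys that are 90 days old or older. The sample data, project name and key IDs are constructed placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # threshold used by the check

# Constructed sample shaped like the output of:
#   gcloud iam service-accounts keys list --iam-account=SA_EMAIL --format=json
SAMPLE_KEYS_JSON = """
[
  {"name": "projects/example-project/serviceAccounts/app@example/keys/aaaa1111",
   "keyType": "USER_MANAGED", "validAfterTime": "2024-01-10T08:00:00Z"},
  {"name": "projects/example-project/serviceAccounts/app@example/keys/bbbb2222",
   "keyType": "USER_MANAGED", "validAfterTime": "2024-03-03T00:00:00Z"},
  {"name": "projects/example-project/serviceAccounts/app@example/keys/cccc3333",
   "keyType": "USER_MANAGED", "validAfterTime": "2024-05-01T12:00:00Z"},
  {"name": "projects/example-project/serviceAccounts/app@example/keys/dddd4444",
   "keyType": "SYSTEM_MANAGED", "validAfterTime": "2023-01-01T00:00:00Z"}
]
"""

def parse_ts(value):
    # Timestamps are RFC 3339 in UTC with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_user_managed_keys(keys, now, max_age=MAX_AGE):
    """Return (key_id, age_in_days) for user-managed keys aged max_age or more."""
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # only user-managed (external) keys are in scope for the check
        age = now - parse_ts(key["validAfterTime"])
        if age >= max_age:  # "equal to or older than 90 days"
            key_id = key["name"].rsplit("/", 1)[-1]
            stale.append((key_id, age.days))
    # Oldest first, so the most overdue keys are handled first
    return sorted(stale, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for key_id, days in stale_user_managed_keys(json.loads(SAMPLE_KEYS_JSON), now):
        print(f"{key_id}: {days} days old, delete and replace if still needed")
```

Run it once per service account, replacing the sample with the real listing, and confirm nothing still depends on a key before deleting it.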
Create a new API key for the service account
In the Credentials section under API & Services, click Create credentials and select Service account key.
Enter the Service account name, ID, and email address, then click Create and Continue.
Optionally, you can define the projects and services you want to grant access, then click Done.
Repeat the above steps for each service account for which you wish to create an API key. Note: Make a note of the new ID displayed in the Service account keys section.
Sprinto will detect the configuration change and set the check status to "Passing."
Contact Sprinto support if you have any queries related to the check or need assistance.