Google Cloud Security: Best Practices for Rotating User-Managed Service Account Keys

Rotating User-Managed Service Account Keys

Question

A company's application is deployed with a user-managed Service Account key.

You want to use Google-recommended practices to rotate the key.

What should you do?

Answers

Explanations


C.

https://cloud.google.com/iam/docs/understanding-service-accounts

The correct answer for this question is option C: "Create a new key, and use the new key in the application. Delete the old key from the Service Account."

Here's a detailed explanation of why this is the recommended approach:

Service accounts are used by applications to authenticate with other Google Cloud services. When a user-managed service account key is created, it has a limited validity period (by default, 10 years). However, there may be situations where you need to rotate the service account key before its expiry date. For example, if a service account key is compromised or if a user who has access to the key leaves the organization, it's best to rotate the key immediately.

Rotating a service account key involves generating a new key and replacing the old key with the new one in the application. Here are the steps to rotate a user-managed service account key using Google-recommended practices:

  1. Create a new key: To create a new key, go to the Cloud Console, navigate to the service account page, select the service account for which you want to rotate the key, and click on the "Add Key" button. Select "JSON" as the key type and click on "Create".

  2. Use the new key in the application: Once you have the new key, you should update the application to use it for authentication. Depending on the application, this may involve updating a configuration file, modifying code, or restarting the application.

  3. Delete the old key from the Service Account: Once the application is using the new key, you can safely delete the old key from the service account. To do this, go to the service account page in the Cloud Console, select the service account, click on the "Actions" menu, and select "Delete Key". Make sure you select the correct key to delete (i.e., the old key).
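The three steps above as a checkable rotation plan, added here as an example that is not part of the original page: it reads a key list shaped like the JSON output of `gcloud iam service-accounts keys list`, ignores Google-managed keys, never deletes the key the application now uses, and emits the `gcloud ... keys delete` commands (the CLI equivalent of the console "Delete Key" step) for the leftovers. The service account e-mail, key IDs and the 90-day maximum-age threshold are constructed assumptions for this example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like:
#   gcloud iam service-accounts keys list --iam-account=SA --format=json
# The e-mail and key IDs are made up for this example.
SA_EMAIL = "app-sa@example-project.iam.gserviceaccount.com"
_PREFIX = f"projects/example-project/serviceAccounts/{SA_EMAIL}/keys/"
KEY_LIST_JSON = json.dumps([
    {"keyType": "SYSTEM_MANAGED", "keyOrigin": "GOOGLE_PROVIDED", "name": _PREFIX + "sys0001",
     "validAfterTime": "2024-05-01T00:00:00Z", "validBeforeTime": "2024-05-15T00:00:00Z"},
    {"keyType": "USER_MANAGED", "keyOrigin": "GOOGLE_PROVIDED", "name": _PREFIX + "old00001",
     "validAfterTime": "2023-01-10T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"keyType": "USER_MANAGED", "keyOrigin": "GOOGLE_PROVIDED", "name": _PREFIX + "new00002",
     "validAfterTime": "2024-05-02T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
])
SAMPLE_NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # constructed "today"


def key_id(resource_name: str) -> str:
    """Last path segment of the key resource name; matches private_key_id in the JSON key file."""
    return resource_name.rsplit("/", 1)[-1]


def plan_rotation(key_list_json: str, active_key_id: str, now: datetime,
                  max_age_days: int = 90) -> dict:
    """Decide what to delete once the application has been switched to active_key_id.

    Only USER_MANAGED keys are candidates: SYSTEM_MANAGED keys are rotated by Google and
    cannot be deleted. The active key is never deleted; if it is itself older than
    max_age_days (an assumed policy) the plan says a fresh key should be created first.
    """
    to_delete, active = [], None
    for key in json.loads(key_list_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        kid = key_id(key["name"])
        if kid == active_key_id:
            active = key
        else:
            to_delete.append(kid)
    if active is None:  # refuse to act: the app may be running on a key we did not see
        raise ValueError("active key not found on the service account; deleting nothing")
    created = datetime.fromisoformat(active["validAfterTime"].replace("Z", "+00:00"))
    return {
        "delete": sorted(to_delete),
        "active_needs_rotation": now - created > timedelta(days=max_age_days),
        "commands": [f"gcloud iam service-accounts keys delete {kid} --iam-account={SA_EMAIL}"
                     for kid in sorted(to_delete)],
    }
```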

Option A is incorrect because it enables auto-rotation of service account keys. Auto-rotation is a useful feature that automatically rotates service account keys at regular intervals. However, it's not recommended for user-managed keys because it can cause disruptions if an application is not designed to handle key rotation.

Option B is incorrect because it rotates a specific key rather than creating a new one. This approach can be used if you suspect that a particular key has been compromised. However, it's not the recommended approach for general key rotation because it doesn't provide a fresh key with a new validity period.

Option D is incorrect because it stores the old key on the system as a backup key. Storing old keys can be risky because they can be misused if they fall into the wrong hands. It's better to delete old keys and generate fresh ones when needed.