# Limit lifetime of GCP IAM service account keys

> By default GCP IAM service account keys never expire. Use Steampipe to find expiration dates and prioritize updates for better protection.

By Steampipe Team
Published: 2023-03-13


Service account keys are a common way for applications and services to authenticate to Google Cloud Platform (GCP) resources such as Compute Engine, Cloud Storage, and BigQuery. By default, user-managed GCP IAM service account keys never expire, so a key that leaks stays valid until someone notices and deletes it. Across many projects, working out by hand which keys carry an expiration, and which never will, is tedious and error-prone.

## GCP IAM Service Account Key Expiration

Using Steampipe, you can query every GCP IAM service account key across your projects in one statement and see its validity window. The query below lists the keys that actually expire; invert the comparison to list the ones that never do:

```sql
select
  title,
  service_account_name as service_account,
  valid_after_time,
  key_type
from
  gcp_service_account_key
where
  -- keys that never expire report a validity end of 9999-12-31T23:59:59Z;
  -- compare against the date rather than a timezone-specific literal
  valid_before_time < '9999-01-01';

+------------------------------------------+--------------------------------------------------+---------------------------+----------------+
| title                                    | service_account                                  | valid_after_time          | key_type       |
+------------------------------------------+--------------------------------------------------+---------------------------+----------------+
| 6f22b1444d9a77c90500950db82a6ebc42709c4b | service1@friedpiper-prod.iam.gserviceaccount.com | 2023-03-13T11:51:38-04:00 | SYSTEM_MANAGED |
+------------------------------------------+--------------------------------------------------+---------------------------+----------------+
```

GCP reports a validity end of 9999-12-31T23:59:59Z for keys that never expire (Steampipe renders it in your session timezone, for example 9999-12-31T18:59:59-05:00), so any key whose `valid_before_time` falls on 9999-12-31 will not expire.

If your organization has a defined credential rotation duration (e.g. teams must rotate credentials every 90 days), you can track which specific keys do not meet this condition over time.


```sql
select
  service_account_name,
  name as key_id,
  now() :: date - valid_after_time :: date as "Age in Days",
  valid_after_time as "Create Date",
  valid_before_time as "Expiration Date"
from
  gcp_service_account_key
where
  key_type = 'USER_MANAGED'
order by
  "Age in Days" desc;
```
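As an added example (not code from the original post), the following queries turn the age listing into a rotation-policy report. The first classifies each user-managed key as never-expiring, already expired, or expiring on a given date, and flags keys older than a rotation window; the second rolls the same data up per project. The 90-day window is an assumed policy value, and the column names are those of the `gcp_service_account_key` table used above.

```sql
-- Added example: per-key policy status for user-managed service account keys.
-- Assumes a 90-day rotation policy (adjust the interval to match yours).
with keys as (
  select
    project,
    service_account_name,
    title as key_id,
    valid_after_time,
    valid_before_time,
    now() :: date - valid_after_time :: date as age_days,
    -- GCP reports 9999-12-31T23:59:59Z for keys with no expiration
    valid_before_time >= '9999-01-01' as never_expires
  from
    gcp_service_account_key
  where
    key_type = 'USER_MANAGED'
)
select
  project,
  service_account_name,
  key_id,
  age_days,
  case
    when never_expires then 'never expires'
    when valid_before_time < now() then 'expired'
    else 'expires ' || valid_before_time :: date
  end as expiry_status,
  case
    when age_days > 90 then 'rotate'
    else 'ok'
  end as rotation_status
from
  keys
order by
  never_expires desc,
  age_days desc;

-- Per-project summary of the same data: how many user-managed keys exist,
-- how many never expire, and how many are already past the rotation window.
with keys as (
  select
    project,
    now() :: date - valid_after_time :: date as age_days,
    valid_before_time >= '9999-01-01' as never_expires
  from
    gcp_service_account_key
  where
    key_type = 'USER_MANAGED'
)
select
  project,
  count(*) as user_managed_keys,
  count(*) filter (where never_expires) as never_expiring,
  count(*) filter (where age_days > 90) as older_than_90_days
from
  keys
group by
  project
order by
  older_than_90_days desc;
```

Each statement runs on its own in the Steampipe console. Sorting never-expiring keys first, then by age, puts the keys that most need attention at the top; the per-project summary is the shape you would feed into a periodic report or a ticketing workflow.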

## GCP IAM Service Account Key Age Report

Steampipe already includes a [GCP IAM Service Account Key Age Report](https://hub.steampipe.io/mods/turbot/gcp_insights/dashboards/dashboard.service_account_key_age_report) in the [GCP Insights Mod](https://hub.steampipe.io/mods/turbot/gcp_insights) for ongoing tracking of your keys.

![Steampipe GCP Service Account Key Age Report](/images/blog/2023-03-gcp-key-expiration/agereport.png "Steampipe GCP Service Account Key Age Report")

With [scheduled dashboard snapshots](https://steampipe.io/blog/schedule-snapshots), you can run periodic reports to track them over time. Doing so gives you a running record of key age and surfaces keys that slip past your rotation window before they become a problem.

Long-term credentials in any cloud provider are a security and management risk but are often necessary. Steampipe can help audit and track them in [AWS](https://hub.steampipe.io/plugins/turbot/aws/tables/aws_iam_access_key), [GCP](https://hub.steampipe.io/plugins/turbot/gcp/tables/gcp_service_account_key), and [Azure](https://hub.steampipe.io/plugins/turbot/azure/tables/azure_ad_service_principal), along with over [100 cloud services](https://hub.steampipe.io/plugins) such as SaaS providers like [CircleCI](https://hub.steampipe.io/plugins/turbot/circleci), [Vercel](https://hub.steampipe.io/plugins/turbot/vercel), [Snowflake](https://hub.steampipe.io/plugins/turbot/snowflake), and [GitHub](https://hub.steampipe.io/plugins/turbot/github).
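As an added example (not code from the original post), the query below gives one age view across user-managed GCP service account keys and active AWS IAM user access keys, so a single rotation check covers both providers. The column names follow the `gcp_service_account_key` and `aws_iam_access_key` tables, the 90-day window is an assumed policy value, and Azure is left out of this example.

```sql
-- Added example: one long-lived-credential age view across GCP and AWS.
-- Assumes a 90-day rotation policy; adjust the interval to match yours.
with long_lived as (
  select
    'gcp' as cloud,
    project as account,
    service_account_name as principal,
    title as key_id,
    valid_after_time as created
  from
    gcp_service_account_key
  where
    key_type = 'USER_MANAGED'
  union all
  select
    'aws' as cloud,
    account_id as account,
    user_name as principal,
    access_key_id as key_id,
    create_date as created
  from
    aws_iam_access_key
  where
    status = 'Active'
)
select
  cloud,
  account,
  principal,
  key_id,
  now() :: date - created :: date as age_days
from
  long_lived
where
  created < now() - interval '90 days'
order by
  age_days desc;
```

Because both tables expose the creation timestamp, the union needs no per-provider date handling; adding another provider is a matter of appending one more `union all` branch with the same five columns.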
