Launch Week 01 announcements & demos →
How To

Limit lifetime of GCP IAM service account keys

By default GCP IAM service account keys never expire. Use Steampipe to find expiration dates and prioritize updates for better protection.

Steampipe Team
4 min. read - March 13, 2023

Service account keys are crucial to secure access to Google Cloud Platform (GCP) resources. They allow applications and services to authenticate and authorize access to resources like Compute Engine, Cloud Storage, and BigQuery. By default, GCP IAM service account keys never expire, posing a significant security risk if not properly managed. Identifying which account keys do not have an expiration set can be challenging.

GCP IAM Service Account Key Expiration

Using Steampipe, you can simply query all your GCP IAM service account keys across your GCP projects to quickly identify which keys do not expire. Example of a Steampipe SQL query to check the validity time for the service account keys:

service_account_name as service_account,
valid_before_time != '9999-12-31T18:59:59-05:00'
| title | service_account | valid_after_time | key_type |
| 6f22b1444d9a77c90500950db82a6ebc42709c4b | | 2023-03-13T11:51:38-04:00 | SYSTEM_MANAGED |

Any key with an expiration of 9999-12-31 will not expire.

If your organization has a defined credential rotation duration (e.g. teams must rotate credentials every 90 days), you can track which specific keys do not meet this condition over time.

name as key_id,
now() :: date - valid_after_time :: date as "Age in Days",
valid_after_time as "Create Date",
valid_before_time as "Expiration Date"
where key_type = 'USER_MANAGED'
order by "Age in Days" desc

GCP IAM Service Account Key Age Report

Steampipe already includes a GCP IAM Service Account Key Age Report in the GCP Insights Mod for ongoing tracking of your keys.

Steampipe GCP Service Account Key Age Report

With scheduled dashboard snapshots, you can run periodic reports to track them over time. Doing so can ensure your organization's cloud resources are secure and free from unauthorized access.

Long-term credentials in any cloud provider are a security and management risk but are often necessary. Steampipe can help audit and track them in AWS, GCP, and Azure, along with over 100 cloud services such as SaaS providers like CircleCI, Vercel, Snowflake, and GitHub.