
Limit lifetime of GCP IAM service account keys

By default GCP IAM service account keys never expire. Use Steampipe to find expiration dates and prioritize updates for better protection.

Steampipe Team
4 min. read - Mar 13, 2023

Service account keys are crucial to secure access to Google Cloud Platform (GCP) resources. They allow applications and services to authenticate and authorize access to resources like Compute Engine, Cloud Storage, and BigQuery. By default, GCP IAM service account keys never expire, posing a significant security risk if not properly managed. Identifying which account keys do not have an expiration set can be challenging.

GCP IAM Service Account Key Expiration

With Steampipe, you can query all GCP IAM service account keys across your GCP projects to quickly identify which keys do not expire. The following Steampipe SQL query checks the validity time for the service account keys:

-- The != comparison returns keys that have an expiration set; a key whose
-- valid_before_time equals this 9999-12-31 value never expires.
select
  title,
  service_account_name as service_account,
  valid_after_time,
  key_type
from
  gcp_service_account_key
where
  valid_before_time != '9999-12-31T18:59:59-05:00';

+------------------------------------------+--------------------------------------------------+---------------------------+----------------+
| title | service_account | valid_after_time | key_type |
+------------------------------------------+--------------------------------------------------+---------------------------+----------------+
| 6f22b1444d9a77c90500950db82a6ebc42709c4b | service1@friedpiper-prod.iam.gserviceaccount.com | 2023-03-13T11:51:38-04:00 | SYSTEM_MANAGED |
+------------------------------------------+--------------------------------------------------+---------------------------+----------------+

Any key with an expiration of 9999-12-31 will not expire.

If your organization has a defined credential rotation duration (e.g. teams must rotate credentials every 90 days), you can track which specific keys do not meet this condition over time.

select
  service_account_name,
  name as key_id,
  now()::date - valid_after_time::date as "Age in Days",
  valid_after_time as "Create Date",
  valid_before_time as "Expiration Date"
from
  gcp_service_account_key
where
  key_type = 'USER_MANAGED'
order by
  "Age in Days" desc;
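
The two checks above can be combined into a single policy report. This is an added example, not a query from the original article or from the Steampipe mods; it assumes the 90-day rotation window mentioned above plus a 14-day warning window, and the aliases (age_days, never_expires, rotation_status, days_overdue) are illustrative names. It uses only the gcp_service_account_key columns already shown on this page.

```sql
-- Added example: classify every user-managed key against a rotation policy.
-- The 90-day limit and 14-day warning window are assumptions; adjust both.
with policy as (
  select 90 as max_age_days, 14 as warn_days
),
keys as (
  select
    service_account_name,
    name as key_id,
    valid_after_time,
    valid_before_time,
    -- date minus date yields an integer number of days in PostgreSQL
    now()::date - valid_after_time::date as age_days,
    -- Non-expiring keys report an expiration at the end of year 9999.
    -- Comparing against an explicit UTC timestamp keeps the test
    -- independent of the session time zone.
    valid_before_time >= timestamptz '9999-01-01 00:00:00+00' as never_expires
  from
    gcp_service_account_key
  where
    key_type = 'USER_MANAGED'
)
select
  k.service_account_name,
  k.key_id,
  k.age_days,
  k.never_expires,
  case
    when k.age_days > p.max_age_days then 'overdue'
    when k.age_days > p.max_age_days - p.warn_days then 'due soon'
    else 'ok'
  end as rotation_status,
  -- 0 for keys still inside the rotation window
  greatest(k.age_days - p.max_age_days, 0) as days_overdue
from
  keys as k
  cross join policy as p
order by
  k.never_expires desc,
  k.age_days desc;
```

Keys that never expire and are already past the rotation window sort to the top, which gives a direct order for prioritizing rotation.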

GCP IAM Service Account Key Age Report

Steampipe already includes a GCP IAM Service Account Key Age Report in the GCP Insights Mod for ongoing tracking of your keys.

With scheduled dashboard snapshots, you can run periodic reports to track them over time. Doing so can ensure your organization's cloud resources are secure and free from unauthorized access.

Long-term credentials in any cloud provider are a security and management risk but are often necessary. Steampipe can help audit and track them in AWS, GCP, and Azure, along with over 100 cloud services, including SaaS providers such as CircleCI, Vercel, Snowflake, and GitHub.