Best practices for managing service account keys

Service accounts play a key role in Google Cloud IAM, and there are multiple ways how service accounts can authenticate. One of them is by using a service account key – but service account keys turn into a security risk if they aren’t managed carefully.

Today, I published a new guide on the Google Cloud website, Best practices for managing service account keys, that describes how you can secure service account keys and how to protect against common threats, including:

  • Credential leakage: Service account keys might inadvertently end up in places where they are not supposed to be stored. A bad actor can use a leaked service account key to authenticate and gain a foothold in your environment.
  • Privilege escalation: If a bad actor gets access to a poorly secured service account key, they might be able to use the key to escalate their privileges.
  • Information disclosure: Service account keys might inadvertently disclose confidential metadata.
  • Non-repudiation: By authenticating using a service account key and letting the service account carry out operations on their behalf, a bad actor might conceal their identity and actions.

Earlier this year, I published two other articles covering service accounts:

If you have feedback or comments about these guides, don’t hesitate to click the Send feedback button at the top of the page to let us know (or drop me a message directly).

For a full list of articles I’ve published on the Google Cloud website, see Articles on cloud.google.com.

Any opinions expressed on this blog are Johannes' own. Refer to the respective vendor’s product documentation for authoritative information.
« Back to home