Best practices for using service accounts in deployment pipelinesTo deploy software or infrastructure automatically, many deployment pipelines need access to Google Cloud, so we let the pipelines use a service account. The more we rely on deployment pipelines and their service accounts, the more extensive and privileged their access to Google Cloud can become. And that creates new risks. Continue »
Service account keys aren’t like AWS access keysAWS lets us use access keys to authenticate programmatically. That’s useful for local development, or if we want to let tools access AWS on our behalf. The closest thing to access keys on Google Cloud seem to be service account keys. But are they really that similar? Continue »
Using a CNG-backed key as service account key in JavaOne of the best ways to store a service account key on Windows is to use a CryptoNG key storage provider. That even works with Java. Continue »
Best practices for using workload identity federationWorkload identity federation lets us impersonate a Google Cloud service account by using credentials from an external identity provider. That’s a useful and powerful feature, but there are some things to watch out for. Continue »
Best practices for managing service account keysService accounts play a key role in Google Cloud IAM, and there are multiple ways how service accounts can authenticate. One of them is by using a service account key – but service account keys turn into a security risk if they aren’t managed carefully. Continue »
Limiting the validity of service account keysWhen you create a service account key, Google Cloud doesn’t let you specify an expiry date. The key stays valid until you either delete the key or the entire service account. But there’s a way to limit the validity of a service account key. Continue »
Using a CNG-backed key as service account keyLast time, we looked at how you can use a CryptoAPI-backed key as a service account and use it to authenticate. Now let’s see how you can do the same with CNG. Continue »
Using a CryptoAPI-backed key as service account keyUsing service account keys to authenticate a service account is generally discouraged on Google Cloud, but sometimes difficult to avoid. The most common way to use service account keys is to create a new key by using the Cloud Console or gcloud, but you can also upload existing keys, including CryptoAPI-based keys. Continue »
Best practices for using, managing, and securing service accounts on Google CloudService accounts play a key role in Google Cloud IAM, but they are easy to get wrong. If you’re not careful, you quickly end up with over-permissioned service accounts, accounts that are used across multiple applications, and service account keys being spread all across your environment. Continue »