Category: Security, Terraform, Hashicorp, github

TL;DR: Generating and distributing service account keys poses severe security risks to your organization. These keys can be leaked accidentally or maliciously allowing attackers to gain access to your sensitive GCP resources.

You should never need to generate and download a service account key to use a service account within Google Cloud infrastructure.

Let’s further say that my user ryan@example.com isn’t allowed to download the key for this service account and doesn’t have direct permissions to mess with GKE, but what I do have is the magic role roles/iam.serviceAccountTokenCreator, which lets me mint short-lived tokens for the service account and act as it.

To illustrate, this is the only information you get in the logs if I were able to download the k8s service account key and use it: the request is attributed to the service account itself, with nothing pointing back to the person who held the key.
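The contrast between a downloaded key and impersonation via roles/iam.serviceAccountTokenCreator shows up directly in Cloud Audit Logs, and that is where a defender can act on it. The following is an added example, not code from the original post. It uses the field names of the Cloud Audit Logs `AuthenticationInfo` schema (`principalEmail`, `serviceAccountKeyName`, `serviceAccountDelegationInfo`); the three log entries are constructed samples, the project and service account names are placeholders, and the rule "no delegation info, but a `serviceAccountKeyName`, means a user-managed key was used" is the assumption the classifier rests on.

```python
"""Attribute service-account activity in Cloud Audit Logs to a human where possible.

Impersonation (short-lived tokens minted with roles/iam.serviceAccountTokenCreator)
leaves the caller's identity in serviceAccountDelegationInfo; a downloaded key
leaves only the key name. Added example with constructed log entries.
"""
from typing import Dict, List, Optional

SA = "gke-sa@example-project.iam.gserviceaccount.com"  # constructed SA name

# Constructed sample entries, not real logs: the same SA calling the same API
# three different ways.
SAMPLE_ENTRIES: List[dict] = [
    {  # 1: a downloaded user-managed key; nothing links the call to a person
        "protoPayload": {
            "methodName": "io.k8s.core.v1.secrets.list",
            "authenticationInfo": {
                "principalEmail": SA,
                "serviceAccountKeyName": (
                    f"//iam.googleapis.com/projects/example-project/serviceAccounts/{SA}"
                    "/keys/0123456789abcdef0123456789abcdef01234567"
                ),
            },
        },
    },
    {  # 2: token minted by ryan@example.com via serviceAccountTokenCreator
        "protoPayload": {
            "methodName": "io.k8s.core.v1.secrets.list",
            "authenticationInfo": {
                "principalEmail": SA,
                "serviceAccountDelegationInfo": [
                    {"firstPartyPrincipal": {"principalEmail": "ryan@example.com"}}
                ],
            },
        },
    },
    {  # 3: the SA attached to a workload: no key name, no delegation chain
        "protoPayload": {
            "methodName": "io.k8s.core.v1.secrets.list",
            "authenticationInfo": {"principalEmail": SA},
        },
    },
]


def classify_entry(entry: dict) -> Dict[str, Optional[str]]:
    """Return how the SA authenticated and, if known, the human behind it."""
    auth = entry.get("protoPayload", {}).get("authenticationInfo", {})
    principal = auth.get("principalEmail")
    delegation = auth.get("serviceAccountDelegationInfo") or []
    if delegation:
        # The first hop of the delegation chain is the caller that minted the
        # token; thirdPartyPrincipal (external identities) carries no email.
        first = delegation[0].get("firstPartyPrincipal", {}).get("principalEmail")
        return {"principal": principal, "how": "impersonation", "attributed_to": first}
    if auth.get("serviceAccountKeyName"):
        # Assumption: a key name without a delegation chain means a
        # user-managed key was presented; the holder is not recorded.
        return {"principal": principal, "how": "service_account_key", "attributed_to": None}
    return {"principal": principal, "how": "attached_or_other", "attributed_to": None}


def key_ids_to_review(entries: List[dict]) -> List[str]:
    """Collect the IDs of user-managed keys seen in use, for inventory and rotation."""
    ids: List[str] = []
    for entry in entries:
        if classify_entry(entry)["how"] != "service_account_key":
            continue
        key_name = entry["protoPayload"]["authenticationInfo"]["serviceAccountKeyName"]
        # Resource name ends in ".../keys/<key id>"
        ids.append(key_name.rsplit("/keys/", 1)[1])
    return ids


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_ENTRIES, 1):
        print(i, classify_entry(e))
    print("keys to review:", key_ids_to_review(SAMPLE_ENTRIES))
```

Entry 2 is the only one a reviewer can tie to a person; entry 1 yields a key ID that belongs in the key inventory so it can be matched to an owner or revoked, and entry 3 is the shape you want to see most of the time (an attached identity, no key anywhere).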
