google-cloud-platform, service-accounts, google-secret-manager

GCP service account key rotation through secret manager


I have a service account in GCP and I hold its key in a Secret Manager.

Is there a way to set a scheduled secret rotation for that secret holding service account key, so the Pub/Sub would be a GCP one, and not managed by me? Does GCP provide such a managed Pub/Sub service?


Solution

  • There is no built-in function for that, but Google advises using a tool such as Keyrotator to keep the service account keys safe.
    You can also write your own script using the Cloud SDK that will create a new key, obtain it and update it in Secret Manager:

    # create a new key; the private key JSON is written to key-file
    gcloud iam service-accounts keys create key-file \
        --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com

    # obtain the public half of the new key (optional, for verification;
    # the private key itself is already in key-file)
    gcloud beta iam service-accounts keys get-public-key KEY_ID \
        --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com --output-file=FILENAME

    # update the secret in Secret Manager by adding a new version
    # ("gcloud secrets update" only changes metadata such as labels)
    gcloud secrets versions add secret-id \
        --data-file=key-file

    # remove the old one (disable first; delete it once nothing uses it any more)
    gcloud iam service-accounts keys disable OLD_KEY_ID \
        --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com


    This is of course simplified code; you can find more information on those commands here: 1, 2.
    Such a script can be run periodically, e.g. using crontab on a GCE instance or Cloud Scheduler.
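A fuller version of that rotation script, written here as an added example rather than taken from the answer above. It is Python that shells out to the gcloud CLI for the four steps (create key, add secret version, list keys, disable old keys) and keeps the "which keys to disable" decision in a pure function so it can be checked without touching a project. SA_EMAIL, SECRET_ID and PROJECT_ID are hypothetical placeholders, the sample key listing at the bottom is constructed to match the shape of `gcloud iam service-accounts keys list --format=json`, and the script assumes an authenticated gcloud on the host; none of this comes from the original post.

```python
"""Rotate a service account key and publish it through Secret Manager.

Added example, not the answer's own code. Placeholders (SA_EMAIL, SECRET_ID,
PROJECT_ID) and the sample listing below are assumptions/constructed data.
"""
import json
import os
import subprocess
import tempfile
from datetime import datetime, timezone

SA_EMAIL = "SA_NAME@PROJECT_ID.iam.gserviceaccount.com"  # placeholder
SECRET_ID = "sa-key-secret"                               # placeholder
PROJECT_ID = "PROJECT_ID"                                 # placeholder


def run(args):
    """Run one gcloud command and return its stdout; raises if it fails."""
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout


def key_id_from_name(name):
    """'projects/p/serviceAccounts/sa/keys/abc123' -> 'abc123'."""
    return name.rsplit("/", 1)[-1]


def parse_time(ts):
    """Parse the RFC 3339 timestamps gcloud prints (e.g. 2024-01-02T03:04:05Z)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def keys_to_disable(listing_json, keep_key_id, now):
    """Select keys to disable after a rotation.

    Skips the freshly created key, keys already disabled, keys that have
    already expired, and anything not USER_MANAGED (Google-managed keys
    must never be touched). Returns key ids oldest first.
    """
    candidates = []
    for key in json.loads(listing_json):
        kid = key_id_from_name(key["name"])
        if kid == keep_key_id or key.get("disabled", False):
            continue
        if key.get("keyType") != "USER_MANAGED":
            continue
        if parse_time(key["validBeforeTime"]) < now:
            continue  # expired already; nothing to disable
        candidates.append((parse_time(key["validAfterTime"]), kid))
    return [kid for _, kid in sorted(candidates)]


def rotate():
    """Create a key, store it as a new secret version, disable the old keys.

    Old keys are disabled rather than deleted so a consumer that has not yet
    picked up the new secret version can be rolled back by re-enabling.
    The private key only ever touches a temporary directory that is removed
    before the old keys are disabled.
    """
    with tempfile.TemporaryDirectory() as tmp:
        key_file = os.path.join(tmp, "key.json")
        run(["gcloud", "iam", "service-accounts", "keys", "create", key_file,
             "--iam-account", SA_EMAIL, "--project", PROJECT_ID])
        with open(key_file) as fh:
            new_key_id = json.load(fh)["private_key_id"]
        # A new version, not "secrets update": consumers read "latest".
        run(["gcloud", "secrets", "versions", "add", SECRET_ID,
             "--data-file", key_file, "--project", PROJECT_ID])
    listing = run(["gcloud", "iam", "service-accounts", "keys", "list",
                   "--iam-account", SA_EMAIL, "--managed-by", "user",
                   "--format", "json", "--project", PROJECT_ID])
    for kid in keys_to_disable(listing, new_key_id, datetime.now(timezone.utc)):
        run(["gcloud", "iam", "service-accounts", "keys", "disable", kid,
             "--iam-account", SA_EMAIL, "--project", PROJECT_ID])
    return new_key_id


# Constructed sample listing (same shape as the gcloud JSON output).
_PREFIX = "projects/p/serviceAccounts/sa/keys/"
SAMPLE_LISTING = json.dumps([
    {"name": _PREFIX + "new1", "validAfterTime": "2024-03-01T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z", "keyType": "USER_MANAGED"},
    {"name": _PREFIX + "old1", "validAfterTime": "2024-01-01T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z", "keyType": "USER_MANAGED"},
    {"name": _PREFIX + "old0", "validAfterTime": "2023-12-01T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z", "keyType": "USER_MANAGED"},
    {"name": _PREFIX + "gone", "validAfterTime": "2024-02-01T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z", "keyType": "USER_MANAGED",
     "disabled": True},
    {"name": _PREFIX + "sys1", "validAfterTime": "2024-02-15T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z", "keyType": "SYSTEM_MANAGED"},
    {"name": _PREFIX + "exp1", "validAfterTime": "2023-01-01T00:00:00Z",
     "validBeforeTime": "2023-06-01T00:00:00Z", "keyType": "USER_MANAGED"},
])

if __name__ == "__main__":
    # Dry run on the constructed listing; call rotate() for the real thing.
    print(keys_to_disable(SAMPLE_LISTING, "new1", parse_time("2024-03-02T00:00:00Z")))
```

Run under a service account or user that holds `iam.serviceAccountKeyAdmin` on the target service account and `secretmanager.secretVersionAdder` on the secret, and nothing broader; once consumers have moved to the new version, older secret versions can be destroyed with `gcloud secrets versions destroy` and the disabled keys deleted.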