Service Account Key Expiration Date


Swarnim Shukla

Jan 28, 2021, 12:38:43 PM
to google-cicp-discussion
Hi,

I have created a JSON key in a service account. But once it is created, it shows me a key expiration date of 1 month, after which the key expires.

Is there a way I could increase the key expiration date or is there any setting that I am missing while creating the key?

I do not want to create the key manually every time it expires, so I want a solution for this.

Thanks in advance.

Regards,
Swarnim

Lucas (Cloud Platform Support)

Jan 29, 2021, 1:25:47 PM
to google-cicp-discussion
Hello Swarnim,

Have you followed this guide on how to create a JSON key in service account [1]?

When you enter this in the command line, what does the expiration show [2]?

gcloud iam service-accounts keys list \
--iam-account <sa-name>@<project-id>.iam.gserviceaccount.com

Also, if you are using a user managed service account, there is no expiration date [3].

I would recommend you use a user managed key as you wouldn't have to recreate a new one.

If you are using a Google managed key, it should rotate with a renewal.

[1] https://docs.bmc.com/docs/PATROL4GoogleCloudPlatform/10/creating-a-service-account-key-in-the-google-cloud-platform-project-799095477.html
[2] https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list
[3] https://cloud.google.com/iam/docs/understanding-service-accounts#authentication_using_rsa_private_keys

Swarnim Shukla

Feb 1, 2021, 1:14:14 AM
to Lucas (Cloud Platform Support), google-cicp-discussion
Hi Lucas,

1] Yes I have followed these steps to create a service account. Once I create the key it automatically comes with an expiration date.
image.png

2] When I run the command in the cloud shell it shows a 1 month expiry date from the creation date. Below is the screenshot.
image.png

Do we have some configuration that I am missing?

Regards,
Swarnim


Julio Colino

Feb 10, 2021, 7:05:42 AM
to google-cicp-discussion
Hello Swarnim,

I just created a testing Service Account in a testing project, then manually created a new key, and there is no expiration for it by default. This is a default behaviour.

Screenshot 2021-02-10 12.54.16.jpg

Screenshot 2021-02-10 13.02.21 (1).png

Swarnim Shukla

Feb 10, 2021, 7:09:17 AM
to Julio Colino, google-cicp-discussion
Hi Julio,

Thanks for trying it out. This is strange; it is happening for me.

Do we have any settings while creating a project? Or some configuration that I am not aware of?

Regards,
Swarnim


Julio Colino

Feb 10, 2021, 7:58:19 AM
to google-cicp-discussion
Hello Swarnim,

I have been doing further tests as follows:
- I created a completely new trial project
- I created a new SA on it
- I created a new key for that SA
- I am getting again a key with no expiration

I suggest just as a test trying in a new project in order to check if there is some configuration in your current project that is limiting the expiration.

I would also review if you have any organization policy configured in your project or parent folder/organization related to keys or service accounts that may be affecting this behaviour.

Nevertheless, so far I didn't find any configuration that changes this default behaviour.
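
Added example, not part of the thread and not Google's code: a Python script that reads the JSON form of the `gcloud iam service-accounts keys list` output discussed above and reports each key's type, lifetime and status, so a one-month key can be told apart from a non-expiring one. The sample listing is constructed; the script assumes the `name`, `keyType`, `validAfterTime` and `validBeforeTime` fields and that a non-expiring key is listed with an expiry in year 9999.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the output of
#   gcloud iam service-accounts keys list --iam-account <sa> --format=json
# Project, account and key ids are placeholders, not values from the thread.
SA = "projects/example-project/serviceAccounts/sa@example-project.iam.gserviceaccount.com"
SAMPLE = json.dumps([
    {"name": SA + "/keys/key-one-month", "keyType": "USER_MANAGED",
     "validAfterTime": "2021-01-28T12:30:00Z", "validBeforeTime": "2021-02-27T12:30:00Z"},
    {"name": SA + "/keys/key-no-expiry", "keyType": "USER_MANAGED",
     "validAfterTime": "2021-02-10T12:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": SA + "/keys/key-google", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2021-01-20T00:00:00Z", "validBeforeTime": "2021-02-06T00:00:00Z"},
    {"name": SA + "/keys/key-old", "keyType": "USER_MANAGED",
     "validAfterTime": "2020-12-01T00:00:00Z", "validBeforeTime": "2020-12-31T00:00:00Z"},
])

def parse_ts(value):
    """Parse the UTC timestamps used in the key listing (no fractional seconds assumed)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def classify_keys(listing_json, now, warn_days=14):
    """Return one dict per key: id, type, lifetime in days, status."""
    report = []
    for key in json.loads(listing_json):
        start = parse_ts(key["validAfterTime"])
        end = parse_ts(key["validBeforeTime"])
        key_type = key.get("keyType", "UNKNOWN")
        lifetime = (end - start).days
        if end.year == 9999:                 # sentinel: key never expires
            status, lifetime = "no-expiry", None
        elif key_type == "SYSTEM_MANAGED":   # rotated by Google, nothing to renew
            status = "system-rotated"
        elif end <= now:
            status = "expired"
        elif (end - now).days < warn_days:   # needs replacing before this date
            status = "expiring-soon"
        else:
            status = "valid"
        report.append({"key_id": key["name"].rsplit("/", 1)[-1], "key_type": key_type,
                       "lifetime_days": lifetime, "status": status})
    return report

if __name__ == "__main__":
    for row in classify_keys(SAMPLE, datetime.now(timezone.utc)):
        print(row)
```

A user-managed key that reports a finite `lifetime_days` in a project where new keys normally show `no-expiry` points at project, folder or organization configuration, which is what the last reply suggests reviewing.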