
How to extract details on Google Cloud Service Account keys across all projects in an Org to a CSV file

Rajathithan Rajasekar
2 min read · Feb 16, 2021


Photographer: Silas Köhler from Unsplash

In this post, we are going to see how to extract the list of keys generated for all service accounts across all projects in an entire org to a CSV file. For every cloud service provisioned in Google Cloud, a default service account is created automatically for that service. As soon as you provision a project, a Compute Engine default service account and an App Engine default service account are created automatically. Each project can have a total of 100 service accounts, and 10 service account keys can be created for each service account.

Unlike user accounts, these service accounts do not have passwords. They are associated with a public/private key pair; the private key is downloaded to the local system and can then be used to authenticate to Google Cloud and access its services. The recommended practice is to store the private key in a vault, and a client that needs access gets a temporary OAuth token from the vault for a specified period of time.

Rotation of Google-managed keys is taken care of by the Google Cloud system every 2 weeks, but for user-managed keys, the cloud admins should take care of key rotation for security reasons. The last I checked, user-managed keys have an unlimited expiry date.
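The following is an added example, not the author's script (which is not shown on this page): it flattens key records in the JSON shape returned by `gcloud iam service-accounts keys list --format=json` into CSV rows and flags user-managed keys that are overdue for rotation. The function names, the sample records and the 90-day threshold are assumptions made for illustration.

```python
import csv, io, json, subprocess
from datetime import datetime, timezone

FIELDS = ["project", "service_account", "key_id", "key_type",
          "created", "expires", "age_days", "needs_rotation"]
MAX_AGE_DAYS = 90  # assumed rotation policy; the article does not give one

# Constructed sample in the shape of `gcloud iam service-accounts keys list --format=json`
SAMPLE_KEYS = [
    {"name": "projects/demo-proj/serviceAccounts/app@demo-proj.iam.gserviceaccount.com/keys/aaaa1111",
     "keyType": "USER_MANAGED", "validAfterTime": "2020-11-01T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": "projects/demo-proj/serviceAccounts/app@demo-proj.iam.gserviceaccount.com/keys/bbbb2222",
     "keyType": "SYSTEM_MANAGED", "validAfterTime": "2021-02-10T00:00:00Z",
     "validBeforeTime": "2021-02-27T00:00:00Z"},
]
NOW = datetime(2021, 2, 16, tzinfo=timezone.utc)  # fixed so the sample is reproducible

def gcloud_json(*args):
    """Run a gcloud command and return its parsed JSON output."""
    cmd = ["gcloud", *args, "--format=json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)

def collect_keys():
    """All keys of all service accounts in every project the caller can list."""
    keys = []
    for proj in gcloud_json("projects", "list"):
        pid = proj["projectId"]
        for sa in gcloud_json("iam", "service-accounts", "list", "--project", pid):
            keys += gcloud_json("iam", "service-accounts", "keys", "list",
                                "--iam-account", sa["email"], "--project", pid)
    return keys

def key_row(key, now=None, max_age_days=MAX_AGE_DAYS):
    """Flatten one key record into a CSV row and flag old user-managed keys."""
    now = now or datetime.now(timezone.utc)
    # name: projects/<project>/serviceAccounts/<email>/keys/<key id>
    _, project, _, email, _, key_id = key["name"].split("/")
    created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
    age = (now - created).days
    stale = key["keyType"] == "USER_MANAGED" and age > max_age_days
    return dict(zip(FIELDS, [project, email, key_id, key["keyType"], key["validAfterTime"],
                             key["validBeforeTime"], age, stale]))

def keys_to_csv(keys, now=None):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(key_row(k, now) for k in keys)
    return buf.getvalue()

if __name__ == "__main__":
    print(keys_to_csv(SAMPLE_KEYS, NOW))  # swap in collect_keys() to query a real org
```

`collect_keys()` needs an authenticated `gcloud` with permission to list projects, service accounts and keys, and it stops on the first project where a command fails (for example, where the IAM API is disabled).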
