
Google Cloud Service Account Keys: Essential Tips for Creating Expiring Keys

In this video, join Anto as he demonstrates how to create short-lived service account keys using standard Google tools and a custom script for a more secure approach to managing service account keys in Google Cloud. This Out of DevOps tutorial covers cloud software engineering, service account key management, and the risks associated with long-lived keys.

Learn how to generate local keys with OpenSSL, specifying an expiry date to ensure they automatically expire, mitigating potential risks. Explore the process of uploading public keys to Google Cloud and creating a JSON file containing the private key, making it compatible with Gcloud commands and the Cloud Console.

However, Anto recognizes the limitations of this approach, such as the inconvenience of using a JSON template and the inability to specify expiry times in minutes. To overcome these challenges, Anto introduces a Golang application that simplifies key generation, allowing users to specify expiry times in minutes and automate the uploading process to Google Cloud.

Discover the two main commands in the Golang application: 'create' and 'generate.' The 'generate' command generates a key pair in PEM format, while the 'create' command behaves similarly to Gcloud's service account keys create command. The link to the repo is available in the video description.

Lastly, Anto emphasizes that it's always better to avoid using service account keys when possible. He recommends using Workload Identity Federation and points to a previous video demonstrating how to use it in combination with GitHub Actions and IaC.

Master the art of service account key management in Google Cloud with this informative and practical tutorial. Learn how to create short-lived keys, mitigate risks, and enhance your cloud software engineering skills.

Service account keys generated with the Google Cloud Console (web interface) or via the gcloud CLI don't expire. Google, in its [Best Practices for Managing Service Account Keys](https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys), recommends creating short-lived keys.

To create short-lived keys we have to generate them manually on our machine (using OpenSSL on the command line) and then upload the public half to GCP using:

gcloud iam service-accounts keys upload ./public_key.pem --iam-account=sa_name@project_id.iam.gserviceaccount.com

Generating keys with OpenSSL is easy (https://cloud.google.com/iam/docs/creating-managing-service-account-keys#uploading), but using the resulting private keys is not very convenient.

In this video I introduce SAKeBomb (https://github.com/outofdevops/sakebomb), a custom solution I created to simplify the creation of short-lived service account keys in Google Cloud Platform (GCP).
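The two steps the description outlines, generating a key pair whose certificate carries the expiry and then wrapping the private key in the JSON layout gcloud expects, can be done in Go without the openssl binary, which is also what makes minute-level lifetimes possible. The example below is added here and is not SAKeBomb's code or Google's; the project id, service account address and the KEY_ID_FROM_UPLOAD_OUTPUT placeholder are constructed values, and the JSON field set mirrors the file gcloud's `keys create` writes. The public certificate it produces is what you pass to the `gcloud iam service-accounts keys upload` command shown above; the key id that command reports is what goes into `private_key_id`.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"os"
	"time"
)

// KeyPair is the output of the OpenSSL step, done in Go: the certificate that
// is uploaded to Google and the private key that never leaves the client.
type KeyPair struct {
	CertPEM       []byte    // upload with: gcloud iam service-accounts keys upload
	PrivateKeyPEM []byte    // PKCS#8, the format gcloud-generated key files use
	NotAfter      time.Time // validity end baked into the certificate
}

// GenerateKeyPair builds a 2048-bit RSA key and a self-signed X.509 certificate
// whose validity window is exactly ttl. Google derives the uploaded key's expiry
// from the certificate's validity, so a ttl of minutes yields a key that dies in
// minutes, something openssl's -days flag cannot express.
func GenerateKeyPair(ttl time.Duration) (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now().UTC().Truncate(time.Second) // X.509 stores whole seconds
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "unused"}, // subject is irrelevant; Google's docs use CN=unused
		NotBefore:    now,
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	pkcs8, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	return &KeyPair{
		CertPEM:       pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		PrivateKeyPEM: pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8}),
		NotAfter:      tmpl.NotAfter,
	}, nil
}

// BuildKeyFile assembles the JSON layout gcloud's `keys create` writes, so the
// private key works with gcloud and the client libraries. keyID is the id Google
// assigns when the certificate is uploaded (printed by `keys upload`); it becomes
// the kid of the JWTs the client signs, so it must match the uploaded key.
func BuildKeyFile(projectID, saEmail, keyID string, privateKeyPEM []byte) ([]byte, error) {
	file := map[string]string{
		"type":                        "service_account",
		"project_id":                  projectID,
		"private_key_id":              keyID,
		"private_key":                 string(privateKeyPEM),
		"client_email":                saEmail,
		"client_id":                   "", // SA unique id; not needed for the token exchange
		"auth_uri":                    "https://accounts.google.com/o/oauth2/auth",
		"token_uri":                   "https://oauth2.googleapis.com/token",
		"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
		"client_x509_cert_url":        "https://www.googleapis.com/robot/v1/metadata/x509/" + url.QueryEscape(saEmail),
	}
	return json.MarshalIndent(file, "", "  ")
}

func main() {
	// Constructed values; replace with your own project and service account.
	const projectID = "my-project-id"
	const saEmail = "sa_name@my-project-id.iam.gserviceaccount.com"

	kp, err := GenerateKeyPair(15 * time.Minute)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := os.WriteFile("public_key.pem", kp.CertPEM, 0o644); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("certificate expires %s; upload it with:\n", kp.NotAfter.Format(time.RFC3339))
	fmt.Printf("  gcloud iam service-accounts keys upload ./public_key.pem --iam-account=%s\n", saEmail)

	// After the upload, replace the placeholder with the key id gcloud printed.
	keyJSON, err := BuildKeyFile(projectID, saEmail, "KEY_ID_FROM_UPLOAD_OUTPUT", kp.PrivateKeyPEM)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := os.WriteFile("sa-key.json", keyJSON, 0o600); err != nil { // private key: owner-only
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Two details matter in practice: the private key file is written with mode 0600 because it is a bearer credential until the certificate expires, and the `private_key_id` has to be filled in from the upload output rather than chosen locally, since Google identifies the key by the id it assigned.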

0:00 Intro
1:06 How to mitigate the risks of using Service Account Keys
2:02 Create Short Lived Service Account Keys with OpenSSL
3:34 Problems with the OpenSSL approach
4:04 Introducing SAKeBomb for Short Lived Service Account Keys
5:00 Conclusions

Links
Repo: https://github.com/outofdevops/sakebomb
Template for SA Keys in JSON format: https://github.com/outofdevops/sakebomb#how-to-create-json-sa-key-from-pem-file

Video "Google Cloud Service Account Keys: Essential Tips for Creating Expiring Keys" from the OutOfDevOps channel
Video information
27 October 2021, 21:15:02
00:05:59