# Rotating service account keys

This page describes how to rotate your service account keys using `gkectl` for
the Cloud Audit Logs, Usage Metering, and Stackdriver components on Google Distributed Cloud.

> **Note:** For information on rotating the connect-register service account key file for a cluster, see [Rotate a connect-register service account key for the admin cluster](/anthos/clusters/docs/on-prem/1.10/how-to/updating-general#rotate-admin) or [Rotate a connect-register service account key for a user cluster](/anthos/clusters/docs/on-prem/1.10/how-to/updating-general#rotate-user).
To rotate your service account keys:

1. Create a directory to store a backup of your current secrets:

   ```
   mkdir backup
   ```

2. Note the following information for the relevant component:

   **Cloud Audit Logs**

   | Cluster | Secret | Namespace |
   |---|---|---|
   | Admin | `admin-cluster-creds` | `kube-system` |
   | Admin | `user-cluster-creds` | `CLUSTER_NAME-gke-onprem-mgmt` |
   | Admin | `kube-apiserver` | `CLUSTER_NAME` |

   **Usage Metering**

   | Cluster | Secret | Namespace |
   |---|---|---|
   | Admin | `user-cluster-creds` | `CLUSTER_NAME-gke-onprem-mgmt` |
   | User | `usage-metering-bigquery-service-account-key` | `kube-system` |

   **Stackdriver**

   | Cluster | Secret | Namespace |
   |---|---|---|
   | Admin | `admin-cluster-creds` | `kube-system` |
   | Admin | `user-cluster-creds` | `CLUSTER_NAME-gke-onprem-mgmt` |
   | User | `google-cloud-credentials` | `kube-system` |
   | User | `stackdriver-service-account-key` | `knative-serving` |

3. Create a backup of each secret using the following command:

   ```
   kubectl get secret SECRET --namespace NAMESPACE \
       --kubeconfig KUBECONFIG -o json > backup/SECRET-NAMESPACE.json
   ```

   Replace the following:

   - `NAMESPACE`: the namespace where the secret is located. For example, `kube-system`.
   - `KUBECONFIG`: the path to the kubeconfig file for the admin or user cluster.
   - `SECRET`: the name of the secret. For example, `admin-cluster-creds`.

   For example, run the following commands for the Cloud Audit Logs component:

   ```
   kubectl get secret admin-cluster-creds --namespace kube-system \
       --kubeconfig KUBECONFIG -o json > backup/admin-cluster-creds-kube-system.json

   kubectl get secret user-cluster-creds --namespace NAMESPACE \
       --kubeconfig KUBECONFIG -o json > backup/user-cluster-creds-NAMESPACE.json

   kubectl get secret kube-apiserver --namespace NAMESPACE \
       --kubeconfig KUBECONFIG -o json > backup/kube-apiserver-NAMESPACE.json
   ```
4. To create a new service account key file, run the following command:

   ```
   gcloud iam service-accounts keys create NEW_KEY_FILE --iam-account IAM_ACCOUNT
   ```

   Replace the following:

   - `NEW_KEY_FILE`: the name for your new service account key file.
   - `IAM_ACCOUNT`: your service account email address for either [Cloud Audit Logs](/anthos/clusters/docs/on-prem/1.10/how-to/service-accounts#audit_logging_service_account), [Usage Metering](/anthos/clusters/docs/on-prem/1.10/how-to/service-accounts#usage_metering_service_account), or Stackdriver.

5. In the corresponding configuration files for both the admin cluster and the user clusters, find the `cloudauditlogging`, `usagemetering`, or `stackdriver` section.

6. Replace the `serviceAccountKeyPath` field with the `NEW_KEY_FILE` you created earlier.

7. Save the changes you made using the following commands:

   ```
   gkectl update credentials COMPONENT --admin-cluster --kubeconfig \
       ADMIN_CLUSTER_KUBECONFIG --config ADMIN_CLUSTER_CONFIG

   gkectl update credentials COMPONENT --kubeconfig \
       ADMIN_CLUSTER_KUBECONFIG --config USER_CLUSTER_CONFIG
   ```

   Replace the following:

   - `COMPONENT`: one of `cloudauditlogging`, `usagemetering`, or `stackdriver`.
   - `ADMIN_CLUSTER_KUBECONFIG`: the path to the kubeconfig file for the admin cluster.
   - `ADMIN_CLUSTER_CONFIG`: the path to the admin cluster configuration file.
   - `USER_CLUSTER_CONFIG`: the path to the user cluster configuration file.

> **Note:** If you need to restore the backup of the secret you made earlier, run the following command:
>
> ```
> kubectl apply -f backup/
> ```

Last updated 2025-09-04 UTC.
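The backup step above is easy to get wrong when done by hand: each component has several secrets split across the admin and user clusters, and a missed one cannot be restored after rotation. The script below is an added example (not part of this page or of `gkectl`) that encodes the three tables and backs up every secret for one component with the page's `backup/SECRET-NAMESPACE.json` naming. It assumes `kubectl` is on the path and that the caller supplies the cluster name and the admin and user kubeconfig paths.

```bash
#!/usr/bin/env bash
# Added example: back up all secrets listed for a component before rotating its key.
set -eu

# Rows copied from the page's tables: component cluster secret namespace.
# CLUSTER_NAME is substituted with the user cluster's name at run time.
SECRET_TABLE='
cloudauditlogging admin admin-cluster-creds kube-system
cloudauditlogging admin user-cluster-creds CLUSTER_NAME-gke-onprem-mgmt
cloudauditlogging admin kube-apiserver CLUSTER_NAME
usagemetering admin user-cluster-creds CLUSTER_NAME-gke-onprem-mgmt
usagemetering user usage-metering-bigquery-service-account-key kube-system
stackdriver admin admin-cluster-creds kube-system
stackdriver admin user-cluster-creds CLUSTER_NAME-gke-onprem-mgmt
stackdriver user google-cloud-credentials kube-system
stackdriver user stackdriver-service-account-key knative-serving
'

# Print "cluster secret namespace" for every row of one component,
# with CLUSTER_NAME replaced by the given cluster name.
secret_rows() {
  component="$1"
  cluster_name="$2"
  printf '%s\n' "$SECRET_TABLE" | awk -v c="$component" -v n="$cluster_name" \
    '$1 == c { gsub(/CLUSTER_NAME/, n); print $2, $3, $4 }'
}

# Backup file name, following the page's backup/SECRET-NAMESPACE.json convention.
backup_path() {
  printf 'backup/%s-%s.json\n' "$1" "$2"
}

# Back up every secret for a component; rows marked "user" are read with the
# user cluster kubeconfig, all others with the admin cluster kubeconfig.
# Usage: backup_component_secrets COMPONENT CLUSTER_NAME ADMIN_KUBECONFIG USER_KUBECONFIG
backup_component_secrets() {
  component="$1"; cluster_name="$2"; admin_kc="$3"; user_kc="$4"
  mkdir -p backup
  secret_rows "$component" "$cluster_name" | while read -r cluster secret ns; do
    kc="$admin_kc"
    [ "$cluster" = user ] && kc="$user_kc"
    kubectl get secret "$secret" --namespace "$ns" --kubeconfig "$kc" -o json \
      > "$(backup_path "$secret" "$ns")"
  done
}
```

Run `backup_component_secrets stackdriver CLUSTER_NAME admin-kubeconfig user-kubeconfig` before step 4 and `kubectl apply -f backup/` restores exactly those files if the rotation fails.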