Version 1.16. This version is no longer supported. For information about how to upgrade to version 1.28, see Upgrade clusters in the latest documentation. For more information about supported and unsupported versions, see the Versioning page in the latest documentation.
To rotate the service account keys in Google Distributed Cloud, you update the
existing cluster credentials with the bmctl command. This service account key
rotation might be part of your regular processes to update credentials, or a
response to a potential exposure of the keys. When you update cluster
credentials, the new information is passed to admin or hybrid clusters, or
automatically routed to affected user clusters managed by an admin cluster.
Cluster credentials that can be updated
Google Distributed Cloud clusters require multiple credentials when they are created.
You set the credentials in the cluster config when you create an admin, standalone, or hybrid
cluster. User clusters, as noted above, are managed by an admin cluster (or a hybrid cluster acting as admin) and reuse the credentials of that admin cluster.
For more information about creating clusters and the different cluster types, see Installation overview: choosing a deployment model (/anthos/clusters/docs/bare-metal/1.16/installing/install-prep).
You can update the following credentials, and their corresponding secrets,
in Google Distributed Cloud clusters with the bmctl command:
SSH private key: Used for node access.
Container Registry key (anthos-baremetal-gcr): Service account key
used to authenticate with Container Registry for image pulling.
Connect agent service account key (anthos-baremetal-connect): Service account key used by
Connect agent pods.
Connect registry service account key (anthos-baremetal-register): Service account key used to authenticate with
Hub when registering or unregistering a cluster.
Cloud operations service account key (anthos-baremetal-cloud-ops):
Service account key used to authenticate with Google Cloud Observability (logging & monitoring)
APIs.
Update credentials with bmctl
When you create clusters, Google Distributed Cloud creates Kubernetes Secrets
based on your credential keys. If you generate new keys, you must update the
corresponding Secrets as described in the following steps. If the name or path
of your keys changes, you must also update the corresponding cluster
configuration file.
1. Prepare the new values for the credentials you want to update:
   - You can generate new Google service account keys (/iam/docs/keys-create-delete#creating)
     through the gcloud command or through the Google Cloud console.
   - Generate a new SSH private key on the admin workstation and make sure the
     cluster node machines have the corresponding public key.
2. Update the credentials section of your cluster configuration file with paths
   to the new keys.
3. Update the corresponding cluster Secrets with the bmctl update credentials command, adding the appropriate flags described below.
For example, here bmctl updates the credentials for a new SSH private key,
where ADMIN_KUBECONFIG specifies the path to the kubeconfig of
the admin, hybrid, or standalone cluster, SSH_KEY_PATH specifies
the path to the new SSH private key, and CLUSTER_NAME specifies
the name of the cluster:
```
bmctl update credentials --kubeconfig ADMIN_KUBECONFIG --ssh-private-key-path SSH_KEY_PATH --cluster CLUSTER_NAME
```
You can specify the following flags with bmctl to update credentials:
Last updated 2025-09-04 UTC.
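The procedure above leaves two things to the operator: checking the new key file before handing it to bmctl, and confirming that the cluster Secret actually picked up the new key before the old key is deleted (deleting it first would break image pulls, Connect, or logging for the cluster). The following script is an added example, not code from the Google Distributed Cloud documentation or the bmctl project. It covers the four Google service account keys listed on this page (the SSH key is rotated with the command shown above). It assumes kubectl is on PATH, that ADMIN_KUBECONFIG is the same kubeconfig you pass to bmctl, and that a cluster's Secrets live in the namespace cluster-CLUSTER_NAME (bmctl's convention). Only --gcr-key-path appears on this page; the other three flag names are assumed and should be confirmed against bmctl update credentials --help. The key dictionary and Secret used in the dry run are constructed sample data.

```python
"""Rotate one Google service-account key with bmctl and confirm the Secret changed.

Added example; not from the Google Distributed Cloud docs or the bmctl project.
Assumptions: kubectl on PATH; ADMIN_KUBECONFIG is the kubeconfig given to bmctl;
Secrets live in namespace "cluster-<CLUSTER_NAME>"; flag names other than
--gcr-key-path are assumed (check `bmctl update credentials --help`).
"""
import base64
import json
import os
import stat
import subprocess
import sys

# bmctl flag -> Secret it backs. Secret names come from the doc's credential list.
SECRET_FOR_FLAG = {
    "--gcr-key-path": "anthos-baremetal-gcr",                        # flag on the page
    "--gke-connect-agent-key-path": "anthos-baremetal-connect",      # assumed flag name
    "--gke-connect-register-key-path": "anthos-baremetal-register",  # assumed flag name
    "--cloud-operations-key-path": "anthos-baremetal-cloud-ops",     # assumed flag name
}
SA_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def key_file_is_private(path):
    """True when the file has no group/other permission bits (0600 or tighter)."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0


def validate_sa_key(key):
    """Return the dict if it has the shape of a Google service-account key file."""
    missing = [f for f in SA_KEY_FIELDS if f not in key]
    if key.get("type") != "service_account" or missing:
        raise ValueError(f"not a service-account key; missing fields {missing}")
    return key


def load_sa_key(path):
    """Read and check the new key file before it is handed to bmctl."""
    if not key_file_is_private(path):
        raise PermissionError(f"{path}: readable by group/others; chmod 600 it first")
    with open(path, encoding="utf-8") as fh:
        return validate_sa_key(json.load(fh))


def build_bmctl_cmd(kubeconfig, cluster, flag, key_path):
    """argv for the `bmctl update credentials` invocation shown in the doc."""
    if flag not in SECRET_FOR_FLAG:
        raise ValueError(f"unsupported flag {flag}")
    return ["bmctl", "update", "credentials", "--kubeconfig", kubeconfig,
            flag, key_path, "--cluster", cluster]


def key_id_in_secret(secret):
    """private_key_id of whichever data entry of a Secret (kubectl -o json) is a SA key."""
    for encoded in secret.get("data", {}).values():
        try:
            parsed = json.loads(base64.b64decode(encoded))
        except ValueError:  # not base64, not UTF-8, or not JSON
            continue
        if isinstance(parsed, dict) and "private_key_id" in parsed:
            return parsed["private_key_id"]
    return None


def rotation_applied(new_key, secret):
    """True once the Secret holds the new key; only then is the old key safe to delete."""
    return key_id_in_secret(secret) == new_key["private_key_id"]


def fetch_secret(kubeconfig, cluster, name):
    """Read the Secret back from the cluster namespace (namespace name is assumed)."""
    out = subprocess.run(
        ["kubectl", "--kubeconfig", kubeconfig, "-n", f"cluster-{cluster}",
         "get", "secret", name, "-o", "json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def rotate_sa_key(kubeconfig, cluster, flag, key_path, apply=False):
    """Validate, optionally run bmctl, then verify the Secret picked up the new key."""
    new_key = load_sa_key(key_path)
    cmd = build_bmctl_cmd(kubeconfig, cluster, flag, key_path)
    if not apply:
        print("dry run:", " ".join(cmd))
        return cmd
    subprocess.run(cmd, check=True)
    name = SECRET_FOR_FLAG[flag]
    if not rotation_applied(new_key, fetch_secret(kubeconfig, cluster, name)):
        raise RuntimeError(f"{name} still holds the previous key; keep the old key active")
    print(f"{name} now carries private_key_id {new_key['private_key_id']}")
    return cmd


if __name__ == "__main__":
    # python3 rotate_sa_key.py ADMIN_KUBECONFIG CLUSTER_NAME --gcr-key-path new-gcr.json [--apply]
    kc, cluster_name, flag_name, path = sys.argv[1:5]
    rotate_sa_key(kc, cluster_name, flag_name, path, apply="--apply" in sys.argv[5:])
```

The script defaults to a dry run that only prints the bmctl command; pass --apply to run it. The post-rotation check compares the private_key_id field of the local key file with the one embedded in the Secret, which is how you tell that the old key can now be deleted in IAM rather than merely that bmctl exited 0.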