What is the recommended key rotation period for GCP service accounts?

Google recommends a 90-day rotation period for user-managed service account keys. You can enforce this organization-wide using the iam.serviceAccountKeyExpiryHours organization policy constraint, which automatically disables keys after the specified duration. However, the strongest recommendation is to eliminate user-managed keys entirely by using Workload Identity Federation for external workloads and attached service accounts for workloads running on GCP.

How can I tell if a service account key has been compromised?

Check Cloud Audit Logs for the service account's activity — look for API calls from unexpected IP addresses, regions, or at unusual times. GCP's Security Command Center can detect anomalous service account behavior. If you suspect compromise, disable the key immediately via gcloud iam service-accounts keys disable, create a new key for legitimate workloads, then delete the compromised key. Also review what resources the service account has access to and audit those resources for unauthorized changes.

GCP SA Key Age Checker

IAM & SecurityGCP

Check service account key age and rotation status against security best practices.

Key Details

Key Creation Date

Rotation Policy (days)

Key Type

Service Account Email (optional)

Raw JSON Output

Output will appear here...

About This Tool

GCP service account keys are long-lived credentials that do not expire automatically and are a common source of security incidents when lost, leaked, or forgotten. Google recommends rotating keys every 90 days and migrating to keyless authentication (Workload Identity Federation) whenever possible. This tool checks the age of your service account keys, flags keys that exceed your rotation threshold, identifies keys that have never been rotated, and provides actionable recommendations for improving your key management posture — all entirely in your browser without transmitting any key material.

When to Use This Tool

•Auditing service account key ages across your organization to identify keys overdue for rotation
•Checking key rotation compliance before GCP security assessments or SOC 2 audits
•Identifying service accounts with multiple active keys, which often indicates incomplete rotation (old key not deleted)
•Evaluating whether specific workloads can migrate from user-managed keys to Workload Identity Federation or attached service accounts

Frequently Asked Questions

What is the recommended key rotation period for GCP service accounts?: Google recommends a 90-day rotation period for user-managed service account keys. You can enforce this organization-wide using the iam.serviceAccountKeyExpiryHours organization policy constraint, which automatically disables keys after the specified duration. However, the strongest recommendation is to eliminate user-managed keys entirely by using Workload Identity Federation for external workloads and attached service accounts for workloads running on GCP.
How can I tell if a service account key has been compromised?: Check Cloud Audit Logs for the service account's activity — look for API calls from unexpected IP addresses, regions, or at unusual times. GCP's Security Command Center can detect anomalous service account behavior. If you suspect compromise, disable the key immediately via gcloud iam service-accounts keys disable, create a new key for legitimate workloads, then delete the compromised key. Also review what resources the service account has access to and audit those resources for unauthorized changes.

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.