RotateServiceAccount creates a new key for a Google Cloud service account and updates the required secret data. It is triggered by a Pub/Sub message that Secret Manager sends for a secret, and it runs as a Cloud Run container.
- Secret Manager sends a Pub/Sub message to the `secret-manager-notifications` Pub/Sub topic.
- RotateServiceAccount checks if the value of the `eventType` attribute is set to `SECRET_ROTATE`; if not, it stops its execution.
- RotateServiceAccount checks if the value of the `type` label is set to `service-account`; if not, it stops its execution.
- RotateServiceAccount reads the name of the service account from the latest version of the secret.
- RotateServiceAccount generates a new key for the service account.
- RotateServiceAccount creates a new secret version in Secret Manager, containing the newly created service account key.
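The flow above, worked through as an added Go example; this is not the project's own code. The two gate checks (`eventType`, `type` label), the read of the latest version, the key creation and the new secret version are driven from a single `Rotate` function behind a small `Cloud` interface, which a constructed in-memory `MemCloud` implements so the example runs offline. The secret names, the push message body and the key payloads are constructed. Two details are assumptions, not stated on the page: the label is looked up in Secret Manager using the notification's `secretId` attribute, and the secret payload is the service account's JSON key file, whose `client_email` field names the account.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Cloud is the slice of Secret Manager and IAM behaviour the flow needs; MemCloud below backs it with memory.
type Cloud interface {
	Labels(secretID string) (map[string]string, error)
	LatestVersion(secretID string) ([]byte, error)
	AddVersion(secretID string, payload []byte) error
	CreateKey(serviceAccountEmail string) ([]byte, error)
}

// ErrSkip marks a notification ignored on purpose; the handler should still ack it.
var ErrSkip = errors.New("event ignored")

// Rotate runs the flow for one Pub/Sub push message: two gate checks, then read, mint, store.
func Rotate(body []byte, gcp Cloud) error {
	var env struct {
		Message struct {
			Attributes map[string]string `json:"attributes"`
		} `json:"message"`
	}
	if err := json.Unmarshal(body, &env); err != nil {
		return fmt.Errorf("decode push message: %w", err)
	}
	attrs := env.Message.Attributes
	if attrs["eventType"] != "SECRET_ROTATE" {
		return fmt.Errorf("%w: eventType=%q", ErrSkip, attrs["eventType"])
	}
	secretID := attrs["secretId"]
	labels, err := gcp.Labels(secretID)
	if err != nil {
		return fmt.Errorf("read labels of %q: %w", secretID, err)
	}
	if labels["type"] != "service-account" {
		return fmt.Errorf("%w: type=%q", ErrSkip, labels["type"])
	}
	// Assumption: the latest version is the account's JSON key file, whose client_email names it.
	payload, err := gcp.LatestVersion(secretID)
	if err != nil {
		return fmt.Errorf("read latest version of %s: %w", secretID, err)
	}
	var current struct{ ClientEmail string `json:"client_email"` }
	if json.Unmarshal(payload, &current) != nil || current.ClientEmail == "" {
		return fmt.Errorf("latest version of %s is not a service account key file", secretID)
	}
	newKey, err := gcp.CreateKey(current.ClientEmail)
	if err != nil {
		return fmt.Errorf("create key for %s: %w", current.ClientEmail, err)
	}
	return gcp.AddVersion(secretID, newKey)
}

// MemCloud is a constructed in-memory stand-in for Secret Manager and IAM.
type MemCloud struct {
	LabelsBySecret map[string]map[string]string
	Versions       map[string][][]byte
}

func (m *MemCloud) Labels(id string) (map[string]string, error) {
	if l, ok := m.LabelsBySecret[id]; ok {
		return l, nil
	}
	return nil, errors.New("secret not found")
}

func (m *MemCloud) LatestVersion(id string) ([]byte, error) {
	if v := m.Versions[id]; len(v) > 0 {
		return v[len(v)-1], nil
	}
	return nil, errors.New("secret has no versions")
}

func (m *MemCloud) AddVersion(id string, payload []byte) error {
	m.Versions[id] = append(m.Versions[id], payload)
	return nil
}

// CreateKey returns a constructed payload shaped like the key file IAM issues.
func (m *MemCloud) CreateKey(email string) ([]byte, error) {
	return json.Marshal(map[string]string{"type": "service_account", "client_email": email, "private_key_id": "constructed-key-id"})
}

// SampleRotateMessage is a constructed push body of the shape a rotation notification has.
const SampleRotateMessage = `{"message":{"attributes":{"eventType":"SECRET_ROTATE","secretId":"projects/example-project/secrets/sa-key"}}}`

// NewFixture holds two constructed secrets: one labelled for rotation (sa-key), one not (db-password).
func NewFixture() *MemCloud {
	saKey := []byte(`{"type":"service_account","client_email":"rotator@example-project.iam.gserviceaccount.com"}`)
	return &MemCloud{
		LabelsBySecret: map[string]map[string]string{"projects/example-project/secrets/sa-key": {"type": "service-account"}, "projects/example-project/secrets/db-password": {}},
		Versions:       map[string][][]byte{"projects/example-project/secrets/sa-key": {saKey}, "projects/example-project/secrets/db-password": {[]byte("constructed-password")}},
	}
}
```

`Rotate(SampleRotateMessage, NewFixture())` adds a second version to `sa-key`; a `SECRET_CREATE` event or a rotation event for the unlabelled `db-password` secret returns `ErrSkip` and writes nothing, while an unknown secret or an undecodable body is a hard error. Distinguishing the two matters for the handler: a skipped event should be acknowledged so Pub/Sub stops redelivering it, whereas a hard error should be surfaced and retried.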
RotateServiceAccount is deployed to Cloud Run by applying the Terraform config stored in the `./terraform` directory. `terraform apply` is executed automatically on every PR that changes the application's Terraform `.tf` files.
To set up automatic rotation for a Secret Manager secret, follow these steps:
- Create a new secret in Secret Manager with the existing service account data.
- Add the `type: service-account` label to the secret.
- Set `secret-manager-notifications` as the secret's Pub/Sub topic.
- Set up a rotation period for the secret.