Tags: IAM-403 · cloud · auth_error · ai_generated · partial

Error: service account key has expired or rotation failed

ID: cloud/gcp-service-account-key-rotation-failed

Fix rate: 85%
Confidence: 85%
Evidence: 1
First seen: 2024-03-15

Version Compatibility

Version          Status   Introduced   Deprecated   Notes
gcloud 450.0.0   active
GCP IAM API v1   active

Root Cause

The GCP service account key rotation policy failed, either because the identity running the rotation lacks the required IAM permissions or because the key metadata held in IAM is stale (it still references a key that no longer matches what the workload uses).

generic


Official Documentation

https://cloud.google.com/iam/docs/creating-managing-service-account-keys#rotating

Workarounds

  1. 85% success: Use gcloud to manually rotate the key: `gcloud iam service-accounts keys rotate --service-account=SA_EMAIL --old-key-from-file=old_key.json --new-key-from-file=new_key.json`
  2. 90% success: Grant the `iam.serviceAccountKeys.create` and `iam.serviceAccountKeys.delete` roles to the service account, then trigger rotation via Cloud Scheduler.
  3. 75% success: Temporarily disable automated rotation and use a static key with a long expiry, then re-enable rotation after debugging.


Dead Ends

Common approaches that don't work:

  1. 70% fail: Deleting the old key without updating the service account's IAM policy can break existing integrations; the rotation policy still references the old key.
  2. 80% fail: Disabling a service account does not rotate its keys; it only suspends access until the account is re-enabled, leaving the expired keys intact.
  3. 60% fail: Extending the rotation period delays the problem but does not fix the underlying failure to rotate; the keys still expire eventually.
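The following is an added example, not part of this record and not a Google tool. It parses the JSON that `gcloud iam service-accounts keys list --iam-account=SA_EMAIL --format=json` returns, separates expired, soon-to-expire, healthy and Google-managed keys, and then emits a rotation plan that creates and verifies a replacement key before deleting anything, which is exactly the ordering the first dead end above warns about. The field names (`name`, `validAfterTime`, `validBeforeTime`, `keyType`, `keyOrigin`, `disabled`) are those of the IAM ServiceAccountKey resource and the `keys create` / `keys delete` subcommands exist in gcloud; the project, service account email, key ids, timestamps and the `new-key.json` file name are constructed for the example.

```python
"""Audit GCP service-account keys from `gcloud ... keys list` JSON and build a safe rotation plan."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample output (shape of `gcloud iam service-accounts keys list --format=json`).
# The project, email, key ids and dates are made up; the field names are the real IAM ones.
SAMPLE_KEYS_JSON = """[
  {"name": "projects/example-proj/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/aaaa1111",
   "validAfterTime": "2023-09-01T00:00:00Z", "validBeforeTime": "2024-03-01T00:00:00Z",
   "keyType": "USER_MANAGED", "keyOrigin": "GOOGLE_PROVIDED", "disabled": false},
  {"name": "projects/example-proj/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/bbbb2222",
   "validAfterTime": "2023-12-01T00:00:00Z", "validBeforeTime": "2024-03-20T00:00:00Z",
   "keyType": "USER_MANAGED", "keyOrigin": "GOOGLE_PROVIDED", "disabled": false},
  {"name": "projects/example-proj/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/cccc3333",
   "validAfterTime": "2024-03-10T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z",
   "keyType": "USER_MANAGED", "keyOrigin": "GOOGLE_PROVIDED", "disabled": false},
  {"name": "projects/example-proj/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/dddd4444",
   "validAfterTime": "2024-03-01T00:00:00Z", "validBeforeTime": "2024-03-17T00:00:00Z",
   "keyType": "SYSTEM_MANAGED", "keyOrigin": "GOOGLE_PROVIDED", "disabled": false}
]"""

# Constructed "now" so the audit is reproducible; a real run would use datetime.now(timezone.utc).
AUDIT_TIME = datetime(2024, 3, 15, tzinfo=timezone.utc)
SA_EMAIL = "app@example-proj.iam.gserviceaccount.com"  # constructed


def _parse_ts(value):
    # gcloud emits RFC 3339 with a trailing Z; turn it into a timezone-aware datetime
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def key_id(resource_name):
    # "projects/P/serviceAccounts/EMAIL/keys/KEY_ID" -> "KEY_ID"
    return resource_name.rsplit("/", 1)[-1]


def classify_keys(raw_json, now, warn_days=7):
    """Bucket user-managed keys by validity; SYSTEM_MANAGED keys are rotated by Google and skipped."""
    buckets = {"expired": [], "expiring": [], "healthy": [], "skipped": []}
    horizon = now + timedelta(days=warn_days)
    for key in json.loads(raw_json):
        kid = key_id(key["name"])
        if key.get("keyType") != "USER_MANAGED":
            buckets["skipped"].append(kid)
            continue
        expires = _parse_ts(key["validBeforeTime"])
        if expires <= now:
            buckets["expired"].append(kid)
        elif expires <= horizon:
            buckets["expiring"].append(kid)
        else:
            buckets["healthy"].append(kid)
    return buckets


def rotation_plan(sa_email, buckets, new_key_file="new-key.json"):
    """Ordered steps: create, distribute and verify the replacement before deleting any old key.
    Deleting first is the dead end from this record: workloads still holding the old key break."""
    to_retire = buckets["expired"] + buckets["expiring"]
    if not to_retire:
        return []
    steps = [
        f"gcloud iam service-accounts keys create {new_key_file} --iam-account={sa_email}",
        f"# deploy {new_key_file} to every workload that uses {sa_email}, then confirm it authenticates",
        f"gcloud auth activate-service-account --key-file={new_key_file}",
    ]
    steps += [f"gcloud iam service-accounts keys delete {kid} --iam-account={sa_email}" for kid in to_retire]
    return steps


if __name__ == "__main__":
    result = classify_keys(SAMPLE_KEYS_JSON, AUDIT_TIME)
    print(result)
    for step in rotation_plan(SA_EMAIL, result):
        print(step)
```

On the constructed sample the audit reports `aaaa1111` as expired, `bbbb2222` as expiring within the 7-day window, `cccc3333` as healthy (gcloud's default non-expiring `9999-12-31` validity) and skips the Google-managed `dddd4444`; the plan then lists one `keys create`, the distribution and verification steps, and only afterwards the two `keys delete` commands.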