# Error: service account key has expired or rotation failed

- **ID:** `cloud/gcp-service-account-key-rotation-failed`
- **Domain:** cloud
- **Category:** auth_error
- **Error Code:** `IAM-403`
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

Automated key rotation for a GCP service account failed, either because the principal performing the rotation lacks the IAM permissions to create and delete keys, or because the key metadata it relies on is stale compared with what IAM currently reports.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| gcloud 450.0.0 | active | — | — |
| GCP IAM API v1 | active | — | — |

## Workarounds

1. **Rotate the key manually with gcloud: create a replacement key, point the workload at it, then delete the old key (its ID is shown by `gcloud iam service-accounts keys list --iam-account=SA_EMAIL`)** (85% success)
   ```
   gcloud iam service-accounts keys create new_key.json --iam-account=SA_EMAIL
   gcloud iam service-accounts keys delete OLD_KEY_ID --iam-account=SA_EMAIL
   ```
2. **Grant the `iam.serviceAccountKeys.create` and `iam.serviceAccountKeys.delete` permissions to the service account, then trigger rotation via Cloud Scheduler** (90% success)
3. **Temporarily disable automated rotation and use a static key with a long expiry, then re-enable rotation after debugging** (75% success)
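To spot the condition this entry describes before a workload hits `IAM-403`, the following added example (not part of this entry or of gcloud) audits the JSON that `gcloud iam service-accounts keys list --iam-account=SA_EMAIL --format=json` prints and flags user-managed keys that are already expired or older than a rotation threshold. The key list, project name and key IDs are constructed for the example; the field names are those the IAM API returns.

```python
"""Audit GCP service-account keys for expiry and overdue rotation."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `gcloud iam service-accounts keys list --format=json`
# output: two user-managed keys and one Google-managed key (not real data).
SAMPLE_KEYS_JSON = """[
  {"name": "projects/example-proj/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/aaaa1111",
   "keyType": "USER_MANAGED",
   "validAfterTime": "2023-01-15T00:00:00Z", "validBeforeTime": "2024-01-15T00:00:00Z"},
  {"name": "projects/example-proj/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/bbbb2222",
   "keyType": "USER_MANAGED",
   "validAfterTime": "2024-03-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/example-proj/serviceAccounts/app@example-proj.iam.gserviceaccount.com/keys/cccc3333",
   "keyType": "SYSTEM_MANAGED",
   "validAfterTime": "2024-05-20T00:00:00Z", "validBeforeTime": "2024-06-05T00:00:00Z"}
]"""

# Pinned "current time" so the audit result is reproducible.
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_ts(value):
    # gcloud prints RFC 3339 timestamps with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_keys(keys_json, now, max_age_days=90):
    """Return {key_id: status} for user-managed keys, where status is
    'expired', 'rotation_overdue' or 'ok'. Google-managed keys are skipped:
    Google rotates them and an operator cannot delete them."""
    report = {}
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        key_id = key["name"].rsplit("/", 1)[-1]
        created = _parse_ts(key["validAfterTime"])
        expires = _parse_ts(key["validBeforeTime"])
        if expires <= now:
            report[key_id] = "expired"
        elif now - created > timedelta(days=max_age_days):
            report[key_id] = "rotation_overdue"
        else:
            report[key_id] = "ok"
    return report


if __name__ == "__main__":
    for key_id, status in audit_keys(SAMPLE_KEYS_JSON, FIXED_NOW).items():
        print(f"{key_id}: {status}")
```

Any key reported as `expired` or `rotation_overdue` is a candidate for the manual create-then-delete rotation in workaround 1.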

## Dead Ends

- Deleting the old key without updating the service account's IAM policy can break existing integrations; the rotation policy still references the old key. (70% fail)
- Disabling a service account does not rotate its keys; it only suspends access until the account is re-enabled, leaving the expired keys intact. (80% fail)
- Extending the rotation period delays the problem but does not fix the underlying failure to rotate; the keys still expire eventually. (60% fail)
