IAM-403
cloud
auth_error
ai_generated
partial
Error: service account key has expired or rotation failed
ID: cloud/gcp-service-account-key-rotation-failed
85% fix rate
85% confidence
Evidence count: 1
First seen: 2024-03-15
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| gcloud 450.0.0 | active | — | — | — |
| GCP IAM API v1 | active | — | — | — |
Root cause analysis
GCP service account key rotation policy failed due to missing permissions or stale key metadata in IAM.
Official documentation
https://cloud.google.com/iam/docs/creating-managing-service-account-keys#rotating
Solutions
- Use gcloud to rotate the key manually: create a new key with `gcloud iam service-accounts keys create new_key.json --iam-account=SA_EMAIL`, point consumers at it, then delete the old one with `gcloud iam service-accounts keys delete OLD_KEY_ID --iam-account=SA_EMAIL` (gcloud has no `rotate` subcommand; a rotation is a create followed by a delete)
- Grant the `iam.serviceAccountKeys.create` and `iam.serviceAccountKeys.delete` permissions (through a role that contains them) to the service account, then trigger rotation via Cloud Scheduler
- Temporarily disable automated rotation and use a static key with a long expiry, then re-enable rotation after debugging
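As an added example that is not part of this record, the following check runs offline on the output of `gcloud iam service-accounts keys list --format=json` and reports which user-managed keys are already expired or overdue for rotation, which is how a silently failed rotation policy shows up before the manual rotation above is attempted. The 90-day window, the key IDs and the timestamps are assumed sample values.

```python
"""Added example: pre-rotation check for GCP service account keys.
Parses the JSON that `gcloud iam service-accounts keys list --format=json`
prints (IAM v1 ServiceAccountKey fields) and flags user-managed keys that are
expired or older than the rotation window."""
import json
from datetime import datetime, timedelta, timezone

ROTATION_WINDOW = timedelta(days=90)  # assumed policy value, not from the page
CHECK_TIME = datetime(2024, 3, 15, tzinfo=timezone.utc)  # the record's first-seen date

# Constructed sample output: the key IDs and timestamps are made up.
SAMPLE_KEYS_JSON = """[
 {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/aaa111", "keyType": "USER_MANAGED",
  "validAfterTime": "2023-11-01T00:00:00Z", "validBeforeTime": "2024-02-01T00:00:00Z"},
 {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/bbb222", "keyType": "USER_MANAGED",
  "validAfterTime": "2023-12-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
 {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/ccc333", "keyType": "USER_MANAGED",
  "validAfterTime": "2024-03-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
 {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/ddd444", "keyType": "SYSTEM_MANAGED",
  "validAfterTime": "2024-03-10T00:00:00Z", "validBeforeTime": "2024-03-24T00:00:00Z"}
]"""

def _parse_rfc3339(value: str) -> datetime:
    # gcloud prints RFC 3339 timestamps with a trailing "Z" for UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def classify_keys(keys_json: str, now: datetime,
                  window: timedelta = ROTATION_WINDOW) -> dict:
    """Map each user-managed key ID to 'expired', 'rotate' or 'ok'.
    'rotate' = still valid but older than the window, i.e. a rotation that
    silently failed. SYSTEM_MANAGED keys are rotated by GCP and are skipped."""
    result = {}
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        key_id = key["name"].rsplit("/", 1)[-1]
        created = _parse_rfc3339(key["validAfterTime"])
        expires = _parse_rfc3339(key["validBeforeTime"])
        if expires <= now:
            result[key_id] = "expired"
        elif now - created > window:
            result[key_id] = "rotate"
        else:
            result[key_id] = "ok"
    return result

if __name__ == "__main__":
    for key_id, status in classify_keys(SAMPLE_KEYS_JSON, CHECK_TIME).items():
        print(f"{key_id}: {status}")
```

Keys reported as `expired` or `rotate` are the ones to replace with the create-then-delete sequence above; the Google-managed key is left alone.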
Ineffective attempts
Common but ineffective approaches:
- 70% failure rate: Deleting the key without updating the service account's IAM policy can break existing integrations; the rotation policy still references the old key.
- 80% failure rate: Disabling a service account does not rotate keys; it only suspends access until the account is re-enabled, leaving expired keys intact.
- 60% failure rate: Extending the rotation period delays the problem but does not fix the underlying failure to rotate; keys still expire eventually.