# Error: Service account key expired or rotation failed

- **ID:** `cloud/gcp-service-account-key-rotation-failed`
- **Domain:** cloud
- **Category:** auth_error
- **Error code:** `IAM-403`
- **Verification level:** ai_generated
- **Fix rate:** 85%

## Root cause

The GCP service account key rotation policy fails because the rotating identity lacks the required permissions or because the key metadata held in IAM is stale.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| gcloud 450.0.0 | active | — | — |
| GCP IAM API v1 | active | — | — |

## Solutions

1. Use gcloud to rotate the key manually: `gcloud iam service-accounts keys rotate --service-account=SA_EMAIL --old-key-from-file=old_key.json --new-key-from-file=new_key.json`
2. Grant the `iam.serviceAccountKeys.create` and `iam.serviceAccountKeys.delete` roles to the service account, then trigger rotation via Cloud Scheduler.
3. Temporarily disable automated rotation and use a static key with a long expiry, then re-enable rotation once debugging is complete.
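After any of the steps above, confirm that rotation actually produced a fresh key and that no expired or stale user-managed key is still listed. The following check is an added example, not part of this page or of gcloud; it reads the JSON shape printed by `gcloud iam service-accounts keys list --format=json`, the key records are constructed, and the 90-day rotation window is an assumed policy value.

```python
"""Audit a service account's key inventory for expired or stale keys (added example)."""
import json
from datetime import datetime, timedelta, timezone

ROTATION_WINDOW = timedelta(days=90)  # assumed rotation policy; adjust to your own

# Constructed sample: one fresh key, one expired key, one stale key, one Google-managed key.
SAMPLE_KEYS_JSON = json.dumps([
    {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/aaa111",
     "keyType": "USER_MANAGED", "validAfterTime": "2024-06-01T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/bbb222",
     "keyType": "USER_MANAGED", "validAfterTime": "2023-01-01T00:00:00Z",
     "validBeforeTime": "2024-01-01T00:00:00Z"},
    {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/ccc333",
     "keyType": "USER_MANAGED", "validAfterTime": "2023-06-01T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/ddd444",
     "keyType": "SYSTEM_MANAGED", "validAfterTime": "2023-01-01T00:00:00Z",
     "validBeforeTime": "2024-01-01T00:00:00Z"},
])


def _parse(ts: str) -> datetime:
    """Parse the RFC 3339 UTC timestamps used in key records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_keys(keys_json: str, now: datetime) -> dict:
    """Classify USER_MANAGED keys as expired, stale (older than the window) or ok.

    SYSTEM_MANAGED keys are skipped: Google rotates those itself, so they are
    never the cause of a failed rotation policy.
    """
    report = {"expired": [], "stale": [], "ok": []}
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        key_id = key["name"].rsplit("/", 1)[-1]
        if _parse(key["validBeforeTime"]) <= now:
            report["expired"].append(key_id)
        elif now - _parse(key["validAfterTime"]) > ROTATION_WINDOW:
            report["stale"].append(key_id)
        else:
            report["ok"].append(key_id)
    return report


if __name__ == "__main__":
    print(audit_keys(SAMPLE_KEYS_JSON, datetime(2024, 7, 1, tzinfo=timezone.utc)))
```

A non-empty `expired` or `stale` list after a rotation run means the policy did not complete; an old key still referenced by a consumer is exactly the state the ineffective attempts below leave behind.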

## Ineffective attempts

- Deleting the key without updating the service account's IAM policy can break existing integrations; the rotation policy still references the old key. (70% failure rate)
- Disabling the service account does not rotate keys; it only suspends access until the account is re-enabled, leaving the expired keys intact. (80% failure rate)
- Extending the rotation period delays the problem but does not fix the underlying failure to rotate; the keys still expire eventually. (60% failure rate)
