Rotate service account keys

To rotate the service account keys in GKE on Bare Metal, you update the existing cluster credentials with the bmctl command. You might rotate service account keys as part of your regular process for updating credentials, or in response to a potential exposure of the keys. When you update cluster credentials, the new information is passed to admin or hybrid clusters, or automatically routed to the affected user clusters managed by an admin cluster.

Cluster credentials that can be updated

GKE on Bare Metal clusters require multiple credentials when they are created. You set the credentials in the cluster config when you create an admin, standalone, or hybrid cluster. User clusters, as noted previously, are managed by an admin cluster (or a hybrid cluster acting as admin), and will reuse the same credentials from the admin cluster.

For more information about creating clusters and different cluster types, see Installation overview: choosing a deployment model.

You can update the following credentials, and their corresponding secrets, in GKE on Bare Metal clusters with the bmctl command:

  • SSH private key: Used for node access.
  • Container Registry key (anthos-baremetal-gcr): Service account key used to authenticate with Container Registry for image pulling.
  • Connect agent service account key (anthos-baremetal-connect): Service account key used by Connect agent pods.
  • Connect registry service account key (anthos-baremetal-register): Service account key used to authenticate with Hub when registering or unregistering a cluster.
  • Cloud operations service account key (anthos-baremetal-cloud-ops): Service account key to authenticate with Google Cloud Observability (logging & monitoring) APIs.

Update credentials with bmctl

When you create clusters, GKE on Bare Metal creates Kubernetes Secrets based on your credential keys. If you generate new keys, you must update the corresponding Secrets as described in the following steps. If the name or path of your keys changes, you must also update the corresponding cluster configuration file.

  1. Prepare the new values for the credentials you want to update:

    • You can generate new Google service account keys through the Google Cloud CLI or through the Google Cloud console.

    • Generate a new SSH private key on the admin workstation and make sure that the cluster node machines have the corresponding public key.

  2. Update the credentials section of your cluster configuration file with paths to the new keys.

  3. Update the corresponding cluster Secrets with the bmctl update credentials command, adding the appropriate flags.

    The following example updates the credentials for a new SSH private key:

    bmctl update credentials --kubeconfig ADMIN_KUBECONFIG \
        --cluster CLUSTER_NAME \
        --ssh-private-key-path SSH_KEY_PATH

    Replace the following:

    • ADMIN_KUBECONFIG: the path of the kubeconfig file of the admin or self-managing cluster.

    • CLUSTER_NAME: the name of the cluster that you're updating the SSH key for.

    • SSH_KEY_PATH: the path of the new SSH private key file. By default, bmctl checks the SSH and service account key files specified in the cluster configuration file. If bmctl finds an expired key file, the command fails. If the new, valid key file is in a different location than the one specified in the configuration file, include the --ignore-validation-errors flag to avoid this failure.

    For a complete list of the flags that you can use with the bmctl update credentials command, see update credentials in the bmctl command reference.
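The three steps above, wrapped in a small POSIX shell helper as an added example (this is not part of the GKE on Bare Metal documentation or of bmctl). It runs pre-flight checks on the new key files before bmctl is pointed at them: the new service account key JSON must be a real service account key and must carry a different private_key_id than the key it replaces (re-downloading the same key is not a rotation), and the new SSH private key must exist, have a private-key header, and not be group- or world-readable. It then assembles the bmctl update credentials command using only the flags shown on this page (--kubeconfig, --cluster, --ssh-private-key-path, --ignore-validation-errors). The DRY_RUN switch, the function names, and all file paths are assumptions of this example; whether the key is expired or disabled on the Google Cloud side cannot be checked from the file, so bmctl's own validation still applies.

```shell
#!/bin/sh
# Added example, not from the GKE on Bare Metal docs. Pre-flight checks for a
# key rotation, then assembly of the bmctl update credentials command.
# Assumed: DRY_RUN (default 1) only prints the command instead of running it.

# Extract private_key_id from a service account key JSON (no jq required).
sa_key_id() {
    sed -n 's/.*"private_key_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Check that NEW looks like a Google service account key and, when OLD is
# given, that it is actually a different key than the one being replaced.
preflight_sa_key() {
    sa_new="$1"; sa_old="${2:-}"
    [ -r "$sa_new" ] || { echo "not readable: $sa_new" >&2; return 1; }
    grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$sa_new" \
        || { echo "not a service account key: $sa_new" >&2; return 1; }
    grep -q '"private_key"' "$sa_new" \
        || { echo "no private_key field: $sa_new" >&2; return 1; }
    if [ -n "$sa_old" ] && [ -r "$sa_old" ] \
        && [ "$(sa_key_id "$sa_new")" = "$(sa_key_id "$sa_old")" ]; then
        echo "new key has the same private_key_id as the old one: $sa_new" >&2
        return 1
    fi
    return 0
}

# Check that KEY is a readable private key with owner-only permissions.
# (The matching public key must already be on every node; that cannot be
# verified offline, so it is not checked here.)
preflight_ssh_key() {
    ssh_key="$1"
    [ -r "$ssh_key" ] || { echo "not readable: $ssh_key" >&2; return 1; }
    head -n 1 "$ssh_key" | grep -q '^-----BEGIN .*PRIVATE KEY-----$' \
        || { echo "no private key header: $ssh_key" >&2; return 1; }
    mode="$(stat -c '%a' "$ssh_key" 2>/dev/null || stat -f '%Lp' "$ssh_key")"
    case "$mode" in
        *00) ;;
        *) echo "permissions $mode too open (want 600 or 400): $ssh_key" >&2; return 1 ;;
    esac
    return 0
}

# rotate_ssh_key KUBECONFIG CLUSTER SSH_KEY [IGNORE_VALIDATION]
# Runs the pre-flight check, then prints (DRY_RUN=1) or runs (DRY_RUN=0)
#   bmctl update credentials --kubeconfig ... --cluster ... --ssh-private-key-path ...
# Pass 1 as the fourth argument when the new key lives at a path that differs
# from the one in the cluster configuration file, so that bmctl's validation
# of the configured (old) key file does not fail the command.
rotate_ssh_key() {
    kubeconfig="$1"; cluster="$2"; ssh_key="$3"; ignore="${4:-0}"
    preflight_ssh_key "$ssh_key" || return 1
    set -- bmctl update credentials --kubeconfig "$kubeconfig" \
        --cluster "$cluster" --ssh-private-key-path "$ssh_key"
    [ "$ignore" = "1" ] && set -- "$@" --ignore-validation-errors
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'dry run:'; printf ' %s' "$@"; echo
    else
        "$@"
    fi
}

# Example usage (paths and names are placeholders):
#   preflight_sa_key ./keys/gcr-new.json ./keys/gcr-old.json
#   DRY_RUN=0 rotate_ssh_key ./admin-kubeconfig user-cluster-1 ~/.ssh/id_new 1
```

Once bmctl has updated the Secrets and the cluster is healthy with the new keys, retire the old material: disable or delete the previous service account key in Google Cloud and remove the old public key from the nodes' authorized keys, otherwise the exposure you were rotating away from remains usable.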