# Rotating service account keys

This page describes how to rotate keys for the following service accounts:

- [Component access](/anthos/clusters/docs/on-prem/1.12/how-to/service-accounts#component_access_service_account) (if **not** using private registry)
- [Connect-register](/anthos/clusters/docs/on-prem/1.12/how-to/service-accounts#connect_register_service_account)
- [Logging-monitoring](/anthos/clusters/docs/on-prem/1.12/how-to/service-accounts#logging_monitoring_service_account)
- [Audit logging](/anthos/clusters/docs/on-prem/1.12/how-to/service-accounts#audit_logging_service_account)
- [Usage metering](/anthos/clusters/docs/on-prem/1.12/how-to/service-accounts#usage_metering_service_account)

To rotate your service account keys:

1. Create a directory to store a backup of your current secrets:

   ```
   mkdir backup
   ```

2. Note the following information for the relevant service account:

   **Component access (Preview)**

   | Cluster | Secret                   | Namespace                     |
   |---------|--------------------------|-------------------------------|
   | Admin   | admin-cluster-creds      | kube-system                   |
   | Admin   | user-cluster-creds       | CLUSTER_NAME-gke-onprem-mgmt  |
   | Admin   | private-registry-creds   | kube-system                   |
   | User    | private-registry-creds   | kube-system                   |

   - If you are not using a [private registry](/anthos/clusters/docs/on-prem/1.12/how-to/admin-cluster-configuration-file#privateregistry-section), the `private-registry-creds` Secret holds the key for your component access service account.
   - If you are using a private registry, the `private-registry-creds` Secret holds the credentials for your private registry, **not** the component access service account key.

   **Connect-register**

   | Cluster | Secret              | Namespace                     |
   |---------|---------------------|-------------------------------|
   | Admin   | admin-cluster-creds | kube-system                   |
   | Admin   | user-cluster-creds  | CLUSTER_NAME-gke-onprem-mgmt  |

   **Logging-monitoring**

   | Cluster | Secret                          | Namespace                     |
   |---------|---------------------------------|-------------------------------|
   | Admin   | admin-cluster-creds             | kube-system                   |
   | Admin   | user-cluster-creds              | CLUSTER_NAME-gke-onprem-mgmt  |
   | User    | google-cloud-credentials        | kube-system                   |
   | User    | stackdriver-service-account-key | knative-serving               |

   **Audit logging**

   | Cluster | Secret              | Namespace                     |
   |---------|---------------------|-------------------------------|
   | Admin   | admin-cluster-creds | kube-system                   |
   | Admin   | user-cluster-creds  | CLUSTER_NAME-gke-onprem-mgmt  |
   | Admin   | kube-apiserver      | CLUSTER_NAME                  |

   **Usage Metering**

   | Cluster | Secret                                      | Namespace                     |
   |---------|---------------------------------------------|-------------------------------|
   | Admin   | user-cluster-creds                          | CLUSTER_NAME-gke-onprem-mgmt  |
   | User    | usage-metering-bigquery-service-account-key | kube-system                   |

   **Stackdriver**

   | Cluster | Secret                          | Namespace                     |
   |---------|---------------------------------|-------------------------------|
   | Admin   | admin-cluster-creds             | kube-system                   |
   | Admin   | user-cluster-creds              | CLUSTER_NAME-gke-onprem-mgmt  |
   | User    | google-cloud-credentials        | kube-system                   |
   | User    | stackdriver-service-account-key | knative-serving               |

3. Create a backup of each secret using the following command:

   ```
   kubectl get secret SECRET --namespace NAMESPACE \
       --kubeconfig KUBECONFIG -o json > backup/SECRET-NAMESPACE.json
   ```

   Replace the following:

   - `NAMESPACE`: the namespace where the secret is located. For example, `kube-system`.
   - `KUBECONFIG`: the path to the kubeconfig file for the admin or user cluster.
   - `SECRET`: the name of the secret. For example, `admin-cluster-creds`.

   For example, run the following commands for the audit logging service account:

   ```
   kubectl get secret admin-cluster-creds --namespace kube-system \
       --kubeconfig KUBECONFIG -o json > backup/admin-cluster-creds-kube-system.json

   kubectl get secret user-cluster-creds --namespace NAMESPACE \
       --kubeconfig KUBECONFIG -o json > backup/user-cluster-creds-NAMESPACE.json

   kubectl get secret kube-apiserver --namespace NAMESPACE \
       --kubeconfig KUBECONFIG -o json > backup/kube-apiserver-NAMESPACE.json
   ```

4. To create a new service account key file, run the following command:

   ```
   gcloud iam service-accounts keys create NEW_KEY_FILE --iam-account IAM_ACCOUNT
   ```

   Replace the following:

   - `NEW_KEY_FILE`: the name for your new service account key file
   - `IAM_ACCOUNT`: the email address of the service account

5. In the admin cluster configuration file, find the
   `componentAccessServiceAccountKeyPath` field, the `gkeConnect` section, the
   `stackdriver` section, and the `cloudAuditLogging` section. In those places,
   replace the paths to the service account key files.

6. In the user cluster configuration file, find the
   `componentAccessServiceAccountKeyPath` field, the `gkeConnect` section, the
   `stackdriver` section, the `cloudAuditLogging` section, and the
   `usageMetering` section. In those places, replace the paths to the service
   account key files.

7. Save the changes you made using the following commands:

   ```
   gkectl update credentials COMPONENT \
       --kubeconfig ADMIN_CLUSTER_KUBECONFIG \
       --config ADMIN_CLUSTER_CONFIG \
       --admin-cluster

   gkectl update credentials COMPONENT \
       --kubeconfig ADMIN_CLUSTER_KUBECONFIG \
       --config USER_CLUSTER_CONFIG
   ```

   Replace the following:

   - `COMPONENT`: one of `componentaccess`, `register`, `cloudauditlogging`, `usagemetering`, or `stackdriver`.
   - `ADMIN_CLUSTER_KUBECONFIG`: the path to the kubeconfig file for the admin cluster.
   - `ADMIN_CLUSTER_CONFIG`: the path to the admin cluster configuration file.
   - `USER_CLUSTER_CONFIG`: the path to the user cluster configuration file.

Restoring backups
-----------------

If you need to restore the backups of the secrets you made earlier, run the
following command:

```
kubectl apply -f backup/
```

Last updated 2025-09-04 UTC.
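Step 3 above lists, per component, every Secret that must be backed up before `gkectl update credentials` replaces it, and the restore section relies on the `backup/SECRET-NAMESPACE.json` naming. The following shell script is an added example (not code from this page or from the gkectl/kubectl projects) that turns the page's tables into a per-component backup run: it expands the `CLUSTER_NAME` placeholder, builds the page's `kubectl get secret ... -o json` command for each row, and writes the file under the page's naming scheme. The component names are the `COMPONENT` values accepted by `gkectl update credentials`; the page's Logging-monitoring and Stackdriver tables are identical, so both are served by the `stackdriver` entry. The `ADMIN_KUBECONFIG`, `USER_KUBECONFIG`, `CLUSTER_NAME` and `DRY_RUN` environment variables and all function names are assumptions of this example, not part of the product.

```shell
#!/bin/sh
# Added example, not from the Google Cloud page: back up every Secret the page
# lists for one component before rotating its service account key.
# Assumed environment (not on the page): ADMIN_KUBECONFIG, USER_KUBECONFIG,
# CLUSTER_NAME; DRY_RUN=1 prints the kubectl commands instead of running them.
set -eu

# Secret locations per COMPONENT value, copied from the page's tables, as
# "<cluster> <secret> <namespace>". Namespaces keep the CLUSTER_NAME placeholder.
secrets_for_component() {
  case "$1" in
    componentaccess)
      printf '%s\n' \
        'admin admin-cluster-creds kube-system' \
        'admin user-cluster-creds CLUSTER_NAME-gke-onprem-mgmt' \
        'admin private-registry-creds kube-system' \
        'user private-registry-creds kube-system' ;;
    register)
      printf '%s\n' \
        'admin admin-cluster-creds kube-system' \
        'admin user-cluster-creds CLUSTER_NAME-gke-onprem-mgmt' ;;
    stackdriver)  # also covers the identical Logging-monitoring table
      printf '%s\n' \
        'admin admin-cluster-creds kube-system' \
        'admin user-cluster-creds CLUSTER_NAME-gke-onprem-mgmt' \
        'user google-cloud-credentials kube-system' \
        'user stackdriver-service-account-key knative-serving' ;;
    cloudauditlogging)
      printf '%s\n' \
        'admin admin-cluster-creds kube-system' \
        'admin user-cluster-creds CLUSTER_NAME-gke-onprem-mgmt' \
        'admin kube-apiserver CLUSTER_NAME' ;;
    usagemetering)
      printf '%s\n' \
        'admin user-cluster-creds CLUSTER_NAME-gke-onprem-mgmt' \
        'user usage-metering-bigquery-service-account-key kube-system' ;;
    *)
      echo "unknown component: $1" >&2
      return 1 ;;
  esac
}

# Replace the page's CLUSTER_NAME placeholder with the real user cluster name.
resolve_namespace() {
  printf '%s\n' "$1" | sed "s/CLUSTER_NAME/${CLUSTER_NAME:?CLUSTER_NAME is not set}/g"
}

# Backup file path in the page's naming scheme: backup/SECRET-NAMESPACE.json
backup_path() {
  printf 'backup/%s-%s.json\n' "$1" "$2"
}

# Kubeconfig for the "Admin" or "User" cluster column of the page's tables.
kubeconfig_for() {
  case "$1" in
    admin) printf '%s\n' "${ADMIN_KUBECONFIG:?ADMIN_KUBECONFIG is not set}" ;;
    user)  printf '%s\n' "${USER_KUBECONFIG:?USER_KUBECONFIG is not set}" ;;
    *) echo "unknown cluster: $1" >&2; return 1 ;;
  esac
}

# Build the page's kubectl backup command for one Secret, print it, and run it
# unless DRY_RUN=1. The printed line doubles as an audit record of the backup.
backup_secret() {
  cluster=$1 secret=$2 ns=$(resolve_namespace "$3")
  cmd="kubectl get secret $secret --namespace $ns --kubeconfig $(kubeconfig_for "$cluster") -o json > $(backup_path "$secret" "$ns")"
  printf '%s\n' "$cmd"
  if [ "${DRY_RUN:-0}" != 1 ]; then
    mkdir -p backup
    sh -c "$cmd"
  fi
}

# Back up every Secret the page lists for one component.
backup_component() {
  secrets_for_component "$1" | while read -r cluster secret ns; do
    backup_secret "$cluster" "$secret" "$ns"
  done
}

# Usage: CLUSTER_NAME=... ADMIN_KUBECONFIG=... USER_KUBECONFIG=... \
#        sh backup-secrets.sh cloudauditlogging
if [ "$#" -gt 0 ]; then
  backup_component "$1"
fi
```

Run it once per component you are about to rotate, before step 4; a `DRY_RUN=1` pass first shows exactly which Secrets and namespaces will be read. Because the files contain live credentials, keep the `backup/` directory off shared storage and delete it once the rotation has been verified, since `kubectl apply -f backup/` from the restore section would otherwise reinstate the old keys.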