# Rotating service account keys

Last updated 2025-09-04 UTC.

This page describes how to rotate keys for the following service accounts:

- [Component access](/anthos/clusters/docs/on-prem/1.14/how-to/service-accounts#component_access_service_account) (In 1.14.0 - 1.14.4, you can't rotate the component access key if you are using a private registry. This limitation was removed in 1.14.5 and later.)
- [Connect-register](/anthos/clusters/docs/on-prem/1.14/how-to/service-accounts#connect_register_service_account)
- [Logging-monitoring](/anthos/clusters/docs/on-prem/1.14/how-to/service-accounts#logging_monitoring_service_account)
- [Audit logging](/anthos/clusters/docs/on-prem/1.14/how-to/service-accounts#audit_logging_service_account)
- [Usage metering](/anthos/clusters/docs/on-prem/1.14/how-to/service-accounts#usage_metering_service_account)

To rotate your service account keys:

1. Create a directory to store a backup of your current secrets:

   ```
   mkdir backup
   ```

   **Note:** The backup files contain the current service account keys, so restrict access to this directory and remove it once you have confirmed that the rotation succeeded.

2. Note the following information for the relevant service account:

   **Component access**

   | Cluster | Secret | Namespace |
   |---|---|---|
   | Admin | `admin-cluster-creds` | `kube-system` |
   | Admin | `user-cluster-creds` | `CLUSTER_NAME-gke-onprem-mgmt` |
   | Admin | `private-registry-creds` | `kube-system` |
   | User | `private-registry-creds` | `kube-system` |

   - If you are not using a [private registry](/anthos/clusters/docs/on-prem/1.14/how-to/admin-cluster-configuration-file#privateregistry-section), the `private-registry-creds` Secret holds the key for your component access service account.
   - If you are using a private registry, the `private-registry-creds` Secret holds the credentials for your private registry, **not** the component access service account key.

   **Connect-register**

   | Cluster | Secret | Namespace |
   |---|---|---|
   | Admin | `admin-cluster-creds` | `kube-system` |
   | Admin | `user-cluster-creds` | `CLUSTER_NAME-gke-onprem-mgmt` |

   **Logging-monitoring**

   | Cluster | Secret | Namespace |
   |---|---|---|
   | Admin | `admin-cluster-creds` | `kube-system` |
   | Admin | `user-cluster-creds` | `CLUSTER_NAME-gke-onprem-mgmt` |
   | User | `google-cloud-credentials` | `kube-system` |
   | User | `stackdriver-service-account-key` | `knative-serving` |

   **Audit logging**

   | Cluster | Secret | Namespace |
   |---|---|---|
   | Admin | `admin-cluster-creds` | `kube-system` |
   | Admin | `user-cluster-creds` | `CLUSTER_NAME-gke-onprem-mgmt` |
   | Admin | `kube-apiserver` | `CLUSTER_NAME` |

   **Usage metering**

   | Cluster | Secret | Namespace |
   |---|---|---|
   | Admin | `user-cluster-creds` | `CLUSTER_NAME-gke-onprem-mgmt` |
   | User | `usage-metering-bigquery-service-account-key` | `kube-system` |

   **Stackdriver**

   | Cluster | Secret | Namespace |
   |---|---|---|
   | Admin | `admin-cluster-creds` | `kube-system` |
   | Admin | `user-cluster-creds` | `CLUSTER_NAME-gke-onprem-mgmt` |
   | User | `google-cloud-credentials` | `kube-system` |
   | User | `stackdriver-service-account-key` | `knative-serving` |

3. Create a backup of each secret using the following command:

   ```
   kubectl get secret SECRET --namespace NAMESPACE \
       --kubeconfig KUBECONFIG -o json > backup/SECRET-NAMESPACE.json
   ```

   Replace the following:

   - `NAMESPACE`: the namespace where the secret is located. For example, `kube-system`.
   - `KUBECONFIG`: the path to the kubeconfig file for the admin or user cluster.
   - `SECRET`: the name of the secret. For example, `admin-cluster-creds`.

   For example, run the following commands for the audit logging service account:

   ```
   kubectl get secret admin-cluster-creds --namespace kube-system \
       --kubeconfig KUBECONFIG -o json > backup/admin-cluster-creds-kube-system.json

   kubectl get secret user-cluster-creds --namespace NAMESPACE \
       --kubeconfig KUBECONFIG -o json > backup/user-cluster-creds-NAMESPACE.json

   kubectl get secret kube-apiserver --namespace NAMESPACE \
       --kubeconfig KUBECONFIG -o json > backup/kube-apiserver-NAMESPACE.json
   ```

4. To create a new service account key file, run the following command:

   ```
   gcloud iam service-accounts keys create NEW_KEY_FILE --iam-account IAM_ACCOUNT
   ```

   Replace the following:

   - `NEW_KEY_FILE`: the name for your new service account key file
   - `IAM_ACCOUNT`: the email address of the service account

5. In the admin cluster configuration file, find the `componentAccessServiceAccountKeyPath` field, the `gkeConnect` section, the `stackdriver` section, and the `cloudAuditLogging` section. In those places, replace the paths to the service account key files.

6. In the user cluster configuration file, find the `componentAccessServiceAccountKeyPath` field, the `gkeConnect` section, the `stackdriver` section, the `cloudAuditLogging` section, and the `usageMetering` section. In those places, replace the paths to the service account key files.

7. Save the changes you made using the following commands:

   ```
   gkectl update credentials COMPONENT \
       --kubeconfig ADMIN_CLUSTER_KUBECONFIG \
       --config ADMIN_CLUSTER_CONFIG \
       --admin-cluster

   gkectl update credentials COMPONENT \
       --kubeconfig ADMIN_CLUSTER_KUBECONFIG \
       --config USER_CLUSTER_CONFIG
   ```

   Replace the following:

   - `COMPONENT`: one of `componentaccess`, `register`, `cloudauditlogging`, `usagemetering`, or `stackdriver`.
   - `ADMIN_CLUSTER_KUBECONFIG`: the path to the kubeconfig file for the admin cluster.
   - `ADMIN_CLUSTER_CONFIG`: the path to the admin cluster configuration file.
   - `USER_CLUSTER_CONFIG`: the path to the user cluster configuration file.

Restoring backups
-----------------

If you need to restore the backups of the secrets you made earlier, run the
following command:

```
kubectl apply -f backup/
```
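As an added example, not code from this page or from the gkectl project, the following Python script performs two checks around steps 3 to 7 above. Before `gkectl update credentials`, it confirms that the key file written by `gcloud iam service-accounts keys create` belongs to the intended service account and differs from the key held in the backed-up Secret, so that a stale or wrong key is not rolled out. After the update, run on a fresh `kubectl get secret ... -o json` dump, it confirms that the Secret now carries the new key ID; until that is true you should keep the old key and, if the update failed, restore from `backup/`. The sample Secret, the two key files, the key IDs, the service account email and the data key name `audit-logging-key.json` are all constructed for this example; because real Secrets use their own data key names, the script scans every `data` entry rather than assuming one.

```python
import base64
import json

# Constructed sample data (not from the page): the service account being rotated,
# a fake "old" key file as embedded in the backed-up Secret, and a fake "new" key
# file as written by `gcloud iam service-accounts keys create`.
IAM_ACCOUNT = "audit-logging@example-project.iam.gserviceaccount.com"


def _fake_key_file(private_key_id: str) -> dict:
    # Same fields as a real service-account key file, with placeholder values.
    return {
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": private_key_id,
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "client_email": IAM_ACCOUNT,
        "client_id": "000000000000000000000",
    }


OLD_KEY_FILE = json.dumps(_fake_key_file("0ld0ld0ld0ld0ld0ld0ld0ld0ld0ld0ld0ld0ld0"))
NEW_KEY_FILE = json.dumps(_fake_key_file("n3wn3wn3wn3wn3wn3wn3wn3wn3wn3wn3wn3wn3wn"))


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# The shape `kubectl get secret ... -o json > backup/...` writes. The data key
# name "audit-logging-key.json" is an assumption made for this example.
BACKUP_SECRET = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "admin-cluster-creds", "namespace": "kube-system"},
    "type": "Opaque",
    "data": {
        "audit-logging-key.json": _b64(OLD_KEY_FILE),
        "unrelated-token": _b64("not a key file"),
    },
})


def service_account_keys_in_secret(secret_json: str) -> dict:
    """Map each data entry of a Secret dump that decodes to a service-account
    key file to its (client_email, private_key_id). Other entries are skipped."""
    found = {}
    for name, value in json.loads(secret_json).get("data", {}).items():
        try:
            key = json.loads(base64.b64decode(value))
        except ValueError:  # not valid base64, not UTF-8, or not JSON
            continue
        if isinstance(key, dict) and key.get("type") == "service_account":
            found[name] = (key.get("client_email"), key.get("private_key_id"))
    return found


def check_new_key(backup_secret_json: str, new_key_json: str, iam_account: str) -> dict:
    """Run before `gkectl update credentials`: the new key file must belong to
    iam_account and must differ from every key for that account in the backup."""
    new_key = json.loads(new_key_json)
    problems = []
    if new_key.get("type") != "service_account":
        problems.append("new key file is not a service-account key")
    if new_key.get("client_email") != iam_account:
        problems.append(f"new key belongs to {new_key.get('client_email')}, not {iam_account}")
    old_ids = {name: key_id
               for name, (email, key_id) in service_account_keys_in_secret(backup_secret_json).items()
               if email == iam_account}
    if not old_ids:
        problems.append(f"backup Secret holds no key for {iam_account}")
    for name, key_id in old_ids.items():
        if key_id == new_key.get("private_key_id"):
            problems.append(f"{name} already holds key {key_id}; no new key was created")
    return {"ok": not problems, "problems": problems,
            "old_key_ids": old_ids, "new_key_id": new_key.get("private_key_id")}


def secret_holds_key_id(secret_json: str, private_key_id: str) -> bool:
    """Run after `gkectl update credentials` on a fresh `kubectl get secret -o json`
    dump: True once some entry carries the given private_key_id."""
    return any(key_id == private_key_id
               for _, key_id in service_account_keys_in_secret(secret_json).values())


if __name__ == "__main__":
    report = check_new_key(BACKUP_SECRET, NEW_KEY_FILE, IAM_ACCOUNT)
    print(json.dumps(report, indent=2))
    # The backup still carries the old key, so the new ID is not in it yet.
    print("backup holds new key id:", secret_holds_key_id(BACKUP_SECRET, report["new_key_id"]))
```

In practice, replace the constructed strings with the contents of `backup/SECRET-NAMESPACE.json` and `NEW_KEY_FILE`, and pass the same `IAM_ACCOUNT` you gave to `gcloud`; a `client_email` mismatch is the typical sign that a key was created for the wrong service account.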