Stay organized with collections
Save and categorize content based on your preferences.
This page describes how to rotate your service account keys using gkectl for
Cloud Audit Logs, Usage Metering, and Stackdriver components on Google Distributed Cloud.
To rotate your service account keys:
Create a directory to store a backup of your current secrets:
mkdir backup
Note the following information for the relevant component:
Cloud Audit Logs
Cluster
Secret
Namespace
Admin
admin-cluster-creds
kube-system
Admin
user-cluster-creds
CLUSTER_NAME-gke-onprem-mgmt
Admin
kube-apiserver
CLUSTER_NAME
Usage Metering
Cluster
Secret
Namespace
Admin
user-cluster-creds
CLUSTER_NAME-gke-onprem-mgmt
User
usage-metering-bigquery-service-account-key
kube-system
Stackdriver
Cluster
Secret
Namespace
Admin
admin-cluster-creds
kube-system
Admin
user-cluster-creds
CLUSTER_NAME-gke-onprem-mgmt
User
google-cloud-credentials
kube-system
User
stackdriver-service-account-key
knative-serving
Create a backup of each secret using the following command:
In the corresponding configuration files for both the admin cluster and user clusters, find the cloudauditlogging, usagemetering, or stackdriver section.
Replace the serviceAccountKeyPath field with the NEW_KEY_FILE you created earlier.
Save the changes you made using the following commands:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-09 UTC."],[[["\u003cp\u003eThis page guides users through the process of rotating service account keys for Cloud Audit Logs, Usage Metering, and Stackdriver components on Google Distributed Cloud using \u003ccode\u003egkectl\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eTo begin, users should create a backup directory and then back up each relevant secret using \u003ccode\u003ekubectl\u003c/code\u003e, noting the associated cluster, secret name, and namespace.\u003c/p\u003e\n"],["\u003cp\u003eNew service account key files must be created using the \u003ccode\u003egcloud\u003c/code\u003e command, specifying the new key file name and the corresponding IAM service account.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eserviceAccountKeyPath\u003c/code\u003e in the configuration files must be updated to point to the newly created key file for the corresponding components.\u003c/p\u003e\n"],["\u003cp\u003eUsers can apply the updated credentials for the chosen component using the \u003ccode\u003egkectl update credentials\u003c/code\u003e command, specifying the configuration and kubeconfig files for either the admin or user clusters.\u003c/p\u003e\n"]]],[],null,["# Rotating service account keys\n\nThis page describes how to rotate your service account keys using `gkectl` for\nCloud Audit Logs, Usage Metering, and Stackdriver components on Google Distributed Cloud.\n| **Note:** For information on rotating the connect-register service account key file for a cluster, see [Rotate a connect-register service account key for the admin cluster](/anthos/clusters/docs/on-prem/1.8/how-to/updating-general#rotate-admin) or [Rotate a connect-register service account key for a user cluster](/anthos/clusters/docs/on-prem/1.8/how-to/updating-general#rotate-user).\n\nTo rotate your service account keys:\n\n1. Create a directory to store a backup of your current secrets:\n\n ```\n mkdir backup\n ```\n2. Note the following information for the relevant component:\n\n **Cloud Audit Logs**\n\n **Usage Metering**\n\n **Stackdriver**\n\n3. Create a backup of each secret using the following command:\n\n ```\n kubectl get secret SECRET --namespace NAMESPACE \\\n --kubeconfig KUBECONFIG -o json \u003e backup/SECRET-NAMESPACE.json\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e: the namespace where the secret is located. For example, `kube-system`.\n - \u003cvar translate=\"no\"\u003eKUBECONFIG\u003c/var\u003e: the path to the kubeconfig file for the admin or user cluster.\n - \u003cvar translate=\"no\"\u003eSECRET\u003c/var\u003e: the name of the secret. For example, `admin-cluster-creds`.\n\n For example, run the following commands for the Cloud Audit Logs component: \n\n ```\n kubectl get secret admin-cluster-creds --namespace kube-system \\\n --kubeconfig KUBECONFIG -o json \u003e backup/admin-cluster-creds-kube-system.json\n\n kubectl get secret user-cluster-creds --namespace NAMESPACE \\\n --kubeconfig KUBECONFIG -o json \u003e backup/user-cluster-creds-NAMESPACE.json\n\n kubectl get secret kube-apiserver --namespace NAMESPACE \\\n --kubeconfig KUBECONFIG -o json \u003e backup/kube-apiserver-NAMESPACE.json\n ```\n4. To create a new service account key file, run the following command:\n\n ```\n gcloud iam service-accounts keys create NEW_KEY_FILE --iam-account IAM_ACCOUNT\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eNEW_KEY_FILE\u003c/var\u003e: the name for your new service account key file\n - \u003cvar translate=\"no\"\u003eIAM_ACCOUNT\u003c/var\u003e: your service account email address for either [Cloud Audit Logs](/anthos/clusters/docs/on-prem/1.8/how-to/service-accounts#audit_logging_service_account), [Usage Metering](/anthos/clusters/docs/on-prem/1.8/how-to/service-accounts#usage_metering_service_account), or Stackdriver.\n5. In the corresponding configuration files for both the admin cluster and user clusters, find the `cloudauditlogging`, `usagemetering`, or `stackdriver` section.\n\n6. Replace the `serviceAccountKeyPath` field with the \u003cvar translate=\"no\"\u003eNEW_KEY_FILE\u003c/var\u003e you created earlier.\n\n7. Save the changes you made using the following commands:\n\n ```\n gkectl update credentials COMPONENT --admin-cluster --kubeconfig \\\n ADMIN_CLUSTER_KUBECONFIG --config ADMIN_CLUSTER_CONFIG\n\n gkectl update credentials COMPONENT --kubeconfig \\\n KUBECONFIG --config USER_CLUSTER_CONFIG\n ```\n\n Replace the following;\n - \u003cvar translate=\"no\"\u003eCOMPONENT\u003c/var\u003e: one of `cloudauditlogging`, `usagemetering`, or `stackdriver`.\n - \u003cvar translate=\"no\"\u003eADMIN_CLUSTER_KUBECONFIG\u003c/var\u003e: the path to the kubeconfig file for the admin cluster.\n - \u003cvar translate=\"no\"\u003eADMIN_CLUSTER_CONFIG\u003c/var\u003e: the path to the admin cluster configuration file.\n - \u003cvar translate=\"no\"\u003eUSER_CLUSTER_CONFIG\u003c/var\u003e: the path to the user cluster configuration file.\n\n| **Note:** If you need to restore the backup of the secret you made earlier, run the following command: \n|\n| ```\n| kubectl apply -f backup/\n| ```"]]
