Version 1.8. This version is no longer supported. For more information see the version support policy.

Rotating service account keys

This page describes how to rotate your service account keys using gkectl for Cloud Audit Logs, Usage Metering, and Stackdriver components on GKE on VMware.

To rotate your service account keys:

Create a directory to store a backup of your current secrets:
```
mkdir backup
```

Note the following information for the relevant component:

Cloud Audit Logs

Cluster	Secret	Namespace
Admin	admin-cluster-creds	kube-system
Admin	user-cluster-creds	`CLUSTER_NAME`-gke-onprem-mgmt
Admin	kube-apiserver	`CLUSTER_NAME`

Usage Metering

Cluster	Secret	Namespace
Admin	user-cluster-creds	`CLUSTER_NAME`-gke-onprem-mgmt
User	usage-metering-bigquery-service-account-key	kube-system

Stackdriver

Cluster	Secret	Namespace
Admin	admin-cluster-creds	kube-system
Admin	user-cluster-creds	`CLUSTER_NAME`-gke-onprem-mgmt
User	google-cloud-credentials	kube-system
User	stackdriver-service-account-key	knative-serving

Create a backup of each secret using the following command:

kubectl get secret SECRET --namespace NAMESPACE \
    --kubeconfig KUBECONFIG -o json > backup/SECRET-NAMESPACE.json

Replace the following:

NAMESPACE: the namespace where the secret is located. For example, kube-system.
KUBECONFIG: the path to the kubeconfig file for the admin or user cluster.
SECRET: the name of the secret. For example, admin-cluster-creds.

For example, run the following commands for the Cloud Audit Logs component:

kubectl get secret admin-cluster-creds --namespace kube-system \
        --kubeconfig KUBECONFIG -o json > backup/admin-cluster-creds-kube-system.json

kubectl get secret user-cluster-creds --namespace NAMESPACE \
        --kubeconfig KUBECONFIG -o json > backup/user-cluster-creds-NAMESPACE.json

kubectl get secret kube-apiserver --namespace NAMESPACE \
        --kubeconfig KUBECONFIG -o json > backup/kube-apiserver-NAMESPACE.json

To create a new service account key file, run the following command:
```
gcloud iam service-accounts keys create NEW_KEY_FILE --iam-account IAM_ACCOUNT
```
Replace the following:
- NEW_KEY_FILE: the name for your new service account key file
- IAM_ACCOUNT: your service account email address for either Cloud Audit Logs, Usage Metering, or Stackdriver.
In the corresponding configuration files for both the admin cluster and user clusters, find the cloudauditlogging, usagemetering, or stackdriver section.
Replace the serviceAccountKeyPath field with the NEW_KEY_FILE you created earlier.
Save the changes you made using the following commands:
```
gkectl update credentials COMPONENT --admin-cluster --kubeconfig \
  ADMIN_CLUSTER_KUBECONFIG --config ADMIN_CLUSTER_CONFIG

gkectl update credentials COMPONENT --kubeconfig \
   KUBECONFIG --config USER_CLUSTER_CONFIG
```
Replace the following;
- COMPONENT: one of cloudauditlogging, usagemetering, or stackdriver.
- ADMIN_CLUSTER_KUBECONFIG: the path to the kubeconfig file for the admin cluster.
- ADMIN_CLUSTER_CONFIG: the path to the admin cluster configuration file.
- USER_CLUSTER_CONFIG: the path to the user cluster configuration file.