Table: gcp_service_account_key - Query Google Cloud Platform Service Account Keys using SQL
A Service Account Key in Google Cloud Platform is a cryptographic key pair associated with a service account; whoever holds the private half can authenticate as that service account, because the key signs the tokens the service account presents. Keys are essential for server-to-server interactions that are not tied to a user identity. They come in two kinds: GCP-managed (SYSTEM_MANAGED) keys, which Google creates and rotates and whose private half never leaves Google, and user-managed (USER_MANAGED) keys, whose private half is downloaded or uploaded by the customer and therefore has to be protected and rotated by the customer.
Table Usage Guide
The gcp_service_account_key table provides insights into Service Account Keys within Google Cloud Platform. As a security engineer, explore key-specific details through this table, including the associated service account, key algorithm, and key origin. Use it to understand the distribution of keys, their validity windows, and their associated service accounts for better management and security.
Examples
List of service accounts using user managed keys
Identify the service accounts that have user-managed keys. These are the keys worth tracking first: Google does not rotate them, the private key lives outside GCP (on a developer laptop, in a CI secret, in a repository), and the owner is responsible for protecting, rotating, and eventually deleting it.
```sql
select
  service_account_name as service_account,
  title,
  key_type
from
  gcp_service_account_key
where
  key_type = 'USER_MANAGED';
```
Validity time for the service account keys
List the window in which each key is accepted. valid_after_time is effectively the key's creation time and is what rotation checks use to compute key age; valid_before_time is when the key stops being accepted. A user-managed key created without an expiry commonly shows a valid_before_time far in the future (year 9999), so a far-future value means "no expiry", not a typo.
```sql
select
  title,
  service_account_name as service_account,
  valid_after_time,
  valid_before_time
from
  gcp_service_account_key;
```
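Combining the two queries above: the following is an added example, not part of the original table documentation, that applies the two CIS checks listed further down this page directly in SQL, namely that each service account carries only GCP-managed keys (CIS 1.4) and that user-managed keys are no older than 90 days (CIS 1.7). The 90-day threshold and the alarm/ok labels are this example's own choices; USER_MANAGED and SYSTEM_MANAGED are the IAM API's key_type enum names, and valid_after_time stands in for the key's creation time.

```sql
-- Added example (not from the original page).
-- Check 1: every user-managed key with its age in days, flagged when it is
-- past the 90-day rotation threshold used by CIS GCP benchmark control 1.7.
-- valid_after_time is treated as the key's creation time.
select
  service_account_name as service_account,
  project,
  title as key_id,
  valid_after_time as created,
  extract(day from now() - valid_after_time) as age_days,
  case
    when valid_after_time < now() - interval '90 days' then 'alarm'
    else 'ok'
  end as rotation_status
from
  gcp_service_account_key
where
  key_type = 'USER_MANAGED'
order by
  valid_after_time;

-- Check 2: service accounts that carry any user-managed key at all. CIS GCP
-- control 1.4 expects only Google-managed (SYSTEM_MANAGED) keys, so one row
-- here is one finding. The per-type counts show how much is left to clean up
-- and oldest_user_managed_key orders the work.
select
  service_account_name as service_account,
  project,
  count(*) filter (where key_type = 'USER_MANAGED') as user_managed_keys,
  count(*) filter (where key_type = 'SYSTEM_MANAGED') as system_managed_keys,
  min(valid_after_time) filter (where key_type = 'USER_MANAGED') as oldest_user_managed_key
from
  gcp_service_account_key
group by
  service_account_name,
  project
having
  count(*) filter (where key_type = 'USER_MANAGED') > 0
order by
  oldest_user_managed_key;
```

Both queries use Postgres syntax (aggregate filter clauses, interval arithmetic) and are meant for the Steampipe Postgres database. Note that this table lists keys, not accounts: a service account with no keys at all never appears here, so enumerating accounts that are clean requires the gcp_service_account table.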
Get public key data for a service account key
Retrieve the public key material for each key of a specific service account, together with its type, origin, and algorithm. This is what you need to confirm which registered key a private key found in the wild corresponds to, and to spot keys whose key pair was generated outside GCP and uploaded (key_origin USER_PROVIDED) rather than generated by Google.
```sql
select
  name,
  key_type,
  key_origin,
  public_key_data_raw,
  public_key_data_pem
from
  gcp_service_account_key
where
  service_account_name = 'test@myproject.iam.gserviceaccount.com';
```
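A common incident-response use of these columns, as an added example that is not part of the original page: a service-account JSON key file turns up in a repository, a ticket, or a chat export, and you need to know which account it unlocks and whether it is still live. The file's private_key_id is the key ID, which is the last segment of the key's IAM resource name (projects/{project}/serviceAccounts/{email}/keys/{key_id}); this example assumes the name column holds that full resource name. The key ID in the query is a constructed placeholder.

```sql
-- Added example (not from the original page). Map a private_key_id taken from
-- a leaked JSON key file back to its service account and current validity.
-- The key id is a constructed placeholder. split_part(name, '/', 6) assumes
-- name holds the full resource name projects/<p>/serviceAccounts/<sa>/keys/<id>.
select
  service_account_name as service_account,
  project,
  split_part(name, '/', 6) as key_id,
  key_type,
  key_origin,
  key_algorithm,
  valid_after_time as created,
  valid_before_time as expires,
  now() between valid_after_time and valid_before_time as currently_valid,
  public_key_data_pem
from
  gcp_service_account_key
where
  split_part(name, '/', 6) = '0123456789abcdef0123456789abcdef01234567';
```

Read the result carefully. A row back tells you which account and project to scope the blast radius to, whether the key is still accepted right now, and gives the public key data with which to confirm the leaked private key is really this one. No row back means only that the key no longer exists in any project this Steampipe connection can see (already deleted, or out of scope); it says nothing about whether the key was used before deletion, so follow up in the audit logs either way.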
Control examples
- All Controls > IAM > Ensure that there are only GCP-managed service account keys for each service account
- All Controls > IAM > Ensure user-managed/external keys for service accounts are rotated every 90 days or less
- Check if service account keys are older than 100 days
- CIS v1.2.0 > 1 Identity and Access Management > 1.4 Ensure that there are only GCP-managed service account keys for each service account
- CIS v1.2.0 > 1 Identity and Access Management > 1.7 Ensure user-managed/external keys for service accounts are rotated every 90 days or less
- CIS v1.3.0 > 1 Identity and Access Management > 1.4 Ensure that there are only GCP-managed service account keys for each service account
- CIS v1.3.0 > 1 Identity and Access Management > 1.7 Ensure user-managed/external keys for service accounts are rotated every 90 days or less
- CIS v2.0.0 > 1 Identity and Access Management > 1.4 Ensure that there are only GCP-managed service account keys for each service account
- CIS v2.0.0 > 1 Identity and Access Management > 1.7 Ensure user-managed/external keys for service accounts are rotated every 90 days or less
- CIS v3.0.0 > 1 Identity and Access Management > 1.4 Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
- CIS v3.0.0 > 1 Identity and Access Management > 1.7 Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
Schema for gcp_service_account_key
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb |  | Steampipe context in JSON form. |
| akas | jsonb |  | Array of globally unique identifier strings (also known as) for the resource. |
| key_algorithm | text |  | Specifies the algorithm (and possibly key size) for the key. |
| key_origin | text |  | Specifies the origin of the key. |
| key_type | text |  | The type of the service account key. |
| location | text |  | The GCP multi-region, region, or zone in which the resource is located. |
| name | text | = | The friendly name that identifies the service account key. |
| project | text | =, !=, ~~, ~~*, !~~, !~~* | The GCP Project in which the resource is located. |
| public_key_data_pem | text |  | Specifies the public key data in PEM format. |
| public_key_data_raw | text |  | Specifies the public key data in raw format. |
| service_account_name | text | = | Service account in which the key is located. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb |  | Steampipe context in JSON form. |
| title | text |  | Title of the resource. |
| valid_after_time | timestamp with time zone |  | The timestamp after which the key can be used. |
| valid_before_time | timestamp with time zone |  | The timestamp after which the key is no longer valid. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_gcp --config '<your_config>' gcp_service_account_key
```