Cloud Function creates a new key for a GCP service account and updates the required secret data. The function is triggered by a Pub/Sub message sent by a secret stored in Secret Manager.
- Secret in Secret Manager sends a Pub/Sub message to the `secret-manager-notifications` Pub/Sub topic.
- Cloud Function starts.
- Cloud Function checks if the value of the `eventType` attribute is set to `SECRET_ROTATE`; if not, it stops its execution.
- Cloud Function checks if the value of the `type` label is set to `service-account`; if not, it stops its execution.
- Cloud Function reads the name of the service account from the latest version of the secret.
- Cloud Function generates a new key for the service account.
- Cloud Function creates a new secret version in Secret Manager, containing the newly created service account key.
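The two gates and the payload lookup from the steps above, as an added Go example (not the project's own function code). It assumes the message body carries the Secret resource JSON (`name`, `labels`) that Secret Manager publishes for rotation events, and that the latest secret version stores a service account key file with a `client_email` field; the secret name `projects/123/secrets/ci-sa` in `main` is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PubSubMessage is the event a Pub/Sub-triggered Go Cloud Function receives.
type PubSubMessage struct {
	Data       []byte            `json:"data"`
	Attributes map[string]string `json:"attributes"`
}

// shouldRotate applies the gates described above; the body is assumed to be the Secret JSON.
func shouldRotate(m PubSubMessage) (string, bool, error) {
	if m.Attributes["eventType"] != "SECRET_ROTATE" {
		return "", false, nil // other lifecycle events are ignored
	}
	var ev struct {
		Name   string            `json:"name"`
		Labels map[string]string `json:"labels"`
	}
	if err := json.Unmarshal(m.Data, &ev); err != nil {
		return "", false, fmt.Errorf("decode secret event: %w", err)
	}
	if ev.Labels["type"] != "service-account" {
		return "", false, nil // secret is not managed by this function
	}
	return ev.Name, true, nil
}

// serviceAccountFromPayload reads client_email, assuming the payload is a service account key file.
func serviceAccountFromPayload(payload []byte) (string, error) {
	var key struct {
		ClientEmail string `json:"client_email"`
	}
	if err := json.Unmarshal(payload, &key); err != nil {
		return "", fmt.Errorf("decode key payload: %w", err)
	}
	if key.ClientEmail == "" {
		return "", fmt.Errorf("payload has no client_email field")
	}
	return key.ClientEmail, nil
}

func main() { // constructed sample event; real invocations arrive from Pub/Sub
	m := PubSubMessage{Attributes: map[string]string{"eventType": "SECRET_ROTATE"},
		Data: []byte(`{"name":"projects/123/secrets/ci-sa","labels":{"type":"service-account"}}`)}
	fmt.Println(shouldRotate(m))
}
```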
To deploy the Cloud Function, follow these steps:
- Run `go mod vendor` inside the `development/gcp/cloud-functions/rotateserviceaccount/` directory.
- Create the `secret-manager-notifications` Pub/Sub topic, if it does not exist.
- Create the `service-${PROJECT_NUMBER}@gcp-sa-secretmanager.iam.gserviceaccount.com` service account with the `roles/pubsub.publisher` role, if it does not exist.
- Use the following command from this directory to deploy the Cloud Function:

```bash
gcloud functions deploy rotate-secrets-service-account \
  --region europe-west3 \
  --trigger-topic secret-manager-notifications \
  --runtime go116 \
  --source ./ \
  --timeout 10 \
  --max-instances 10 \
  --memory 128 \
  --entry-point RotateServiceAccount
```
To set up automatic rotation for a Secret Manager secret, follow these steps:
- Create a new secret in Secret Manager with the existing service account data.
- Add the `type: service-account` label to the secret.
- Set `secret-manager-notifications` as the secret's Pub/Sub topic.
- Set up a rotation period for the secret.