GCP User Managed Service Accounts Have User Managed Service Account Keys

This policy identifies user-managed service accounts that have user-managed service account keys instead of Google-managed keys. With user-managed keys, the user has to take ownership of key management activities such as storage, rotation and revocation. Even with owner precautions, keys are easily leaked through common development malpractices such as checking keys into source code, leaving them in a downloads directory, or accidentally pasting them into support blogs or channels. It is therefore recommended to limit the use of user-managed service account keys and instead use Google-managed keys, which cannot be downloaded.

Policy Details

Policy Subtype
Run, Build
Template Type

Build Rules

GCP User managed service accounts have user managed service account keys.
JSON Query:
$.resource[*].google_service_account_key[*].*[*].service_account_id contains google_service_account or $.resource[*].google_service_account_key[*].*[*].service_account_id any end with iam.gserviceaccount.com
Recommended solution to ensure that user-managed service accounts do not have user-managed service account keys:
Ensure that the template does not create user-managed service account keys. In the template, no "google_service_account_key" resource should have a "service_account_id" whose value references a "google_service_account" resource or is an email ending in "iam.gserviceaccount.com".
For example, a compliant template contains only resources that do not create service account keys, such as:
"google_storage_bucket": [ { "<storage_bucket_name>": [ { "name": "a-bucket", "versioning": [ { "enabled": true } ] } ] } ]
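The following is an added example of the build rule implemented locally; it is not Prisma Cloud's code. It walks the same path as the JSON query above ($.resource[*].google_service_account_key[*].*[*].service_account_id) over a Terraform template in the flattened JSON shape the page uses, where "resource" is a list of objects keyed by resource type, each type maps to a list of objects keyed by resource name, and each name maps to a list of attribute blocks. The sample template, the resource names and the function names are constructed for this example and are not from the page.

```python
"""Local implementation of the build rule (added example, not Prisma Cloud code).

Mirrors the query
  $.resource[*].google_service_account_key[*].*[*].service_account_id
    contains google_service_account  OR  any end with iam.gserviceaccount.com
over the flattened Terraform-JSON shape used on the page.
"""
import json

SA_EMAIL_SUFFIX = "iam.gserviceaccount.com"


def service_account_key_blocks(template):
    """Yield (resource_name, attributes) for each google_service_account_key block."""
    for resource in template.get("resource", []):
        for by_name in resource.get("google_service_account_key", []):
            for name, attr_blocks in by_name.items():
                for attrs in attr_blocks:
                    yield name, attrs


def is_user_managed_key(service_account_id):
    """The two clauses of the query: the value references a google_service_account
    resource (e.g. ${google_service_account.app.name}) or is a service account
    email ending in iam.gserviceaccount.com."""
    if not isinstance(service_account_id, str):
        return False
    return ("google_service_account" in service_account_id
            or service_account_id.endswith(SA_EMAIL_SUFFIX))


def find_violations(template):
    """Names of the google_service_account_key resources the rule would flag."""
    return [name for name, attrs in service_account_key_blocks(template)
            if is_user_managed_key(attrs.get("service_account_id"))]


# Constructed sample template (not from the page): two non-compliant key
# resources, one referencing a service account resource and one using a literal
# email, plus a storage bucket that the rule does not care about.
SAMPLE_TEMPLATE = json.loads("""
{
  "resource": [
    {
      "google_service_account": [
        {"app": [{"account_id": "app-runner", "display_name": "App runner"}]}
      ]
    },
    {
      "google_service_account_key": [
        {"app_key": [{"service_account_id": "${google_service_account.app.name}"}]},
        {"deploy_key": [{"service_account_id": "deploy@my-project.iam.gserviceaccount.com"}]}
      ]
    },
    {
      "google_storage_bucket": [
        {"logs": [{"name": "a-bucket", "versioning": [{"enabled": true}]}]}
      ]
    }
  ]
}
""")

if __name__ == "__main__":
    for name in find_violations(SAMPLE_TEMPLATE):
        print(f"google_service_account_key.{name}: creates a user-managed key")
```

Note that every google_service_account_key resource in the Terraform Google provider creates (or uploads) a user-managed key, so in practice the query flags the presence of the resource; the two clauses only exist so the check works whether service_account_id is an interpolation or a literal email.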

Run Rule Recommendation

If the use of user-managed keys is a requirement, limit it by applying the constraints/iam.disableServiceAccountKeyCreation Organization Policy constraint to projects, folders, or the entire organization, and then allow user-managed key creation only in well-controlled locations by overriding the constraint there.
Delete user-managed keys that are not protected or not in use. Deleting a user-managed service account key breaks any application that still authenticates with it, so verify usage before deleting.
To delete user-managed service account keys:
  1. Log in to the GCP Console.
  2. Go to APIs & Services (left panel).
  3. Select Credentials.
  4. In the Service Account Keys section, for every reported user-managed service account key, review it and click the Delete (bin) icon to delete it.
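The console steps above can be scripted. The following is an added example, not Prisma Cloud's or Google's code: it triages the key inventory of one service account as printed by gcloud iam service-accounts keys list --iam-account=<email> --format=json, keeps only USER_MANAGED keys (SYSTEM_MANAGED keys are the Google-managed ones this policy does not report), extracts the key ID and service account email from the key's resource name, and emits the equivalent gcloud delete command for each. The sample key list, the project, the emails and the reference date are constructed for this example; the fields name, keyType, validAfterTime and validBeforeTime are the ones the IAM API returns for a key.

```python
"""Triage a service account's keys for the run rule (added example).

SAMPLE_KEYS_JSON is a constructed input in the shape of
  gcloud iam service-accounts keys list --iam-account=<email> --format=json
Project, emails, key IDs and REFERENCE_TIME are made up for the example.
"""
import json
from datetime import datetime, timezone

SAMPLE_KEYS_JSON = """[
  {"name": "projects/my-project/serviceAccounts/deploy@my-project.iam.gserviceaccount.com/keys/0123456789abcdef0123456789abcdef01234567",
   "keyAlgorithm": "KEY_ALG_RSA_2048", "keyType": "USER_MANAGED",
   "validAfterTime": "2023-01-15T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/my-project/serviceAccounts/deploy@my-project.iam.gserviceaccount.com/keys/89abcdef0123456789abcdef0123456789abcdef",
   "keyAlgorithm": "KEY_ALG_RSA_2048", "keyType": "SYSTEM_MANAGED",
   "validAfterTime": "2024-03-01T00:00:00Z", "validBeforeTime": "2024-03-15T00:00:00Z"}
]"""
SAMPLE_KEYS = json.loads(SAMPLE_KEYS_JSON)

# Fixed "now" so the age computation is reproducible (constructed value).
REFERENCE_TIME = datetime(2024, 3, 15, tzinfo=timezone.utc)


def parse_key_name(name):
    """Split projects/<project>/serviceAccounts/<email>/keys/<id> into (email, id)."""
    parts = name.split("/")
    if (len(parts) != 6 or parts[0] != "projects"
            or parts[2] != "serviceAccounts" or parts[4] != "keys"):
        raise ValueError(f"unexpected service account key name: {name}")
    return parts[3], parts[5]


def parse_time(value):
    """RFC 3339 timestamp with a trailing Z -> aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def user_managed_keys(keys, now):
    """Keys the run rule reports, with the fields needed to act on them.

    Google-managed keys (keyType SYSTEM_MANAGED) cannot be downloaded and are
    skipped. Age in days since validAfterTime helps prioritise old keys that
    have never been rotated.
    """
    findings = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        email, key_id = parse_key_name(key["name"])
        age_days = (now - parse_time(key["validAfterTime"])).days
        findings.append({"service_account": email, "key_id": key_id,
                         "age_days": age_days})
    return findings


def deletion_commands(findings):
    """gcloud equivalent of the console Delete step, one command per key.

    Run these only after confirming nothing still authenticates with the key.
    """
    return [f"gcloud iam service-accounts keys delete {f['key_id']}"
            f" --iam-account={f['service_account']}" for f in findings]


if __name__ == "__main__":
    found = user_managed_keys(SAMPLE_KEYS, REFERENCE_TIME)
    for f in found:
        print(f"{f['service_account']} key {f['key_id']} is user-managed, "
              f"{f['age_days']} days old")
    for cmd in deletion_commands(found):
        print(cmd)
```

To enforce the organization policy constraint from the first recommendation with gcloud, the corresponding command is gcloud resource-manager org-policies enable-enforce constraints/iam.disableServiceAccountKeyCreation --organization=<ORG_ID> (or --folder / --project for a narrower scope); once it is in place, the script above only needs to be run against the accounts in locations where key creation remains allowed.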


The following standards are applicable to this policy:
  • CIS v1.0.0 (GCP)
  • MITRE ATT&CK [Beta]
  • ISO 27001:2013
  • CCPA 2018
