The Cloud Run service deletes old keys for Google Cloud service accounts and updates the required secret data for all service account secrets stored in Secret Manager. The service is triggered by a Cloud Scheduler job.
- Cloud Scheduler calls the service-account-keys-cleaner service.
- For each secret stored in Secret Manager, the service executes the following steps:
  - Checks if the value of the `type` label is set to `service-account`. If not, it stops running.
  - Checks if the value of the `skip-cleanup` label is set to `true`. If it is, the service stops running.
  - Reads the name of the service account from the latest version of a secret.
  - Checks if the latest secret version is older than the time in hours set in the `age` GET parameter. If not, it stops running.
  - Removes old versions of keys for the service account.
  - Removes old versions of a secret stored in Secret Manager.
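The per-secret decision logic described above, written out in Go as an added example (not the project's own code): the `type`, `skip-cleanup` and `age` checks, followed by selection of every key or secret version except the newest. The `item` type, the fixed clock and the sample versions are constructed assumptions; the real service reads this metadata from the Google Cloud APIs and honours `dry_run` before deleting anything.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// item is a secret version or a service account key (constructed type; the real service reads these from the Google Cloud APIs).
type item struct {
	Name    string
	Created time.Time
}

// shouldClean applies the label and age checks above; false means the secret is skipped, with the reason.
func shouldClean(labels map[string]string, latest time.Time, ageHours int, now time.Time) (bool, string) {
	if labels["type"] != "service-account" {
		return false, "type label is not service-account"
	}
	if labels["skip-cleanup"] == "true" {
		return false, "skip-cleanup label is true"
	}
	if now.Sub(latest) < time.Duration(ageHours)*time.Hour {
		return false, "latest version is younger than age"
	}
	return true, ""
}

// oldItems returns every item except the newest, i.e. the keys or secret versions to remove; the newest stays valid.
func oldItems(items []item) []string {
	if len(items) < 2 {
		return nil
	}
	sorted := append([]item(nil), items...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Created.After(sorted[j].Created) })
	var names []string
	for _, it := range sorted[1:] {
		names = append(names, it.Name)
	}
	return names
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	labels := map[string]string{"type": "service-account"}
	versions := []item{{"v1", now.Add(-72 * time.Hour)}, {"v2", now.Add(-6 * time.Hour)}}
	ok, why := shouldClean(labels, versions[1].Created, 5, now)
	fmt.Println("clean:", ok, why, "remove:", oldItems(versions)) // with dry_run=true the service only reports, it does not delete
}
```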
ServiceAccountKeysCleaner is deployed to Cloud Run by applying the Terraform config stored in the `./terraform` directory. `terraform apply` runs automatically on every PR that changes Terraform `.tf` files belonging to the application.
- Create the `service-${PROJECT_NUMBER}@gcp-sa-secretmanager.iam.gserviceaccount.com` service account with the `roles/pubsub.publisher` role if it does not exist.
- Merge your changes to the test-infra `main` branch to trigger Terraform execution.
The Cloud Run service accepts the following GET parameters:

| Name | Required | Description |
|---|---|---|
| `project` | Yes | The name of the Google Cloud project with Secret Manager. |
| `age` | No | The age in hours that the latest version of a secret has to exist before old versions can be deleted. It defaults to `5`. |
| `dry_run` | No | The value controlling the dry run mode. It defaults to `false`. |