Hello team,
We are using a service account and key for integration (let’s set aside the security concerns for now).
I’d like to clarify a behavior I’ve observed:
- When creating a Service Account (SA), we assign IAM permissions to it. These permissions are bound to the account itself.
- After assigning permissions, we generate a Service Account Key for authentication.
- Now, when authenticating with this key, the permissions should reflect those assigned to the service account.
However, I’ve noticed that if we update the IAM permissions of the service account, the key does not seem to inherit the new permissions automatically. Instead, it appears that regenerating the key is required to reflect the updated permissions.
Is this expected behavior? Shouldn’t the key dynamically inherit the latest permissions assigned to the service account? Any insights would be appreciated.
Thanks
Vinoth_GCP
Hello @DarwinVinoth, welcome to the Google Cloud Community.
This behavior works as expected. Basically, the SA key is a flat file. So, this file contains the permissions which were assigned during key creation (and keeps them in an encoded way). You may ask the reason for such behavior. Well, security matters. Imagine the situation where you’ve created a SA along with a key and RO permissions. You’ve downloaded the key AND, by human mistake, wrongly uploaded this key to a public repository on GitHub. I’ve cloned this repository, downloaded the key and used it against you. What if, after uploading the key, you’ve decided to raise your privileges (for example to Org Admin)? If the SA key automatically obtained such permissions, your Org in this case would have a lot of trouble. So based on that, you should either implement a key rotation policy OR, which is even better, stop using SA Keys and start using Workload Identity Federation.
If this helped, mark it as an “Accepted Solution”.
–
cheers,
Damian Sztankowski
This is not the case for the Service Account Key, correct? When you examine the Service Account Key file, it only contains the private key used for authentication.
How does this impact permissions? The key itself does not define permissions—they are determined by the roles assigned to the corresponding service account within the IAM policy.
Thanks
Vinoth_GCP
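As an added example (not code from either poster), the script below inspects which fields a downloaded service account key file carries and applies the key rotation policy suggested in the thread to a key listing. Both inputs are constructed samples shaped like a real key file and like `gcloud iam service-accounts keys list --format=json` output; the project, account and private key are placeholders, and the 90-day threshold is an assumed policy value.

```python
"""Inspect a GCP service account key file and flag keys past a rotation age."""
import json
from datetime import datetime, timedelta, timezone

SA = "integration-sa@example-project.iam.gserviceaccount.com"
KEY_PREFIX = f"projects/example-project/serviceAccounts/{SA}/keys/"

# Constructed sample key file with the same field set as a downloaded key.
# The private key is a placeholder, not real key material.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": SA,
    "client_id": "123456789012345678901",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Constructed sample shaped like `gcloud iam service-accounts keys list --format=json`.
SAMPLE_KEY_LISTING = json.dumps([
    {"name": KEY_PREFIX + "aaa", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-10T08:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": KEY_PREFIX + "bbb", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-05-01T08:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": KEY_PREFIX + "ccc", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-05-20T08:00:00Z", "validBeforeTime": "2024-06-03T08:00:00Z"},
])

ROLE_LIKE = {"role", "roles", "permissions", "bindings", "scopes"}

def key_file_fields(key_json):
    """Return (sorted field names, role-like field names present) for a key file."""
    fields = set(json.loads(key_json))
    return sorted(fields), sorted(fields & ROLE_LIKE)

def stale_user_keys(listing_json, now, max_age_days=90):
    """Return the IDs of user-managed keys older than max_age_days (rotation check)."""
    stale = []
    for key in json.loads(listing_json):
        if key["keyType"] != "USER_MANAGED":
            continue  # Google-managed keys are rotated by Google; only user keys are ours to rotate
        created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        if now - created > timedelta(days=max_age_days):
            stale.append(key["name"].rsplit("/", 1)[-1])
    return stale

if __name__ == "__main__":
    fields, role_fields = key_file_fields(SAMPLE_KEY_FILE)
    print("key file fields:", fields)
    print("role/permission fields in key file:", role_fields or "none")
    print("keys past rotation age:", stale_user_keys(SAMPLE_KEY_LISTING, datetime(2024, 6, 1, tzinfo=timezone.utc)))
```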