Triage and Remediation
Remediation
Using Console
To remediate the “Disable Service Account Key Upload” misconfiguration in GCP using the GCP console, follow these steps:
- Log in to your GCP console and navigate to the IAM & Admin section.
- Click on the “Service Accounts” tab.
- Select the service account for which you want to disable the key upload.
- Click on the “Edit” button located at the top of the page.
- Scroll down to the “Service Account Permissions” section and uncheck the “Create and manage keys” option.
- Click on the “Save” button to save the changes.
- Verify that the “Create and manage keys” option is unchecked for the service account.
Using CLI
To remediate the “Disable Service Account Key Upload” misconfiguration in GCP using the GCP CLI, follow these steps:
- Open the Cloud Shell in your GCP Console.
- Run the following command to disable the Service Account Key Upload:
  Replace [SERVICE_ACCOUNT_EMAIL] with the email address of the service account for which you want to disable the key upload.
- Verify that the key upload is disabled by running the following command:
  This command should return the service account details, including the “Disabled” field set to “true”.
- Repeat the above steps for all the service accounts in your GCP project.
Using Python
To disable service account key upload in GCP using Python, you can follow these steps:
- Import the necessary libraries:
- Set up authentication by creating a service account and downloading its JSON key file. Then, create a credentials object using the key file:
- Create a GCP service object for the IAM API:
- Use the projects.serviceAccounts.update method to update the service account configuration:
- Verify that the configuration has been updated by checking the disableKeyUpload field of the service account:
This should return True, indicating that service account key upload has been disabled.
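A complementary audit for the "repeat for all service accounts" step, added here as an example and not taken from the original page: it flags keys that were uploaded rather than generated by Google. It assumes the input is a list of key records shaped like the IAM API ServiceAccountKey resource (for instance, saved output of `gcloud iam service-accounts keys list --format=json`); the project, account names and key IDs in the sample are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records (ServiceAccountKey resource shape); all names are made up.
SAMPLE_KEYS_JSON = """
[
 {"name": "projects/example-proj/serviceAccounts/ci@example-proj.iam.gserviceaccount.com/keys/aaa111",
  "keyType": "USER_MANAGED", "keyOrigin": "GOOGLE_PROVIDED"},
 {"name": "projects/example-proj/serviceAccounts/ci@example-proj.iam.gserviceaccount.com/keys/bbb222",
  "keyType": "USER_MANAGED", "keyOrigin": "USER_PROVIDED"},
 {"name": "projects/example-proj/serviceAccounts/deploy@example-proj.iam.gserviceaccount.com/keys/ccc333",
  "keyType": "SYSTEM_MANAGED", "keyOrigin": "GOOGLE_PROVIDED"},
 {"name": "projects/example-proj/serviceAccounts/deploy@example-proj.iam.gserviceaccount.com/keys/ddd444",
  "keyType": "USER_MANAGED"}
]
"""

def split_key_name(name):
    """Return (service_account_email, key_id) from a key resource name."""
    parts = name.split("/")
    # Expected form: projects/<project>/serviceAccounts/<email>/keys/<key_id>
    if len(parts) != 6 or parts[2] != "serviceAccounts" or parts[4] != "keys":
        raise ValueError(f"unexpected key resource name: {name!r}")
    return parts[3], parts[5]

def find_uploaded_keys(keys):
    """Return ({email: [key_id, ...]} for uploaded keys, [(email, key_id)] needing review).

    Records with a missing or unrecognized keyOrigin are reported separately
    so they get a manual look instead of silently passing the audit.
    """
    uploaded, unknown = defaultdict(list), []
    for key in keys:
        email, key_id = split_key_name(key["name"])
        if key.get("keyType") == "SYSTEM_MANAGED":
            continue  # keys Google creates and rotates itself; never uploaded
        origin = key.get("keyOrigin")
        if origin == "USER_PROVIDED":
            uploaded[email].append(key_id)
        elif origin != "GOOGLE_PROVIDED":
            unknown.append((email, key_id))
    return dict(uploaded), unknown

if __name__ == "__main__":
    uploaded, unknown = find_uploaded_keys(json.loads(SAMPLE_KEYS_JSON))
    for email, ids in uploaded.items():
        print(f"{email}: uploaded keys {ids}")
    for email, key_id in unknown:
        print(f"{email}: key {key_id} has no recognizable keyOrigin, review manually")
```

Keys reported as uploaded predate or bypass the restriction and need to be reviewed and rotated separately, since disabling upload does not remove keys that already exist.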