Rotatekeys for GCP google cloud powershell
# Enable IAM API https://cloud.google.com/iam/docs/creating-managing-service-account-keys#iam-service-account-keys-create-gcloud
# The following script rotates all JSON keys present in the current folder.
# The current service account needs the Service Account Key Admin permission to rotate keys.
# Set-ExecutionPolicy -ExecutionPolicy Unrestricted
# Add CLOUDSDK_PYTHON variable e.g. D:\Programfiles\gcloud\google-cloud-sdk\platform\bundledpython\python.exe
# Import-Module GoogleCloud
# gcloud iam service-accounts keys create newfile.json --iam-account [email protected]
# gcloud iam service-accounts keys list --iam-account [email protected] --project x-x-xxxx --filter="name~xxxxxxxxxxxxx" --format=json
# Remember that filters are applied to the field names of the JSON output format
# https://stackoverflow.com/questions/13318382/how-do-i-dynamically-add-elements-to-arrays-in-powershell?noredirect=1&lq=1
# https://stackoverflow.com/questions/51723982/creating-a-dynamic-hashtable-in-powershell
# https://docs.microsoft.com/en-us/powershell/scripting/learn/deep-dives/everything-about-hashtable?view=powershell-7.2
# https://stackoverflow.com/questions/23755048/powershell-add-lines-to-a-custom-objects
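# Rotate every service-account key file (*.json) under the script folder.
# For each key file: authenticate with it, look up the key's creation date via
# gcloud, and when the key is older than $criticaldate create a replacement key,
# retire the old key and swap the file on disk. A summary of the processed keys
# (filename plus keydate, or 'invoice' = $null when authentication failed) is
# emitted at the end, newest key first.
$keylist = @()
$error.Clear()
Set-Location -Path $PSScriptRoot
# Keys whose validAfterTime is on or before this date are rotated.
$criticaldate = (Get-Date).AddMonths(-1)
#$date_str = '{0:yyyy-MM-dd}' -f $date
Get-ChildItem ".\" -Recurse -Filter *.json |
ForEach-Object {
    $keydetails = @{}
    $filename = $_.FullName
    $fileparent = $_.Directory.FullName
    $name = $_.BaseName + $_.Extension
    # -LiteralPath: key file names are taken verbatim, no wildcard expansion.
    $key = (Get-Content -LiteralPath $filename) | ConvertFrom-Json
    $saemail = $key.client_email
    $sakey = $key.private_key_id
    $projectid = $key.project_id
    $keydetails.add( 'filename', $filename )
    Write-Host "Reading File " $name
    gcloud auth activate-service-account --project $projectid --key-file $filename
    if ( -not $? ) {
        #$msg = $Error[0].Exception.Message
        Write-Host "Encountered error. Error Message is $error. Please check." #>> $LogFile
        $keydetails.add( 'invoice', $null )
        $keylist += $keydetails
        # 'continue' inside a ForEach-Object script block is not a loop
        # continue: it terminates the whole pipeline, so the remaining key
        # files would never be processed. 'return' skips only this file.
        return
    }
    $versions = gcloud iam service-accounts keys list --project $projectid `
        --iam-account=$saemail --filter="name~$sakey" `
        --format=json | ConvertFrom-Json
    if ( $versions.Count -eq 1 ) {
        # validAfterTime is an RFC 3339 timestamp; the first 10 chars are the date.
        $keydate_str = $versions.validAfterTime.Substring(0, 10)
        $keydate = [datetime]::ParseExact($keydate_str, 'yyyy-MM-dd', $null)
        $keydetails.add( 'keydate', $keydate_str )
        $keylist += $keydetails
        if ( $keydate -le $criticaldate ) {
            # Write the replacement next to the file it replaces, not in the
            # script folder (the walk is recursive).
            $newkeyname = Join-Path $fileparent 'newfile.json'
            gcloud iam service-accounts keys create $newkeyname --iam-account $saemail
            $created = $?
            # Retire the old key only after the new one is confirmed on disk;
            # deleting first would lock the service account out of every
            # caller if key creation failed.
            if ( $created -and (Test-Path -LiteralPath $newkeyname) -and (Get-Content -LiteralPath $newkeyname) ) {
                gcloud iam service-accounts keys delete $sakey --iam-account $saemail --quiet
                if ( -not $? ) {
                    # Local file is swapped anyway: the new key is valid, the
                    # old one just needs to be cleaned up by hand.
                    Write-Host "Warning: could not delete old key $sakey for $saemail; delete it manually."
                }
                Write-Host "Replacing Keys !!"
                Remove-Item -LiteralPath $filename
                Rename-Item -LiteralPath $newkeyname -NewName $name
            } else {
                Write-Host "Key creation failed for $saemail; keeping the existing key."
                # Remove any partial output at the path that was actually used.
                if ( Test-Path -LiteralPath $newkeyname ) {
                    Remove-Item -LiteralPath $newkeyname
                }
            }
        }
    }
    # Drop the cached credential so the key is not left active in gcloud's store.
    gcloud auth revoke $saemail
}
$keylist | ForEach-Object { New-Object PSObject -Property $_ } | Sort-Object -Property keydate -Descending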