.png?fit=max&auto=format&n=tsMQJyneJ1xquFUo&q=85&s=4d401cc03b547d99b6f75a6bd170c334){kind=spacer}
Checks that user-managed GCP service account keys are rotated within 90 days.Documentation Index
Fetch the complete documentation index at: https://help.dsalta.com/llms.txt
Use this file to discover all available pages before exploring further.
Why This Matters
Stale or overly permissive credentials are a primary attack vector. Unused access keys, unrotated credentials, and root account usage all expand your blast radius. Credential hygiene is a core control in SOC 2 (CC6.1) and CIS Benchmarks.What DSALTA Checks
DSALTA connects to your Google Cloud Platform (GCP) environment using read-only API access and evaluates this configuration on every sync cycle. The test result appears in your Data Library → Tests dashboard:- Passing — The configuration meets requirements. No action needed.
- Failing — The configuration does not meet requirements. Follow the remediation steps below.
- Not configured — The integration is connected but the required service or feature has not been set up yet.
How to Fix
If this test is failing, follow these steps to remediate:- Sign in to the Google Cloud Console and navigate to IAM & Admin → Service accounts.
- Select the service account and go to the Keys tab.
- Check the Created date for each key — identify keys older than 90 days.
- For each expired key: click Add key → Create new key (JSON format).
- Update all applications using the old key to use the new key.
- Once confirmed, delete the old key.
- Set a recurring calendar reminder to rotate keys every 90 days.
- Better: migrate to Workload Identity Federation to eliminate key management entirely.
- Once all keys are within 90 days, DSALTA will update the test status to Passing.
Frequently Asked Questions
How often does this test run?
How often does this test run?
This test runs automatically every 24 hours when the Google Cloud Platform (GCP) integration is connected. You can trigger a manual sync at any time from the integration settings page.
What happens if this test fails?
What happens if this test fails?
A failing test generates an alert in your DSALTA dashboard. The assigned responsible role receives a notification. Remediate the issue before it affects your compliance posture.
Can I exclude this test?
Can I exclude this test?
Yes. If this test does not apply to your environment, you can mark it as Not Applicable with a justification. This exclusion is documented for auditors.
Does DSALTA modify my Google Cloud Platform (GCP) configuration?
Does DSALTA modify my Google Cloud Platform (GCP) configuration?
No. DSALTA uses read-only API access and never modifies, creates, or deletes resources in your environment. Remediation actions must be performed by your team directly in Google Cloud Platform (GCP).