google / cloud-forensics-utils

Python library to carry out DFIR analysis on the Cloud
Apache License 2.0

Remove a service account attachment from an instance #278

Closed ramo-j closed 3 years ago

ramo-j commented 3 years ago

Feature - Upon discovery of a compromise, an operator should be able to quickly remove service accounts attached to instances to prevent any API activity from a malicious actor with access.

Note, already issued service account tokens cannot be revoked[1] but have a default lifespan of 1 hour[2].

[1] https://cloud.google.com/sdk/gcloud/reference/auth/revoke - When given a service account, this command does not revoke the service account token on the server because service account tokens are not revocable.

[2] https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials - By default, the maximum token lifetime is 1 hour (3,600 seconds).
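Added example, not part of the issue or of cloud-forensics-utils: because tokens issued before the detachment stay valid for up to an hour, a responder reviewing Cloud Audit Logs can sort the service account's later API calls into those that fall inside that residual window and those that fall after it. The account name, timestamps, log entries and the verdict labels are constructed for illustration; reading a call after the window as a sign of a different credential (for example an exported key) is an assumption of this sketch.

```python
from datetime import datetime, timedelta, timezone

# Default maximum token lifetime quoted in the issue (3,600 seconds).
TOKEN_LIFETIME = timedelta(seconds=3600)

def parse_ts(value):
    """Parse an RFC 3339 UTC ("Z") timestamp; fractions beyond microseconds are dropped."""
    head, _, frac = value.rstrip("Z").partition(".")
    ts = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return ts + timedelta(microseconds=int(frac[:6].ljust(6, "0")) if frac else 0)

def classify_post_detach_activity(entries, service_account, detached_at):
    """Return (timestamp, method, verdict) for the account's calls after detachment."""
    detached = parse_ts(detached_at)
    window_end = detached + TOKEN_LIFETIME
    found = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        principal = payload.get("authenticationInfo", {}).get("principalEmail")
        ts = parse_ts(entry["timestamp"])
        if principal != service_account or ts <= detached:
            continue  # other identities, or activity before containment
        # Inside the window a previously issued token can still be in use.
        verdict = ("residual-token-window" if ts <= window_end
                   else "other-credential-suspected")
        found.append((ts, entry["timestamp"], payload.get("methodName"), verdict))
    return [item[1:] for item in sorted(found)]

def _entry(ts, principal, method):
    """Build a minimal audit-log-shaped record (constructed sample data)."""
    return {"timestamp": ts,
            "protoPayload": {"methodName": method,
                             "authenticationInfo": {"principalEmail": principal}}}

SA = "sample-sa@example-project.iam.gserviceaccount.com"  # constructed name
DETACHED_AT = "2021-03-01T10:00:00Z"                      # constructed time
SAMPLE_ENTRIES = [
    _entry("2021-03-01T11:30:00Z", SA, "storage.objects.get"),
    _entry("2021-03-01T09:55:00Z", SA, "v1.compute.instances.list"),
    _entry("2021-03-01T10:20:00.123456789Z", SA, "storage.objects.list"),
    _entry("2021-03-01T10:30:00Z", "analyst@example.com", "storage.objects.list"),
]

if __name__ == "__main__":
    for row in classify_post_detach_activity(SAMPLE_ENTRIES, SA, DETACHED_AT):
        print(*row)
```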

tomchop commented 3 years ago

Closing here as #281 has been merged.

Tip: if you add "closes #278" or "fixes #278" somewhere in the PR title or description, it will automatically close the mentioned issues.