This page shows you how to use Activity Analyzer to see when your service accounts and keys were last used to call a Google API. These usages are called authentication activities.
Recent authentication activity can help you the identify service accounts and service account keys that you no longer use. We recommend disabling or deleting these unused service accounts and keys because they create an unnecessary security risk.
Before you begin
- Understand authentication activities.
-
Enable the Policy Analyzer API.
Required roles
To get the permissions that you need to list the most recent authentication activities for your
service accounts and service account keys,
ask your administrator to grant you the
Activity Analysis Viewer (roles/policyanalyzer.activityAnalysisViewer
) IAM role on the project.
For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the permissions required to list the most recent authentication activities for your service accounts and service account keys. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to list the most recent authentication activities for your service accounts and service account keys:
-
policyanalyzer.serviceAccountKeyLastAuthenticationActivities.query
-
policyanalyzer.serviceAccountLastAuthenticationActivities.query
You might also be able to get these permissions with custom roles or other predefined roles.
View recent usage for all service accounts or keys
To list the dates of the most recent authentication activities for all of your service accounts or service account keys, use the Google Cloud CLI or REST API.
gcloud
To list the most recent authentication activities for your service accounts or
keys, use the gcloud policy-intelligence query-activity
command:
gcloud policy-intelligence query-activity --activity-type=ACTIVITY_TYPE \ --project=PROJECT_ID --limit=LIMIT
Replace the following values:
ACTIVITY_TYPE
: The activity type that you want to list. To list the most recent usage times for your service accounts, useserviceAccountLastAuthentication
. To list most recent usage times for your service account keys, useserviceAccountKeyLastAuthentication
.PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.LIMIT
: Optional. The maximum number of results to be returned. The default value is1000
.
The response is similar to the following, which lists recent usage times for a project's service accounts:
---
activity:
lastAuthenticatedTime: '2021-04-27T07:00:00Z'
serviceAccount:
fullResourceName: //iam.googleapis.com/projects/my-project/serviceAccounts/service-account-1@my-project.iam.gserviceaccount.com
projectNumber: '123456789012'
serviceAccountId: '123456789012345678901'
activityType: serviceAccountLastAuthentication
fullResourceName: //iam.googleapis.com/projects/my-project/serviceAccounts/service-account-1@my-project.iam.gserviceaccount.com
observationPeriod:
endTime: '2021-07-06T07:00:00Z'
startTime: '2020-03-12T07:00:00Z'
---
activity:
lastAuthenticatedTime: '2021-02-09T08:00:00Z'
serviceAccount:
fullResourceName: //iam.googleapis.com/projects/my-project/serviceAccounts/service-account-2@my-project.iam.gserviceaccount.com
projectNumber: '123456789012'
serviceAccountId: '234567890123456789012'
activityType: serviceAccountLastAuthentication
fullResourceName: //iam.googleapis.com/projects/my-project/serviceAccounts/service-account-2@my-project.iam.gserviceaccount.com
observationPeriod:
endTime: '2021-07-06T07:00:00Z'
startTime: '2020-09-01T07:00:00Z'
To learn how to understand these results, see Understand activities on this page.
REST
To list the most recent authentication activities for your service accounts or keys, use the Policy Analyzer API's
activities.query
method.
Before using any of the request data, make the following replacements:
PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.ACTIVITY_TYPE
: The activity type that you want to list. To list the most recent usages for all of your service accounts, useserviceAccountLastAuthentication
. To list most recent usages for all of your service account keys, useserviceAccountKeyLastAuthentication
.-
PAGE_SIZE
: Optional. The maximum number of results to return from this request. If not specified, the server will determine the number of results to return. If the number of activities is greater than the page size, the response contains a pagination token that you can use to retrieve the next page of results. -
PAGE_TOKEN
: Optional. The pagination token returned in an earlier response from this method. If specified, the list of activities will start where the previous request ended.
HTTP method and URL:
GET https://policyanalyzer.googleapis.com/v1/projects/PROJECT_ID/locations/global/activityTypes/ACTIVITY_TYPE/activities:query?pageSize=PAGE_SIZE&pageToken=PAGE_TOKEN
To send your request, expand one of these options:
The response is similar to the following, which lists recent usage times for a project's service accounts:
{ "activities": [ { "fullResourceName": "//iam.googleapis.com/projects/my-project/serviceAccounts/[email protected]", "activityType": "serviceAccountLastAuthentication", "observationPeriod": { "startTime": "2020-04-20T07:00:00Z", "endTime": "2021-05-17T07:00:00Z" }, "activity": { "lastAuthenticatedTime": "2021-04-28T07:00:00Z", "serviceAccount": { "projectNumber": "123456789012", "fullResourceName": "//iam.googleapis.com/projects/my-project/serviceAccounts/[email protected]", "serviceAccountId": "123456789012345678901" } } }, { "fullResourceName": "//iam.googleapis.com/projects/my-project/serviceAccounts/[email protected]", "activityType": "serviceAccountLastAuthentication", "observationPeriod": { "startTime": "2020-04-20T07:00:00Z", "endTime": "2021-05-17T07:00:00Z" }, "activity": { "lastAuthenticatedTime": "2021-04-29T07:00:00Z", "serviceAccount": { "projectNumber": "123456789012", "fullResourceName": "//iam.googleapis.com/projects/my-project/serviceAccounts/[email protected]", "serviceAccountId": "234567890123456789012" } } } ], "nextPageToken": "AVgRrQV4b5nISN6cGJvTPFJ2v_" }
To learn how to understand these results, see Understand activities on this page.
View recent usage for specific service accounts
To find the last date that specific service accounts were used, use the Google Cloud console, gcloud CLI, or REST API.
Console
In the Google Cloud console, go to the Policy Analyzer page.
Under Analyze recent activity, find the pane labeled When was the last time this service account was used? and click Create query in that pane.
In the Select query scope box, enter the name of the project whose service accounts you want to analyze.
In the Add service accounts section, click the Service account box. A list of all service accounts in your project appears. The list also includes the project that each service account is associated with and the email address for each service account.
Select the service account that you want to view recent usage for.
Optional: To view recent usage for more than one service account, click Add account and select another service account. You can analyze up to 10 service accounts at a time.
In the Query for access activities panel, click Run query.
The results page shows the most recent usage for the service accounts. To learn how to understand these results, see Understand activities on this page.
gcloud
To get the most recent authentication activity for specific service accounts,
use the gcloud policy-intelligence query-activity
command with a filter:
gcloud policy-intelligence query-activity --activity-type=serviceAccountLastAuthentication \ --project=PROJECT_ID \ --query-filter='FILTER'
Replace the following values:
PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.FILTER
: A filter specifying the full resource names of the service accounts whose usage you want to see. The full resource name of a service account includes the project ID and the email address of the service account.To filter for a single service account, use a filter with the following format:
activities.full_resource_name="//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL"
To filter for multiple service accounts, use
OR
to specify multiple acceptable full resource names:activities.full_resource_name="//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_1_EMAIL" OR activities.full_resource_name="//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_2_EMAIL"
You can filter for up to 10 service accounts.
The response describes the most recent usage for the service accounts:
---
activity:
lastAuthenticatedTime: '2021-04-27T07:00:00Z'
serviceAccount:
fullResourceName: //iam.googleapis.com/projects/my-project/serviceAccounts/service-account-1@my-project.iam.gserviceaccount.com
projectNumber: '123456789012'
serviceAccountId: '123456789012345678901'
activityType: serviceAccountLastAuthentication
fullResourceName: //iam.googleapis.com/projects/my-project/serviceAccounts/service-account-1@my-project.iam.gserviceaccount.com
observationPeriod:
endTime: '2021-07-06T07:00:00Z'
startTime: '2020-03-12T07:00:00Z'
To learn how to understand these results, see Understand activities on this page.
REST
To get the most recent authentication activity for specific service accounts, use the Policy Analyzer API's
activities.query
method.
Before using any of the request data, make the following replacements:
PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.FILTER
: A filter specifying the full resource names of the service accounts whose usage you want to see.To filter for a single service account, use a filter with the following format:
activities.full_resource_name%3D%22%2F%2Fiam.googleapis.com%2Fprojects%2FPROJECT_ID%2FserviceAccounts%2FSERVICE_ACCOUNT_EMAIL%22
To filter for multiple service accounts, use
%20OR%20
to specify multiple acceptable full resource names:activities.full_resource_name%3D%22%2F%2Fiam.googleapis.com%2Fprojects%2FPROJECT_ID%2FserviceAccounts%2FSERVICE_ACCOUNT_1_EMAIL%22%20OR%20activities.full_resource_name%3D%22%2F%2Fiam.googleapis.com%2Fprojects%2FPROJECT_ID%2FserviceAccounts%2FSERVICE_ACCOUNT_2_EMAIL%22
HTTP method and URL:
GET https://policyanalyzer.googleapis.com/v1/projects/PROJECT_ID/locations/global/activityTypes/serviceAccountLastAuthentication/activities:query?filter=FILTER
To send your request, expand one of these options:
The response describes the most recent usage for the service accounts:
{ "activities": [ { "fullResourceName": "//iam.googleapis.com/projects/my-project/serviceAccounts/[email protected]", "activityType": "serviceAccountLastAuthentication", "observationPeriod": { "startTime": "2020-04-20T07:00:00Z", "endTime": "2021-05-17T07:00:00Z" }, "activity": { "lastAuthenticatedTime": "2021-04-28T07:00:00Z", "serviceAccount": { "projectNumber": "123456789012", "fullResourceName": "//iam.googleapis.com/projects/my-project/serviceAccounts/[email protected]", "serviceAccountId": "123456789012345678901" } } } ] }
View recent usage for specific service account keys
To find the last date that specific service account keys were used, identify the service account key that you want to view recent usage for, then create a query using that ID.
If you have a JSON key file, you can find a service account key's unique ID in
the file's private_key_id
field.
If you don't have a JSON key file, you can find a service account key's unique ID by following these steps:
Console
In the Google Cloud console, go to the Policy Analyzer page.
Under Analyze recent activity, find the pane labeled When was the last time this service account key was used? and click Create query in that pane.
In the Select query scope box, enter the name of the project whose service account keys you want to analyze.
In the Add service account key section, click the Service account key box. A list of all service account keys in your project appears. The list also includes the project and service account that each key is associated with.
Select the key that you want to view recent usage for.
Optional: To view recent usage for more than one key, click Add key and select another key. You can analyze up to 10 keys at a time.
In the Query for access activities panel, click Run query.
The results page shows the most recent usage for the service account keys. To learn how to understand these results, see Understand activities on this page.
gcloud
First, identify the service account key that you want to view recent usage for:
List the service account keys.
Before using any of the command data below, make the following replacements:
-
SERVICE_ACCOUNT_EMAIL
: The email address of the service account that the key is associated with.
Execute the gcloud iam service-accounts keys list command:
Linux, macOS, or Cloud Shell
gcloud iam service-accounts keys list --iam-account=SERVICE_ACCOUNT_EMAIL
Windows (PowerShell)
gcloud iam service-accounts keys list --iam-account=SERVICE_ACCOUNT_EMAIL
Windows (cmd.exe)
gcloud iam service-accounts keys list --iam-account=SERVICE_ACCOUNT_EMAIL
The output shows a list of all of the user-created keys associated with the service account, including each key's unique ID, creation time, and expiration time.
-
Use the data in the output to identify the key you want to track and copy its unique ID.
After you find the unique IDs for the service account keys, use the IDs to filter the results from Activity Analyzer:
To get the most recent authentication activity for specific service account
keys, use the gcloud policy-intelligence query-activity
command with a filter.
Before using any of the command data below, make the following replacements:
PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.-
FILTER
: A filter specifying the full resource names of the service account keys whose usage you want to see. The full resource name of a service account key includes the project ID, the email address of the service account associated with the key, and the key ID.To filter for a single service account key, use a filter with the following format:
activities.full_resource_name="//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL/keys/KEY_ID"
To filter for multiple service account keys, use
OR
to specify multiple acceptable full resource names:activities.full_resource_name="//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_1_EMAIL/keys/KEY_ID_1" OR activities.full_resource_name="//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_2_EMAIL/keys/KEY_ID_2"
You can filter for up to 10 service account keys.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud policy-intelligence query-activity --activity-type=serviceAccountKeyLastAuthentication \ --project=PROJECT_ID \ --query-filter='FILTER'
Windows (PowerShell)
gcloud policy-intelligence query-activity --activity-type=serviceAccountKeyLastAuthentication ` --project=PROJECT_ID ` --query-filter='FILTER'
Windows (cmd.exe)
gcloud policy-intelligence query-activity --activity-type=serviceAccountKeyLastAuthentication ^ --project=PROJECT_ID ^ --query-filter='FILTER'
You should receive a response similar to the following:
activity: lastAuthenticatedTime: '2021-06-11T07:00:00Z' serviceAccountKey: fullResourceName: //iam.googleapis.com/projects/my-project/serviceAccounts/[email protected]/keys/1c65fca351d6925e629059743428b7af243a728c projectNumber: '232342569935' serviceAccountId: '103185812403937829397' activityType: serviceAccountKeyLastAuthentication fullResourceName: //iam.googleapis.com/projects/my-project/serviceAccounts/[email protected]/keys/1c65fca351d6925e629059743428b7af243a728c observationPeriod: endTime: '2021-07-06T07:00:00Z' startTime: '2020-09-10T07:00:00Z'
This response describes the most recent usage for the service account keys. To learn how to understand these results, see Understand activities on this page.
REST
First, identify the service account key that you want to view recent usage for:
List the service account keys:
To list all of the service account keys for a service account, use the IAM API's
projects.serviceAccounts.keys.list
method.Before using any of the request data, make the following replacements:
PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.SA_NAME
: The name of the service account whose keys you want to list.KEY_TYPES
: Optional. A comma-separated list of key types that you want to include in the response. The key type indicates whether a key is user-managed (USER_MANAGED
) or system-managed (SYSTEM_MANAGED
). If left blank, all keys are returned.
HTTP method and URL:
GET https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys?keyTypes=KEY_TYPES
To send your request, expand one of these options:
The response describes the most recent usage for the service account keys:
{ "keys": [ { "name": "projects/my-project/serviceAccounts/[email protected]/keys/90c48f61c65cd56224a12ab18e6ee9ca9c3aee7c", "validAfterTime": "2020-03-04T17:39:47Z", "validBeforeTime": "9999-12-31T23:59:59Z", "keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED", "keyType": "USER_MANAGED" }, { "name": "projects/my-project/serviceAccounts/[email protected]/keys/e5e3800831ac1adc8a5849da7d827b4724b1fce8", "validAfterTime": "2020-03-31T23:50:09Z", "validBeforeTime": "9999-12-31T23:59:59Z", "keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED", "keyType": "USER_MANAGED" }, { "name": "projects/my-project/serviceAccounts/[email protected]/keys/b97699f042b8eee6a846f4f96259fbcd13e2682e", "validAfterTime": "2020-05-17T18:58:13Z", "validBeforeTime": "9999-12-31T23:59:59Z", "keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED", "keyType": "USER_MANAGED", "disabled": true } ] }
Use the metadata in the response to identify the key you want to track. Then, copy the key's unique ID from the end of the
name
field.The
name
field has the following format:"name": "projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL/keys/KEY_ID"
The key's unique ID is everything after
keys/
.For example, the unique ID in the following key name is
0f561cc41650ff521899de2fd653bd3de08e2da4
:"name": "projects/my-project/serviceAccounts/[email protected]/keys/0f561cc41650ff521899de2fd653bd3de08e2da4"
After you find the unique IDs for the service account keys, use the IDs to filter the results from Activity Analyzer:
To get the most recent authentication activity for specific service account keys, use the Policy Analyzer API's
activities.query
method.
Before using any of the request data, make the following replacements:
PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.-
FILTER
: A filter specifying the full resource names of the service account keys whose usage you want to see. The full resource name of a service account key includes the project ID, the email address of the service account associated with the key, and the key ID.To filter for a single service account key, use a filter with the following format:
activities.full_resource_name%3D%22%2F%2Fiam.googleapis.com%2Fprojects%2FPROJECT_ID%2FserviceAccounts%2FSERVICE_ACCOUNT_EMAIL%2Fkeys%2FKEY_ID%22
To filter for multiple service account keys, use
%20OR%20
to specify multiple acceptable full resource names:activities.full_resource_name%3D%22%2F%2Fiam.googleapis.com%2Fprojects%2FPROJECT_ID%2FserviceAccounts%2FSERVICE_ACCOUNT_1_EMAIL%2Fkeys%2FKEY_ID_1%22%20OR%20activities.full_resource_name%3D%22%2F%2Fiam.googleapis.com%2Fprojects%2FPROJECT_ID%2FserviceAccounts%2FSERVICE_ACCOUNT_2_EMAIL%2Fkeys%2FKEY_ID_2%22
You can filter for up to 10 service account keys.
HTTP method and URL:
GET https://policyanalyzer.googleapis.com/v1/projects/PROJECT_ID/locations/global/activityTypes/serviceAccountKeyLastAuthentication/activities:query?filter=FILTER
To send your request, expand one of these options:
The response describes the most recent usage for the service account keys:
{ "activities": [ { "activity": { "lastAuthenticatedTime": "2021-06-11T07:00:00Z", "serviceAccountKey": { "fullResourceName": "//iam.googleapis.com/projects/my-project/serviceAccounts/[email protected]/keys/1c65fca351d6925e629059743428b7af243a728c", "projectNumber": "123456789012", "serviceAccountId": "123456789012345678901" } }, "activityType": "serviceAccountKeyLastAuthentication", "fullResourceName": "//iam.googleapis.com/projects/my-project/serviceAccounts/[email protected]/keys/1c65fca351d6925e629059743428b7af243a728c", "observationPeriod": { "endTime": "2021-07-06T07:00:00Z", "startTime": "2020-04-20T07:00:00Z" } } ] }
To learn how to understand these results, see Understand activities on this page.
Understand activities
Console
The query results page lists the query parameters and the results of the query.
For a service account query, the results table lists each service account from the query and when it last authenticated:
For a service account key query, the results table lists each service account key from the query, the service account it's associated with, and when it last authenticated.
The results might not include very recent authentication events. Check the tooltip to see the exact date range used during the analysis. The results don't include authentication events that occurred outside of this range.
The results table for both queries also lists the IAM roles that the service account has on the project, along with any security insights. These insights highlight patterns in how your service accounts access resources. For example, some insights highlight excess permissions, or permissions that a principal doesn't need. Other insights highlight service accounts with lateral movement permissions, or permissions that let the service account impersonate a service account in another project.
Some insights also come with role recommendations that suggest changes you can make to reduce excess permissions. To learn how to manage recommendations and insights, see Review and apply recommendations.
gcloud
Activity Analyzer reports results as a list of activities. Activities have the following fields:
fullResourceName
: The full resource name of the service account or service account key whose activity is being reported. This format is described in the following sections, and in Full resource names.activityType
: The type of activity that is being reported. For recent service account authentication activity, the value isserviceAccountLastAuthentication
. For recent service account key authentication activity, the value isserviceAccountKeyLastAuthentication
.observationPeriod
: Start and end times indicating the span of time for which the service account or key was observed for activity. The time in these timestamps is alwaysT07:00:00Z
.activity
: The details of the activity. The contents of this field vary based on the activity type. See the following sections for details.
Details for service account activities
The activity
field for serviceAccountLastAuthentication
activities contains
the following fields:
serviceAccount
: Details about the service account whose activity is being reported, including the following:fullResourceName
: The full resource name of the service account, in the format//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL
.projectNumber
: The numeric ID of the project that owns the service account.serviceAccountId
: The numeric ID of the service account.
lastAuthenticatedTime
: A timestamp representing the date at which the most recent authentication event occurred. The time in this timestamp is alwaysT07:00:00Z
, regardless of the exact time of the authentication event.The results might not include very recent authentication events. Check the
observationPeriod
to see the exact date range used during the analysis. The results don't include authentication events that occurred outside of this range.This field is not included for service accounts that have never been used.
Details for service account key activities
The activity
field for serviceAccountKeyLastAuthentication
activities
contains the following fields:
serviceAccountKey
: Details about the service account key whose activity is being reported, including the following:fullResourceName
: The full resource name of the service account key, in the format//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL/keys/KEY_ID
.projectNumber
: The numeric ID of the project that owns the service account that the key is associated with.serviceAccountId
: The numeric ID of the service account that the key is associated with.
lastAuthenticatedTime
: A timestamp representing the date at which the most recent authentication event occurred. The time in this timestamp is alwaysT07:00:00Z
, regardless of the exact time of the authentication event.The results might not include very recent authentication events. Check the
observationPeriod
to see the exact date range used during the analysis. The results don't include authentication events that occurred outside of this range.This field is not included for service account keys that have never been used.
REST
Activity Analyzer reports results as a list of activities. Activities have the following fields:
fullResourceName
: The full resource name of the service account or service account key whose activity is being reported. This format is described in the following sections, and in Full resource names.activityType
: The type of activity that is being reported. For recent service account authentication activity, the value isserviceAccountLastAuthentication
. For recent service account key authentication activity, the value isserviceAccountKeyLastAuthentication
.observationPeriod
: Start and end times indicating the span of time for which the service account or key was observed for activity. The time in these timestamps is alwaysT07:00:00Z
.activity
: The details of the activity. The contents of this field vary based on the activity type. See the following sections for details.
Details for service account activities
The activity
field for serviceAccountLastAuthentication
activities contains
the following fields:
serviceAccount
: Details about the service account whose activity is being reported, including the following:fullResourceName
: The full resource name of the service account, in the format//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL
.projectNumber
: The numeric ID of the project that owns the service account.serviceAccountId
: The numeric ID of the service account.
lastAuthenticatedTime
: A timestamp representing the date at which the most recent authentication event occurred. The time in this timestamp is alwaysT07:00:00Z
, regardless of the exact time of the authentication event.The results might not include very recent authentication events. Check the
observationPeriod
to see the exact date range used during the analysis. The results don't include authentication events that occurred outside of this range.This field is not included for service accounts that have never been used.
Details for service account key activities
The activity
field for serviceAccountKeyLastAuthentication
activities
contains the following fields:
serviceAccountKey
: Details about the service account key whose activity is being reported, including the following:fullResourceName
: The full resource name of the service account key, in the format//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL/keys/KEY_ID
.projectNumber
: The numeric ID of the project that owns the service account that the key is associated with.serviceAccountId
: The numeric ID of the service account that the key is associated with.
lastAuthenticatedTime
: A timestamp representing the date at which the most recent authentication event occurred. The time in this timestamp is alwaysT07:00:00Z
, regardless of the exact time of the authentication event.The results might not include very recent authentication events. Check the
observationPeriod
to see the exact date range used during the analysis. The results don't include authentication events that occurred outside of this range.This field is not included for service account keys that have never been used.
What's next
- Review the other available tools to understand service account usage.
- Learn how to disable service accounts or delete service accounts.
- Learn how to delete service account keys.