
Lyve Cloud Documentation

Service Account settings

Adding an expiration duration to a service account improves its security. Existing service accounts are set to Never Expires, and by default the key of a newly created service account never expires unless you configure an expiration duration. You can change this default by setting an expiry duration for all newly created service accounts; see Setting expiration duration. This limits how long the service account is valid; it needs to be changed again after the expiration duration. After the expiration date, the secret key cannot be used for authentication, but it stays associated with the service account until you delete it. If you disable or delete a service account, any workload that uses the service account immediately loses access to the resources.

As a best practice, change your secret keys regularly. You can create a new secret key by doing the following:

  • Create a new service account or Clone the service account.

  • Disable the old service account.

  • Confirm that the old key is no longer in use.

  • Delete the old service account.

Setting expiration duration

Setting an expiration duration enables you to enforce additional security. The more often you change the service account keys, the less likely they are to be leaked. Periodically invalidating your service account keys and creating new keys therefore adds to security.

The Service Account Expiration setting defaults to Off (disabled). If you create a service account without setting an expiration period, its key never expires. You can turn the expiration On (enable it) and set the duration in days or years. All service accounts created after you turn it On have an expiration period. For example, if you set the expiration duration to 365 days, any service account created after that has an expiration period of 365 days.

Based on the specified number of days, the service account expires at the end of the expiration date, at 23:59:59 PM, regardless of the time of day at which the service account was created. For example, if you set the expiration duration to 30 days on the 1st of the month at 10:15:00 AM, the service account expires on day 30 at 23:59:59 PM.
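The end-of-day rule above can be used to audit an inventory of service accounts for keys that have expired, are due for rotation, or never expire. The following Python sketch is an added example, not Lyve Cloud code: the account names and dates are constructed, the 14-day warning window is hypothetical, and it assumes that the creation date counts as day 1 (as in the 30-day example), that durations are given in days, and that all timestamps share one time zone.

```python
from datetime import datetime, time, timedelta
from typing import Optional

def key_expiry(created: datetime, duration_days: Optional[int]) -> Optional[datetime]:
    """Return the last valid second of the key, or None if it never expires.

    Assumption: the creation date is day 1, so a 30-day key created on
    the 1st expires on the 30th at 23:59:59, whatever the creation time.
    """
    if duration_days is None:
        return None
    last_day = created.date() + timedelta(days=duration_days - 1)
    return datetime.combine(last_day, time(23, 59, 59))

def classify(created: datetime, duration_days: Optional[int],
             now: datetime, warn_days: int = 14) -> str:
    """Label one account; warn_days is a hypothetical rotation lead time."""
    expiry = key_expiry(created, duration_days)
    if expiry is None:
        return "NEVER_EXPIRES"   # review: such a key is never invalidated
    if now > expiry:
        return "EXPIRED"         # key no longer authenticates
    if expiry - now <= timedelta(days=warn_days):
        return "ROTATE_SOON"     # create or clone a replacement now
    return "OK"

# Constructed inventory: (name, creation time, expiration duration in days)
ACCOUNTS = [
    ("backup-writer", datetime(2024, 3, 1, 10, 15, 0), 30),
    ("legacy-app", datetime(2022, 6, 12, 8, 0, 0), None),
    ("reports-reader", datetime(2023, 12, 1, 23, 50, 0), 90),
    ("ci-uploader", datetime(2024, 3, 20, 0, 5, 0), 365),
]

def audit(accounts, now: datetime) -> dict:
    """Map each account name to its status at the given time."""
    return {name: classify(created, days, now)
            for name, created, days in accounts}

if __name__ == "__main__":
    for name, status in audit(ACCOUNTS, datetime(2024, 3, 25, 9, 0, 0)).items():
        print(f"{name:15} {status}")
```

Accounts reported as ROTATE_SOON are the ones to replace through the create or clone, disable, confirm, delete sequence before workloads lose access.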

Procedure. To set expiration duration:
  1. On the left-hand menu, select Settings.

  2. Enable the Service Account Expiration toggle.

  3. Enter the number of Day(s) or Years to set the expiration duration, and select Save.


    After the configuration is complete, all newly created service accounts have an expiration duration. Once a service account expires, you cannot perform any actions on it other than deleting it.

    For example, if you configure the expiration duration as 90 days and then create a service account, the Secret Key Expiration Duration in the create service account dialogue is set to 90 days. This value is displayed on the pages where you create a service account, edit a service account, and list service accounts. All service accounts created after you configure the expiration duration are set to 90 days by default.

    After 90 days, the service account status will appear as Expired.