Reputation: 65
Requesting the team to clarify from a security point of view. We were checking whether a service account key (stored locally at gcloud-service-account.json) is exploitable or not. If the login works and activate-service-account throws an error as shown, is it safe to say that the service account key (gcloud-service-account.json) can no longer be used by anyone? Thanks.
Login works:
./gcloud auth login --cred-file=gcloud-service-account.json
Authenticated with service account credentials for: [[email protected]]. Your current project is [None].
But, activate-service-account does not:
./gcloud auth activate-service-account --key-file=./gcloud-service-account.json
ERROR: (gcloud.auth.activate-service-account) There was a problem refreshing auth tokens for [email protected]: ('invalid_grant: Invalid JWT Signature.', {'error': 'invalid_grant', 'error_description': 'Invalid JWT Signature.'})
A similar Invalid JWT Signature error is thrown when commands such as ./gcloud projects list and ./gcloud storage buckets list are executed in the terminal.
Upvotes: 0
Views: 40
Reputation: 184
Yes, it is safe to say that the service account key (gcloud-service-account.json) can no longer be used by anyone. The “invalid_grant: Invalid JWT Signature” error basically means that the service account key has expired or been deleted.
To fix this, kindly follow this documentation: How to Fix | Adding New Service Account
Upvotes: 1
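An added example, not part of the question or answer above: a server-side cross-check that compares the `private_key_id` in the local key file with the keys IAM still lists for the account, instead of inferring the key's state from the client error. It assumes the output of `gcloud iam service-accounts keys list --iam-account=<client_email> --format=json` has been saved; `key_status` is a hypothetical helper and all sample JSON is constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample key file (private key omitted; only the key ID is needed).
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "private_key_id": "1111aaaa",
    "client_email": "example-sa@example-project.iam.gserviceaccount.com",
})

# Constructed sample of the saved `keys list --format=json` output.
_PREFIX = ("projects/example-project/serviceAccounts/"
           "example-sa@example-project.iam.gserviceaccount.com/keys/")
SAMPLE_KEYS_LIST = json.dumps([
    {"name": _PREFIX + "2222bbbb", "keyType": "USER_MANAGED",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": _PREFIX + "3333cccc", "keyType": "USER_MANAGED",
     "validBeforeTime": "2020-01-01T00:00:00Z"},
    {"name": _PREFIX + "4444dddd", "keyType": "USER_MANAGED",
     "validBeforeTime": "9999-12-31T23:59:59Z", "disabled": True},
])


def _parse_ts(value):
    # IAM timestamps are RFC 3339 and end in "Z"; normalise for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def key_status(key_file_json, keys_list_json, now=None):
    """Classify the local key file against the server-side key list."""
    now = now or datetime.now(timezone.utc)
    key_id = json.loads(key_file_json)["private_key_id"]
    for entry in json.loads(keys_list_json):
        # "name" ends in .../keys/<KEY_ID>
        if entry["name"].rsplit("/", 1)[-1] != key_id:
            continue
        if entry.get("disabled"):
            return "disabled"
        if _parse_ts(entry["validBeforeTime"]) <= now:
            return "expired"
        return "active"
    # IAM holds no key with this ID for the account.
    return "not_listed"


if __name__ == "__main__":
    print(key_status(SAMPLE_KEY_FILE, SAMPLE_KEYS_LIST))
```

Only an `active` result means the local file corresponds to a key the account still accepts; any other result is consistent with the Invalid JWT Signature error in the question.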