Tags: google-cloud-platform, google-cloud-firestore, google-cloud-functions

Is there a way to check which SA key has been used by a service account for a request?


Background: I deployed a 2nd generation Node.js function in GCP specifying the service account in the HttpsOptions object, without specifying anything else.

Is there a way to check which service account key has been used for requests made by this function?

I can see that a number of keys have been generated and disabled since the deployment of the function and, on some occasions, keys are active at the same time.


Solution

  • It isn't currently possible to display the full service account key for each Cloud Function request. There is also a feature request to determine exactly when a Service Account key was used, along with the date and time of usage. However, you can do the following:

    You can use Cloud Monitoring metrics to monitor service account or service account key usage.

    Service accounts and service account keys appear in these metrics if they are used to call any Google API, including APIs that are not part of Google Cloud. The metrics include both successful and failed API calls.

    Service account keys also appear in these metrics if a system lists the keys while attempting to authenticate a request, even if the system doesn't use the key to authenticate the request. This behavior is most common when using signed URLs for Cloud Storage or when authenticating to third-party applications. As a result it is possible to see usage metrics for keys that have not been used for authentication.

    Also, use Policy Analyzer to view recent usage for service accounts and keys.

    Use Activity Analyzer to see when your service accounts and keys were last used to call a Google API. These usages are called authentication activities.

    Recent authentication activity can help you identify service accounts and service account keys that you no longer use. We recommend disabling or deleting these unused service accounts and keys because they create an unnecessary security risk.

    Note: This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
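As an added example (not code from the answer above or from Google), here is how the Cloud Monitoring route described in the answer looks in practice. The metric that records key usage is `iam.googleapis.com/service_account/key/authn_events_count`, on the `iam_service_account` resource, with the key identified by the `key_id` metric label. The block builds the filter and time window you would pass to `projects.timeSeries.list`, then sums events per key from a response in that API's JSON shape and separates the keys that appeared in the window from those that did not. The response, the unique ID and the key IDs are constructed sample data, and the caveat from the answer applies: a non-zero count means the key appeared in an authentication attempt (which includes a client merely listing keys), not proof that it signed a request.

```python
"""Summarise service-account-key authentication events from Cloud Monitoring.

Added example, not part of the original answer. It parses the JSON shape
returned by projects.timeSeries.list for the metric
iam.googleapis.com/service_account/key/authn_events_count and reports,
per key_id, how many events were counted. SAMPLE_RESPONSE and KNOWN_KEY_IDS
are constructed, not captured from a real project.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

METRIC = "iam.googleapis.com/service_account/key/authn_events_count"


def build_filter(service_account_unique_id: str) -> str:
    """Monitoring filter for one service account's key-usage metric.

    The resource label unique_id is the numeric ID of the service account
    (not its email address); each returned series carries a key_id label.
    """
    return (
        f'metric.type = "{METRIC}" AND '
        f'resource.type = "iam_service_account" AND '
        f'resource.labels.unique_id = "{service_account_unique_id}"'
    )


def time_window(days: int, now: Optional[datetime] = None) -> Tuple[str, str]:
    """RFC 3339 interval.startTime / interval.endTime for the list call."""
    end = now or datetime.now(timezone.utc)
    start = end - timedelta(days=days)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return start.strftime(fmt), end.strftime(fmt)


def summarize_key_usage(response: dict) -> Dict[str, int]:
    """Sum authn_events_count per key_id across all returned time series.

    int64Value arrives as a JSON string in the REST response, hence int().
    """
    totals: Dict[str, int] = defaultdict(int)
    for series in response.get("timeSeries", []):
        if series.get("metric", {}).get("type") != METRIC:
            continue
        key_id = series["metric"]["labels"]["key_id"]
        for point in series.get("points", []):
            totals[key_id] += int(point["value"].get("int64Value", 0))
    return dict(totals)


def classify_keys(key_ids: Iterable[str],
                  totals: Dict[str, int]) -> Tuple[Dict[str, int], List[str]]:
    """Split the keys listed on the account into seen / unseen in the window.

    "Seen" means the key appeared in an authentication event; as the answer
    notes, listing keys while authenticating also counts, so seen is
    "may have been used" and unseen is the set to disable first.
    """
    ids = list(key_ids)
    seen = {k: totals[k] for k in ids if totals.get(k, 0) > 0}
    unseen = sorted(k for k in ids if totals.get(k, 0) == 0)
    return seen, unseen


# Constructed sample in the shape of a projects.timeSeries.list response.
SAMPLE_RESPONSE = {
    "timeSeries": [
        {
            "metric": {"type": METRIC, "labels": {"key_id": "aaaa1111"}},
            "resource": {"type": "iam_service_account",
                         "labels": {"unique_id": "123456789012345678901"}},
            "points": [{"value": {"int64Value": "7"}},
                       {"value": {"int64Value": "3"}}],
        },
        {
            "metric": {"type": METRIC, "labels": {"key_id": "bbbb2222"}},
            "resource": {"type": "iam_service_account",
                         "labels": {"unique_id": "123456789012345678901"}},
            "points": [{"value": {"int64Value": "1"}}],
        },
    ]
}

# Constructed list of key IDs on the account; cccc3333 never appears above.
KNOWN_KEY_IDS = ["aaaa1111", "bbbb2222", "cccc3333"]

if __name__ == "__main__":
    print(build_filter("123456789012345678901"))
    print(time_window(30))
    seen, unseen = classify_keys(KNOWN_KEY_IDS, summarize_key_usage(SAMPLE_RESPONSE))
    print("seen:", seen)
    print("unseen (candidates to disable):", unseen)
```

The same question can be put to Activity Analyzer from the CLI with `gcloud policy-intelligence query-activity --activity-type=serviceAccountKeyLastAuthentication --project=PROJECT_ID`, which returns the last authentication time per key rather than counts; neither source attributes a specific key to a specific Cloud Functions request, which is the limitation the answer states.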