To eliminate risks associated with JSON service account keys while minimizing operational overhead, what action should be taken?


The best approach to eliminate risks associated with JSON service account keys while minimizing operational overhead is to apply the constraints/iam.disableServiceAccountKeyUpload constraint to the organization. This constraint ensures that service account keys cannot be uploaded at all, which removes key-management risks such as accidental exposure or misuse. With uploads disabled, the organization can enforce a more secure environment that relies on alternative authentication methods, like Workload Identity or OAuth 2.0, which do not involve managing long-lived keys.

This strategy addresses the root of the issue by preventing JSON service account keys from being created or uploaded in the first place, thereby streamlining security protocols and reducing the operational burden involved in managing those keys, such as rotating them and responding to incidents of exposure.

The other options also aim to improve the security and manageability of service account keys, but they might not eliminate the risks as definitively as enforcing the upload constraint. For instance, disabling key creation or modifying roles can still lead to complications if users can manage or access existing keys. By applying a blanket constraint to prevent uploads, the organization ensures that there will be no new keys created, simplifying compliance and security measures.
