diff --git a/main.tf b/main.tf
index a7027a0..6acc2cb 100644
--- a/main.tf
+++ b/main.tf
@@ -103,4 +103,15 @@ resource "google_organization_iam_member" "organization_viewer" {
 resource "google_service_account_key" "keys" {
   for_each = var.generate_keys ? local.names : toset([])
   service_account_id = google_service_account.service_accounts[each.value].email
+  keepers = {
+    rotation_time = var.key_rotation_days == null ? null : time_rotating.key_rotation["key_rotation_days"].rotation_rfc3339
+  }
+
+}
+
+resource "time_rotating" "key_rotation" {
+  for_each = var.key_rotation_days == null ? {} : {
+    "key_rotation_days" = var.key_rotation_days
+  }
+  rotation_days = var.key_rotation_days
 }
diff --git a/variables.tf b/variables.tf
index 65fd2c7..248523e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -90,3 +90,9 @@ variable "disabled" {
   description = "A map of service account names to a boolean value indicating whether the service account should be disabled. Service accounts not in this map will be enabled by default."
   default = {}
 }
+
+variable "key_rotation_days" {
+  type = number
+  description = "Number of days after which the service account key is rotated"
+  default = null
+}
diff --git a/versions.tf b/versions.tf
index 8f904e4..5bfd6d7 100644
--- a/versions.tf
+++ b/versions.tf
@@ -22,6 +22,10 @@ terraform {
     source = "hashicorp/google"
     version = ">= 3.53, < 8"
   }
+  time = {
+    source = "hashicorp/time"
+    version = "~> 0.12"
+  }
 }
 provider_meta "google" {
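Review bot: The new `keepers` argument on `google_service_account_key` is, as far as I recall, newer than the oldest google provider this module still accepts (`versions.tf` keeps `>= 3.53`), so a consumer pinned to an early release would hit an unsupported-argument error as soon as they adopt this version of the module; if that is right, the lower bound should be raised in the same commit. A rotation also replaces the key with no `create_before_destroy`, so the old key is deleted before the new `private_key` is in state and anything still authenticating with it is locked out until the new key is distributed; adding `lifecycle { create_before_destroy = true }` to the `keys` resource and stating the cutover behaviour in the module docs would make the trade-off explicit. Switching `key_rotation_days` from null to a value on an existing deployment changes `keepers` from null to a timestamp and therefore recreates every existing key on the next apply, which is worth calling out for the same reason. Minor: the blank line before the closing `}` of the `keys` resource is something `terraform fmt` would remove.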
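Review bot: The description of `key_rotation_days` understates what the variable does: a `time_rotating` resource only rotates on a `terraform apply` that runs after the period has elapsed, the rotation recreates the key rather than adding one alongside it, and enabling it on an existing deployment recreates the current keys. Suggest `description = "Number of days after which service account keys are replaced. Rotation happens on the first terraform apply after the period elapses; enabling this on existing keys recreates them and destroys the previous key. null disables rotation."`. The variable also accepts zero and negative numbers, which `time_rotating` would presumably reject or treat as already expired; a `validation` block with the condition `var.key_rotation_days == null || var.key_rotation_days > 0` and a short error message would fail early with a clear cause instead.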