Implement a Kubernetes CronJob to periodically rotate service account keys and prevent the association of service accounts with resources across all projects, except for 'pj-sa'.

Enforce an organizational policy that sets a 24-hour limit on the lifespan of service account keys and prevents the creation of service account keys, with an exception for 'pj-sa'.

Set up a recurring Cloud Run task to automatically rotate service account keys at specified intervals for 'pj-sa' and establish an organizational policy to prohibit general service account key creation, making an exception for 'pj-sa'.

Apply an organizational policy constraint that restricts the duration of service account keys to 24 hours and blocks the linkage of service accounts to resources across all projects, except for 'pj-sa'.