Method: projects.serviceAccounts.generateAccessToken

Generates an OAuth 2.0 access token for a service account.

HTTP request

POST https://iamcredentials.googleapis.com/v1/{name=projects/*/serviceAccounts/*}:generateAccessToken

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters
name

string

The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

Authorization requires the following Google IAM permission on the specified resource name:

  • iam.serviceAccounts.getAccessToken

Request body

The request body contains data with the following structure:

JSON representation
{
  "delegates": [
    string
  ],
  "scope": [
    string
  ],
  "lifetime": string
}
Fields
delegates[]

string

The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.

The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

scope[]

string

Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value is required.

lifetime

string (Duration format)

The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.

A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
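
A client-side pre-flight check for the constraints documented above, as an added example that is not part of the original reference or of Google's client libraries: it enforces the - wildcard in name and delegates[], a non-empty scope[], and a lifetime of at most 3600 seconds before anything is sent. The function names and the sample service account are assumptions made for illustration.

```python
import json
import re
from decimal import Decimal

ENDPOINT = "https://iamcredentials.googleapis.com/v1/{name}:generateAccessToken"
MAX_LIFETIME_S = Decimal(3600)  # documented upper bound (1 hour)

# projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}; the "-" is mandatory.
_NAME_RE = re.compile(r"projects/-/serviceAccounts/[^/\s]+")
# Duration format: seconds with up to nine fractional digits, terminated by "s".
_DURATION_RE = re.compile(r"(\d+(?:\.\d{1,9})?)s")


def check_resource_name(value, field):
    """Reject names that put a project ID where the wildcard belongs."""
    if not _NAME_RE.fullmatch(value):
        raise ValueError(
            f"{field}: expected projects/-/serviceAccounts/<email-or-id>, got {value!r}")
    return value


def build_request(name, scopes, lifetime=None, delegates=()):
    """Return (url, body_dict) for generateAccessToken, or raise ValueError."""
    check_resource_name(name, "name")
    body = {}
    if delegates:
        # Order matters: each delegate needs TokenCreator on the next one.
        body["delegates"] = [check_resource_name(d, "delegates[]") for d in delegates]
    if not scopes:
        raise ValueError("scope: at least one value is required")
    body["scope"] = list(scopes)
    if lifetime is not None:
        m = _DURATION_RE.fullmatch(lifetime)
        if not m:
            raise ValueError(f"lifetime: not in Duration format: {lifetime!r}")
        if Decimal(m.group(1)) > MAX_LIFETIME_S:
            raise ValueError("lifetime: must be <= 3600s")
        body["lifetime"] = lifetime
    return ENDPOINT.format(name=name), body


if __name__ == "__main__":
    # Constructed sample values; this service account does not exist.
    sa = "projects/-/serviceAccounts/reader@example-project.iam.gserviceaccount.com"
    url, body = build_request(
        sa, ["https://www.googleapis.com/auth/cloud-platform"], lifetime="300s")
    print("POST", url)
    print(json.dumps(body, indent=2))
```

Requesting a short lifetime such as "300s" instead of relying on the one-hour default limits how long a leaked token remains usable.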

Response body

If successful, the response body contains data with the following structure:

JSON representation
{
  "accessToken": string,
  "expireTime": string
}
Fields
accessToken

string

The OAuth 2.0 access token.

expireTime

string (Timestamp format)

Token expiration time. The expiration time is always set.

A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.
