This page explains how to create and manage service account keys using the
Google Cloud Platform Console, the gcloud command-line tool,
the Cloud Identity and Access Management API, or one
of the Google Cloud Client Libraries.
Prerequisites for this guide
- Understand service accounts
- Install the
gcloudtool
Required permissions
To allow a user to manage service account keys, grant the Service Account Key
Admin role (roles/iam.serviceAccountKeyAdmin). Cloud IAM
primitive roles also contain permissions to manage service account keys, but we
recommend granting this role instead to prevent unnecessary access to other
GCP resources.
See the Service Account Roles topic for more information about roles related to service accounts.
Creating service account keys
To use a service account outside of the Google Cloud Platform (on other platforms or on premise), you must establish the identity of the service account. Public/private key pairs will let you do that.
You can create a service account key
using the GCP Console, the gcloud tool, the
serviceAccounts.keys.create()
method, or one of the client libraries.
In the examples below, SA-NAME is the name of your
service account, and PROJECT-ID is the ID of your
Google Cloud Platform project. You can retrieve the
SA-NAME@PROJECT-ID.iam.gserviceaccount.com
string from the Service Accounts
page in the Google Cloud Platform Console.
Console
-
Open the IAM & Admin page in the GCP Console.
-
Select your project and click Continue.
-
In the left nav, click Service accounts.
-
Look for the service account for which you wish to create a key, click the More button in that row, and then click Create key.
-
Select a Key type and click Create.
GCLOUD COMMAND
Command:
gcloud iam service-accounts keys create ~/key.json \
--iam-account SA-NAME@PROJECT-ID.iam.gserviceaccount.com
Output:
created key [e44da1202f82f8f4bdd9d92bc412d1d8a837fa83] of type [json] as [/usr/home/username/key.json] for [SA-NAME@PROJECT-ID.iam.gserviceaccount.com]
REST API
Request:
POST https://iam.googleapis.com/v1/projects/PROJECT-ID/serviceAccounts/SA-NAME@PROJECT-ID.iam.gserviceaccount.com/keys
Response:
{
"name":"projects/PROJECT-ID/serviceAccounts/SA-NAME@PROJECT-ID.iam.gserviceaccount.com/keys/90c48f61c65cd56224a12ab18e6ee9ca9c3aee7c",
"privateKeyType": "TYPE_GOOGLE_CREDENTIALS_FILE",
"privateKeyData":"MIIJqAIB . . .",
"validBeforeTime": "2028-05-08T21:00:00Z",
"validAfterTime": "2016-01-25T18:38:09.000Z",
"keyAlgorithm": "KEY_ALG_RSA_2048"
}
C#
For more on installing and creating a Cloud IAM client, refer to Cloud IAM Client Libraries.
Note that the privateKeyData returned is a base64-encoded string
representation of the JSON or P12 key/credentials.
When you create a key, your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of the private key. You are responsible for storing the private key securely. Take note of its location and ensure the key is accessible to your application; it needs the key to make authenticated API calls.
Google ensures that all public keys for all service accounts are publicly accessible by anyone and available to verify signatures that are created with the private key. The public key is publicly accessible at the following URLs:
- x.509 certificate: https://www.googleapis.com/service_accounts/v1/metadata/x509/SA-NAME@PROJECT-ID.iam.gserviceaccount.com
- JSON web key (JWK): https://www.googleapis.com/service_accounts/v1/jwk/SA-NAME@PROJECT-ID.iam.gserviceaccount.com
- Raw endpoint: https://www.googleapis.com/service_accounts/v1/metadata/raw/SA-NAME@PROJECT-ID.iam.gserviceaccount.com
Listing service account keys
You can list the service account keys for a service account using the
GCP Console, the gcloud tool, the
serviceAccount.keys.list()
method, or one of the client libraries.
The serviceAccount.keys.list() method is commonly used to audit service
accounts and keys, or to build custom tooling for managing service accounts.
To find out which project your key belongs to, you can download the key as a JSON file and look at that file.
You may see keys listed that you did not create. These are GCP-managed keys used by GCP services such as App Engine and Compute Engine. For more information on the difference between user and GCP-managed keys, see Understanding service accounts.
Console
-
Open the IAM & Admin page in the GCP Console.
-
Select your project and click Continue.
-
In the left nav, click Service accounts. All service accounts and their corresponding keys are listed.
GCLOUD COMMAND
Command:
gcloud iam service-accounts keys list \
--iam-account SA-NAME@PROJECT-ID.iam.gserviceaccount.com
Output:
| KEY_ID | CREATED_AT | EXPIRES_AT |
| 8e6e3936d7024646f8ceb39792006c07f4a9760c | 2016-01-26T21:01:42.000Z | 2026-01-23T21:01:42.000Z |
| 937c98f870f5c8db970af527aa3c12fd88b1c20a | 2016-01-26T20:55:40.000Z | 2026-01-23T20:55:40.000Z |
REST API
Request:
POST https://iam.googleapis.com/v1/projects/PROJECT-ID/serviceAccounts/SA-NAME@PROJECT-ID.iam.gserviceaccount.com/keys
Response:
{
"keys": [
{
"name": "projects/PROJECT-ID/serviceAccounts/SA-NAME@PROJECT-ID.iam.gserviceaccount.com/keys/90c48f61c65cd56224a12ab18e6ee9ca9c3aee7c",
"validAfterTime": "2016-01-25T18:38:09.000Z",
"validBeforeTime": "2026-01-22T18:38:09.000Z",
"keyAlgorithm": "KEY_ALG_RSA_2048"
},
{
"name": "projects/PROJECT-ID/serviceAccounts/SA-NAME@PROJECT-ID.iam.gserviceaccount.com/keys/e5e3800831ac1adc8a5849da7d827b4724b1fce8",
"validAfterTime": "2016-01-25T13:43:27.000Z",
"validBeforeTime": "2016-01-26T13:43:27.000Z",
"keyAlgorithm": "KEY_ALG_RSA_2048"
},
{
"name": "projects/PROJECT-ID/serviceAccounts/SA-NAME@PROJECT-ID.iam.gserviceaccount.com/keys/b97699f042b8eee6a846f4f96259fbcd13e2682e",
"validAfterTime": "2016-01-26T13:28:27.000Z",
"validBeforeTime": "2016-01-27T13:28:27.000Z",
"keyAlgorithm": "KEY_ALG_RSA_2048"
}]
}
C#
For more on installing and creating a Cloud IAM client, refer to Cloud IAM Client Libraries.
Deleting service account keys
You can delete a service account key using the GCP Console, the
gcloud tool, the
serviceAccount.keys.delete()
method, or one of the client libraries.
If you delete a key, your application will no longer be able to access Cloud
Platform resources using that key. A security best practice is to rotate your
service account keys regularly. You can rotate a key by creating a new key,
switching applications to use the new key and then deleting old key. Use the
serviceAccount.keys.create() method and serviceAccount.keys.delete() method
together to automate the rotation.
Console
-
Open the IAM & Admin page in the GCP Console.
-
Select your project and click Continue.
-
In the left nav, click Service accounts. All service accounts and their corresponding keys are listed.
-
Click the desired service account's email to view its keys.
-
From the list of keys, click Delete for each key you'd like to delete.
GCLOUD COMMAND
Command:
gcloud iam service-accounts keys delete KEY-ID \
--iam-account SA-NAME@PROJECT-ID.iam.gserviceaccount.com
Output:
deleted key [8e6e3936d7024646f8ceb39792006c07f4a9760c] for service account [SA-NAME@PROJECT-ID.iam.gserviceaccount.com]
REST API
Request:
DELETE https://iam.googleapis.com/v1/projects/PROJECT-ID/serviceAccounts/SA-NAME@PROJECT-ID.iam.gserviceaccount.com/keys/KEY-ID
C#
For more on installing and creating a Cloud IAM client, refer to Cloud IAM Client Libraries.
