Creating and Managing Service Account Keys

This page explains how to create and manage service account keys using the Google Cloud Identity and Access Management API, the Google Cloud Platform Console, and the gcloud command-line tool.

Prerequisites for this guide

Creating service account keys

To use a service account outside of the Google Cloud Platform (on other platforms or on premises), you must establish the identity of the service account. A public/private key pair lets you do that.

You can create a service account key using the serviceAccounts.keys.create() method, the GCP Console, and the gcloud tool.

When you create a key, a new public/private key pair is generated and downloaded to your machine; that download is the only copy of the private key. You are responsible for storing it securely. Google maintains the public key and publishes it so that objects signed by the private key can be verified.

Take note of your service account's email address and store the service account's private key file in a location accessible to your application. Your application needs both to make authenticated API calls.

Note that the privateKeyData field in the response is a base64-encoded string containing the JSON or P12 key/credentials file.
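As an added example (not from this page or from Google's client libraries), the following Python decodes the privateKeyData field of a constructed create() response back into the JSON credentials file, checks that it is a service account file whose private_key_id matches the key id in the response name, and writes it with owner-only permissions; the client_email and project_id it returns are the values the later sections tell you to note down and use to identify the key's project. The response, the credentials and the PEM body are constructed placeholders, and decode_key_data, save_key_file and demo are names assumed here.

```python
import base64
import json
import os
import stat
import tempfile

# Constructed sample: the shape of a serviceAccounts.keys.create() response, with
# privateKeyData holding a base64-encoded, deliberately minimal, fake JSON
# credentials file. The PEM body is a placeholder, not a real private key.
FAKE_CREDENTIALS = {
    "type": "service_account",
    "project_id": "my-project-123",
    "private_key_id": "90c48f61c65cd56224a12ab18e6ee9ca9c3aee7c",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "my-sa-123@my-project-123.iam.gserviceaccount.com",
}
SAMPLE_CREATE_RESPONSE = {
    "name": "projects/my-project-123/serviceAccounts/"
            "my-sa-123@my-project-123.iam.gserviceaccount.com/keys/"
            "90c48f61c65cd56224a12ab18e6ee9ca9c3aee7c",
    "privateKeyType": "GOOGLE_AUTH_FILE",
    "privateKeyData": base64.b64encode(json.dumps(FAKE_CREDENTIALS).encode()).decode(),
    "validAfterTime": "2016-01-25T18:38:09.000Z",
}
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

def decode_key_data(response):
    """Decode privateKeyData into the JSON credentials dict and sanity-check it."""
    creds = json.loads(base64.b64decode(response["privateKeyData"]))
    missing = [f for f in REQUIRED_FIELDS if f not in creds]
    if missing or creds["type"] != "service_account":
        raise ValueError("not a service account credentials file (missing %s)" % missing)
    # The key id at the end of the resource name must match the file's private_key_id.
    if not response["name"].endswith("/keys/" + creds["private_key_id"]):
        raise ValueError("key id in response name does not match private_key_id")
    return creds

def save_key_file(response, path):
    """Write the decoded credentials owner-readable only; returns (email, project, mode)."""
    creds = decode_key_data(response)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # refuse to overwrite
    with os.fdopen(fd, "w") as f:
        json.dump(creds, f)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return creds["client_email"], creds["project_id"], mode

def demo():
    """Stand-alone run: write the constructed key into a fresh temporary directory."""
    return save_key_file(SAMPLE_CREATE_RESPONSE, os.path.join(tempfile.mkdtemp(), "key.json"))
```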

gcloud


To create a service account key, run the following command:

gcloud iam service-accounts keys create \
    ~/key.json \
    --iam-account my-sa-123@my-project-123.iam.gserviceaccount.com

The output of this command will be similar to the following:

created key [e44da1202f82f8f4bdd9d92bc412d1d8a837fa83] of type [json] as
[/usr/local/google/home/alice/key.json] for
[my-sa-123@my-project-123.iam.gserviceaccount.com]

API


Request:

POST https://iam.googleapis.com/v1/projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com/keys

Response:

{
    "name":"projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com/keys/90c48f61c65cd56224a12ab18e6ee9ca9c3aee7c",
    "privateKeyType": "GOOGLE_AUTH_FILE",
    "privateKeyData":"MIIJqAIB . . .",
    "validAfterTime": "2016-01-25T18:38:09.000Z"
}

CONSOLE


  1. Open the IAM & Admin page in the GCP Console.

  2. Select your project and click Continue.

  3. In the left nav, click Service accounts.

  4. Look for the service account for which you wish to create a key, click the vertical ellipsis button in that row, and click Create key.

  5. Select a Key type and click Create.

Listing service account keys

You can list the service account keys for a service account using the serviceAccounts.keys.list() method, the GCP Console, and the gcloud tool.

The serviceAccounts.keys.list() method is commonly used to audit service accounts and keys, or to build custom tooling for managing service accounts.

To find out which project a key belongs to, download the key as a JSON file and inspect that file.

gcloud


To list service account keys, run the following command:

gcloud iam service-accounts keys list \
    --iam-account my-sa-123@my-project-123.iam.gserviceaccount.com

The output of this command will be similar to the following:

KEY_ID                                    CREATED_AT                EXPIRES_AT
8e6e3936d7024646f8ceb39792006c07f4a9760c  2016-01-26T21:01:42.000Z  2026-01-23T21:01:42.000Z
937c98f870f5c8db970af527aa3c12fd88b1c20a  2016-01-26T20:55:40.000Z  2026-01-23T20:55:40.000Z

API


Request:

GET https://iam.googleapis.com/v1/projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com/keys

Response:

{
    "keys": [
    {
        "name": "projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com/keys/90c48f61c65cd56224a12ab18e6ee9ca9c3aee7c",
        "validAfterTime": "2016-01-25T18:38:09.000Z",
        "validBeforeTime": "2026-01-22T18:38:09.000Z"
    },
    {
        "name": "projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com/keys/e5e3800831ac1adc8a5849da7d827b4724b1fce8",
        "validAfterTime": "2016-01-25T13:43:27.000Z",
        "validBeforeTime": "2016-01-26T13:43:27.000Z"
    },
    {
        "name": "projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com/keys/b97699f042b8eee6a846f4f96259fbcd13e2682e",
        "validAfterTime": "2016-01-26T13:28:27.000Z",
        "validBeforeTime": "2016-01-27T13:28:27.000Z"
    }
    ]
}

CONSOLE


  1. Open the IAM & Admin page in the GCP Console.

  2. Select your project and click Continue.

  3. In the left nav, click Service accounts. All service accounts and their corresponding keys are listed.

Deleting service account keys

You can delete a service account key using the serviceAccounts.keys.delete() method, the GCP Console, and the gcloud tool.

If you delete a key, your application can no longer access Cloud Platform resources using that key. A security best practice is to rotate your service account keys regularly: create a new key, switch your applications to the new key, and then delete the old key. Use the serviceAccounts.keys.create() and serviceAccounts.keys.delete() methods together to automate the rotation.
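An added example (not Google's code) that ties the audit use of keys.list() from the previous section to the rotation order given above: it flags keys older than a rotation age in the list response shown on this page, then rotates one key against a hypothetical in-memory FakeKeysClient standing in for keys.create() and keys.delete(), deleting the old key only after the application confirms the switch. FakeKeysClient, keys_due_for_rotation, rotate_key and the switch_application callback are assumptions of this example, not the IAM API.

```python
import secrets
from datetime import datetime, timedelta, timezone

SA = "projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com"
# Constructed sample: the three keys from the list response shown on this page.
SAMPLE_LIST_RESPONSE = {"keys": [
    {"name": SA + "/keys/90c48f61c65cd56224a12ab18e6ee9ca9c3aee7c",
     "validAfterTime": "2016-01-25T18:38:09.000Z", "validBeforeTime": "2026-01-22T18:38:09.000Z"},
    {"name": SA + "/keys/e5e3800831ac1adc8a5849da7d827b4724b1fce8",
     "validAfterTime": "2016-01-25T13:43:27.000Z", "validBeforeTime": "2016-01-26T13:43:27.000Z"},
    {"name": SA + "/keys/b97699f042b8eee6a846f4f96259fbcd13e2682e",
     "validAfterTime": "2016-01-26T13:28:27.000Z", "validBeforeTime": "2016-01-27T13:28:27.000Z"},
]}

def parse_time(ts):
    """Parse the RFC 3339 UTC timestamps the API returns (e.g. validAfterTime)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def key_id(name):
    """The key id is the last path element of the key resource name."""
    return name.rsplit("/keys/", 1)[1]

def keys_due_for_rotation(list_response, now_ts, max_age_days):
    """Audit step: ids of keys created more than max_age_days before now_ts, oldest first."""
    now = parse_time(now_ts)
    aged = [k for k in list_response["keys"]
            if now - parse_time(k["validAfterTime"]) > timedelta(days=max_age_days)]
    return [key_id(k["name"]) for k in sorted(aged, key=lambda k: k["validAfterTime"])]

class FakeKeysClient:
    """Hypothetical in-memory stand-in for keys.create()/keys.delete(); not the IAM API."""
    def __init__(self, list_response):
        self.keys = {key_id(k["name"]): k for k in list_response["keys"]}
    def create(self):
        kid = secrets.token_hex(20)  # same 40-hex-character shape as real key ids
        self.keys[kid] = {"name": SA + "/keys/" + kid, "privateKeyData": "<constructed>"}
        return self.keys[kid]
    def delete(self, kid):
        del self.keys[kid]

def rotate_key(client, old_id, switch_application):
    """Create a new key, switch the application to it, and only then delete the old key.
    switch_application(new_key) returns True once the app works with the new key."""
    new_key = client.create()
    new_id = key_id(new_key["name"])
    if not switch_application(new_key):
        client.delete(new_id)  # roll back: remove the unused new key, keep the old one
        raise RuntimeError("application did not switch; old key %s kept" % old_id)
    client.delete(old_id)
    return new_id
```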

gcloud


To delete service account keys, run the following command:

gcloud iam service-accounts keys delete \
    8e6e3936d7024646f8ceb39792006c07f4a9760c \
    --iam-account my-sa-123@my-project-123.iam.gserviceaccount.com

The output of this command will be similar to the following:

deleted key [8e6e3936d7024646f8ceb39792006c07f4a9760c] for service account [my-sa-123@my-project-123.iam.gserviceaccount.com]

API


Request:

DELETE https://iam.googleapis.com/v1/projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com/keys/e5e3800831ac1adc8a5849da7d827b4724b1fce8

CONSOLE


  1. Open the IAM & Admin page in the GCP Console.

  2. Select your project and click Continue.

  3. In the left nav, click Service accounts. All service accounts and their corresponding keys are listed.

  4. Hover your mouse over the service account key you wish to delete. Click the delete icon to delete that key.
