This page explains how to disable and enable service account keys using the Google Cloud console, the Google Cloud CLI, the Identity and Access Management API, or one of the Google Cloud Client Libraries.
Before you begin
Enable the IAM API.
Understand service account credentials.
Required roles
To get the permissions that you need to disable and enable service account keys, ask your administrator to grant you the Service Account Key Admin (roles/iam.serviceAccountKeyAdmin) IAM role on the project, or the service account whose keys you want to manage.
For more information about granting roles, see Manage access.
You might also be able to get the required permissions through custom roles or other predefined roles.
For more information, see Service Accounts roles.
IAM basic roles also contain permissions to manage service account keys. You should not grant basic roles in a production environment, but you can grant them in a development or test environment.
Disable a service account key
Disabling a service account key prevents you from using the key to authenticate with Google APIs. You can enable a disabled key at any time.
Before you delete a service account key, we recommend that you disable the key, then wait until you are sure that the key is no longer needed. You can then delete the key.
You can view disabled keys in the Google Cloud console, but you cannot use the Google Cloud console to disable a key. Use the gcloud CLI or the REST API instead.
gcloud
Execute the gcloud iam service-accounts keys disable command to disable a service account key.
Replace the following values:
- KEY_ID: The ID of the key to disable. To find the key's ID, list all keys for the service account, identify the key that you want to disable, and then copy its ID.
- SA_NAME: The name of the service account that the key belongs to.
- PROJECT_ID: Your Google Cloud project ID.
gcloud iam service-accounts keys disable KEY_ID \
    --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com \
    --project=PROJECT_ID
Output:
Disabled key [KEY_ID] for service account [SA_NAME@PROJECT_ID.iam.gserviceaccount.com]
REST
The projects.serviceAccounts.keys.disable method disables a service account key.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- SA_NAME: The name of the service account whose key you want to disable.
- KEY_ID: The ID of the key that you want to disable. To find the key's ID, list all keys for the service account, identify the key that you want to disable, and then copy its ID from the end of the name field. The key's ID is everything after keys/.
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID:disable
You should receive a JSON response similar to the following:
{ }
Enable a service account key
After you disable a service account key, you can enable the key at any time, then use the key to authenticate with Google APIs.
You cannot use the Google Cloud console to enable service account keys. Use the gcloud CLI or the REST API instead.
gcloud
Execute the gcloud iam service-accounts keys enable command to enable a service account key.
Replace the following values:
- KEY_ID: The ID of the key to enable. To find the key's ID, list all keys for the service account, identify the key that you want to enable, and then copy its ID.
- SA_NAME: The name of the service account that the key belongs to.
- PROJECT_ID: Your Google Cloud project ID.
gcloud iam service-accounts keys enable KEY_ID \
    --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com \
    --project=PROJECT_ID
Output:
Enabled key [KEY_ID] for service account [SA_NAME@PROJECT_ID.iam.gserviceaccount.com]
REST
The projects.serviceAccounts.keys.enable method enables a service account key.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- SA_NAME: The name of the service account whose key you want to enable.
- KEY_ID: The ID of the key that you want to enable. To find the key's ID, list all keys for the service account, identify the key that you want to enable, and then copy its ID from the end of the name field. The key's ID is everything after keys/.
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID:enable
You should receive a JSON response similar to the following:
{ }
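The REST steps for disabling and enabling a key, as an added example that is not part of the original page: it takes a key listing, extracts each KEY_ID from the name field, skips the call when the key is already in the requested state, and returns the POST URL together with the URL that reverses it. The sample listing is constructed, and the assumption is that each listed key carries a name field and, when disabled, a disabled field; plan_key_action and Plan are hypothetical names.

```python
import json
import re
from typing import NamedTuple, Optional

API_ROOT = "https://iam.googleapis.com/v1"

# Key resource name: projects/PROJECT_ID/serviceAccounts/SA_EMAIL/keys/KEY_ID
KEY_NAME = re.compile(r"^projects/[^/]+/serviceAccounts/[^/]+/keys/(?P<key_id>[^/]+)$")

# Constructed sample of a key listing; the project, account and key IDs are made up.
SA = "projects/my-project/serviceAccounts/my-sa@my-project.iam.gserviceaccount.com"
SAMPLE_KEYS = json.dumps({"keys": [
    {"name": f"{SA}/keys/1111aaaa"},                    # active key
    {"name": f"{SA}/keys/2222bbbb", "disabled": True},  # already disabled
]})


class Plan(NamedTuple):
    method: str
    url: str           # request that performs the action
    rollback_url: str  # request that reverses it


def plan_key_action(list_response: str, key_id: str, action: str) -> Optional[Plan]:
    """Return the request for `action`, or None if the key is already in that state."""
    if action not in ("disable", "enable"):
        raise ValueError(f"unsupported action: {action!r}")
    reverse = "enable" if action == "disable" else "disable"
    for key in json.loads(list_response).get("keys", []):
        match = KEY_NAME.match(key.get("name", ""))
        # The key's ID is everything after "keys/" in the name field.
        if not match or match["key_id"] != key_id:
            continue
        if key.get("disabled", False) == (action == "disable"):
            return None  # nothing to do
        base = f"{API_ROOT}/{key['name']}"
        return Plan("POST", f"{base}:{action}", f"{base}:{reverse}")
    raise LookupError(f"key {key_id} not found for this service account")


if __name__ == "__main__":
    print(plan_key_action(SAMPLE_KEYS, "1111aaaa", "disable"))
    print(plan_key_action(SAMPLE_KEYS, "2222bbbb", "disable"))
```

The function only plans the request; sending it requires an authenticated caller with the role described under Required roles.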
What's next
- Learn how to delete service account keys.
- Learn how to list and get service account keys.
- Learn how to use service account keys to authenticate as a service account.
- Understand the best practices for managing service account keys.