Method: projects.serviceAccounts.generateIdToken

HTTP request
Path parameters
Request body
- JSON representation
Response body
- JSON representation
Authorization scopes
Try it!

Generates an OpenID Connect ID token for a service account.

HTTP request

POST https://iamcredentials.googleapis.com/v1/{name=projects/*/serviceAccounts/*}:generateIdToken

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters

Parameters
`name`	`string` Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid. Authorization requires the following IAM permission on the specified resource `name`: `iam.serviceAccounts.getOpenIdToken`

name

string

Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

Authorization requires the following IAM permission on the specified resource name:

iam.serviceAccounts.getOpenIdToken

Request body

The request body contains data with the following structure:

JSON representation
{ "delegates": [ string ], "audience": string, "includeEmail": boolean }

Fields

Fields
`delegates[]`	`string` The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.
`audience`	`string` Required. The audience for the token, such as the API or account that this token grants access to.
`includeEmail`	`boolean` Include the service account email in the token. If set to `true`, the token will contain `email` and `email_verified` claims.

delegates[]

string

The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.

The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

audience

string

Required. The audience for the token, such as the API or account that this token grants access to.

includeEmail

boolean

Include the service account email in the token. If set to true, the token will contain email and email_verified claims.

Response body

If successful, the response body contains data with the following structure:

JSON representation
{ "token": string }

Fields

Fields
`token`	`string` The OpenId Connect ID token.

token

string

The OpenId Connect ID token.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/iam
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.