Method: projects.serviceAccounts.keys.create

Creates a ServiceAccountKey.

HTTP request

POST https://iam.googleapis.com/v1/{name=projects/*/serviceAccounts/*}/keys

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters
name

string

Required. The resource name of the service account.

Use one of the following formats:

  • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
  • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

  • projects/-/serviceAccounts/{EMAIL_ADDRESS}
  • projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.create

Request body

The request body contains data with the following structure:

JSON representation
{
  "privateKeyType": enum (ServiceAccountPrivateKeyType),
  "keyAlgorithm": enum (ServiceAccountKeyAlgorithm)
}
Fields
privateKeyType

enum (ServiceAccountPrivateKeyType)

The output format of the private key. The default value is TYPE_GOOGLE_CREDENTIALS_FILE, which is the Google Credentials File format.

keyAlgorithm

enum (ServiceAccountKeyAlgorithm)

Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future.

Response body

If successful, the response body contains a newly created instance of ServiceAccountKey.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

Examples

Uses the .NET client library.

// BEFORE RUNNING:
// ---------------
// 1. If not already done, enable the Identity and Access Management (IAM) API
//    and check the quota for your project at
//    https://console.developers.google.com/apis/api/iam
// 2. This sample uses Application Default Credentials for authentication.
//    If not already done, install the gcloud CLI from
//    https://cloud.google.com/sdk and run
//    `gcloud beta auth application-default login`.
//    For more information, see
//    https://developers.google.com/identity/protocols/application-default-credentials
// 3. Install the C# client library by adding a dependency on the relevant NuGet
//    package. Libraries published by Google are owned by google-apis-packages:
//    https://www.nuget.org/profiles/google-apis-packages

using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;
using Google.Apis.Iam.v1;
using Newtonsoft.Json;
using System;
using System.Threading.Tasks;

using Data = Google.Apis.Iam.v1.Data;

namespace IamSample
{
   
public class IamExample
   
{
       
public static void Main(string[] args)
       
{
           
IamService iamService = new IamService(new BaseClientService.Initializer
           
{
               
HttpClientInitializer = GetCredential(),
               
ApplicationName = "Google-iamSample/0.1",
           
});

           
// The resource name of the service account in the following format:
           
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
           
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
           
// the account. The `ACCOUNT` value can be the `email` address or the
           
// `unique_id` of the service account.
           
string name = "projects/my-project/serviceAccounts/my-service-account";  // TODO: Update placeholder value.

           
// TODO: Assign values to desired properties of `requestBody`:
           
Data.CreateServiceAccountKeyRequest requestBody = new Data.CreateServiceAccountKeyRequest();

           
ProjectsResource.ServiceAccountsResource.KeysResource.CreateRequest request = iamService.Projects.ServiceAccounts.Keys.Create(requestBody, name);

           
// To execute asynchronously in an async method, replace `request.Execute()` as shown:
           
Data.ServiceAccountKey response = request.Execute();
           
// Data.ServiceAccountKey response = await request.ExecuteAsync();

           
// TODO: Change code below to process the `response` object:
           
Console.WriteLine(JsonConvert.SerializeObject(response));
       
}

       
public static GoogleCredential GetCredential()
       
{
           
GoogleCredential credential = Task.Run(() => GoogleCredential.GetApplicationDefaultAsync()).Result;
           
if (credential.IsCreateScopedRequired)
           
{
                credential
= credential.CreateScoped("https://www.googleapis.com/auth/cloud-platform");
           
}
           
return credential;
       
}
   
}
}

Uses the Go client library.

package main

// BEFORE RUNNING:
// ---------------
// 1. If not already done, enable the Identity and Access Management (IAM) API
//    and check the quota for your project at
//    https://console.developers.google.com/apis/api/iam
// 2. This sample uses Application Default Credentials for authentication.
//    If not already done, install the gcloud CLI from
//    https://cloud.google.com/sdk/ and run
//    `gcloud beta auth application-default login`.
//    For more information, see
//    https://developers.google.com/identity/protocols/application-default-credentials
// 3. Install and update the Go dependencies by running `go get -u` in the
//    project directory.

import (
       
"fmt"
       
"log"

       
"golang.org/x/net/context"
       
"golang.org/x/oauth2/google"
       
"google.golang.org/api/iam/v1"
)

func main
() {
        ctx
:= context.Background()

        iamService
, err := iam.NewService(ctx)
       
if err != nil {
                log
.Fatal(err)
       
}

       
// The resource name of the service account in the following format:
       
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
       
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
       
// the account. The `ACCOUNT` value can be the `email` address or the
       
// `unique_id` of the service account.
        name
:= "projects/my-project/serviceAccounts/my-service-account" // TODO: Update placeholder value.

        rb
:= &iam.CreateServiceAccountKeyRequest{
               
// TODO: Add desired fields of the request body.
       
}

        resp
, err := iamService.Projects.ServiceAccounts.Keys.Create(name, rb).Context(ctx).Do()
       
if err != nil {
                log
.Fatal(err)
       
}

       
// TODO: Change code below to process the `resp` object:
        fmt
.Printf("%#v\n", resp)
}

Uses the Java client library.

/*
 * BEFORE RUNNING:
 * ---------------
 * 1. If not already done, enable the Identity and Access Management (IAM) API
 *    and check the quota for your project at
 *    https://console.developers.google.com/apis/api/iam
 * 2. This sample uses Application Default Credentials for authentication.
 *    If not already done, install the gcloud CLI from
 *    https://cloud.google.com/sdk and run
 *    `gcloud beta auth application-default login`.
 *    For more information, see
 *    https://developers.google.com/identity/protocols/application-default-credentials
 * 3. Install the Java client library on Maven or Gradle. Check installation
 *    instructions at https://github.com/google/google-api-java-client.
 *    On other build systems, you can add the jar files to your project from
 *    https://developers.google.com/resources/api-libraries/download/iam/v1/java
 */

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.iam.v1.Iam;
import com.google.api.services.iam.v1.model.CreateServiceAccountKeyRequest;
import com.google.api.services.iam.v1.model.ServiceAccountKey;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public class IamExample {
 
public static void main(String args[]) throws IOException, GeneralSecurityException {
   
// The resource name of the service account in the following format:
   
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
   
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
   
// the account. The `ACCOUNT` value can be the `email` address or the
   
// `unique_id` of the service account.
   
String name =
       
"projects/my-project/serviceAccounts/my-service-account"; // TODO: Update placeholder value.

   
// TODO: Assign values to desired fields of `requestBody`:
   
CreateServiceAccountKeyRequest requestBody = new CreateServiceAccountKeyRequest();

   
Iam iamService = createIamService();
   
Iam.Projects.ServiceAccounts.Keys.Create request =
        iamService
.projects().serviceAccounts().keys().create(name, requestBody);

   
ServiceAccountKey response = request.execute();

   
// TODO: Change code below to process the `response` object:
   
System.out.println(response);
 
}

 
public static Iam createIamService() throws IOException, GeneralSecurityException {
   
HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
   
JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();

   
GoogleCredential credential = GoogleCredential.getApplicationDefault();
   
if (credential.createScopedRequired()) {
      credential
=
          credential
.createScoped(Arrays.asList("https://www.googleapis.com/auth/cloud-platform"));
   
}

   
return new Iam.Builder(httpTransport, jsonFactory, credential)
       
.setApplicationName("Google-iamSample/0.1")
       
.build();
 
}
}

Uses the Node.js client library.

// BEFORE RUNNING:
// ---------------
// 1. If not already done, enable the Identity and Access Management (IAM) API
//    and check the quota for your project at
//    https://console.developers.google.com/apis/api/iam
// 2. This sample uses Application Default Credentials for authentication.
//    If not already done, install the gcloud CLI from
//    https://cloud.google.com/sdk and run
//    `gcloud beta auth application-default login`.
//    For more information, see
//    https://developers.google.com/identity/protocols/application-default-credentials
// 3. Install the Node.js client library by running
//    `npm install googleapis --save`

const {google} = require('googleapis');
const iam = google.iam('v1');

async
function main () {
 
const authClient = await authorize();
 
const request = {
   
// Required. The resource name of the service account in the following format:
   
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
   
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
   
// the account. The `ACCOUNT` value can be the `email` address or the
   
// `unique_id` of the service account.
    name
: 'projects/my-project/serviceAccounts/my-service-account',  // TODO: Update placeholder value.

    resource
: {
     
// TODO: Add desired properties to the request body.
   
},

    auth
: authClient,
 
};

 
try {
   
const response = (await iam.projects.serviceAccounts.keys.create(request)).data;
   
// TODO: Change code below to process the `response` object:
    console
.log(JSON.stringify(response, null, 2));
 
} catch (err) {
    console
.error(err);
 
}
}
main
();

async
function authorize() {
 
const auth = new google.auth.GoogleAuth({
    scopes
: ['https://www.googleapis.com/auth/cloud-platform']
 
});
 
return await auth.getClient();
}

Uses the PHP client library.

<?php
/*
 * BEFORE RUNNING:
 * ---------------
 * 1. If not already done, enable the Identity and Access Management (IAM) API
 *    and check the quota for your project at
 *    https://console.developers.google.com/apis/api/iam
 * 2. This sample uses Application Default Credentials for authentication.
 *    If not already done, install the gcloud CLI from
 *    https://cloud.google.com/sdk and run
 *    `gcloud beta auth application-default login`.
 *    For more information, see
 *    https://developers.google.com/identity/protocols/application-default-credentials
 * 3. Install the PHP client library with Composer. Check installation
 *    instructions at https://github.com/google/google-api-php-client.
 */


// Autoload Composer.
require_once __DIR__
. '/vendor/autoload.php';

$client
= new Google_Client();
$client
->setApplicationName('Google-iamSample/0.1');
$client
->useApplicationDefaultCredentials();
$client
->addScope('https://www.googleapis.com/auth/cloud-platform');

$service
= new Google_Service_Iam($client);

// The resource name of the service account in the following format:
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
// the account. The `ACCOUNT` value can be the `email` address or the
// `unique_id` of the service account.
$name
= 'projects/my-project/serviceAccounts/my-service-account';  // TODO: Update placeholder value.

// TODO: Assign values to desired properties of `requestBody`:
$requestBody
= new Google_Service_Iam_CreateServiceAccountKeyRequest();

$response
= $service->projects_serviceAccounts_keys->create($name, $requestBody);

// TODO: Change code below to process the `response` object:
echo
'<pre>', var_export($response, true), '</pre>', "\n";
?>

Uses the Python client library.

"""
BEFORE RUNNING:
---------------
1. If not already done, enable the Identity and Access Management (IAM) API
   and check the quota for your project at
   https://console.developers.google.com/apis/api/iam
2. This sample uses Application Default Credentials for authentication.
   If not already done, install the gcloud CLI from
   https://cloud.google.com/sdk and run
   `gcloud beta auth application-default login`.
   For more information, see
   https://developers.google.com/identity/protocols/application-default-credentials
3. Install the Python client library for Google APIs by running
   `pip install --upgrade google-api-python-client`
4. Install the OAuth 2.0 client for Google APIs by running
   `pip install --upgrade oauth2client`
"""

from pprint import pprint

from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

credentials
= GoogleCredentials.get_application_default()

service
= discovery.build('iam', 'v1', credentials=credentials)

# The resource name of the service account in the following format:
# `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
# Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
# the account. The `ACCOUNT` value can be the `email` address or the
# `unique_id` of the service account.
name
= 'projects/my-project/serviceAccounts/my-service-account'  # TODO: Update placeholder value.

create_service_account_key_request_body
= {
   
# TODO: Add desired entries to the request body.
}

request
= service.projects().serviceAccounts().keys().create(name=name, body=create_service_account_key_request_body)
response
= request.execute()

# TODO: Change code below to process the `response` dict:
pprint
(response)

Uses the Ruby client library.

# BEFORE RUNNING:
# ---------------
# 1. If not already done, enable the Identity and Access Management (IAM) API
#    and check the quota for your project at
#    https://console.developers.google.com/apis/api/iam
# 2. This sample uses Application Default Credentials for authentication.
#    If not already done, install the gcloud CLI from
#    https://cloud.google.com/sdk and run
#    `gcloud beta auth application-default login`.
#    For more information, see
#    https://developers.google.com/identity/protocols/application-default-credentials
# 3. Install the Ruby client library and Application Default Credentials
#    library by running `gem install google-api-client` and
#    `gem install googleauth`

require 'googleauth'
require 'google/apis/iam_v1'

service
= Google::Apis::IamV1::IamService.new

service
.authorization = \
   
Google::Auth.get_application_default(['https://www.googleapis.com/auth/cloud-platform'])

# The resource name of the service account in the following format:
# `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
# Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
# the account. The `ACCOUNT` value can be the `email` address or the
# `unique_id` of the service account.
name
= 'projects/my-project/serviceAccounts/my-service-account'  # TODO: Update placeholder value.

# TODO: Assign values to desired members of `request_body`:
request_body
= Google::Apis::IamV1::CreateServiceAccountKeyRequest.new

response
= service.create_service_account_key(name, request_body)

# TODO: Change code below to process the `response` object:
puts response
.to_json