Method: projects.serviceAccounts.keys.create

HTTP request
Path parameters
Request body
- JSON representation
Response body
Authorization scopes
Examples
Try it!

Creates a ServiceAccountKey.

HTTP request

POST https://iam.googleapis.com/v1/{name=projects/*/serviceAccounts/*}/keys

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters

Parameters
`name`	`string` Required. The resource name of the service account. Use one of the following formats: `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: `projects/-/serviceAccounts/{EMAIL_ADDRESS}` `projects/-/serviceAccounts/{UNIQUE_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account `projects/-/serviceAccounts/fake@example.com`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. Authorization requires the following IAM permission on the specified resource `name`: `iam.serviceAccountKeys.create`

name

string

Required. The resource name of the service account.

Use one of the following formats:

projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

projects/-/serviceAccounts/{EMAIL_ADDRESS}
projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

iam.serviceAccountKeys.create

Request body

The request body contains data with the following structure:

JSON representation
{ "privateKeyType": enum (`ServiceAccountPrivateKeyType`), "keyAlgorithm": enum (`ServiceAccountKeyAlgorithm`) }

Fields

Fields
`privateKeyType`	`enum (ServiceAccountPrivateKeyType)` The output format of the private key. The default value is `TYPE_GOOGLE_CREDENTIALS_FILE`, which is the Google Credentials File format.
`keyAlgorithm`	`enum (ServiceAccountKeyAlgorithm)` Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future.

privateKeyType

enum (ServiceAccountPrivateKeyType)

The output format of the private key. The default value is TYPE_GOOGLE_CREDENTIALS_FILE, which is the Google Credentials File format.

keyAlgorithm

enum (ServiceAccountKeyAlgorithm)

Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future.

Response body

If successful, the response body contains a newly created instance of ServiceAccountKey.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/iam
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.