Method: projects.serviceAccounts.keys.disable

HTTP request
Path parameters
Request body
- JSON representation
Response body
Authorization scopes
Examples
Try it!

Disable a ServiceAccountKey. A disabled service account key can be re-enabled with keys.enable.

HTTP request

POST https://iam.googleapis.com/v1/{name=projects/*/serviceAccounts/*/keys/*}:disable

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters

Parameters
`name`	`string` Required. The resource name of the service account key. Use one of the following formats: `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}` `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}` As an alternative, you can use the `-` wildcard character instead of the project ID: `projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}` `projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}` When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account key `projects/-/serviceAccounts/fake@example.com/keys/fake-key`, which does not exist, the response contains an HTTP `403 Forbidden` error instead of a `404 Not Found` error. Authorization requires the following IAM permission on the specified resource `name`: `iam.serviceAccountKeys.disable`

name

string

Required. The resource name of the service account key.

Use one of the following formats:

projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account key projects/-/serviceAccounts/fake@example.com/keys/fake-key, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

iam.serviceAccountKeys.disable

Request body

The request body contains data with the following structure:

JSON representation
{ "serviceAccountKeyDisableReason": enum (`ServiceAccountKeyDisableReason`), "extendedStatusMessage": string }

Fields

Fields
`serviceAccountKeyDisableReason`	`enum (ServiceAccountKeyDisableReason)` Optional. Describes the reason this key is being disabled. If unspecified, the default value of SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED will be used.
`extendedStatusMessage`	`string` Optional. Usable by internal google services only. An extendedStatusMessage can be used to include additional information about the key, such as its private key data being exposed on a public repository like GitHub.

serviceAccountKeyDisableReason

enum (ServiceAccountKeyDisableReason)

Optional. Describes the reason this key is being disabled. If unspecified, the default value of SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED will be used.

extendedStatusMessage

string

Optional. Usable by internal google services only. An extendedStatusMessage can be used to include additional information about the key, such as its private key data being exposed on a public repository like GitHub.

Response body

If successful, the response body is empty.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/iam
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.