Method: projects.serviceAccounts.keys.upload

Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount.

After you upload the public key, you can use the private key from the key pair as a service account key.

HTTP request

POST https://iam.googleapis.com/v1/{name=projects/*/serviceAccounts/*}/keys:upload

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters
name

string

The resource name of the service account key.

Use one of the following formats:

  • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
  • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

  • projects/-/serviceAccounts/{EMAIL_ADDRESS}
  • projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.create

Request body

The request body contains data with the following structure:

JSON representation
{
  "publicKeyData": string
}
Fields
publicKeyData

string (bytes format)

The public key to associate with the service account. Must be an RSA public key that is wrapped in an X.509 v3 certificate. Include the first line, -----BEGIN CERTIFICATE-----, and the last line, -----END CERTIFICATE-----.

A base64-encoded string.

Response body

If successful, the response body contains an instance of ServiceAccountKey.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

Examples

Node.js

Uses the Node.js client library.

// BEFORE RUNNING:
// ---------------
// 1. If not already done, enable the Identity and Access Management (IAM) API
//    and check the quota for your project at
//    https://console.developers.google.com/apis/api/iam
// 2. This sample uses Application Default Credentials for authentication.
//    If not already done, install the gcloud CLI from
//    https://cloud.google.com/sdk and run
//    `gcloud beta auth application-default login`.
//    For more information, see
//    https://developers.google.com/identity/protocols/application-default-credentials
// 3. Install the Node.js client library by running
//    `npm install googleapis --save`

const {google} = require('googleapis');
const iam = google.iam('v1');

async
function main () {
 
const authClient = await authorize();
 
const request = {
   
// The resource name of the service account in the following format:
   
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
   
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
   
// the account. The `ACCOUNT` value can be the `email` address or the
   
// `unique_id` of the service account.
    name
: 'projects/my-project/serviceAccounts/my-service-account',  // TODO: Update placeholder value.

    resource
: {
     
// TODO: Add desired properties to the request body.
   
},

    auth
: authClient,
 
};

 
try {
   
const response = (await iam.projects.serviceAccounts.keys.upload(request)).data;
   
// TODO: Change code below to process the `response` object:
    console
.log(JSON.stringify(response, null, 2));
 
} catch (err) {
    console
.error(err);
 
}
}
main
();

async
function authorize() {
 
const auth = new google.auth.GoogleAuth({
    scopes
: ['https://www.googleapis.com/auth/cloud-platform']
 
});
 
return await auth.getClient();
}