Method: projects.serviceAccounts.keys.upload

Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount.

After you upload the public key, you can use the private key from the key pair as a service account key.

HTTP request


The URL uses gRPC Transcoding syntax.

Path parameters



The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the uniqueId of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.create

Request body

The request body contains data with the following structure:

JSON representation

{
  "publicKeyData": string
}

publicKeyData

string (bytes format)

The public key to associate with the service account. Must be an RSA public key that is wrapped in an X.509 v3 certificate. Include the first line, -----BEGIN CERTIFICATE-----, and the last line, -----END CERTIFICATE-----.

A base64-encoded string.
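
Added example (not part of the API reference or of Google's client code): a Python pre-flight check that builds the request body from a PEM certificate, reading the field description above as base64 of the whole PEM text with its BEGIN/END lines included. The function names, the byte search for the rsaEncryption OID (a heuristic, not full X.509 parsing) and the constructed sample input are assumptions of this example.

```python
import base64
import json
import re

# DER encoding of the rsaEncryption OID 1.2.840.113549.1.1.1
RSA_OID = bytes.fromhex("06092a864886f70d010101")
PEM_RE = re.compile(
    r"\A-----BEGIN CERTIFICATE-----\r?\n(?P<b64>[A-Za-z0-9+/=\r\n]+?)\r?\n"
    r"-----END CERTIFICATE-----\s*\Z"
)


def build_upload_body(pem_text: str) -> str:
    """Return the JSON request body for keys.upload, or raise ValueError.

    Local sanity check only; the API performs the authoritative validation.
    """
    # Refuse to send anything that carries private key material.
    if "PRIVATE KEY" in pem_text:
        raise ValueError("input contains a private key; upload the certificate only")
    pem = pem_text.strip()
    match = PEM_RE.match(pem)
    if not match:
        raise ValueError("expected one PEM block with BEGIN/END CERTIFICATE lines")
    try:
        der = base64.b64decode("".join(match["b64"].split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("PEM body is not valid base64") from exc
    if not der.startswith(b"\x30"):
        raise ValueError("PEM body is not a DER SEQUENCE")
    if RSA_OID not in der:  # heuristic: looks for the rsaEncryption OID bytes
        raise ValueError("no rsaEncryption OID found; the key must be RSA")
    # bytes-format field: base64 of the entire PEM text, header and footer included
    encoded = base64.b64encode(pem.encode("ascii") + b"\n").decode("ascii")
    return json.dumps({"publicKeyData": encoded})


def constructed_sample(oid: bytes = RSA_OID) -> str:
    """Constructed stand-in, NOT a real certificate: a bare DER AlgorithmIdentifier."""
    inner = oid + b"\x05\x00"
    fake_der = b"\x30" + bytes([len(inner)]) + inner
    body = base64.b64encode(fake_der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

With a real certificate, pass the contents of the PEM file to build_upload_body and send the returned JSON as the request body.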

Response body

If successful, the response body contains an instance of ServiceAccountKey.

Authorization Scopes

Requires one of the following OAuth scopes:


For more information, see the Authentication Overview.