Method: projects.serviceAccounts.signJwt

Note: This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions.

Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.

HTTP request

POST https://iam.googleapis.com/v1/{name=projects/*/serviceAccounts/*}:signJwt

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters
name
(deprecated)

string

Required. Deprecated. Migrate to Service Account Credentials API.

The resource name of the service account.

Use one of the following formats:

  • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
  • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

  • projects/-/serviceAccounts/{EMAIL_ADDRESS}
  • projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.signJwt

Request body

The request body contains data with the following structure:

JSON representation
{
  "payload": string
}
Fields
payload
(deprecated)

string

Required. Deprecated. Migrate to Service Account Credentials API.

The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. For example: {"sub": "user@example.com", "iat": 313435}

If the JWT Claims Set contains an expiration time (exp) claim, it must be an integer timestamp that is not in the past and no more than 12 hours in the future.

If the JWT Claims Set does not contain an expiration time (exp) claim, this claim is added automatically, with a timestamp that is 1 hour in the future.

Response body

Deprecated. Migrate to Service Account Credentials API.

The service account sign JWT response.

If successful, the response body contains data with the following structure:

JSON representation
{
  "keyId": string,
  "signedJwt": string
}
Fields
keyId
(deprecated)

string

Deprecated. Migrate to Service Account Credentials API.

The id of the key used to sign the JWT.

signedJwt
(deprecated)

string

Deprecated. Migrate to Service Account Credentials API.

The signed JWT.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

Examples

Uses the .NET client library.

// BEFORE RUNNING:
// ---------------
// 1. If not already done, enable the Identity and Access Management (IAM) API
//    and check the quota for your project at
//    https://console.developers.google.com/apis/api/iam
// 2. This sample uses Application Default Credentials for authentication.
//    If not already done, install the gcloud CLI from
//    https://cloud.google.com/sdk and run
//    `gcloud beta auth application-default login`.
//    For more information, see
//    https://developers.google.com/identity/protocols/application-default-credentials
// 3. Install the C# client library by adding a dependency on the relevant NuGet
//    package. Libraries published by Google are owned by google-apis-packages:
//    https://www.nuget.org/profiles/google-apis-packages

using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;
using Google.Apis.Iam.v1;
using Newtonsoft.Json;
using System;
using System.Threading.Tasks;

using Data = Google.Apis.Iam.v1.Data;

namespace IamSample
{
   
public class IamExample
   
{
       
public static void Main(string[] args)
       
{
           
IamService iamService = new IamService(new BaseClientService.Initializer
           
{
               
HttpClientInitializer = GetCredential(),
               
ApplicationName = "Google-iamSample/0.1",
           
});

           
// The resource name of the service account in the following format:
           
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
           
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
           
// the account. The `ACCOUNT` value can be the `email` address or the
           
// `unique_id` of the service account.
           
string name = "projects/my-project/serviceAccounts/my-service-account";  // TODO: Update placeholder value.

           
// TODO: Assign values to desired properties of `requestBody`:
           
Data.SignJwtRequest requestBody = new Data.SignJwtRequest();

           
ProjectsResource.ServiceAccountsResource.SignJwtRequest request = iamService.Projects.ServiceAccounts.SignJwt(requestBody, name);

           
// To execute asynchronously in an async method, replace `request.Execute()` as shown:
           
Data.SignJwtResponse response = request.Execute();
           
// Data.SignJwtResponse response = await request.ExecuteAsync();

           
// TODO: Change code below to process the `response` object:
           
Console.WriteLine(JsonConvert.SerializeObject(response));
       
}

       
public static GoogleCredential GetCredential()
       
{
           
GoogleCredential credential = Task.Run(() => GoogleCredential.GetApplicationDefaultAsync()).Result;
           
if (credential.IsCreateScopedRequired)
           
{
                credential
= credential.CreateScoped("https://www.googleapis.com/auth/cloud-platform");
           
}
           
return credential;
       
}
   
}
}

Uses the Go client library.

package main

// BEFORE RUNNING:
// ---------------
// 1. If not already done, enable the Identity and Access Management (IAM) API
//    and check the quota for your project at
//    https://console.developers.google.com/apis/api/iam
// 2. This sample uses Application Default Credentials for authentication.
//    If not already done, install the gcloud CLI from
//    https://cloud.google.com/sdk/ and run
//    `gcloud beta auth application-default login`.
//    For more information, see
//    https://developers.google.com/identity/protocols/application-default-credentials
// 3. Install and update the Go dependencies by running `go get -u` in the
//    project directory.

import (
       
"fmt"
       
"log"

       
"golang.org/x/net/context"
       
"golang.org/x/oauth2/google"
       
"google.golang.org/api/iam/v1"
)

func main
() {
        ctx
:= context.Background()

        iamService
, err := iam.NewService(ctx)
       
if err != nil {
                log
.Fatal(err)
       
}

       
// The resource name of the service account in the following format:
       
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
       
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
       
// the account. The `ACCOUNT` value can be the `email` address or the
       
// `unique_id` of the service account.
        name
:= "projects/my-project/serviceAccounts/my-service-account" // TODO: Update placeholder value.

        rb
:= &iam.SignJwtRequest{
               
// TODO: Add desired fields of the request body.
       
}

        resp
, err := iamService.Projects.ServiceAccounts.SignJwt(name, rb).Context(ctx).Do()
       
if err != nil {
                log
.Fatal(err)
       
}

       
// TODO: Change code below to process the `resp` object:
        fmt
.Printf("%#v\n", resp)
}

Uses the Java client library.

/*
 * BEFORE RUNNING:
 * ---------------
 * 1. If not already done, enable the Identity and Access Management (IAM) API
 *    and check the quota for your project at
 *    https://console.developers.google.com/apis/api/iam
 * 2. This sample uses Application Default Credentials for authentication.
 *    If not already done, install the gcloud CLI from
 *    https://cloud.google.com/sdk and run
 *    `gcloud beta auth application-default login`.
 *    For more information, see
 *    https://developers.google.com/identity/protocols/application-default-credentials
 * 3. Install the Java client library on Maven or Gradle. Check installation
 *    instructions at https://github.com/google/google-api-java-client.
 *    On other build systems, you can add the jar files to your project from
 *    https://developers.google.com/resources/api-libraries/download/iam/v1/java
 */

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.iam.v1.Iam;
import com.google.api.services.iam.v1.model.SignJwtRequest;
import com.google.api.services.iam.v1.model.SignJwtResponse;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public class IamExample {
 
public static void main(String args[]) throws IOException, GeneralSecurityException {
   
// The resource name of the service account in the following format:
   
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
   
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
   
// the account. The `ACCOUNT` value can be the `email` address or the
   
// `unique_id` of the service account.
   
String name =
       
"projects/my-project/serviceAccounts/my-service-account"; // TODO: Update placeholder value.

   
// TODO: Assign values to desired fields of `requestBody`:
   
SignJwtRequest requestBody = new SignJwtRequest();

   
Iam iamService = createIamService();
   
Iam.Projects.ServiceAccounts.SignJwt request =
        iamService
.projects().serviceAccounts().signJwt(name, requestBody);

   
SignJwtResponse response = request.execute();

   
// TODO: Change code below to process the `response` object:
   
System.out.println(response);
 
}

 
public static Iam createIamService() throws IOException, GeneralSecurityException {
   
HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
   
JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();

   
GoogleCredential credential = GoogleCredential.getApplicationDefault();
   
if (credential.createScopedRequired()) {
      credential
=
          credential
.createScoped(Arrays.asList("https://www.googleapis.com/auth/cloud-platform"));
   
}

   
return new Iam.Builder(httpTransport, jsonFactory, credential)
       
.setApplicationName("Google-iamSample/0.1")
       
.build();
 
}
}

Uses the Node.js client library.

// BEFORE RUNNING:
// ---------------
// 1. If not already done, enable the Identity and Access Management (IAM) API
//    and check the quota for your project at
//    https://console.developers.google.com/apis/api/iam
// 2. This sample uses Application Default Credentials for authentication.
//    If not already done, install the gcloud CLI from
//    https://cloud.google.com/sdk and run
//    `gcloud beta auth application-default login`.
//    For more information, see
//    https://developers.google.com/identity/protocols/application-default-credentials
// 3. Install the Node.js client library by running
//    `npm install googleapis --save`

const {google} = require('googleapis');
const iam = google.iam('v1');

async
function main () {
 
const authClient = await authorize();
 
const request = {
   
// Required. The resource name of the service account in the following format:
   
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
   
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
   
// the account. The `ACCOUNT` value can be the `email` address or the
   
// `unique_id` of the service account.
    name
: 'projects/my-project/serviceAccounts/my-service-account',  // TODO: Update placeholder value.

    resource
: {
     
// TODO: Add desired properties to the request body.
   
},

    auth
: authClient,
 
};

 
try {
   
const response = (await iam.projects.serviceAccounts.signJwt(request)).data;
   
// TODO: Change code below to process the `response` object:
    console
.log(JSON.stringify(response, null, 2));
 
} catch (err) {
    console
.error(err);
 
}
}
main
();

async
function authorize() {
 
const auth = new google.auth.GoogleAuth({
    scopes
: ['https://www.googleapis.com/auth/cloud-platform']
 
});
 
return await auth.getClient();
}

Uses the PHP client library.

<?php
/*
 * BEFORE RUNNING:
 * ---------------
 * 1. If not already done, enable the Identity and Access Management (IAM) API
 *    and check the quota for your project at
 *    https://console.developers.google.com/apis/api/iam
 * 2. This sample uses Application Default Credentials for authentication.
 *    If not already done, install the gcloud CLI from
 *    https://cloud.google.com/sdk and run
 *    `gcloud beta auth application-default login`.
 *    For more information, see
 *    https://developers.google.com/identity/protocols/application-default-credentials
 * 3. Install the PHP client library with Composer. Check installation
 *    instructions at https://github.com/google/google-api-php-client.
 */


// Autoload Composer.
require_once __DIR__
. '/vendor/autoload.php';

$client
= new Google_Client();
$client
->setApplicationName('Google-iamSample/0.1');
$client
->useApplicationDefaultCredentials();
$client
->addScope('https://www.googleapis.com/auth/cloud-platform');

$service
= new Google_Service_Iam($client);

// The resource name of the service account in the following format:
// `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
// Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
// the account. The `ACCOUNT` value can be the `email` address or the
// `unique_id` of the service account.
$name
= 'projects/my-project/serviceAccounts/my-service-account';  // TODO: Update placeholder value.

// TODO: Assign values to desired properties of `requestBody`:
$requestBody
= new Google_Service_Iam_SignJwtRequest();

$response
= $service->projects_serviceAccounts->signJwt($name, $requestBody);

// TODO: Change code below to process the `response` object:
echo
'<pre>', var_export($response, true), '</pre>', "\n";
?>

Uses the Python client library.

"""
BEFORE RUNNING:
---------------
1. If not already done, enable the Identity and Access Management (IAM) API
   and check the quota for your project at
   https://console.developers.google.com/apis/api/iam
2. This sample uses Application Default Credentials for authentication.
   If not already done, install the gcloud CLI from
   https://cloud.google.com/sdk and run
   `gcloud beta auth application-default login`.
   For more information, see
   https://developers.google.com/identity/protocols/application-default-credentials
3. Install the Python client library for Google APIs by running
   `pip install --upgrade google-api-python-client`
4. Install the OAuth 2.0 client for Google APIs by running
   `pip install --upgrade oauth2client`
"""

from pprint import pprint

from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

credentials
= GoogleCredentials.get_application_default()

service
= discovery.build('iam', 'v1', credentials=credentials)

# The resource name of the service account in the following format:
# `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
# Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
# the account. The `ACCOUNT` value can be the `email` address or the
# `unique_id` of the service account.
name
= 'projects/my-project/serviceAccounts/my-service-account'  # TODO: Update placeholder value.

sign_jwt_request_body
= {
   
# TODO: Add desired entries to the request body.
}

request
= service.projects().serviceAccounts().signJwt(name=name, body=sign_jwt_request_body)
response
= request.execute()

# TODO: Change code below to process the `response` dict:
pprint
(response)

Uses the Ruby client library.

# BEFORE RUNNING:
# ---------------
# 1. If not already done, enable the Identity and Access Management (IAM) API
#    and check the quota for your project at
#    https://console.developers.google.com/apis/api/iam
# 2. This sample uses Application Default Credentials for authentication.
#    If not already done, install the gcloud CLI from
#    https://cloud.google.com/sdk and run
#    `gcloud beta auth application-default login`.
#    For more information, see
#    https://developers.google.com/identity/protocols/application-default-credentials
# 3. Install the Ruby client library and Application Default Credentials
#    library by running `gem install google-api-client` and
#    `gem install googleauth`

require 'googleauth'
require 'google/apis/iam_v1'

service
= Google::Apis::IamV1::IamService.new

service
.authorization = \
   
Google::Auth.get_application_default(['https://www.googleapis.com/auth/cloud-platform'])

# The resource name of the service account in the following format:
# `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`.
# Using `-` as a wildcard for the `PROJECT_ID` will infer the project from
# the account. The `ACCOUNT` value can be the `email` address or the
# `unique_id` of the service account.
name
= 'projects/my-project/serviceAccounts/my-service-account'  # TODO: Update placeholder value.

# TODO: Assign values to desired members of `request_body`:
request_body
= Google::Apis::IamV1::SignJwtRequest.new

response
= service.sign_service_account_jwt(name, request_body)

# TODO: Change code below to process the `response` object:
puts response
.to_json