REST Resource: projects.serviceAccounts.keys

Resource: ServiceAccountKey
- JSON representation
ServiceAccountPrivateKeyType
ServiceAccountKeyAlgorithm
Methods

Resource: ServiceAccountKey

Represents a service account key.

A service account has two sets of key-pairs: user-managed, and system-managed.

User-managed key-pairs can be created and deleted by users. Users are responsible for rotating these keys periodically to ensure security of their service accounts. Users retain the private key of these key-pairs, and Google retains ONLY the public key.

System-managed key-pairs are managed automatically by Google, and rotated daily without user intervention. The private key never leaves Google's servers to maximize security.

Public keys for all service accounts are also published at the OAuth2 Service Account API.

JSON representation

JSON representation
{ "name": string, "privateKeyType": enum(`ServiceAccountPrivateKeyType`), "keyAlgorithm": enum(`ServiceAccountKeyAlgorithm`), "privateKeyData": string, "publicKeyData": string, "validAfterTime": string, "validBeforeTime": string, }

{
  "name": string,
  "privateKeyType": enum(ServiceAccountPrivateKeyType),
  "keyAlgorithm": enum(ServiceAccountKeyAlgorithm),
  "privateKeyData": string,
  "publicKeyData": string,
  "validAfterTime": string,
  "validBeforeTime": string,
}

Fields
`name`	`string` The resource name of the service account key in the following format `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}`.
`privateKeyType`	`enum(ServiceAccountPrivateKeyType)` The output format for the private key. Only provided in `keys.create` responses, not in `keys.get` or `ListServiceAccountKey` responses. Google never exposes system-managed private keys, and never retains user-managed private keys.
`keyAlgorithm`	`enum(ServiceAccountKeyAlgorithm)` Specifies the algorithm (and possibly key size) for the key.
`privateKeyData`	`string (bytes format)` The private key data. Only provided in `keys.create` responses. Make sure to keep the private key data secure because it allows for the assertion of the service account identity. When decoded, the private key data can be used to authenticate with Google API client libraries and with gcloud auth activate-service-account. A base64-encoded string.
`publicKeyData`	`string (bytes format)` The public key data. Only provided in `keys.get` responses. A base64-encoded string.
`validAfterTime`	`string (Timestamp format)` The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: `"2014-10-02T15:01:23.045123456Z"`.
`validBeforeTime`	`string (Timestamp format)` The key can be used before this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: `"2014-10-02T15:01:23.045123456Z"`.

ServiceAccountPrivateKeyType

Supported private key output formats.

Enums
`TYPE_UNSPECIFIED`	Unspecified. Equivalent to `TYPE_GOOGLE_CREDENTIALS_FILE`.
`TYPE_PKCS12_FILE`	PKCS12 format. The password for the PKCS12 file is `notasecret`. For more information, see https://tools.ietf.org/html/rfc7292.
`TYPE_GOOGLE_CREDENTIALS_FILE`	Google Credentials File format.

ServiceAccountKeyAlgorithm

Supported key algorithms.

Enums
`KEY_ALG_UNSPECIFIED`	An unspecified key algorithm.
`KEY_ALG_RSA_1024`	1k RSA Key.
`KEY_ALG_RSA_2048`	2k RSA Key.

Methods
`create`	Creates a `ServiceAccountKey` and returns it.
`delete`	Deletes a `ServiceAccountKey`.
`get`	Gets the `ServiceAccountKey` by key id.
`list`	Lists `ServiceAccountKeys`.

Resource: ServiceAccountKey

ServiceAccountPrivateKeyType

ServiceAccountKeyAlgorithm

Methods

`create`

`delete`

`get`

`list`

Send feedback about...