Method: projects.serviceAccounts.keys.create

Creates a ServiceAccountKey.

HTTP request

POST https://iam.googleapis.com/v1/{name=projects/*/serviceAccounts/*}/keys

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters
name

string

Required. The resource name of the service account.

Use one of the following formats:

  • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
  • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

  • projects/-/serviceAccounts/{EMAIL_ADDRESS}
  • projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.create

Request body

The request body contains data with the following structure:

JSON representation
{
  "privateKeyType": enum (ServiceAccountPrivateKeyType),
  "keyAlgorithm": enum (ServiceAccountKeyAlgorithm)
}
Fields
privateKeyType

enum (ServiceAccountPrivateKeyType)

The output format of the private key. The default value is TYPE_GOOGLE_CREDENTIALS_FILE, which is the Google Credentials File format.

keyAlgorithm

enum (ServiceAccountKeyAlgorithm)

Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future.

Response body

If successful, the response body contains a newly created instance of ServiceAccountKey.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.