Creates a ServiceAccountKey
.
HTTP request
POST https://iam.googleapis.com/v1/{name=projects/*/serviceAccounts/*}/keys
The URL uses gRPC Transcoding syntax.
Path parameters
name
string
Required. The resource name of the service account.
Use one of the following formats:
-
projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS} -
projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}
As an alternative, you can use the -
wildcard character instead of the project ID:
-
projects/-/serviceAccounts/{EMAIL_ADDRESS} -
projects/-/serviceAccounts/{UNIQUE_ID}
When possible, avoid using the -
wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com
, which does not exist, the response contains an HTTP 403 Forbidden
error instead of a 404 Not
Found
error.
Authorization requires the following IAM
permission on the specified resource name
:
-
iam.serviceAccountKeys.create
Request body
The request body contains data with the following structure:
| JSON representation |
|---|
{ "privateKeyType" : enum ( |
| Fields | |
|---|---|
privateKeyType
|
The output format of the private key. The default value is |
keyAlgorithm
|
Which type of key and algorithm to use for the key. The default is currently a 2K RSA key. However this may change in the future. |
Response body
If successful, the response body contains a newly created instance of ServiceAccountKey
.
Authorization scopes
Requires one of the following OAuth scopes:
-
https://www.googleapis.com/auth/iam -
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview .
