Uploads the public key portion of a key pair that you manage, and associates the public key with a ServiceAccount
.
After you upload the public key, you can use the private key from the key pair as a service account key.
HTTP request
POST https://iam.googleapis.com/v1/{name=projects/*/serviceAccounts/*}/keys:upload
The URL uses gRPC Transcoding syntax.
Path parameters
name
string
The resource name of the service account key.
Use one of the following formats:
-
projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS} -
projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}
As an alternative, you can use the -
wildcard character instead of the project ID:
-
projects/-/serviceAccounts/{EMAIL_ADDRESS} -
projects/-/serviceAccounts/{UNIQUE_ID}
When possible, avoid using the -
wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com
, which does not exist, the response contains an HTTP 403 Forbidden
error instead of a 404 Not
Found
error.
Authorization requires the following IAM
permission on the specified resource name
:
-
iam.serviceAccountKeys.create
Request body
The request body contains data with the following structure:
| JSON representation |
|---|
{ "publicKeyData" : string } |
| Fields | |
|---|---|
publicKeyData
|
The public key to associate with the service account. Must be an RSA public key that is wrapped in an X.509 v3 certificate. Include the first line, A base64-encoded string. |
Response body
If successful, the response body contains an instance of ServiceAccountKey
.
Authorization scopes
Requires one of the following OAuth scopes:
-
https://www.googleapis.com/auth/iam -
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview .
