This page explains how to create and delete service account keys using the Google Cloud console, the Google Cloud CLI, the Identity and Access Management API, or one of the Google Cloud Client Libraries.
Before you begin
Enable the IAM API.
Understand service account credentials.
Required roles
To get the permissions that you need to create and delete service account keys,
ask your administrator to grant you the
Service Account Key Admin (roles/iam.serviceAccountKeyAdmin
) IAM role on the project, or the service account whose keys you want
to manage.
For more information about granting roles, see Manage access.
You might also be able to get the required permissions through custom roles or other predefined roles.
For more information, see Service Accounts roles.
IAM basic roles also contain permissions to manage service account keys. You should not grant basic roles in a production environment, but you can grant them in a development or test environment.
Create a service account key
To use a service account from outside of Google Cloud, such as on other platforms or on-premises, you must first establish the identity of the service account. Public/private key pairs provide a secure way of accomplishing this goal. When you create a service account key, the public portion is stored on Google Cloud, while the private portion is available only to you. For more information about public/private key pairs, see Service account keys.
You can create a service account key
using the Google Cloud console, the gcloud CLI, the
serviceAccounts.keys.create()
method, or one of the client libraries.
A service account can have up to 10 keys.
By default, service account keys never expire. You can use an organization policy constraint to specify the length of time for which a service account key is valid. For details, see Expiry times for user-managed keys.
In the examples below, SA_NAME
is the name of your
service account, and PROJECT_ID
is the ID of your
Google Cloud project. You can retrieve the
SA_NAME@PROJECT_ID.iam.gserviceaccount.com
string from the Service Accounts
page in the Google Cloud console.
Console
- In the Google Cloud console, go to the Service accounts page.
The remaining steps will appear automatically in the Google Cloud console.
- Select a project.
- Click the email address of the service account that you want to create a key for.
- Click the
Keys tab. - Click the Add key drop-down menu, then select Create new key.
- Select JSON as the Key type and click Create.
Clicking Create downloads a service account key file. After you download the key file, you cannot download it again.
The downloaded key has the following format, where
PRIVATE_KEY
is the private portion of the public/private
key pair:
{
"type": "service_account",
"project_id": "PROJECT_ID",
"private_key_id": "KEY_ID",
"private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
"client_email": "SERVICE_ACCOUNT_EMAIL",
"client_id": "CLIENT_ID",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}
Make sure to store the key file securely, because it can be used to authenticate as your service account. You can move and rename this file however you would like.
You can use service account key files to authenticate an application as a service account.
gcloud
Execute the gcloud iam service-accounts keys create
command to create service account keys.
Replace the following values:
KEY_FILE
: The path to a new output file for the private key—for example,~/sa-private-key.json
.SA_NAME
: The name of the service account to create a key for.PROJECT_ID
: Your Google Cloud project ID.
gcloud iam service-accounts keys create KEY_FILE \ --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com
Output:
created key [e44da1202f82f8f4bdd9d92bc412d1d8a837fa83] of type [json] as [/usr/home/username/KEY_FILE] for [SA_NAME@PROJECT_ID.iam.gserviceaccount.com]
The service account key file is now downloaded to your machine. After you download the key file, you cannot download it again.
The downloaded key has the following format, where
PRIVATE_KEY
is the private portion of the public/private
key pair:
{ "type": "service_account", "project_id": "PROJECT_ID", "private_key_id": "KEY_ID", "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n", "client_email": "SERVICE_ACCOUNT_EMAIL", "client_id": "CLIENT_ID", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://accounts.google.com/o/oauth2/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL" }
Make sure to store the key file securely, because it can be used to authenticate as your service account. You can move and rename this file however you would like.
You can use service account key files to authenticate an application as a service account.
REST
The
projects.serviceAccounts.keys.create
method creates a key for a service account.
Before using any of the request data, make the following replacements:
PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.SA_NAME
: The name of the service account that you want to create a key for.KEY_ALGORITHM
: Optional. The key algorithm to use for the key. The default, which is subject to change, is a 2,048-bit RSA key. For a list of all possible values, see theServiceAccountKeyAlgorithm
reference.
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys
Request JSON body:
{ "keyAlgorithm": "KEY_ALGORITHM" }
To send your request, expand one of these options:
The response contains a key for your service account. The returned key has the following format,
where ENCODED_PRIVATE_KEY
is the private portion of the public/private key
pair, encoded in base64.
{ "name": "projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL/keys/KEY_ID", "privateKeyType": "TYPE_GOOGLE_CREDENTIALS_FILE", "privateKeyData": "ENCODED_PRIVATE_KEY", "validAfterTime": "DATE", "validBeforeTime": "DATE", "keyAlgorithm": "KEY_ALG_RSA_2048" }
To create a key file that you can use to authenticate as the service account, decode the private key data and save it in a file:
Linux
Run the following command:
echo 'ENCODED_PRIVATE_KEY' | base64 --decode > PATH
Replace PATH
with the path of the file that you want
to save the key to. Use the .json
file extension.
macOS
Run the following command:
echo 'ENCODED_PRIVATE_KEY' | base64 --decode > PATH
Replace PATH
with the path of the file that you want
to save the key to. Use the .json
file extension.
PowerShell
Save the encoded private key data (
ENCODED_PRIVATE_KEY
) in a file.Use
certutil
to decode the file:certutil -decode ENCODED_FILE DECODED_FILE
Replace the following values:
ENCODED_FILE
: the path to the file containing the encoded private key data.DECODED_FILE
: the path of the file that you want to save the key to. Use the.json
file extension.
Make sure to store the key data securely, because it can be used to authenticate as your service account.
You can use service account key files to authenticate an application as a service account.
C++
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
C#
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Delete a service account key
Deleting a service account key permanently prevents you from using the key to authenticate with Google APIs.
You cannot undelete a deleted key. Before you delete a key, we recommend that you disable the key, then wait until you are sure that the key is no longer needed. You can then delete the key.
As a best practice, rotate your service account keys regularly. To learn more about rotating service account keys, see Service account key rotation.
Console
- In the Google Cloud console, go to the Service accounts page.
The remaining steps will appear automatically in the Google Cloud console.
- Select a project.
- On the Service accounts page, click the email address of the service account whose key you want to delete.
- Click the Keys tab.
- From the list of keys, click Delete for each key you'd like to delete.
gcloud
Execute the gcloud iam service-accounts keys delete
command to delete service account keys.
Replace the following values:
KEY_ID
: The ID of the key to delete. To find the key's ID, list all keys for the service account, identify the key that you want to delete, and then copy its ID.SA_NAME
: The name of the service account that the key belongs to.PROJECT_ID
: Your Google Cloud project ID.
gcloud iam service-accounts keys delete KEY_ID \ --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com
Output:
Deleted key [KEY_ID] for service account [SA_NAME@PROJECT_ID.iam.gserviceaccount.com]
REST
The
projects.serviceAccounts.keys.delete
method deletes a service account key.
Before using any of the request data, make the following replacements:
PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.SA_NAME
: The name of the service account whose key you want to delete.KEY_ID
: The ID of the key that you want to delete. To find the key's ID, list all keys for the service account, identify the key that you want to delete, and then copy its ID from the end of thename
field. The key's ID is everything afterkeys/
.
HTTP method and URL:
DELETE https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ }
C++
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
C#
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
What's next
- Learn how to list and get service account keys.
- Learn how to upload your own public service account keys.
- Find out how you can use service account keys to authenticate as a service account.
- Understand the best practices for managing service account keys.
Try it for yourself
If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
Get started for free