Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
Authorization requires the following IAM permission on the specified resource name:
iam.serviceAccounts.getAccessToken
Request body
The request body contains data with the following structure:
The sequence of service accounts in a delegation chain. This field is required for delegated requests. For direct requests, which are more common, do not specify this field.
Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.
The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
The desired lifetime duration of the access token in seconds.
By default, the maximum allowed value is 1 hour. To set a lifetime of up to 12 hours, you can add the service account as an allowed value in an Organization Policy that enforces the constraints/iam.allowServiceAccountCredentialLifetimeExtension constraint. See detailed instructions at https://cloud.google.com/iam/help/credentials/lifetime
If a value is not specified, the token's lifetime will be set to a default value of 1 hour.
A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".
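A pre-flight check for the request fields described above, as an added example that is not part of the original reference or of Google's client libraries. The helper names and the service account addresses are constructed for illustration; `scope`, `delegates` and `lifetime` are this method's request-body fields.

```python
import re

# Resource-name format from the page: the "-" project wildcard is mandatory.
_SA_NAME = re.compile(r"projects/-/serviceAccounts/[^/\s]+")
_DURATION = re.compile(r"(\d+)(?:\.(\d{1,9}))?s")  # e.g. "3.5s"
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
DEFAULT_MAX_S, EXTENDED_MAX_S = 3600, 12 * 3600  # 1 hour / 12 hours

# Constructed sample accounts (not real).
SA_A = "projects/-/serviceAccounts/sa-a@example-project.iam.gserviceaccount.com"
SA_B = "projects/-/serviceAccounts/sa-b@example-project.iam.gserviceaccount.com"
TARGET = "projects/-/serviceAccounts/target@example-project.iam.gserviceaccount.com"
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"


def check_name(name):
    """Reject names that replace the '-' wildcard with a project ID."""
    if not _SA_NAME.fullmatch(name):
        raise ValueError(f"expected projects/-/serviceAccounts/...: {name!r}")
    return name


def lifetime_seconds(lifetime, extension_allowed=False):
    """Parse '<seconds>s' and enforce the 1 h default or 12 h extended cap."""
    m = _DURATION.fullmatch(lifetime)
    if not m:
        raise ValueError(f"bad duration: {lifetime!r}")
    secs = int(m.group(1)) + (float("0." + m.group(2)) if m.group(2) else 0.0)
    if secs > (EXTENDED_MAX_S if extension_allowed else DEFAULT_MAX_S):
        raise ValueError(f"lifetime {lifetime} exceeds the allowed maximum")
    return secs


def required_grants(name, delegates):
    """(grantee, role, resource) tuples the delegation chain depends on."""
    chain = [check_name(d) for d in delegates] + [check_name(name)]
    return [(chain[i], TOKEN_CREATOR, chain[i + 1]) for i in range(len(chain) - 1)]


def build_body(scope, delegates=(), lifetime=None, extension_allowed=False):
    """Build the JSON body; omit delegates for direct requests."""
    body = {"scope": list(scope)}
    if delegates:
        body["delegates"] = [check_name(d) for d in delegates]
    if lifetime is not None:
        lifetime_seconds(lifetime, extension_allowed)
        body["lifetime"] = lifetime
    return body
```

The output of `required_grants` is the list of role bindings to review when auditing who can mint tokens for the target account through a chain.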
Response body
If successful, the response body contains data with the following structure:
Token expiration time. The expiration time is always set.
Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
Last updated 2025-05-21 UTC.