Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
Authorization requires the following IAM permission on the specified resource name:
iam.serviceAccounts.signBlob
Request body
The request body contains data with the following structure:
JSON representation
{"delegates": [string],"payload": string}
Fields
delegates[]
string
The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.
The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
If successful, the response body contains data with the following structure:
JSON representation
{"keyId": string,"signedBlob": string}
Fields
keyId
string
The ID of the key used to sign the blob. The key used for signing will remain valid for at least 12 hours after the blob is signed. To verify the signature, you can retrieve the public key in several formats from the following endpoints:
RSA public key wrapped in an X.509 v3 certificate: https://www.googleapis.com/service_accounts/v1/metadata/x509/{ACCOUNT_EMAIL}
Raw key in JSON format: https://www.googleapis.com/service_accounts/v1/metadata/raw/{ACCOUNT_EMAIL}
JSON Web Key (JWK): https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACCOUNT_EMAIL}
The signature for the blob. Does not include the original blob.
After the key pair referenced by the keyId response field expires, Google no longer exposes the public key that can be used to verify the blob. As a result, the receiver can no longer verify the signature.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-02-22 UTC."],[[["This endpoint uses a POST request to sign a blob using a service account's system-managed private key via the URL `https://iamcredentials.googleapis.com/v1/{name=projects/*/serviceAccounts/*}:signBlob`."],["The request requires a `name` path parameter specifying the service account resource and the `iam.serviceAccounts.signBlob` IAM permission, as well as a request body containing the `delegates` and `payload` fields, where payload is the data to sign."],["The successful response includes the `keyId`, which identifies the key used for signing and a `signedBlob`, the signature for the blob, both provided as a base64-encoded string."],["The signing process requires one of the following OAuth scopes: `https://www.googleapis.com/auth/iam` or `https://www.googleapis.com/auth/cloud-platform`."],["The `delegates` field in the request body, represents a sequence of service accounts, each with the `roles/iam.serviceAccountTokenCreator` role granted on its next service account in the chain."]]],[]]
