Method: projects.serviceAccounts.keys.create

Creates a ServiceAccountKey.

HTTP request


The URL uses gRPC Transcoding syntax.

Path parameters



Required. The resource name of the service account.

Use one of the following formats:

  • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}
  • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

  • projects/-/serviceAccounts/{EMAIL_ADDRESS}
  • projects/-/serviceAccounts/{UNIQUE_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.create

Request body

The request body contains data with the following structure:

JSON representation
{
  "privateKeyType": enum (ServiceAccountPrivateKeyType),
  "keyAlgorithm": enum (ServiceAccountKeyAlgorithm)
}

privateKeyType: enum (ServiceAccountPrivateKeyType)

The output format of the private key. The default value is TYPE_GOOGLE_CREDENTIALS_FILE, which is the Google Credentials File format.


keyAlgorithm: enum (ServiceAccountKeyAlgorithm)

The type of key and the algorithm to use for the key. The default is currently a 2K RSA key; however, this may change in the future.

Response body

If successful, the response body contains a newly created instance of ServiceAccountKey.
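The following is an added example, not part of the original reference and not Google's code. It is a client-side helper that builds the resource name without the - wildcard, pins both request body enums rather than relying on defaults that may change, and interprets a 403 in light of the wildcard caveat. The validation patterns and function names are assumptions for illustration; TYPE_PKCS12_FILE, KEY_ALG_RSA_1024 and KEY_ALG_RSA_2048 are enum values of the IAM API that this page does not list.

```python
import json
import re

# Assumed shapes for illustration (not from the page): project IDs and
# service account e-mail addresses vary; adjust to your organisation.
_PROJECT_ID = re.compile(r"[a-z][a-z0-9-]{4,28}[a-z0-9]")
_SA_EMAIL = re.compile(r"[a-z0-9-]+@[a-z0-9.-]+\.gserviceaccount\.com")
_UNIQUE_ID = re.compile(r"[0-9]+")

# Enum values of the IAM v1 API; the page itself names only the default type.
PRIVATE_KEY_TYPES = {"TYPE_GOOGLE_CREDENTIALS_FILE", "TYPE_PKCS12_FILE"}
KEY_ALGORITHMS = {"KEY_ALG_RSA_1024", "KEY_ALG_RSA_2048"}


def resource_name(project_id, account, allow_wildcard=False):
    """Build projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS|UNIQUE_ID}."""
    if project_id == "-":
        if not allow_wildcard:
            raise ValueError("'-' wildcard hides 404s behind 403s; pass a project ID")
    elif not _PROJECT_ID.fullmatch(project_id):
        raise ValueError(f"bad project ID: {project_id!r}")
    if not (_SA_EMAIL.fullmatch(account) or _UNIQUE_ID.fullmatch(account)):
        raise ValueError(f"bad service account identifier: {account!r}")
    return f"projects/{project_id}/serviceAccounts/{account}"


def request_body(private_key_type="TYPE_GOOGLE_CREDENTIALS_FILE",
                 key_algorithm="KEY_ALG_RSA_2048"):
    """Serialise the body with both enums pinned instead of left to defaults."""
    if private_key_type not in PRIVATE_KEY_TYPES:
        raise ValueError(f"unknown privateKeyType: {private_key_type!r}")
    if key_algorithm not in KEY_ALGORITHMS:
        raise ValueError(f"unknown keyAlgorithm: {key_algorithm!r}")
    return json.dumps({"privateKeyType": private_key_type,
                       "keyAlgorithm": key_algorithm}, sort_keys=True)


def classify_error(name, http_status):
    """Interpret an error status in light of the wildcard caveat."""
    if http_status == 404:
        return "not_found"
    if http_status == 403:
        # With projects/-/..., 403 may stand in for a missing account.
        if name.startswith("projects/-/"):
            return "forbidden_or_not_found"
        return "forbidden"  # check iam.serviceAccountKeys.create on the account
    return "other"
```
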

Authorization scopes

Requires one of the following OAuth scopes:


For more information, see the Authentication Overview.