When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account key projects/-/serviceAccounts/fake@example.com/keys/fake-key, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.
Authorization requires the following IAM permission on the specified resource name:
iam.serviceAccountKeys.disable
Request body
The request body contains data with the following structure:
Optional. Describes the reason this key is being disabled. If unspecified, the default value of SERVICE_ACCOUNT_KEY_DISABLE_REASON_USER_INITIATED will be used.
extendedStatusMessage
string
Optional. Usable by internal google services only. An extendedStatusMessage can be used to include additional information about the key, such as its private key data being exposed on a public repository like GitHub.
Response body
If successful, the response body is an empty JSON object.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-05-21 UTC."],[[["\u003cp\u003eThis endpoint is used to disable a specified ServiceAccountKey, which can later be re-enabled using the keys.enable method.\u003c/p\u003e\n"],["\u003cp\u003eThe HTTP request is a POST operation to a specific URL that includes the service account key's resource name, following gRPC Transcoding syntax.\u003c/p\u003e\n"],["\u003cp\u003eThe request requires a \u003ccode\u003ename\u003c/code\u003e parameter in the URL path, which is the resource name of the service account key, and uses specific formats to specify which account the operation will take place on.\u003c/p\u003e\n"],["\u003cp\u003eThe request body may optionally include the \u003ccode\u003eserviceAccountKeyDisableReason\u003c/code\u003e to describe why the key is being disabled, and \u003ccode\u003eextendedStatusMessage\u003c/code\u003e for internal use.\u003c/p\u003e\n"],["\u003cp\u003eSuccessful requests will result in an empty JSON response, and the operation requires either the \u003ccode\u003ehttps://www.googleapis.com/auth/iam\u003c/code\u003e or \u003ccode\u003ehttps://www.googleapis.com/auth/cloud-platform\u003c/code\u003e OAuth scope.\u003c/p\u003e\n"]]],[],null,["# Method: projects.serviceAccounts.keys.disable\n\n- [HTTP request](#body.HTTP_TEMPLATE)\n- [Path parameters](#body.PATH_PARAMETERS)\n- [Request body](#body.request_body)\n - [JSON representation](#body.request_body.SCHEMA_REPRESENTATION)\n- [Response body](#body.response_body)\n- [Authorization scopes](#body.aspect)\n- [Examples](#examples)\n- [Try it!](#try-it)\n\nDisable a [ServiceAccountKey](/iam/docs/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKey). A disabled service account key can be re-enabled with [keys.enable](/iam/docs/reference/rest/v1/projects.serviceAccounts.keys/enable#google.iam.admin.v1.IAM.EnableServiceAccountKey).\n\n### HTTP request\n\n`POST https://iam.googleapis.com/v1/{name=projects/*/serviceAccounts/*/keys/*}:disable`\n\nThe URL uses [gRPC Transcoding](https://google.aip.dev/127) syntax.\n\n### Path parameters\n\n### Request body\n\nThe request body contains data with the following structure:\n\n### Response body\n\nIf successful, the response body is an empty JSON object.\n\n### Authorization scopes\n\nRequires one of the following OAuth scopes:\n\n- `https://www.googleapis.com/auth/iam`\n- `\n https://www.googleapis.com/auth/cloud-platform`\n\nFor more information, see the [Authentication Overview](/docs/authentication#authorization-gcp)."]]
