When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account key projects/-/serviceAccounts/fake@example.com/keys/fake-key, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.
Authorization requires the following IAM permission on the specified resource name:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-05-21 UTC."],[[["\u003cp\u003eThis page details how to retrieve a \u003ccode\u003eServiceAccountKey\u003c/code\u003e using a \u003ccode\u003eGET\u003c/code\u003e request to the specified URL, which follows gRPC Transcoding syntax.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003ename\u003c/code\u003e parameter in the URL path is required and specifies the resource name of the service account key, adhering to the defined formats that might include wildcard characters for project ID.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003epublicKeyType\u003c/code\u003e query parameter, which is optional, allows you to specify the format of the public key returned in the response, with \u003ccode\u003eTYPE_NONE\u003c/code\u003e as the default, meaning no key is returned.\u003c/p\u003e\n"],["\u003cp\u003eThe request body must be empty when performing this get operation, while a successful response will contain an instance of the \u003ccode\u003eServiceAccountKey\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eTo perform this operation, one of the specified OAuth scopes, \u003ccode\u003ehttps://www.googleapis.com/auth/iam\u003c/code\u003e or \u003ccode\u003ehttps://www.googleapis.com/auth/cloud-platform\u003c/code\u003e, is required.\u003c/p\u003e\n"]]],[],null,["# Method: projects.serviceAccounts.keys.get\n\n- [HTTP request](#body.HTTP_TEMPLATE)\n- [Path parameters](#body.PATH_PARAMETERS)\n- [Query parameters](#body.QUERY_PARAMETERS)\n- [Request body](#body.request_body)\n- [Response body](#body.response_body)\n- [Authorization scopes](#body.aspect)\n- [ServiceAccountPublicKeyType](#ServiceAccountPublicKeyType)\n- [Examples](#examples)\n- [Try it!](#try-it)\n\nGets a [ServiceAccountKey](/iam/docs/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKey).\n\n### HTTP request\n\n`GET https://iam.googleapis.com/v1/{name=projects/*/serviceAccounts/*/keys/*}`\n\nThe URL uses [gRPC Transcoding](https://google.aip.dev/127) syntax.\n\n### Path parameters\n\n### Query parameters\n\n### Request body\n\nThe request body must be empty.\n\n### Response body\n\nIf successful, the response body contains an instance of [ServiceAccountKey](/iam/docs/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKey).\n\n### Authorization scopes\n\nRequires one of the following OAuth scopes:\n\n- `https://www.googleapis.com/auth/iam`\n- `\n https://www.googleapis.com/auth/cloud-platform`\n\nFor more information, see the [Authentication Overview](/docs/authentication#authorization-gcp).\n\nServiceAccountPublicKeyType\n---------------------------\n\nSupported public key output formats."]]
