Method: projects.serviceAccounts.keys.patch

Patches a ServiceAccountKey.

HTTP request


The URL uses gRPC Transcoding syntax.

Path parameters



The resource name of the service account key in the following format projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}.

Request body

The request body contains data with the following structure:

JSON representation
  "serviceAccountKey": {
    "name": string,
    "privateKeyType": enum (ServiceAccountPrivateKeyType),
    "keyAlgorithm": enum (ServiceAccountKeyAlgorithm),
    "privateKeyData": string,
    "publicKeyData": string,
    "validAfterTime": string,
    "validBeforeTime": string,
    "keyOrigin": enum (ServiceAccountKeyOrigin),
    "keyType": enum (KeyType),
    "disabled": boolean,
    "disableReason": enum (ServiceAccountKeyDisableReason),
    "extendedStatus": [
        "key": enum (ServiceAccountKeyExtendedStatusKey),
        "value": string
    "contact": string,
    "description": string,
    "creator": string
  "updateMask": string

enum (ServiceAccountPrivateKeyType)

The output format for the private key. Only provided in keys.create responses, not in keys.get or ListServiceAccountKey responses.

Google never exposes system-managed private keys, and never retains user-managed private keys.


enum (ServiceAccountKeyAlgorithm)

Specifies the algorithm (and possibly key size) for the key.


string (bytes format)

The private key data. Only provided in keys.create responses. Make sure to keep the private key data secure because it allows for the assertion of the service account identity. When base64 decoded, the private key data can be used to authenticate with Google API client libraries and with gcloud auth activate-service-account.

A base64-encoded string.


string (bytes format)

The public key data. Only provided in keys.get responses.

A base64-encoded string.


string (Timestamp format)

The key can be used after this timestamp.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".


string (Timestamp format)

The key can be used before this timestamp. For system-managed key pairs, this timestamp is the end time for the private key signing operation. The public key could still be used for verification for a few hours after this time.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".


enum (ServiceAccountKeyOrigin)

The key origin.


enum (KeyType)

The key type.



The key status.


enum (ServiceAccountKeyDisableReason)

Output only. optional. If the key is disabled, it may have a DisableReason describing why it was disabled.


object (ExtendedStatus)

Output only. Extended Status provides permanent information about a service account key. For example, if this key was detected as exposed or compromised, that information will remain for the lifetime of the key in the extendedStatus.


Optional. A user provided email address as the point of contact for this service account key. Must be an email address. Limit 64 characters.



Optional. A user provided description of this service account key.



Output only. The cloud identity that created this service account key. Populated automatically when the key is created and not editable by the user.


string (FieldMask format)

Required. The update mask to apply to the service account key. Only the following fields are eligible for patching: - contact - description

This is a comma-separated list of fully qualified names of fields. Example: "user.displayName,photo".

Response body

If successful, the response body contains an instance of ServiceAccountKey.

Authorization scopes

Requires one of the following OAuth scopes:


For more information, see the Authentication Overview.