As an alternative, you can use the - wildcard character instead of the project ID:
projects/-/serviceAccounts/{EMAIL_ADDRESS}
projects/-/serviceAccounts/{UNIQUE_ID}
When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.
Authorization requires the following IAM permission on the specified resource name:
iam.serviceAccounts.signBlob
Request body
The request body contains data with the following structure:
The request body is a JSON object with a bytesToSign field, containing the base64-encoded bytes that will be signed.
Response body
Deprecated. Migrate to Service Account Credentials API: https://cloud.google.com/iam/help/credentials/migrate-api
The service account sign blob response.
If successful, the response body is in JSON format and contains the keyId of the key used and the signature, which is the base64-encoded signed blob.
Authorization scopes
Requires one of the following OAuth scopes:
https://www.googleapis.com/auth/iam
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview (/docs/authentication#authorization-gcp).
HTTP request
POST https://iam.googleapis.com/v1/{name=projects/*/serviceAccounts/*}:signBlob
The URL uses gRPC Transcoding (https://google.aip.dev/127) syntax. The required name path parameter identifies the service account.
This method signs a blob using the system-managed private key for a ServiceAccount. It is deprecated. Use the signBlob method in the IAM Service Account Credentials API (https://cloud.google.com/iam/help/rest-credentials/v1/projects.serviceAccounts/signBlob) instead. If you currently use this method, see the migration guide (https://cloud.google.com/iam/help/credentials/migrate-api) for instructions.
Last updated 2025-05-21 UTC.
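The following is an added example, not part of the original reference page or of any Google client library: it builds the request for the method described on this page without sending it, decodes a response body, and treats a 403 on a wildcard resource name as ambiguous. The function names, the allow_wildcard parameter and the sample values used with it are assumptions made for illustration.

```python
import base64
import re

# URL prefix and field names (bytesToSign, keyId, signature) are taken from this page.
BASE_URL = "https://iam.googleapis.com/v1/"

# projects/{PROJECT_ID or -}/serviceAccounts/{EMAIL_ADDRESS or UNIQUE_ID}
_NAME_RE = re.compile(r"^projects/([^/]+)/serviceAccounts/([^/]+)$")


def uses_wildcard(name):
    """True if the resource name uses '-' in place of the project ID."""
    match = _NAME_RE.match(name)
    if match is None:
        raise ValueError(f"not a service account resource name: {name!r}")
    return match.group(1) == "-"


def build_sign_blob_request(name, blob, allow_wildcard=False):
    """Return method, URL and JSON body for signBlob; nothing is sent."""
    if uses_wildcard(name) and not allow_wildcard:
        raise ValueError("use an explicit project ID instead of the '-' wildcard")
    return {
        "method": "POST",
        "url": f"{BASE_URL}{name}:signBlob",
        "json": {"bytesToSign": base64.b64encode(blob).decode("ascii")},
    }


def parse_sign_blob_response(body):
    """Return (keyId, raw signature bytes) from a decoded JSON response body."""
    return body["keyId"], base64.b64decode(body["signature"], validate=True)


def explain_status(name, status):
    """Describe an error status, accounting for the wildcard caveat."""
    if status == 404:
        return "service account not found"
    if status == 403 and uses_wildcard(name):
        # With '-', a missing account is also reported as 403.
        return "permission denied, or the account does not exist (wildcard name)"
    if status == 403:
        return "permission denied: check iam.serviceAccounts.signBlob on this account"
    return f"unexpected status {status}"
```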