Create signatures

This page shows you how to use the Google Cloud signBlob method to create a signature from a string-to-sign or policy document. Signatures are used as credentials in certains requests, such as signed URLs. This guide uses RSA keys for creating signatures.

Before you begin

  1. You must have the iam.serviceAccounts.signBlob permission for the service account that you use in this guide. The iam.serviceAccounts.signBlob permission is included in the roles/iam.serviceAccountTokenCreator role.

  2. The service account that you use in this guide must have permission to perform the request encoded within the signature. For example, if the signature will be used to read object data from a bucket, the service account must have permission to read the object data.

Create a signature

  1. Have gcloud CLI installed and initialized, in order to generate an access token for the Authorization header.

    Alternatively, you can create an access token using the OAuth 2.0 Playground and include it in the Authorization header.

  2. Create a JSON file that contains the following information:

      "payload": "REQUEST_INFORMATION"


  3. Use cURL to call the IAM API with a signBlob request:

    curl -X POST --data-binary @JSON_FILE_NAME \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json" \


    • JSON_FILE_NAME is the name of the file you created in Step 2.

    • SERVICE_ACCOUNT_EMAIL is the email address of the service account you want to use to create the signature. For example,

If successful, the signature is returned in the signedBlob field in the response.

What's next