This page explains how to create and delete service account keys using theGoogle Cloud console, theGoogle Cloud CLI,theIdentity and Access Management API, or oneof theGoogle Cloud Client Libraries.

Note: If you need to access resources from a workload that runs outside of Google Cloud, such as on Amazon Web Services (AWS) or Microsoft Azure, consider usingWorkload Identity Federation instead of service account keys. Federation lets your workloads access resources directly, using a short-lived access token, and eliminates the maintenance and security burden associated with service account keys.

Before you begin

• Enable the IAM API.

  Roles required to enable APIs

  To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enable permission.Learn how to grant roles.

  Enable the API

• Set up authentication.

  Select the tab for how you plan to use the samples on this page:

  Console

  When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

  gcloud

  In the Google Cloud console, activate Cloud Shell.

  Activate Cloud Shell

  At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  C#

  To use the .NET samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

  Install the Google Cloud CLI.

  If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  If you're using a local shell, then create local authentication credentials for your user account:

  gcloudauthapplication-defaultlogin

  You don't need to do this if you're using Cloud Shell.

  If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

  For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.

  C++

  To use the C++ samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

  Install the Google Cloud CLI.

  If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  If you're using a local shell, then create local authentication credentials for your user account:

  gcloudauthapplication-defaultlogin

  You don't need to do this if you're using Cloud Shell.

  If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

  For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.

  Go

  To use the Go samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

  Install the Google Cloud CLI.

  If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  If you're using a local shell, then create local authentication credentials for your user account:

  gcloudauthapplication-defaultlogin

  You don't need to do this if you're using Cloud Shell.

  If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

  For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.

  Java

  To use the Java samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

  Install the Google Cloud CLI.

  If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  If you're using a local shell, then create local authentication credentials for your user account:

  gcloudauthapplication-defaultlogin

  You don't need to do this if you're using Cloud Shell.

  If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

  For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.

  Python

  To use the Python samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

  Install the Google Cloud CLI.

  If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  If you're using a local shell, then create local authentication credentials for your user account:

  gcloudauthapplication-defaultlogin

  You don't need to do this if you're using Cloud Shell.

  If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

  For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.

  REST

  To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

  Install the Google Cloud CLI.

  If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  For more information, seeAuthenticate for using REST in the Google Cloud authentication documentation.

• Understandservice account credentials.

Required roles

To get the permissions that you need to create and delete service account keys, ask your administrator to grant you theService Account Key Admin (roles/iam.serviceAccountKeyAdmin) IAM role on the project, or the service account whose keys you wantto manage. For more information about granting roles, seeManage access to projects, folders, and organizations.

You might also be able to get the required permissions throughcustom roles or otherpredefined roles.

For more information, seeService Accounts roles.

Depending on your organization policy configuration, you might also need toallow service account keys to be created in your projectbefore creating a key.

To get the permissions that you need to allow service account keys to be created in a project, ask your administrator to grant you the following IAM roles on your organization:

• Organization Policy Administrator (roles/orgpolicy.policyAdmin)
• Organization Viewer (roles/resourcemanager.organizationViewer)
• Tag Administrator (roles/resourcemanager.tagAdmin)

For more information about granting roles, seeManage access to projects, folders, and organizations.

These predefined roles contain the permissions required to allow service account keys to be created in a project. To see the exact permissions that are required, expand theRequired permissions section:

You might also be able to get these permissions withcustom roles or otherpredefined roles.

Allow service account key creation

Before you create a service account key, make sure that theiam.disableServiceAccountKeyCreation organization policy constraint isn'tenforced for your project. If this constraint is enforced for your project,you can't create service account keys in that project.

Note: If your organization was created on or after May 3, 2024, this constraint is enforced by default.

We recommend enforcing this constraint for most projects and only exemptingprojects that truly require service account keys. For more information aboutalternative authentication methods, seeChoose the right authentication methodfor your use case.

To exempt a project from theiam.disableServiceAccountKeyCreation organizationpolicy constraint, ask an organization policy administrator to do the following:

1. At the organization level, create a tag key and tag value that you will use to define whether a resource should be exempt from the organization policy. We recommend creating a tag with the keydisableServiceAccountKeyCreation and the valuesenforced andnot_enforced.

   To learn how to create tag keys and tag values, seeCreating and defining a new tag.

2. Attach thedisableServiceAccountKeyCreation tag to the organization and set its value toenforced. All resources in the organization inherit this tag value, unless it's overwritten with a different tag value.

   To learn how to attach tags to resources, seeAttaching tags to resources.

3. For each project or folder that you want to exempt from the organization policy, attach thedisableServiceAccountKeyCreation tag and set its value tonot_enforced. Setting a tag value for a project or folder in this way overrides the tag value inherited from the organization.

4. Create or update the organization policy that prevents the creation of service account keys so that it doesn't enforce the constraint for exempt resources. This policy should have the following rules:

   • Configure theiam.disableServiceAccountKeyCreation constraint to not be enforced on any resources with thedisableServiceAccountKeyCreation: not_enforced tag. The condition in this rule should look like the following:

     "resource.matchTag('ORGANIZATION_ID/disableServiceAccountKeyCreation', 'not_enforced')"

   • Configure theiam.disableServiceAccountKeyCreation constraint to be enforced on all other resources.

Create a service account key

To use a service account from outside of Google Cloud, such as on otherplatforms or on-premises, you must first establish the identity of the serviceaccount. Public/private key pairs provide a secure way of accomplishing thisgoal. When you create a service account key, the public portion is stored onGoogle Cloud, while the private portion is available only to you. For moreinformation about public/private key pairs, seeService account keys.

You can create aservice account keyusing the Google Cloud console, the gcloud CLI, theserviceAccounts.keys.create()method, or one of theclient libraries.A service account can have up to 10 keys.

By default, service account keys never expire. You can use anorganization policy constraint to specify the length oftime for which a service account key is valid. For details, seeExpiry times for user-managed keys.

In the examples below,SA_NAME is the name of yourservice account, andPROJECT_ID is the ID of yourGoogle Cloud project. You can retrieve theSA_NAME@PROJECT_ID.iam.gserviceaccount.comstring from theService Accountspage in the Google Cloud console.

{"type":"service_account","project_id":"PROJECT_ID","private_key_id":"KEY_ID","private_key":"-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n","client_email":"SERVICE_ACCOUNT_EMAIL","client_id":"CLIENT_ID","auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://accounts.google.com/o/oauth2/token","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","client_x509_cert_url":"https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"}

gcloud iam service-accounts keys createKEY_FILE \    --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com

created key [e44da1202f82f8f4bdd9d92bc412d1d8a837fa83] of type [json] as[/usr/home/username/KEY_FILE] for[SA_NAME@PROJECT_ID.iam.gserviceaccount.com]

{"type":"service_account","project_id":"PROJECT_ID","private_key_id":"KEY_ID","private_key":"-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n","client_email":"SERVICE_ACCOUNT_EMAIL","client_id":"CLIENT_ID","auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://oauth2.googleapis.com/token","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","client_x509_cert_url":"https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"}

namespaceiam=::google::cloud::iam_admin_v1;return[](std::stringconst&name){iam::IAMClientclient(iam::MakeIAMConnection());autoresponse=client.CreateServiceAccountKey(name,google::iam::admin::v1::ServiceAccountPrivateKeyType::TYPE_GOOGLE_CREDENTIALS_FILE,google::iam::admin::v1::ServiceAccountKeyAlgorithm::KEY_ALG_RSA_2048);if(!response)throwstd::move(response).status();std::cout <<"ServiceAccountKey successfully created: "            <<response->DebugString() <<"\n"            <<"Please save the key in a secure location, as they cannot ""be downloaded later\n";returnresponse->name();}

usingSystem;usingSystem.Text;usingGoogle.Apis.Auth.OAuth2;usingGoogle.Apis.Iam.v1;usingGoogle.Apis.Iam.v1.Data;publicpartialclassServiceAccountKeys{publicstaticServiceAccountKeyCreateKey(stringserviceAccountEmail){varcredential=GoogleCredential.GetApplicationDefault().CreateScoped(IamService.Scope.CloudPlatform);varservice=newIamService(newIamService.Initializer{HttpClientInitializer=credential});varkey=service.Projects.ServiceAccounts.Keys.Create(newCreateServiceAccountKeyRequest(),"projects/-/serviceAccounts/"+serviceAccountEmail).Execute();// The PrivateKeyData field contains the base64-encoded service account key// in JSON format.// TODO(Developer): Save the below key (jsonKeyFile) to a secure location.//  You cannot download it later.byte[]valueBytes=System.Convert.FromBase64String(key.PrivateKeyData);stringjsonKeyContent=Encoding.UTF8.GetString(valueBytes);Console.WriteLine("Key created successfully");returnkey;}}

import("context"// "encoding/base64""fmt""io"iam"google.golang.org/api/iam/v1")// createKey creates a service account key.funccreateKey(wio.Writer,serviceAccountEmailstring)(*iam.ServiceAccountKey,error){ctx:=context.Background()service,err:=iam.NewService(ctx)iferr!=nil{returnnil,fmt.Errorf("iam.NewService: %w",err)}resource:="projects/-/serviceAccounts/"+serviceAccountEmailrequest:=&iam.CreateServiceAccountKeyRequest{}key,err:=service.Projects.ServiceAccounts.Keys.Create(resource,request).Do()iferr!=nil{returnnil,fmt.Errorf("Projects.ServiceAccounts.Keys.Create: %w",err)}// The PrivateKeyData field contains the base64-encoded service account key// in JSON format.// TODO(Developer): Save the below key (jsonKeyFile) to a secure location.// You cannot download it later.// jsonKeyFile, _ := base64.StdEncoding.DecodeString(key.PrivateKeyData)fmt.Fprintf(w,"Key created successfully")returnkey,nil}

importcom.google.cloud.iam.admin.v1.IAMClient;importcom.google.gson.Gson;importcom.google.iam.admin.v1.CreateServiceAccountKeyRequest;importcom.google.iam.admin.v1.ServiceAccountKey;importjava.io.IOException;publicclassCreateServiceAccountKey{publicstaticvoidmain(String[]args)throwsIOException{// TODO(Developer): Replace the below variables before running.StringprojectId="your-project-id";StringserviceAccountName="your-service-account-name";ServiceAccountKeykey=createKey(projectId,serviceAccountName);Gsongson=newGson();// System.out.println("Service account key: " + gson.toJson(key));}// Creates a key for a service account.publicstaticServiceAccountKeycreateKey(StringprojectId,StringaccountName)throwsIOException{Stringemail=String.format("%s@%s.iam.gserviceaccount.com",accountName,projectId);// Initialize client that will be used to send requests.// This client only needs to be created once, and can be reused for multiple requests.try(IAMClientiamClient=IAMClient.create()){CreateServiceAccountKeyRequestreq=CreateServiceAccountKeyRequest.newBuilder().setName(String.format("projects/%s/serviceAccounts/%s",projectId,email)).build();ServiceAccountKeycreatedKey=iamClient.createServiceAccountKey(req);System.out.println("Key created successfully");returncreatedKey;}}}

fromgoogle.cloudimportiam_admin_v1fromgoogle.cloud.iam_admin_v1importtypesdefcreate_key(project_id:str,account:str)->types.ServiceAccountKey:"""    Creates a key for a service account.    project_id: ID or number of the Google Cloud project you want to use.    account: ID or email which is unique identifier of the service account.    """iam_admin_client=iam_admin_v1.IAMClient()request=types.CreateServiceAccountKeyRequest()request.name=f"projects/{project_id}/serviceAccounts/{account}"key=iam_admin_client.create_service_account_key(request=request)# The private_key_data field contains the stringified service account key# in JSON format. You cannot download it again later.# If you want to get the value, you can do it in a following way:# import json# json_key_data = json.loads(key.private_key_data)# key_id = json_key_data["private_key_id"]returnkey

POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys

{  "keyAlgorithm": "KEY_ALGORITHM"}

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys" | Select-Object -Expand Content

{  "name": "projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL/keys/KEY_ID",  "privateKeyType": "TYPE_GOOGLE_CREDENTIALS_FILE",  "privateKeyData": "ENCODED_PRIVATE_KEY",  "validAfterTime": "DATE",  "validBeforeTime": "DATE",  "keyAlgorithm": "KEY_ALG_RSA_2048"}

echo'ENCODED_PRIVATE_KEY'|base64--decode>PATH

echo'ENCODED_PRIVATE_KEY'|base64--decode>PATH

Delete a service account key

Deleting a service account key permanently prevents you from using the key toauthenticate with Google APIs.

You cannot undelete a deleted key. Before you delete a key, we recommend thatyoudisable the key, then wait until you are sure that the keyis no longer needed. You can then delete the key.

As a best practice, rotate your service account keys regularly. To learn more aboutrotating service account keys, seeService account key rotation.

gcloud iam service-accounts keys deleteKEY_ID \    --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com

Deleted key [KEY_ID] for service account[SA_NAME@PROJECT_ID.iam.gserviceaccount.com]

namespaceiam=::google::cloud::iam_admin_v1;[](std::stringconst&name){iam::IAMClientclient(iam::MakeIAMConnection());autoresponse=client.DeleteServiceAccountKey(name);if(!response.ok())throwstd::runtime_error(response.message());std::cout <<"ServiceAccountKey successfully deleted.\n";}

usingSystem;usingGoogle.Apis.Auth.OAuth2;usingGoogle.Apis.Iam.v1;usingGoogle.Apis.Iam.v1.Data;publicpartialclassServiceAccountKeys{publicstaticvoidDeleteKey(stringfullKeyName){varcredential=GoogleCredential.GetApplicationDefault().CreateScoped(IamService.Scope.CloudPlatform);varservice=newIamService(newIamService.Initializer{HttpClientInitializer=credential});service.Projects.ServiceAccounts.Keys.Delete(fullKeyName).Execute();Console.WriteLine("Deleted key: "+fullKeyName);}}

import("context""fmt""io"iam"google.golang.org/api/iam/v1")// deleteKey deletes a service account key.funcdeleteKey(wio.Writer,fullKeyNamestring)error{ctx:=context.Background()service,err:=iam.NewService(ctx)iferr!=nil{returnfmt.Errorf("iam.NewService: %w",err)}_,err=service.Projects.ServiceAccounts.Keys.Delete(fullKeyName).Do()iferr!=nil{returnfmt.Errorf("Projects.ServiceAccounts.Keys.Delete: %w",err)}fmt.Fprintf(w,"Deleted key: %v",fullKeyName)returnnil}

importcom.google.cloud.iam.admin.v1.IAMClient;importcom.google.iam.admin.v1.DeleteServiceAccountKeyRequest;importcom.google.iam.admin.v1.KeyName;importjava.io.IOException;publicclassDeleteServiceAccountKey{publicstaticvoidmain(String[]args)throwsIOException{// TODO(developer): Replace the variables before running the sample.StringprojectId="your-project-id";StringserviceAccountName="my-service-account-name";StringserviceAccountKeyId="service-account-key-id";deleteKey(projectId,serviceAccountName,serviceAccountKeyId);}// Deletes a service account key.publicstaticvoiddeleteKey(StringprojectId,StringaccountName,StringserviceAccountKeyId)throwsIOException{//Initialize client that will be used to send requests.//This client only needs to be created once, and can be reused for multiple requests.try(IAMClientiamClient=IAMClient.create()){//Construct the service account email.//You can modify the ".iam.gserviceaccount.com" to match the service account name in which//you want to delete the key.//See, https://cloud.google.com/iam/docs/creating-managing-service-account-keys#deletingStringaccountEmail=String.format("%s@%s.iam.gserviceaccount.com",accountName,projectId);Stringname=KeyName.of(projectId,accountEmail,serviceAccountKeyId).toString();DeleteServiceAccountKeyRequestrequest=DeleteServiceAccountKeyRequest.newBuilder().setName(name).build();// Then you can delete the keyiamClient.deleteServiceAccountKey(request);System.out.println("Deleted key: "+serviceAccountKeyId);}}}

fromgoogle.cloudimportiam_admin_v1fromgoogle.cloud.iam_admin_v1importtypesdefdelete_key(project_id:str,account:str,key_id:str)->None:"""Deletes a key for a service account.    project_id: ID or number of the Google Cloud project you want to use.    account: ID or email which is unique identifier of the service account.    key_id: unique ID of the key.    """iam_admin_client=iam_admin_v1.IAMClient()request=types.DeleteServiceAccountKeyRequest()request.name=f"projects/{project_id}/serviceAccounts/{account}/keys/{key_id}"iam_admin_client.delete_service_account_key(request=request)print(f"Deleted key:{key_id}")

DELETE https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID

curl -X DELETE \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method DELETE `
    -Headers $headers `
    -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID" | Select-Object -Expand Content

{}

What's next

• Learn how tolist and get service account keys.
• Learn how toupload your own public service account keys.
• Understand thebest practices for managing service accountkeys.
• Learn aboutalternatives to service account keys for authentication.