Disable and enable service account keys

This page explains how to disable and enable service account keys using the Google Cloud console, the Google Cloud CLI, the Identity and Access Management API, or one of the Google Cloud Client Libraries.

Note: Service account keys are a security risk if not managed correctly. You should choose a more secure alternative to service account keys whenever possible. If you must authenticate with a service account key, you are responsible for the security of the private key and for other operations described by Best practices for managing service account keys. If you are prevented from creating a service account key, service account key creation might be disabled for your organization. For more information, see Managing secure-by-default organization resources.

If you acquired the service account key from an external source, you must validate it before use. For more information, see Security requirements for externally sourced credentials.

Before you begin

  • Enable the IAM API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

  • Set up authentication.

    Select the tab for how you plan to use the samples on this page:

    gcloud

    In the Google Cloud console, activate Cloud Shell.

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

    Java

    To use the Java samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

      Install the Google Cloud CLI.

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

      If you're using a local shell, then create local authentication credentials for your user account:

      gcloud auth application-default login

      You don't need to do this if you're using Cloud Shell.

      If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

    For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.

    REST

    To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

      Install the Google Cloud CLI.

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

    For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

  • Understand service account credentials.

Required roles

To get the permissions that you need to disable and enable service account keys, ask your administrator to grant you the Service Account Key Admin (roles/iam.serviceAccountKeyAdmin) IAM role on the project, or on the service account whose keys you want to manage. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

For more information, see Service Accounts roles.

IAM basic roles also contain permissions to manage service account keys. You should not grant basic roles in a production environment, but you can grant them in a development or test environment.

Disable a service account key

Disabling a service account key prevents you from using the key to authenticate with Google APIs. You can enable a disabled key at any time.

Important: Disabling a service account key does not revoke short-lived credentials that were issued based on the key. To revoke a compromised short-lived credential, you must disable or delete the service account that the credential represents. If you do so, any workload that uses the service account will immediately lose access to your resources.

Before you delete a service account key, we recommend that you disable the key, then wait until you are sure that the key is no longer needed. You can then delete the key.

You can view disabled keys in the Google Cloud console, but you cannot use the Google Cloud console to disable a key. Use the gcloud CLI or the REST API instead.

gcloud

Execute the gcloud iam service-accounts keys disable command to disable a service account key.

Replace the following values:

  • KEY_ID: The ID of the key to disable. To find the key's ID, list all keys for the service account, identify the key that you want to disable, and then copy its ID.
  • SA_NAME: The name of the service account that the key belongs to.
  • PROJECT_ID: Your Google Cloud project ID.

gcloud iam service-accounts keys disable KEY_ID \
    --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com \
    --project=PROJECT_ID

Output:

Disabled key [KEY_ID] for service account [SA_NAME@PROJECT_ID.iam.gserviceaccount.com]

Java

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

import com.google.cloud.iam.admin.v1.IAMClient;
import java.io.IOException;

public class DisableServiceAccountKey {
  public static void main(String[] args) throws IOException {
    // TODO(Developer): Replace the below variables before running.
    String projectId = "gcloud-project-id";
    String serviceAccountName = "service-account-name";
    String serviceAccountKeyName = "service-account-key-name";

    disableServiceAccountKey(projectId, serviceAccountName, serviceAccountKeyName);
  }

  // Disables a service account key.
  public static void disableServiceAccountKey(String projectId, String accountName, String key)
      throws IOException {
    // Construct the service account email.
    // You can modify the ".iam.gserviceaccount.com" to match the service account name in which
    // you want to disable the key.
    // See, https://cloud.google.com/iam/docs/creating-managing-service-account-keys#disabling
    String email = String.format("%s@%s.iam.gserviceaccount.com", accountName, projectId);
    String name = String.format("projects/%s/serviceAccounts/%s/keys/%s", projectId, email, key);

    // Initialize client that will be used to send requests.
    // This client only needs to be created once, and can be reused for multiple requests.
    try (IAMClient iamClient = IAMClient.create()) {
      iamClient.disableServiceAccountKey(name);
      System.out.println("Disabled service account key: " + name);
    }
  }
}

REST

The projects.serviceAccounts.keys.disable method disables a service account key.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
  • SA_NAME: The name of the service account whose key you want to disable.
  • KEY_ID: The ID of the key that you want to disable. To find the key's ID, list all keys for the service account, identify the key that you want to disable, and then copy its ID from the end of the name field. The key's ID is everything after keys/.

HTTP method and URL:

POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID:disable

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID:disable"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID:disable" | Select-Object -Expand Content

APIs Explorer (browser)

Open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click Execute.

You should receive a JSON response similar to the following:

{}

Enable a service account key

After you disable a service account key, you can enable the key at any time, then use the key to authenticate with Google APIs.

You cannot use the Google Cloud console to enable service account keys. Use the gcloud CLI or the REST API instead.

gcloud

Execute the gcloud iam service-accounts keys enable command to enable a service account key.

Replace the following values:

  • KEY_ID: The ID of the key to enable. To find the key's ID, list all keys for the service account, identify the key that you want to enable, and then copy its ID.
  • SA_NAME: The name of the service account that the key belongs to.
  • PROJECT_ID: Your Google Cloud project ID.

gcloud iam service-accounts keys enable KEY_ID \
    --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com \
    --project=PROJECT_ID

Output:

Enabled key [KEY_ID] for service account [SA_NAME@PROJECT_ID.iam.gserviceaccount.com]

Java

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

import com.google.cloud.iam.admin.v1.IAMClient;
import java.io.IOException;

public class EnableServiceAccountKey {
  public static void main(String[] args) throws IOException {
    // TODO(Developer): Replace the below variables before running.
    String projectId = "gcloud-project-id";
    String serviceAccountName = "service-account-name";
    String serviceAccountKeyName = "service-account-key-name";

    enableServiceAccountKey(projectId, serviceAccountName, serviceAccountKeyName);
  }

  // Enables a service account key.
  public static void enableServiceAccountKey(String projectId, String accountName, String key)
      throws IOException {
    // Construct the service account email.
    // You can modify the ".iam.gserviceaccount.com" to match the service account name in which
    // you want to enable the key.
    // See, https://cloud.google.com/iam/docs/creating-managing-service-account-keys#enabling
    String email = String.format("%s@%s.iam.gserviceaccount.com", accountName, projectId);
    String name = String.format("projects/%s/serviceAccounts/%s/keys/%s", projectId, email, key);

    // Initialize client that will be used to send requests.
    // This client only needs to be created once, and can be reused for multiple requests.
    try (IAMClient iamClient = IAMClient.create()) {
      iamClient.enableServiceAccountKey(name);
      System.out.println("Enabled service account key: " + name);
    }
  }
}

REST

The projects.serviceAccounts.keys.enable method enables a service account key.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
  • SA_NAME: The name of the service account whose key you want to enable.
  • KEY_ID: The ID of the key that you want to enable. To find the key's ID, list all keys for the service account, identify the key that you want to enable, and then copy its ID from the end of the name field. The key's ID is everything after keys/.

HTTP method and URL:

POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID:enable

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID:enable"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID:enable" | Select-Object -Expand Content

APIs Explorer (browser)

Open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click Execute.

You should receive a JSON response similar to the following:

{}
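As an added example (not from the Google Cloud documentation or its client libraries), the following Python builds the keys.disable and keys.enable REST calls shown in the two REST sections above, extracts the key ID from a key resource name as the KEY_ID replacement notes describe (everything after keys/), and sends the request through an injectable transport so the logic can be exercised without network access. The access token is assumed to come from gcloud auth print-access-token; the function names and the post parameter are this example's own.

```python
"""Disable or enable a service account key through the IAM REST API.

Added example: mirrors the curl calls on this page, with the HTTP
transport injectable so the request construction can be tested offline.
"""
import json
import urllib.request
from typing import Callable, Dict

IAM_BASE = "https://iam.googleapis.com/v1"
PostFn = Callable[[str, Dict[str, str], bytes], dict]


def key_id_from_name(name: str) -> str:
    """Return the key ID from a full key resource name: everything after 'keys/'."""
    marker = "keys/"
    idx = name.rfind(marker)
    if idx < 0:
        raise ValueError(f"not a service account key resource name: {name!r}")
    key_id = name[idx + len(marker):]
    if not key_id:
        raise ValueError(f"resource name has an empty key ID: {name!r}")
    return key_id


def key_action_url(project_id: str, sa_name: str, key_id: str, action: str) -> str:
    """URL of the :disable or :enable custom method for one key."""
    if action not in ("disable", "enable"):
        raise ValueError("action must be 'disable' or 'enable'")
    email = f"{sa_name}@{project_id}.iam.gserviceaccount.com"
    return f"{IAM_BASE}/projects/{project_id}/serviceAccounts/{email}/keys/{key_id}:{action}"


def _urllib_post(url: str, headers: Dict[str, str], body: bytes) -> dict:
    """Default transport: a real HTTPS POST; the methods return {} on success."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def set_key_state(project_id: str, sa_name: str, key_id: str, disabled: bool,
                  access_token: str, post: PostFn = _urllib_post) -> dict:
    """Disable (disabled=True) or enable (disabled=False) one key; returns the JSON response."""
    url = key_action_url(project_id, sa_name, key_id, "disable" if disabled else "enable")
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json; charset=utf-8",
    }
    # Both methods take an empty request body, matching the page's curl -d "".
    return post(url, headers, b"")
```

To disable a key for real, pass the token from gcloud auth print-access-token and leave post at its default; the call returns {} on success, exactly as the APIs Explorer section shows.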


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.