Upload service account keys
This page explains how to upload a public key for a service account. After you upload the public key, you can use the private key from the key pair to authenticate as the service account.
Note: If you need to access resources from a workload that runs outside of Google Cloud, such as on Amazon Web Services (AWS) or Microsoft Azure, consider using Workload Identity Federation instead of service account keys. Federation lets your workloads access resources directly, using a short-lived access token, and eliminates the maintenance and security burden associated with service account keys.
Before you begin
Enable the IAM API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
Understand service account credentials.
Required roles
To get the permissions that you need to upload service account keys, ask your administrator to grant you the Service Account Key Admin (roles/iam.serviceAccountKeyAdmin) IAM role on the project, or on the service account whose keys you want to manage. For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Note: IAM basic roles might also contain permissions to upload service account keys. You shouldn't grant basic roles in a production environment, but you can grant them in a development or test environment. For more information, see Service Accounts roles.
Depending on your organization policy configuration, you might also need to allow service account keys to be uploaded in your project before uploading a key.
To get the permissions that you need to allow service account keys to be uploaded in a project, ask your administrator to grant you the following IAM roles on your organization:
- Organization Policy Administrator (roles/orgpolicy.policyAdmin)
- Organization Viewer (roles/resourcemanager.organizationViewer)
- Tag Administrator (roles/resourcemanager.tagAdmin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to allow service account keys to be uploaded in a project. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to allow service account keys to be uploaded in a project:
- orgpolicy.constraints.list
- orgpolicy.customConstraints.create
- orgpolicy.customConstraints.delete
- orgpolicy.customConstraints.get
- orgpolicy.customConstraints.list
- orgpolicy.customConstraints.update
- orgpolicy.policies.create
- orgpolicy.policies.delete
- orgpolicy.policies.list
- orgpolicy.policies.update
- orgpolicy.policy.get
- orgpolicy.policy.set
- resourcemanager.organizations.get
- resourcemanager.projects.listTagBindings
- resourcemanager.projects.listEffectiveTags
- resourcemanager.tagKeys.get
- resourcemanager.tagKeys.list
- resourcemanager.tagValues.list
- resourcemanager.tagValues.get
You might also be able to get these permissions with custom roles or other predefined roles.
Note: IAM basic roles might also contain permissions to allow service account keys to be uploaded in a project. You shouldn't grant basic roles in a production environment, but you can grant them in a development or test environment.
Allow service account key upload
Before you create a service account key, make sure that the iam.disableServiceAccountKeyUpload organization policy constraint isn't enforced for your project. If this constraint is enforced for your project, you can't upload service account keys in that project.
We recommend enforcing this constraint for most projects and only exempting projects that truly require service account keys. For more information about alternative authentication methods, see Choose the right authentication method for your use case.
To exempt a project from the iam.disableServiceAccountKeyUpload organization policy constraint, ask an organization policy administrator to do the following:
- At the organization level, create a tag key and tag value that you will use to define whether a resource should be exempt from the organization policy. We recommend creating a tag with the key disableServiceAccountKeyUpload and the values enforced and not_enforced. To learn how to create tag keys and tag values, see Creating and defining a new tag.
- Attach the disableServiceAccountKeyUpload tag to the organization and set its value to enforced. All resources in the organization inherit this tag value, unless it's overwritten with a different tag value. To learn how to attach tags to resources, see Attaching tags to resources.
- For each project or folder that you want to exempt from the organization policy, attach the disableServiceAccountKeyUpload tag and set its value to not_enforced. Setting a tag value for a project or folder in this way overrides the tag value inherited from the organization.
- Create or update the organization policy that prevents uploading service account keys so that it doesn't enforce the constraint for exempt resources. This policy should have the following rules:
  - Configure the iam.disableServiceAccountKeyUpload constraint to not be enforced on any resources with the disableServiceAccountKeyUpload: not_enforced tag. The condition in this rule should look like the following: "resource.matchTag('ORGANIZATION_ID/disableServiceAccountKeyUpload', 'not_enforced')"
  - Configure the iam.disableServiceAccountKeyUpload constraint to be enforced on all other resources.
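The following is an added example, not from this page or from Google's own tooling: a shell snippet that writes the tag-conditioned policy described above as Organization Policy YAML (the name/spec/rules layout is assumed from the Organization Policy v2 API), models how the enforced/not_enforced tag value is inherited down from the organization, and applies the policy with gcloud org-policies set-policy when gcloud is installed and ORGANIZATION_ID is set in the environment (an assumed variable).

```shell
#!/usr/bin/env bash
# Added example, not from the Google Cloud documentation: build the tag-conditioned
# organization policy, model tag inheritance, and apply the policy when possible.
set -eu

# Emit the policy YAML. The Organization Policy v2 layout (name/spec/rules with
# condition and enforce) is assumed here; the organization ID comes from the caller.
build_key_upload_policy() {
  local org_id="$1"
  cat <<EOF
name: organizations/${org_id}/policies/iam.disableServiceAccountKeyUpload
spec:
  rules:
  - condition:
      expression: "resource.matchTag('${org_id}/disableServiceAccountKeyUpload', 'not_enforced')"
    enforce: false
  - enforce: true
EOF
}

# Effective tag value for a project: the closest explicitly set value wins,
# otherwise the value is inherited from the folder, then from the organization.
# Pass "" for a level where the tag is not set.
effective_tag_value() {
  local org="$1" folder="$2" project="$3"
  if [ -n "$project" ]; then echo "$project"
  elif [ -n "$folder" ]; then echo "$folder"
  else echo "$org"
  fi
}

# Whether keys:upload is permitted under the policy above: only resources whose
# effective tag value is not_enforced are exempt from the constraint.
upload_allowed() {
  [ "$(effective_tag_value "$1" "$2" "$3")" = "not_enforced" ]
}

# Apply the policy (requires the Organization Policy Administrator role).
# ORGANIZATION_ID is an assumed environment variable holding the numeric org ID.
if command -v gcloud >/dev/null 2>&1 && [ -n "${ORGANIZATION_ID:-}" ]; then
  policy=$(mktemp)
  build_key_upload_policy "$ORGANIZATION_ID" > "$policy"
  gcloud org-policies set-policy "$policy"
  rm -f "$policy"
fi
```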
Upload a public key for a service account
You can upload the public key portion of a user-managed key pair to associate it with a service account. After you upload the public key, you can use the private key from the key pair as a service account key.
The key you upload must be an RSA public key that is wrapped in an X.509 v3 certificate and encoded in base64. You can use tools such as OpenSSL to generate a key and certificate in this format.
Do not include any private information in the X.509 certificate. Specifically, use a generic subject, and do not add any optional attributes. Certificates are publicly visible; any private information in the certificate is visible to anyone who retrieves the certificate. For more information, see Avoid disclosing confidential information in uploaded X.509 certificates.
If the iam.serviceAccountKeyExpiryHours organization policy constraint is enforced for your project, then the key that you upload needs to expire within the time period specified in the constraint. To set the expiry time of the key, use the -days value in the command that you use to generate the X.509 certificate. If the -days value is greater than the time period specified in the constraint, then the command will fail.
For example, the following command generates a 2048-bit RSA key pair and wraps the public key in a self-signed certificate that is valid for 365 days:
```bash
openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
  -keyout /path/to/private_key.pem \
  -out /path/to/public_key.pem \
  -subj "/CN=unused"
```
You can then upload the public_key.pem file as the public key for a service account.
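As an added example (not code from this page), the following shell script generates the key pair and certificate as above, refuses a -days value that would exceed an iam.serviceAccountKeyExpiryHours limit, confirms the certificate subject carries nothing but the generic CN, and base64-encodes the whole PEM file into the request body that the REST method later on this page expects. The function names and the 720-hour limit used in the demo are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the Google Cloud documentation: generate an RSA key pair
# whose public half is wrapped in an X.509 certificate, check it against the expiry
# and subject rules, and build the keys:upload request body from it.
set -eu

# Largest openssl -days value that fits an iam.serviceAccountKeyExpiryHours limit;
# rounds down so the certificate never outlives the policy window.
max_days_for_expiry_hours() {
  echo $(( $1 / 24 ))
}

# Generate a 2048-bit RSA key pair and a self-signed certificate with a generic
# subject. Refuses a -days value above the policy limit before calling openssl.
generate_upload_cert() {
  local days="$1" expiry_hours="$2" keyfile="$3" certfile="$4" limit
  limit=$(max_days_for_expiry_hours "$expiry_hours")
  if [ "$days" -gt "$limit" ]; then
    echo "refusing: -days $days exceeds the policy limit of $limit days" >&2
    return 1
  fi
  openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
    -keyout "$keyfile" -out "$certfile" -subj "/CN=unused" 2>/dev/null
}

# Certificates are public: accept only a subject that is a single generic CN.
subject_is_generic() {
  local subj
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  [ "$subj" = "CN=unused" ]
}

# REST request body: the whole PEM file, BEGIN/END lines included, base64-encoded
# on one line as the PUBLIC_KEY_DATA value.
build_request_json() {
  local data
  data=$(base64 < "$1" | tr -d '\n')
  printf '{"publicKeyData": "%s"}\n' "$data"
}

# Demo (runs only where openssl is installed): a 30-day key under a 720-hour limit.
if command -v openssl >/dev/null 2>&1; then
  workdir=$(mktemp -d)
  generate_upload_cert 30 720 "$workdir/private_key.pem" "$workdir/public_key.pem"
  subject_is_generic "$workdir/public_key.pem"
  build_request_json "$workdir/public_key.pem" > "$workdir/request.json"
  echo "request body written to $workdir/request.json"
  rm -rf "$workdir"
fi
```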
Console
- In the Google Cloud console, go to the Service accounts page.
The remaining steps appear in the Google Cloud console.
- Select a project.
- On the Service accounts page, click the email address of the service account that you want to upload a key for.
- Click the Keys tab.
- Click the Add key drop-down menu, then select Upload existing key.
- Click Browse, then find and select your public key file. Alternatively, you can copy and paste the contents of your public key file into the Paste existing key box.
- Click Upload.
gcloud
Execute the gcloud iam service-accounts keys upload command to upload a public key for signing service account keys.
Replace the following values:
- KEY_FILE: The path to the file containing the key data to upload, for example ./public_key.pem.
- SA_NAME: The name of the service account to upload a key for.
- PROJECT_ID: Your Google Cloud project ID.
```bash
gcloud iam service-accounts keys upload KEY_FILE \
  --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com
```
The output contains a unique identifier for the uploaded key:
```
Name: projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/c7b74879da78e4cdcbe7e1bf5e129375c0bfa8d0
```
To determine whether the command was successful, execute the gcloud iam service-accounts keys list command:
```bash
gcloud iam service-accounts keys list \
  --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com
```
The output will contain the same unique identifier that was returned after the key was created:
| KEY_ID | CREATED_AT | EXPIRES_AT | DISABLED |
| --- | --- | --- | --- |
| c7b74879da78e4cdcbe7e1bf5e129375c0bfa8d0 | 2019-06-26T21:01:42Z | 9999-12-31T23:59:59Z | |
REST
The projects.serviceAccounts.keys.upload method uploads the public key from a user-managed key pair, and adds this key to the service account.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- SA_NAME: The name of the service account to associate the key with.
- PUBLIC_KEY_DATA: The public key data for the key pair. Must be an RSA public key that is wrapped in an X.509 v3 certificate. Encode the public key data in base64, including the first line, -----BEGIN CERTIFICATE-----, and the last line, -----END CERTIFICATE-----.
HTTP method and URL:
```
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys:upload
```
Request JSON body:
```json
{
  "publicKeyData": "PUBLIC_KEY_DATA"
}
```
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
```bash
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d @request.json \
  "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys:upload"
```
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
```powershell
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method POST `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -InFile request.json `
  -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys:upload" | Select-Object -Expand Content
```
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You should receive a JSON response similar to the following:
```json
{
  "name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com/keys/c7b74879da78e4cdcbe7e1bf5e129375c0bfa8d0",
  "validAfterTime": "2020-05-17T19:31:19Z",
  "validBeforeTime": "2021-05-17T19:31:19Z",
  "keyAlgorithm": "KEY_ALG_RSA_2048",
  "keyOrigin": "USER_PROVIDED",
  "keyType": "USER_MANAGED"
}
```
Disable public key uploads
To disable the ability to upload keys for your project, see Restricting service account key upload.
What's next
- Learn how to create and delete service account keys.
- Learn how to list and get service account keys.
- Learn about alternatives to service account keys for authentication.
- Learn how to use service account keys to authenticate as a service account.
- Understand the best practices for managing service account keys.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.