IAM Service Account Credentials API

Creates short-lived credentials for impersonating IAM service accounts. Disabling this API also disables the IAM API (iam.googleapis.com). However, enabling this API doesn't enable the IAM API.

Service: iamcredentials.googleapis.com

To call this service, we recommend that you use the Google-provided client libraries. If your application needs to use your own libraries to call this service, use the following information when you make the API requests.

Discovery document

A Discovery Document is a machine-readable specification for describing and consuming REST APIs. It is used to build client libraries, IDE plugins, and other tools that interact with Google APIs. One service may provide multiple discovery documents. This service provides the following discovery document:

Service endpoint

A service endpoint is a base URL that specifies the network address of an API service. One service might have multiple service endpoints. This service has the following service endpoint, and all URIs below are relative to this service endpoint:

  • https://iamcredentials.googleapis.com

REST Resource: v1.locations.workforcePools

Methods
getAllowedLocations: GET /v1/{name=locations/*/workforcePools/*}/allowedLocations
Returns the trust boundary info for a given workforce pool.

REST Resource: v1.projects.locations.workloadIdentityPools

Methods
getAllowedLocations: GET /v1/{name=projects/*/locations/*/workloadIdentityPools/*}/allowedLocations
Returns the trust boundary info for a given workload identity pool.

REST Resource: v1.projects.serviceAccounts

Methods
generateAccessToken: POST /v1/{name=projects/*/serviceAccounts/*}:generateAccessToken
Generates an OAuth 2.0 access token for a service account.
generateIdToken: POST /v1/{name=projects/*/serviceAccounts/*}:generateIdToken
Generates an OpenID Connect ID token for a service account.
getAllowedLocations: GET /v1/{name=projects/*/serviceAccounts/*}/allowedLocations
Returns the trust boundary info for a given service account.
signBlob: POST /v1/{name=projects/*/serviceAccounts/*}:signBlob
Signs a blob using a service account's system-managed private key.
signJwt: POST /v1/{name=projects/*/serviceAccounts/*}:signJwt
Signs a JWT using a service account's system-managed private key.
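As an added example (not code from this page and not Google's client library): a Python helper that builds a least-privilege generateAccessToken request against the projects/*/serviceAccounts/* path pattern listed above, and checks the expireTime in the response so a caller can reject a token that outlives its policy. The project wildcard "-", the 3600 s ceiling and the sample response are assumptions of this example.

```python
import json
import re
from datetime import datetime

# Service endpoint from the page; all URIs below are relative to it.
ENDPOINT = "https://iamcredentials.googleapis.com"
# Policy ceiling assumed for this example: keep impersonation tokens short.
MAX_LIFETIME_SECONDS = 3600
_SA_EMAIL = re.compile(r"^[a-z][-a-z0-9]*@[-a-z0-9]+\.iam\.gserviceaccount\.com$")


def build_generate_access_token_request(sa_email, scopes,
                                        lifetime_seconds=300, delegates=()):
    """Return (url, body) for POST /v1/{name}:generateAccessToken.

    `name` follows the page's pattern projects/*/serviceAccounts/*; the
    project wildcard '-' (a convention assumed here, not stated on this
    page) lets the email alone identify the account.
    """
    if not _SA_EMAIL.match(sa_email):
        raise ValueError("not a service account email: %r" % sa_email)
    if not scopes:
        raise ValueError("refusing to request a token with no scopes")
    if not 1 <= lifetime_seconds <= MAX_LIFETIME_SECONDS:
        raise ValueError("lifetime must be 1..%d s" % MAX_LIFETIME_SECONDS)
    name = "projects/-/serviceAccounts/" + sa_email
    url = "%s/v1/%s:generateAccessToken" % (ENDPOINT, name)
    body = {"scope": list(scopes), "lifetime": "%ds" % lifetime_seconds}
    if delegates:  # optional delegation chain, outermost delegate first
        body["delegates"] = ["projects/-/serviceAccounts/" + d for d in delegates]
    return url, body


def _rfc3339(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def seconds_until_expiry(response_json, now_rfc3339):
    """Parse a generateAccessToken response's expireTime and return the
    seconds left, so a caller can reject a token that outlives its policy."""
    resp = json.loads(response_json)
    return int((_rfc3339(resp["expireTime"]) - _rfc3339(now_rfc3339)).total_seconds())


# Constructed sample response (not from a real call), shaped like the API's.
SAMPLE_RESPONSE = json.dumps({"accessToken": "ya29.constructed-sample",
                              "expireTime": "2025-05-21T12:05:00Z"})
```

The built request is sent with an Authorization header carrying the caller's own credentials, which need the Service Account Token Creator role on the target account.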

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-05-21 UTC.