Method: projects.serviceAccounts.signBlob

Signs a blob using a service account's system-managed private key.

HTTP request

POST https://iamcredentials.googleapis.com/v1/{name=projects/*/serviceAccounts/*}:signBlob

The URL usesgRPC Transcoding syntax.

Path parameters

Parameters
name

string

Required. The resource name of the service account for which the credentials are requested, in the following format:projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The- wildcard character is required; replacing it with a project ID is invalid.

Authorization requires the followingIAM permission on the specified resourcename:

  • iam.serviceAccounts.signBlob

Request body

The request body contains data with the following structure:

JSON representation
{"delegates":[string],"payload":string}
Fields
delegates[]

string

The sequence of service accounts in a delegation chain. Each service account must be granted theroles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted theroles/iam.serviceAccountTokenCreator role on the service account that is specified in thename field of the request.

The delegates must have the following format:projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The- wildcard character is required; replacing it with a project ID is invalid.

payload

string (bytes format)

Required. The bytes to sign.

A base64-encoded string.

Response body

If successful, the response body contains data with the following structure:

JSON representation
{"keyId":string,"signedBlob":string}
Fields
keyId

string

The ID of the key used to sign the blob. The key used for signing will remain valid for at least 12 hours after the blob is signed. To verify the signature, you can retrieve the public key in several formats from the following endpoints:

  • RSA public key wrapped in an X.509 v3 certificate:https://www.googleapis.com/service_accounts/v1/metadata/x509/{ACCOUNT_EMAIL}
  • Raw key in JSON format:https://www.googleapis.com/service_accounts/v1/metadata/raw/{ACCOUNT_EMAIL}
  • JSON Web Key (JWK):https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACCOUNT_EMAIL}
signedBlob

string (bytes format)

The signature for the blob. Does not include the original blob.

After the key pair referenced by thekeyId response field expires, Google no longer exposes the public key that can be used to verify the blob. As a result, the receiver can no longer verify the signature.

A base64-encoded string.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see theAuthentication Overview.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-05-21 UTC.