Create short-lived credentials for a service account
This page explains how to create short-lived credentials for a service account, which you can use to impersonate the service account. Depending on the type of token you create, the short-lived token provides the identity (for ID tokens) or permissions (for access tokens) associated with the service account.
If your system architecture requires you to use a series of token generation calls, you can use a delegation chain consisting of several service accounts. In most cases, the direct method, as explained on this page, is sufficient.
Before you begin
Enable the IAM and Service Account Credentials APIs:
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
gcloud services enable iam.googleapis.com iamcredentials.googleapis.com
Set up authentication.
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Go
To use the Go samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
Install the Google Cloud CLI.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
Java
To use the Java samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
Install the Google Cloud CLI.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
Node.js
To use the Node.js samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
Install the Google Cloud CLI.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
Python
To use the Python samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
Install the Google Cloud CLI.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Understand IAM service accounts.
Understand service account impersonation.
Understand what kind of token you need, and use the appropriate steps provided in the sections below:
Create a short-lived access token
Access tokens are accepted for authentication by most Google APIs. When you generate an access token by using service account impersonation, the access token comes without a refresh token, which means that when the token expires, you must repeat the impersonation process to generate a new one.
For more information, see Access tokens.
To create a short-lived access token, complete these tasks:
Provide required permissions
A direct request involves two identities: the caller that requests the credential, and the service account for which the credential is created. How you set up the permissions depends on whether the caller is authenticating as a service account or as a user account.
If you want to run a REST or gcloud CLI command on this page in a local development environment, the caller can be represented by user credentials. For automated workloads, such as an application running on Compute Engine, the caller must be represented by a service account.
Service account
When the calling application uses a service account as its identity, the following principals are involved:
Caller service account (CALLER_SA): This service account represents the calling application, which issues the request for the short-lived credentials.
Privilege-bearing service account (PRIV_SA): This service account is granted the IAM roles needed for the short-lived token. This is the service account for which the short-lived token is created.
To give CALLER_SA permissions to create short-lived credentials for PRIV_SA, you grant CALLER_SA the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on PRIV_SA.
Grant the required role on PRIV_SA:
Console
In the Google Cloud console, go to the Service Accounts page.
- Select a project.
- Click the email address of the privilege-bearing service account, PRIV_SA.
- Click the Permissions tab.
- Under Principals with access to this service account, click Grant Access.
- Enter the email address of the caller service account, CALLER_SA. For example, demo@my-project.iam.gserviceaccount.com.
- Select the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator).
- Click Save to grant the role to the service account.
gcloud
The gcloud iam service-accounts add-iam-policy-binding command grants a role on a service account.
Before using any of the command data below, make the following replacements:
PRIV_SA: The email address of the privilege-bearing service account for which the token is generated.
CALLER_SA: The email address of the service account representing the application that is requesting the short-lived token.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud iam service-accounts add-iam-policy-binding PRIV_SA \
  --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json
Windows (PowerShell)
gcloud iam service-accounts add-iam-policy-binding PRIV_SA `
  --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json
Windows (cmd.exe)
gcloud iam service-accounts add-iam-policy-binding PRIV_SA ^
  --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json
You should receive a response similar to the following:
Updated IAM policy for serviceAccount [PRIV_SA].
{
  "bindings": [
    {
      "members": [
        "serviceAccount:CALLER_SA"
      ],
      "role": "roles/iam.serviceAccountTokenCreator"
    }
  ],
  "etag": "BwXhCB4eyjY=",
  "version": 1
}
REST
Read the allow policy for PRIV_SA:
The serviceAccounts.getIamPolicy method gets a service account's allow policy. Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy
Request JSON body:
{
  "options": {
    "requestedPolicyVersion": POLICY_VERSION
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d @request.json \
  "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
  -Method POST `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -InFile request.json `
  -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You should receive a JSON response similar to the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    }
  ]
}
If you have not granted any roles on the service account, the response contains only an etag value. Include that etag value in the next step.
Modify the allow policy to grant CALLER_SA the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator). For example, to modify the sample response from the previous step, add the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": [
        "serviceAccount:CALLER_SA"
      ]
    }
  ]
}
Write the updated allow policy:
The serviceAccounts.setIamPolicy method sets an updated allow policy for the service account. Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
POLICY: A JSON representation of the policy that you want to set. For more information about the format of a policy, see the Policy reference. For example, to set the allow policy shown in the previous step, replace POLICY with the following, where CALLER_SA is the service account creating the short-lived token:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": [
        "serviceAccount:CALLER_SA"
      ]
    }
  ]
}
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy
Request JSON body:
{
  "policy": POLICY
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d @request.json \
  "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy"
PowerShell (Windows)
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
  -Method POST `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -InFile request.json `
  -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
The response contains the updated allow policy.
Note: If you treat policies as code and store them in a version-control system, you should store the policy that is returned, not the policy that you sent in the request.
User credentials
When you want to use the Google Cloud CLI to generate short-lived tokens, or you want to generate short-lived tokens from a local development environment, you can use a user account to generate the tokens. Often, you can use your own user account.
When you use a user account to generate short-lived tokens, the following identities are involved:
Caller account (CALLER_ACCOUNT): This user account is used to generate short-lived credentials for the privilege-bearing service account.
Privilege-bearing service account (PRIV_SA): This service account is granted the IAM roles needed for the short-lived token. This is the service account for which the short-lived token is created.
To enable CALLER_ACCOUNT to create short-lived credentials for PRIV_SA, you grant CALLER_ACCOUNT the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on PRIV_SA.
Grant the required role on PRIV_SA:
Console
In the Google Cloud console, go to the Service Accounts page.
- Select a project.
- Click the email address of the privilege-bearing service account, PRIV_SA.
- Click the Permissions tab.
- Under Principals with access to this service account, click Grant Access.
- Enter the principal identifier of the caller account, CALLER_ACCOUNT. For example, my-user@example.com.
- Select the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator).
- Click Save to grant the role to the user account.
gcloud
The gcloud iam service-accounts add-iam-policy-binding command grants a role on a service account.
Before using any of the command data below, make the following replacements:
PRIV_SA: The email address of the privilege-bearing service account for which the token is generated.
CALLER_ACCOUNT: The email address of the user account being used to request the short-lived token.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud iam service-accounts add-iam-policy-binding PRIV_SA \
  --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json
Windows (PowerShell)
gcloud iam service-accounts add-iam-policy-binding PRIV_SA `
  --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json
Windows (cmd.exe)
gcloud iam service-accounts add-iam-policy-binding PRIV_SA ^
  --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json
You should receive a response similar to the following:
Updated IAM policy for serviceAccount [PRIV_SA].
{
  "bindings": [
    {
      "members": [
        "user:my-user@example.com"
      ],
      "role": "roles/iam.serviceAccountTokenCreator"
    }
  ],
  "etag": "BwX1ZbefjXU=",
  "version": 1
}
REST
Read the allow policy for PRIV_SA:
The serviceAccounts.getIamPolicy method gets a service account's allow policy. Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy
Request JSON body:
{
  "options": {
    "requestedPolicyVersion": POLICY_VERSION
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d @request.json \
  "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
  -Method POST `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -InFile request.json `
  -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You should receive a JSON response similar to the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    }
  ]
}
If you have not granted any roles on the service account, the response contains only an etag value. Include that etag value in the next step.
Modify the allow policy to grant CALLER_ACCOUNT the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator). For example, to modify the sample response from the previous step, add the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": [
        "user:my-user@example.com"
      ]
    }
  ]
}
Write the updated allow policy:
The serviceAccounts.setIamPolicy method sets an updated allow policy for the service account. Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
POLICY: A JSON representation of the policy that you want to set. For more information about the format of a policy, see the Policy reference. For example, to set the allow policy shown in the previous step, replace POLICY with the following, where CALLER_ACCOUNT is the user account creating the short-lived token (the member keeps its user: prefix, as in the gcloud command and the sample response above):
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": [
        "user:CALLER_ACCOUNT"
      ]
    }
  ]
}
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy
Request JSON body:
{
  "policy": POLICY
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d @request.json \
  "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy"
PowerShell (Windows)
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
  -Method POST `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -InFile request.json `
  -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
The response contains the updated allow policy.
Note: If you treat policies as code and store them in a version-control system, you should store the policy that is returned, not the policy that you sent in the request.
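Both REST procedures above (a service-account caller and a user-account caller) perform the same read-modify-write cycle: read the allow policy together with its etag, add the Service Account Token Creator binding, and write the policy back. The following Python is an added example and not Google's own code. It carries out that edit on the policy JSON offline, reusing an existing Token Creator binding instead of creating a duplicate, refusing members that lack their IAM prefix, and refusing to write a policy whose etag is missing. It also includes an audit helper that lists every principal able to mint short-lived credentials for the service account; that list should be short and every entry explainable. The policy literal is the sample getIamPolicy response from this page; the function names are assumptions of this example.

```python
"""Read-modify-write helpers for a service account allow policy.

Added example, not Google's code. It models the getIamPolicy -> edit ->
setIamPolicy cycle on plain Python dicts so it runs offline; wiring it to
the real API means feeding it the JSON returned by
serviceAccounts.getIamPolicy and posting the result to
serviceAccounts.setIamPolicy.
"""
import copy
import json

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Constructed sample: the getIamPolicy response shown on this page.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwWKmjvelug=",
    "bindings": [
        {"role": "roles/serviceAccountAdmin",
         "members": ["user:my-user@example.com"]},
    ],
}


def grant_token_creator(policy: dict, member: str) -> dict:
    """Return a copy of `policy` with `member` added to the Token Creator
    binding, reusing the existing unconditional binding for that role if
    there is one. `member` must carry its IAM prefix (user:, serviceAccount:,
    group:); setIamPolicy rejects a bare e-mail address, so reject it here."""
    if ":" not in member:
        raise ValueError(f"member needs an IAM prefix, got {member!r}")
    if "etag" not in policy:
        # Without the etag, setIamPolicy cannot detect a concurrent change
        # and the write would silently clobber it.
        raise ValueError("policy is missing its etag; re-read it first")
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == TOKEN_CREATOR and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": TOKEN_CREATOR, "members": [member]})
    return updated


def who_can_impersonate(policy: dict) -> list:
    """List every principal holding Token Creator on this service account,
    i.e. everyone who can mint short-lived credentials for it."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding["role"] == TOKEN_CREATOR:
            members.update(binding["members"])
    return sorted(members)


def set_iam_policy_body(policy: dict) -> str:
    """Serialize the policy as the request body that setIamPolicy expects."""
    return json.dumps({"policy": policy}, indent=2)


if __name__ == "__main__":
    caller = "serviceAccount:demo@my-project.iam.gserviceaccount.com"
    new_policy = grant_token_creator(SAMPLE_POLICY, caller)
    print(set_iam_policy_body(new_policy))
    print("can impersonate:", who_can_impersonate(new_policy))
```

The etag check matters in practice: the note above about storing the returned policy rather than the one you sent exists because the server may normalize the policy and always issues a new etag, so any later edit has to start from a fresh read.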
Generate the access token
You can generate an OAuth 2.0 access token by using the gcloud CLI, the REST API, or the Cloud Client Libraries and Google API Client Libraries.
If you use the REST API, and your system is configured to allow extended token lifetimes, you can create a token with a lifetime longer than the default. The Google Cloud CLI does not support setting a lifetime for the token.
The samples below are designed to be used in a local development environment; the caller must be represented by a user account, rather than a service account.
Generate an OAuth 2.0 access token for a service account:
gcloud
Ensure that you are signed into the gcloud CLI with the caller user account.
Generate a token for the service account by using the gcloud auth print-access-token command. Before using any of the command data below, make the following replacements:
PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud auth print-access-token --impersonate-service-account=PRIV_SA
Windows (PowerShell)
gcloud auth print-access-token --impersonate-service-account=PRIV_SA
Windows (cmd.exe)
gcloud auth print-access-token --impersonate-service-account=PRIV_SA
You should receive a response similar to the following:
WARNING: This command is using service account impersonation. All API calls will be executed as [my-sa@my-project.iam.gserviceaccount.com].
ya29.c.b0AXv0zTPnzTnDV8F8Aj5Fgy46Yf2v_v8eZIoKq7xGpfbpXuy23aQ1693m3gAuE8AZga7w6kdagN7a9bfdDYbdeoGY0CMHOClsCwIdutL7k_RFC672lOCbUgF5hS8Iu2nCA8hle-11LJXBLmaxFmH08ZTBJLuDrWSNd8cYqGYFunSC1K1qLIPBF18tsa0hxVgKPucI8b1A9L8_MK1JGLGcr0n7-zY77_lmbcdODG3NmIbLOGWOutjJgqSO_YoeCKK2QTUZIp5PG7RkKlXWnmYJA9pEahzNoQrs5sWZctc2bia9af_ITzqqlXC9h1Kj5-me6e8rd734MJvpagqYazRk0gGWpMb03XmMGpgPc_FBp4pnX9rGOzW83SNpcDz8zeFO1Q0Bo3N7CuZougjRce0y8I2_4rtw5ME_nV3wrCWa...
REST
The Service Account Credentials API's serviceAccounts.generateAccessToken method generates an OAuth 2.0 access token for a service account.
Before using any of the request data, make the following replacements:
PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
LIFETIME: The amount of time until the access token expires, in seconds. For example, 300s. By default, the maximum token lifetime is 1 hour (3,600 seconds). To extend the maximum lifetime for these tokens to 12 hours (43,200 seconds), add the service account to an organization policy that includes the constraints/iam.allowServiceAccountCredentialLifetimeExtension list constraint.
HTTP method and URL:
POST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:generateAccessToken
Request JSON body:
{
  "scope": [
    "https://www.googleapis.com/auth/cloud-platform"
  ],
  "lifetime": "LIFETIME"
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:generateAccessToken"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:generateAccessToken" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open themethod reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and clickExecute.
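As an added example that is not Google's code (the helper names and the stand-in minter callable are assumptions of this example), the following Python builds the generateAccessToken request body used in this section, refusing lifetimes beyond the 1-hour default unless the lifetime extension is in force, parses the RFC 3339 expireTime that the response carries, and re-mints a token shortly before that time is reached. Re-minting is the only option, because an access token obtained through impersonation has no refresh token.

```python
"""Build a generateAccessToken request and keep the returned token fresh.

Added example, not Google's code. The request and response shapes are the
ones this section documents; `minter` is a stand-in for the HTTP call to
serviceAccounts.generateAccessToken so that the code runs offline.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
DEFAULT_MAX_LIFETIME = 3600    # 1 hour unless the org policy extends it
EXTENDED_MAX_LIFETIME = 43200  # 12 hours with the lifetime-extension constraint


def generate_access_token_body(scopes: Iterable[str], lifetime_seconds: int,
                               extended: bool = False) -> dict:
    """Return the JSON body for generateAccessToken, rejecting lifetimes the
    API would refuse so the mistake surfaces before the round trip."""
    limit = EXTENDED_MAX_LIFETIME if extended else DEFAULT_MAX_LIFETIME
    if not 0 < lifetime_seconds <= limit:
        raise ValueError(f"lifetime must be between 1 and {limit} seconds")
    scope_list = list(scopes)
    if not scope_list:
        raise ValueError("at least one scope is required")
    return {"scope": scope_list, "lifetime": f"{lifetime_seconds}s"}


_RFC3339 = re.compile(r"^(.*?)(?:\.(\d+))?Z$")


def parse_expire_time(value: str) -> datetime:
    """Parse the RFC 3339 expireTime. The API may return nanoseconds
    (2020-04-07T15:01:23.045123456Z); datetime keeps microseconds."""
    m = _RFC3339.match(value)
    if not m:
        raise ValueError(f"unexpected expireTime format: {value!r}")
    base, frac = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))
    return datetime.fromisoformat(base).replace(microsecond=micro,
                                                tzinfo=timezone.utc)


class ImpersonatedToken:
    """Caches one access token and re-runs impersonation shortly before its
    expireTime. There is no refresh token, so re-minting is the only way
    to obtain a replacement."""

    def __init__(self, minter: Callable[[dict], dict], body: dict,
                 skew: timedelta = timedelta(minutes=5),
                 now: Callable[[], datetime] = None):
        self._minter = minter
        self._body = body
        self._skew = skew
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._token = None
        self._expires = None

    def token(self) -> str:
        if self._token is None or self._now() >= self._expires - self._skew:
            resp = self._minter(self._body)
            self._token = resp["accessToken"]
            self._expires = parse_expire_time(resp["expireTime"])
        return self._token


def demo_refresh_cycle() -> list:
    """Drive ImpersonatedToken against a constructed minter and a fake clock
    and return the tokens handed out; the third call lands inside the skew
    window and therefore triggers a second mint."""
    clock = [datetime(2020, 4, 7, 15, 0, 0, tzinfo=timezone.utc)]
    minted = []

    def fake_minter(body: dict) -> dict:
        # Constructed response in the shape generateAccessToken returns.
        minted.append(body)
        expires = clock[0] + timedelta(seconds=300)
        return {"accessToken": f"constructed-token-{len(minted)}",
                "expireTime": expires.strftime("%Y-%m-%dT%H:%M:%S.000000000Z")}

    body = generate_access_token_body([CLOUD_PLATFORM], 300)
    cache = ImpersonatedToken(fake_minter, body,
                              skew=timedelta(seconds=60), now=lambda: clock[0])
    seen = [cache.token(), cache.token()]   # same token, one mint
    clock[0] += timedelta(seconds=250)      # 50 s left: inside the skew
    seen.append(cache.token())              # second mint
    return seen


if __name__ == "__main__":
    print(generate_access_token_body([CLOUD_PLATFORM], 300))
    print(demo_refresh_cycle())
```

The skew is deliberate: a token presented a few seconds before expiry can still be rejected by the receiving API after network latency, so refreshing early costs one extra generateAccessToken call and avoids a failed request.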
If the generateAccessToken request was successful, the response body contains an OAuth 2.0 access token and an expiration time. The accessToken can then be used to authenticate a request on behalf of the service account until the expireTime has been reached:
{
  "accessToken": "eyJ0eXAi...NiJ9",
  "expireTime": "2020-04-07T15:01:23.045123456Z"
}
Go
import (
	"context"
	"fmt"
	"io"
	"time"

	"golang.org/x/oauth2/google"
	"google.golang.org/api/impersonate"
	"google.golang.org/api/option"
)

// getAccessTokenFromImpersonatedCredentials uses a service account (SA1) to impersonate
// another service account (SA2) and obtain an OAuth2 token for the impersonated account.
// To obtain a token for SA2, SA1 should have the "roles/iam.serviceAccountTokenCreator" permission on SA2.
func getAccessTokenFromImpersonatedCredentials(w io.Writer, impersonatedServiceAccount, scope string) error {
	// impersonatedServiceAccount := "name@project.service.gserviceaccount.com"
	// scope := "https://www.googleapis.com/auth/cloud-platform"

	ctx := context.Background()

	// Construct the GoogleCredentials object which obtains the default configuration from your
	// working environment.
	credentials, err := google.FindDefaultCredentials(ctx, scope)
	if err != nil {
		fmt.Fprintf(w, "failed to generate default credentials: %v", err)
		return fmt.Errorf("failed to generate default credentials: %w", err)
	}

	ts, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
		TargetPrincipal: impersonatedServiceAccount,
		Scopes:          []string{scope},
		Lifetime:        300 * time.Second,
		// delegates: The chained list of delegates required to grant the final accessToken.
		// For more information, see:
		// https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-permissions
		// Delegates is NOT USED here.
		Delegates: []string{},
	}, option.WithCredentials(credentials))
	if err != nil {
		fmt.Fprintf(w, "CredentialsTokenSource error: %v", err)
		return fmt.Errorf("CredentialsTokenSource error: %w", err)
	}

	// Get the OAuth2 token.
	// Once you've obtained the OAuth2 token, you can use it to make an authenticated call.
	t, err := ts.Token()
	if err != nil {
		fmt.Fprintf(w, "failed to receive token: %v", err)
		return fmt.Errorf("failed to receive token: %w", err)
	}
	fmt.Fprintf(w, "Generated OAuth2 token with length %d.\n", len(t.AccessToken))

	return nil
}
Java
package com.google.cloud.auth.samples;

import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

public class AccessTokenFromImpersonatedCredentials {

  public static void main(String[] args) throws IOException {
    // TODO(Developer): Replace the below variables before running the code.

    // Provide the scopes that you might need to request access to Google APIs,
    // depending on the level of access you need.
    // This example uses the cloud-wide scope and uses IAM to narrow the permissions.
    // https://cloud.google.com/docs/authentication/external/authorization-gcp
    // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
    String scope = "https://www.googleapis.com/auth/cloud-platform";

    // The name of the privilege-bearing service account for whom the credential is created.
    String impersonatedServiceAccount = "name@project.service.gserviceaccount.com";

    getAccessToken(impersonatedServiceAccount, scope);
  }

  // Use a service account (SA1) to impersonate another service account (SA2) and obtain an
  // OAuth2 access token for the impersonated account.
  // To obtain a token for SA2, SA1 should have the "roles/iam.serviceAccountTokenCreator"
  // permission on SA2.
  public static void getAccessToken(String impersonatedServiceAccount, String scope)
      throws IOException {

    // Construct the GoogleCredentials object which obtains the default configuration from your
    // working environment.
    GoogleCredentials googleCredentials = GoogleCredentials.getApplicationDefault();

    // delegates: The chained list of delegates required to grant the final accessToken.
    // For more information, see:
    // https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-permissions
    // Delegate is NOT USED here.
    List<String> delegates = null;

    // Create the impersonated credential.
    ImpersonatedCredentials impersonatedCredentials = ImpersonatedCredentials.newBuilder()
        .setSourceCredentials(googleCredentials)
        .setTargetPrincipal(impersonatedServiceAccount)
        .setScopes(Arrays.asList(scope))
        .setLifetime(300)
        .setDelegates(delegates)
        .build();

    // Get the OAuth2 token.
    // Once you've obtained the OAuth2 token, you can use it to make an authenticated call.
    impersonatedCredentials.refresh();
    String accessToken = impersonatedCredentials.getAccessToken().getTokenValue();
    System.out.println("Generated access token.");
  }
}
Node.js
/**
 * TODO(developer):
 * Uncomment and replace these variables before running the sample.
 */
// const impersonatedServiceAccount = 'name@project.service.gserviceaccount.com';
// const scope = 'https://www.googleapis.com/auth/cloud-platform';

const {GoogleAuth, Impersonated} = require('google-auth-library');

async function getAccessTokenFromImpersonatedCredentials() {
  const googleAuth = new GoogleAuth({
    scopes: scope,
  });

  // Construct the GoogleCredentials object which obtains the default configuration from your
  // working environment.
  const {credential} = await googleAuth.getApplicationDefault();

  // delegates: The chained list of delegates required to grant the final accessToken.
  // For more information, see:
  // https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-permissions
  // Delegate is NOT USED here.
  const delegates = [];

  // Create the impersonated credential.
  const impersonatedCredentials = new Impersonated({
    sourceClient: credential,
    delegates,
    targetPrincipal: impersonatedServiceAccount,
    targetScopes: [scope],
    lifetime: 300,
  });

  // Get the OAuth2 token.
  // Once you've obtained the OAuth2 token, you can use it to make an authenticated call
  // to the target audience.
  const resp = await impersonatedCredentials.getAccessToken();

  // Token is in resp.token.
  console.log('Generated OAuth2 token with length %s', resp.token.length);
}

getAccessTokenFromImpersonatedCredentials();
Python
import google.auth
import google.auth.transport.requests
from google.auth import impersonated_credentials


def accesstoken_from_impersonated_credentials(impersonated_service_account: str, scope: str):
    """
    Use a service account (SA1) to impersonate another service account (SA2) and obtain an
    access token for the impersonated account.
    To obtain a token for SA2, SA1 should have the "roles/iam.serviceAccountTokenCreator"
    role on SA2.

    Args:
        impersonated_service_account: The name of the privilege-bearing service account for whom
            the credential is created.
            Examples: name@project.service.gserviceaccount.com

        scope: Provide the scopes that you might need to request to access Google APIs,
            depending on the level of access you need. For this example, we use the cloud-wide
            scope and use IAM to narrow the permissions.
            https://cloud.google.com/docs/authentication#authorization_for_services
            For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
    """
    # Construct the GoogleCredentials object which obtains the default configuration from your
    # working environment.
    credentials, project_id = google.auth.default()

    # Create the impersonated credential.
    target_credentials = impersonated_credentials.Credentials(
        source_credentials=credentials,
        target_principal=impersonated_service_account,
        # delegates: The chained list of delegates required to grant the final accessToken.
        # For more information, see:
        # https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-permissions
        # Delegate is NOT USED here.
        delegates=[],
        target_scopes=[scope],
        lifetime=300,
    )

    # Get the OAuth2 token.
    # Once you've obtained the OAuth2 token, use it to make an authenticated call
    # to the target audience.
    request = google.auth.transport.requests.Request()
    target_credentials.refresh(request)
    # The token field is target_credentials.token.
    print("Generated OAuth2 token.")
Create an OpenID Connect (OIDC) ID token
ID tokens follow the OpenID Connect (OIDC) specification. ID tokens are accepted by a limited number of services and applications.
For more information, see ID tokens and Authentication for applications hosted on Cloud Run or Cloud Run functions.
To create an ID token, complete these tasks:
Provide the required permissions to the caller.
Use the Service Account OpenID Connect Identity Token Creator role (roles/iam.serviceAccountOpenIdTokenCreator) for creating an ID token. This is a different role than the role you use for other token types.
Provide required permissions
A direct request involves two identities: the caller that requests the credential, and the service account for which the credential is created. How you set up the permissions depends on whether the caller is authenticating as a service account or as a user account.
If you want to run a REST or gcloud CLI command on this page in a local development environment, the caller can be represented by user credentials. For automated workloads, such as an application running on Compute Engine, the caller must be represented by a service account.
Service account
When the calling application uses a service account as its identity, the following principals are involved:
Caller service account (CALLER_SA): This service account represents the calling application, which issues the request for the short-lived credentials.
Privilege-bearing service account (PRIV_SA): This service account is granted the IAM roles needed for the short-lived token. This is the service account for which the short-lived token is created.
To give CALLER_SA permissions to create short-lived credentials for PRIV_SA, you grant CALLER_SA the Service Account OpenID Connect Identity Token Creator role (roles/iam.serviceAccountOpenIdTokenCreator) on PRIV_SA.
Grant the required role on PRIV_SA:
Console
In the Google Cloud console, go to the Service Accounts page.
- Select a project.
- Click the email address of the privilege-bearing service account, PRIV_SA.
- Click the Permissions tab.
- Under Principals with access to this service account, click Grant Access.
- Enter the email address of the caller service account, CALLER_SA. For example, demo@my-project.iam.gserviceaccount.com.
- Select the Service Account OpenID Connect Identity Token Creator role (roles/iam.serviceAccountOpenIdTokenCreator).
- Click Save to grant the role to the service account.
gcloud
The gcloud iam service-accounts add-iam-policy-binding command grants a role on a service account.
Before using any of the command data below, make the following replacements:
PRIV_SA: The email address of the privilege-bearing service account for which the token is generated.
CALLER_SA: The email address of the service account representing the application that is requesting the short-lived token.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud iam service-accounts add-iam-policy-binding PRIV_SA \
    --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountOpenIdTokenCreator --format=json
Windows (PowerShell)
gcloud iam service-accounts add-iam-policy-binding PRIV_SA `
    --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountOpenIdTokenCreator --format=json
Windows (cmd.exe)
gcloud iam service-accounts add-iam-policy-binding PRIV_SA ^
    --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountOpenIdTokenCreator --format=json
You should receive a response similar to the following:
Updated IAM policy for serviceAccount [PRIV_SA].
{
  "bindings": [
    {
      "members": [
        "serviceAccount:CALLER_SA"
      ],
      "role": "roles/iam.serviceAccountOpenIdTokenCreator"
    }
  ],
  "etag": "BwXhCB4eyjY=",
  "version": 1
}
REST
Read the allow policy for PRIV_SA:
The serviceAccounts.getIamPolicy method gets a service account's allow policy.
Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy
Request JSON body:
{
  "options": {
    "requestedPolicyVersion": POLICY_VERSION
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You should receive a JSON response similar to the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    }
  ]
}
If you have not granted any roles on the service account, the response contains only an etag value. Include that etag value in the next step.
Modify the allow policy to grant CALLER_SA the Service Account OpenID Connect Identity Token Creator role (roles/iam.serviceAccountOpenIdTokenCreator). For example, to modify the sample response from the previous step, add the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountOpenIdTokenCreator",
      "members": [
        "serviceAccount:CALLER_SA"
      ]
    }
  ]
}
Write the updated allow policy:
The serviceAccounts.setIamPolicy method sets an updated allow policy for the service account.
Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
POLICY: A JSON representation of the policy that you want to set. For more information about the format of a policy, see the Policy reference.
For example, to set the allow policy shown in the previous step, replace POLICY with the following, where CALLER_SA is the service account creating the short-lived token:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountOpenIdTokenCreator",
      "members": [
        "serviceAccount:CALLER_SA"
      ]
    }
  ]
}
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy
Request JSON body:
{
  "policy": POLICY
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy"
PowerShell (Windows)
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
The response contains the updated allow policy.
Note: If you treat policies as code and store them in a version-control system, you should store the policy that is returned, not the policy that you sent in the request.
User credentials
When you want to use the Google Cloud CLI to generate short-lived tokens, or you want to generate short-lived tokens from a local development environment, you can use a user account to generate the tokens. Often, you can use your own user account.
When you use a user account to generate short-lived tokens, the following identities are involved:
Caller account (CALLER_ACCOUNT): This user account is used to generate short-lived credentials for the privilege-bearing service account.
Privilege-bearing service account (PRIV_SA): This service account is granted the IAM roles needed for the short-lived token. This is the service account for which the short-lived token is created.
To enable CALLER_ACCOUNT to create short-lived credentials for PRIV_SA, you grant CALLER_ACCOUNT the Service Account OpenID Connect Identity Token Creator role (roles/iam.serviceAccountOpenIdTokenCreator) on PRIV_SA.
Grant the required role on PRIV_SA:
Console
In the Google Cloud console, go to the Service Accounts page.
- Select a project.
- Click the email address of the privilege-bearing service account, PRIV_SA.
- Click the Permissions tab.
- Under Principals with access to this service account, click Grant Access.
- Enter the principal identifier of the caller account, CALLER_ACCOUNT. For example, my-user@example.com.
- Select the Service Account OpenID Connect Identity Token Creator role (roles/iam.serviceAccountOpenIdTokenCreator).
- Click Save to grant the role to the user account.
gcloud
The gcloud iam service-accounts add-iam-policy-binding command grants a role on a service account.
Before using any of the command data below, make the following replacements:
PRIV_SA: The email address of the privilege-bearing service account for which the token is generated.
CALLER_ACCOUNT: The email address of the user account being used to request the short-lived token.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud iam service-accounts add-iam-policy-binding PRIV_SA \
    --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountOpenIdTokenCreator --format=json
Windows (PowerShell)
gcloud iam service-accounts add-iam-policy-binding PRIV_SA `
    --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountOpenIdTokenCreator --format=json
Windows (cmd.exe)
gcloud iam service-accounts add-iam-policy-binding PRIV_SA ^
    --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountOpenIdTokenCreator --format=json
You should receive a response similar to the following:
Updated IAM policy for serviceAccount [PRIV_SA].
{
  "bindings": [
    {
      "members": [
        "user:my-user@example.com"
      ],
      "role": "roles/iam.serviceAccountOpenIdTokenCreator"
    }
  ],
  "etag": "BwX1ZbefjXU=",
  "version": 1
}
REST
Read the allow policy for PRIV_SA:
The serviceAccounts.getIamPolicy method gets a service account's allow policy.
Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy
Request JSON body:
{
  "options": {
    "requestedPolicyVersion": POLICY_VERSION
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You should receive a JSON response similar to the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    }
  ]
}
If you have not granted any roles on the service account, the response contains only an etag value. Include that etag value in the next step.
Modify the allow policy to grant CALLER_ACCOUNT the Service Account OpenID Connect Identity Token Creator role (roles/iam.serviceAccountOpenIdTokenCreator). For example, to modify the sample response from the previous step, add the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountOpenIdTokenCreator",
      "members": [
        "user:my-user@example.com"
      ]
    }
  ]
}
Write the updated allow policy:
The serviceAccounts.setIamPolicy method sets an updated allow policy for the service account.
Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
POLICY: A JSON representation of the policy that you want to set. For more information about the format of a policy, see the Policy reference.
For example, to set the allow policy shown in the previous step, replace POLICY with the following, where CALLER_ACCOUNT is the user account creating the short-lived token (user accounts carry the user: prefix, as in the gcloud command above):
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountOpenIdTokenCreator",
      "members": [
        "user:CALLER_ACCOUNT"
      ]
    }
  ]
}
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy
Request JSON body:
{
  "policy": POLICY
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy"
PowerShell (Windows)
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
The response contains the updated allow policy.
Note: If you treat policies as code and store them in a version-control system, you should store the policy that is returned, not the policy that you sent in the request.
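The REST tabs above (for both the service-account and the user-account caller) describe the same read-modify-write sequence: fetch the allow policy with getIamPolicy, add a binding while keeping the etag, and send the result to setIamPolicy. The following is an added example, not code from the page or from Google's libraries, that performs the "modify" step offline on the sample policy shown above. SAMPLE_POLICY is a constructed copy of that response; the etag check, member-prefix check and idempotent merge are this example's own design choices.

```python
import copy
import json
from typing import Dict, List

# Principal prefixes accepted in IAM allow-policy bindings. The page's examples use the
# first two; the others are listed so the check generalises to other principal types.
MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:", "principal:", "principalSet:")

# Constructed sample: the getIamPolicy response shown on this page.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwWKmjvelug=",
    "bindings": [
        {"role": "roles/serviceAccountAdmin", "members": ["user:my-user@example.com"]}
    ],
}


def is_valid_member(member: str) -> bool:
    """True if the member carries an IAM principal prefix (e.g. 'user:', 'serviceAccount:')."""
    return member.startswith(MEMBER_PREFIXES) and len(member.split(":", 1)[1]) > 0


def add_binding(policy: Dict, role: str, member: str) -> Dict:
    """Return a copy of `policy` in which `member` holds `role`.

    The etag obtained from getIamPolicy is carried over unchanged, so setIamPolicy can
    reject the write if someone else modified the policy in between. The input is never
    mutated, and granting a member that already holds the role is a no-op.
    """
    if not policy.get("etag"):
        raise ValueError("policy has no etag; read it with getIamPolicy first")
    if not is_valid_member(member):
        raise ValueError(f"member {member!r} lacks an IAM principal prefix such as 'user:'")

    updated = copy.deepcopy(policy)
    updated.setdefault("version", 1)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        # Only merge into an unconditional binding for the same role; a conditional
        # binding grants under extra constraints and must not be widened silently.
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def members_with_role(policy: Dict, role: str) -> List[str]:
    """List every member holding `role`, sorted; handy for reviewing who may mint tokens."""
    return sorted(
        m
        for b in policy.get("bindings", [])
        if b.get("role") == role
        for m in b.get("members", [])
    )


def set_iam_policy_body(policy: Dict) -> str:
    """Serialise the request body that serviceAccounts.setIamPolicy expects."""
    return json.dumps({"policy": policy}, indent=2)


if __name__ == "__main__":
    granted = add_binding(
        SAMPLE_POLICY,
        "roles/iam.serviceAccountOpenIdTokenCreator",
        "serviceAccount:CALLER_SA",
    )
    print(set_iam_policy_body(granted))
```

Reviewing members_with_role for roles/iam.serviceAccountOpenIdTokenCreator and roles/iam.serviceAccountTokenCreator on each privilege-bearing service account is a cheap way to audit who can obtain its identity.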
Generate the ID token
You can generate an OpenID Connect (OIDC) ID token by using the gcloud CLI, the REST API, or the Cloud Client Libraries and Google API Client Libraries.
The samples below are designed to be used in a local development environment; the caller must be represented by a user account, rather than a service account.
OIDC ID tokens are valid for 1 hour (3,600 seconds).
Generate a Google-signed OIDC ID token for a service account:
gcloud
Ensure that you are signed into the gcloud CLI with the caller user account.
Generate a token for the service account by using the gcloud auth print-identity-token command.
Before using any of the command data below, make the following replacements:
PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
AUDIENCE_NAME: The audience for the token, usually the URL of the application or service that the token will be used to access.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud auth print-identity-token --impersonate-service-account=PRIV_SA --audiences="AUDIENCE_NAME"
Windows (PowerShell)
gcloud auth print-identity-token --impersonate-service-account=PRIV_SA --audiences="AUDIENCE_NAME"
Windows (cmd.exe)
gcloud auth print-identity-token --impersonate-service-account=PRIV_SA --audiences="AUDIENCE_NAME"
You should receive a response similar to the following:
WARNING: This command is using service account impersonation. All API calls will be executed as [my-sa@my-project.iam.gserviceaccount.com].
eyJhbGciOiJSUzI1NiIsImtpZDNhMDg4ZDRmZmMjJkYTVmZTM5MDZjY2MiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJ3d3cuZXhhbXBsJhenAiOiIxMTYzwNDYyMDk0ODIiLCJleHAiOjE2NTQ4ODU0MzEsImlhdCI6MTY1NDg4MTgzMSwiaXN6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIMDQ2MjA5NDgyIn0.F7mu8IHj5VQdu7ItFrnYAKyGd7YqXuOP_rFLc98q8BaFBycAF1zAQnSnwqnSUXba0UK9PDT_-IOry68qLwBObz4XlX9lk0ehpN0O0W9FcFToKLB6wefXXPd4h7xtuPe5KzmpSOqj2Qqv34HriGw00Nqd-oGSgNY_lZ4wGEf4rT4oQa_kEcrY57Q2G6pwd769BhgeFwoLi5aK_Cv2kvf_zfMszC-xlkP9zwWQ8XinJBwe-qcQBa4NTgrbueNtXsEjccBS366zmw
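The value printed above is a compact JWT: three base64url segments (header, claims, signature). A service that accepts such tokens has to check the claims it was issued for, in particular that the audience is the AUDIENCE_NAME it expects and that the email is the privilege-bearing service account it intends to trust. The following is an added example, not code from the page or from Google's libraries, that parses a token and runs those claim checks with only the standard library. Because the page's token is truncated, the example builds a constructed token with a placeholder signature; the sample audience, subject and timestamps are made up. It does not verify the RS256 signature against Google's published keys, which a real relying party must do before trusting any claim.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Issuer values Google places in the ID tokens it signs; both spellings occur in practice.
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> Dict:
    """Return the claims of a compact JWT (header.payload.signature).

    Parsing only: the signature is NOT verified here. A relying party must check it against
    Google's published public keys before acting on any claim returned by this function.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned JWT (alg=none) is not acceptable")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token_claims(claims: Dict, expected_audience: str, expected_email: str,
                          now: Optional[float] = None) -> List[str]:
    """Return the names of the claim checks that failed; an empty list means all passed.

    Verifies the issuer, that `aud` is exactly the audience this service was deployed for
    (the AUDIENCE_NAME the token was minted with), that the token has not expired, and that
    the verified email is the privilege-bearing service account we intend to accept.
    """
    now = time.time() if now is None else now
    failed = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        failed.append("iss")
    if claims.get("aud") != expected_audience:
        failed.append("aud")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        failed.append("exp")
    if claims.get("email") != expected_email or claims.get("email_verified") is not True:
        failed.append("email")
    return failed


def make_sample_token(claims: Dict) -> str:
    """Assemble a CONSTRUCTED token with a placeholder signature, for offline testing only.

    Real tokens from gcloud or generateIdToken are RS256-signed by Google; this helper exists
    so the parsing and claim checks above can be exercised without network access.
    """
    def compact(obj: Dict) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode()

    header = {"alg": "RS256", "kid": "sample-key-id", "typ": "JWT"}
    return ".".join([
        _b64url_encode(compact(header)),
        _b64url_encode(compact(claims)),
        _b64url_encode(b"placeholder-signature-not-cryptographically-valid"),
    ])


if __name__ == "__main__":
    now = int(time.time())
    token = make_sample_token({
        "iss": "https://accounts.google.com",
        "aud": "https://my-service.example.com",
        "sub": "116300462094820",
        "email": "my-sa@my-project.iam.gserviceaccount.com",
        "email_verified": True,
        "iat": now,
        "exp": now + 3600,
    })
    claims = decode_jwt_claims(token)
    print("failed checks:", check_id_token_claims(
        claims, "https://my-service.example.com", "my-sa@my-project.iam.gserviceaccount.com"))
```

The audience check is the one most often skipped: a token minted for one service will otherwise be accepted by another, which is exactly what the --audiences flag above is meant to prevent.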
REST
The Service Account Credentials API's serviceAccounts.generateIdToken method generates an OIDC ID token for a service account.
Before using any of the request data, make the following replacements:
PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
AUDIENCE_NAME: The audience for the token, usually the URL of the application or service that the token will be used to access.
HTTP method and URL:
POST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:generateIdToken
Request JSON body:
{
  "audience": "AUDIENCE_NAME",
  "includeEmail": "true"
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:generateIdToken"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:generateIdToken" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
If the generateIdToken request was successful, the response body contains an ID token that is valid for 1 hour. The token can then be used to authenticate a request on behalf of the service account:
{
  "token": "eyJ0eXAi...NiJ9"
}
Create a self-signed JSON Web Token (JWT)
Self-signed JSON Web Tokens (JWTs) are useful in a variety of scenarios:
- Securely communicating between your own applications. In this scenario, one application can sign a token that can be verified by another application for authentication purposes.
- Authenticating a call to a Google API as described in Service account authorization without OAuth.
- Authenticating to an API deployed with API Gateway.
- Treating a service account as an identity provider by signing a JWT that contains arbitrary claims about a user, account, or device.
To create a JWT, complete these tasks:
Provide required permissions
A direct request involves two identities: the caller that requests the credential, and the service account for which the credential is created. How you set up the permissions depends on whether the caller is authenticating as a service account or as a user account.
If you want to run a REST or gcloud CLI command on this page in a local development environment, the caller can be represented by user credentials. For automated workloads, such as an application running on Compute Engine, the caller must be represented by a service account.
Service account
When the calling application uses a service account as its identity, the following principals are involved:
Caller service account (CALLER_SA): This service account represents the calling application, which issues the request for the short-lived credentials.
Privilege-bearing service account (PRIV_SA): This service account is granted the IAM roles needed for the short-lived token. This is the service account for which the short-lived token is created.
To give CALLER_SA permissions to create short-lived credentials for PRIV_SA, you grant CALLER_SA the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on PRIV_SA.
Grant the required role on PRIV_SA:
Console
In the Google Cloud console, go to the Service Accounts page.
- Select a project.
- Click the email address of the privilege-bearing service account, PRIV_SA.
- Click the Permissions tab.
- Under Principals with access to this service account, click Grant Access.
- Enter the email address of the caller service account, CALLER_SA. For example, demo@my-project.iam.gserviceaccount.com.
- Select the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator).
- Click Save to grant the role to the service account.
gcloud
The gcloud iam service-accounts add-iam-policy-binding command grants a role on a service account.
Before using any of the command data below, make the following replacements:
PRIV_SA: The email address of the privilege-bearing service account for which the token is generated.
CALLER_SA: The email address of the service account representing the application that is requesting the short-lived token.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud iam service-accounts add-iam-policy-binding PRIV_SA \
    --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json
Windows (PowerShell)
gcloud iam service-accounts add-iam-policy-binding PRIV_SA `
    --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json
Windows (cmd.exe)
gcloud iam service-accounts add-iam-policy-binding PRIV_SA ^
    --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json
You should receive a response similar to the following:
Updated IAM policy for serviceAccount [PRIV_SA].
{
  "bindings": [
    {
      "members": [
        "serviceAccount:CALLER_SA"
      ],
      "role": "roles/iam.serviceAccountTokenCreator"
    }
  ],
  "etag": "BwXhCB4eyjY=",
  "version": 1
}
REST
Read the allow policy for PRIV_SA:
The serviceAccounts.getIamPolicy method gets a service account's allow policy.
Before using any of the request data, make the following replacements:
PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy
Request JSON body:
{
  "options": {
    "requestedPolicyVersion": POLICY_VERSION
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You should receive a JSON response similar to the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    }
  ]
}
If you have not granted any roles on the service account, the response contains only an etag value. Include that etag value in the next step.
Modify the allow policy to grant CALLER_SA the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator). For example, to modify the sample response from the previous step, add the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": [
        "serviceAccount:CALLER_SA"
      ]
    }
  ]
}
Write the updated allow policy:
The serviceAccounts.setIamPolicy method sets an updated allow policy for the service account.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
- POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
- POLICY: A JSON representation of the policy that you want to set. For more information about the format of a policy, see the Policy reference.
For example, to set the allow policy shown in the previous step, replace POLICY with the following, where CALLER_SA is the service account creating the short-lived token:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": [
        "serviceAccount:CALLER_SA"
      ]
    }
  ]
}
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy
Request JSON body:
{ "policy": POLICY }
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy"
PowerShell (Windows)
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
The response contains the updated allow policy.
Note: If you treat policies as code and store them in a version-control system, you should store the policy that is returned, not the policy that you sent in the request.
User credentials
When you want to use the Google Cloud CLI to generate short-lived tokens, or you want to generate short-lived tokens from a local development environment, you can use a user account to generate the tokens. Often, you can use your own user account.
When you use a user account to generate short-lived tokens, the following identities are involved:
Caller account (CALLER_ACCOUNT): This user account is used to generate short-lived credentials for the privilege-bearing service account.
Privilege-bearing service account (PRIV_SA): This service account is granted the IAM roles needed for the short-lived token. This is the service account for which the short-lived token is created.
To enable CALLER_ACCOUNT to create short-lived credentials for PRIV_SA, you grant CALLER_ACCOUNT the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on PRIV_SA.
Grant the required role on PRIV_SA:
Console
- In the Google Cloud console, go to the Service Accounts page.
- Select a project.
- Click the email address of the privilege-bearing service account, PRIV_SA.
- Click the Permissions tab.
- Under Principals with access to this service account, click Grant Access.
- Enter the principal identifier of the caller account, CALLER_ACCOUNT. For example, my-user@example.com.
- Select the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator).
- Click Save to grant the role to the user account.
gcloud
The gcloud iam service-accounts add-iam-policy-binding command grants a role on a service account.
Before using any of the command data below, make the following replacements:
- PRIV_SA: The email address of the privilege-bearing service account for which the token is generated.
- CALLER_ACCOUNT: The email address of the user account being used to request the short-lived token.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud iam service-accounts add-iam-policy-binding PRIV_SA \
    --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json
Windows (PowerShell)
gcloud iam service-accounts add-iam-policy-binding PRIV_SA `
    --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json
Windows (cmd.exe)
gcloud iam service-accounts add-iam-policy-binding PRIV_SA ^
    --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json
You should receive a response similar to the following:
Updated IAM policy for serviceAccount [PRIV_SA].
{
  "bindings": [
    {
      "members": [
        "user:my-user@example.com"
      ],
      "role": "roles/iam.serviceAccountTokenCreator"
    }
  ],
  "etag": "BwX1ZbefjXU=",
  "version": 1
}
REST
Read the allow policy for PRIV_SA:
The serviceAccounts.getIamPolicy method gets a service account's allow policy.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
- POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy
Request JSON body:
{ "options": { "requestedPolicyVersion": POLICY_VERSION } }
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You should receive a JSON response similar to the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    }
  ]
}
If you have not granted any roles on the service account, the response contains only an etag value. Include that etag value in the next step.
Modify the allow policy to grant CALLER_ACCOUNT the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator). For example, to modify the sample response from the previous step, add the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": [
        "user:my-user@example.com"
      ]
    }
  ]
}
Write the updated allow policy:
The serviceAccounts.setIamPolicy method sets an updated allow policy for the service account.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
- POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
- POLICY: A JSON representation of the policy that you want to set. For more information about the format of a policy, see the Policy reference.
For example, to set the allow policy shown in the previous step, replace POLICY with the following, where CALLER_ACCOUNT is the user account creating the short-lived token:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": [
        "CALLER_ACCOUNT"
      ]
    }
  ]
}
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy
Request JSON body:
{ "policy": POLICY }
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy"
PowerShell (Windows)
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
The response contains the updated allow policy.
Note: If you treat policies as code and store them in a version-control system, you should store the policy that is returned, not the policy that you sent in the request.
Generate the JWT
Generate a self-signed JWT:
REST
The Service Account Credentials API's serviceAccounts.signJwt method signs a JWT using a service account's system-managed private key.
Before using any of the request data, make the following replacements:
- PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
- JWT_PAYLOAD: The JWT payload to sign, which is a JSON object that contains a JWT Claims Set. Include the claims that are necessary for your desired use case and to meet the validation requirements for the service you are calling. If you are calling a Google API, see Google's Authentication Guide for claim requirements. The exp (expiration time) claim must be no more than 12 hours in the future. If you are calling a Google API, the exp claim must be set no more than 1 hour in the future. The following example payload contains claims to call a Google API, where EXP is an integer timestamp representing the expiration time:
{\"iss\": \"PRIV_SA\", \"sub\": \"PRIV_SA\", \"aud\": \"https://firestore.googleapis.com/\", \"iat\": 1529350000, \"exp\": EXP }
HTTP method and URL:
POST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:signJwt
Request JSON body:
{ "payload": "JWT_PAYLOAD" }
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:signJwt"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:signJwt" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
If the signJwt request was successful, the response body contains a signed JWT and the signing key ID that was used to sign the JWT. You can use the signedJwt value as a bearer token to directly authenticate a request on behalf of the service account. The token is valid up to the expiration time specified in the request:
{
  "keyId": "42ba1e...fc0a",
  "signedJwt": "eyJ0eXAi...NiJ9"
}
Create a self-signed binary object (blob)
Self-signed binary objects, or blobs, are used to transmit binary data in such a way that the originator of the data is known (because the blob is self-signed). Blobs can be used to create signatures, a Cloud Storage object required for various authentication flows including signed URLs. For information about signatures, see the Cloud Storage documentation.
To create a self-signed binary object, complete these tasks:
Provide required permissions
A direct request involves two identities: the caller that requests the credential, and the service account for which the credential is created. How you set up the permissions depends on whether the caller is authenticating as a service account or as a user account.
If you want to run a REST or gcloud CLI command on this page in a local development environment, the caller can be represented by user credentials. For automated workloads, such as an application running on Compute Engine, the caller must be represented by a service account.
Service account
When the calling application uses a service account as its identity, the following principals are involved:
Caller service account (CALLER_SA): This service account represents the calling application, which issues the request for the short-lived credentials.
Privilege-bearing service account (PRIV_SA): This service account is granted the IAM roles needed for the short-lived token. This is the service account for which the short-lived token is created.
To give CALLER_SA permissions to create short-lived credentials for PRIV_SA, you grant CALLER_SA the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on PRIV_SA.
Grant the required role on PRIV_SA:
Console
- In the Google Cloud console, go to the Service Accounts page.
- Select a project.
- Click the email address of the privilege-bearing service account, PRIV_SA.
- Click the Permissions tab.
- Under Principals with access to this service account, click Grant Access.
- Enter the email address of the caller service account, CALLER_SA. For example, demo@my-project.iam.gserviceaccount.com.
- Select the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator).
- Click Save to grant the role to the service account.
gcloud
The gcloud iam service-accounts add-iam-policy-binding command grants a role on a service account.
Before using any of the command data below, make the following replacements:
- PRIV_SA: The email address of the privilege-bearing service account for which the token is generated.
- CALLER_SA: The email address of the service account representing the application that is requesting the short-lived token.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud iam service-accounts add-iam-policy-binding PRIV_SA \
    --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json
Windows (PowerShell)
gcloud iam service-accounts add-iam-policy-binding PRIV_SA `
    --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json
Windows (cmd.exe)
gcloud iam service-accounts add-iam-policy-binding PRIV_SA ^
    --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json
You should receive a response similar to the following:
Updated IAM policy for serviceAccount [PRIV_SA].
{
  "bindings": [
    {
      "members": [
        "serviceAccount:CALLER_SA"
      ],
      "role": "roles/iam.serviceAccountTokenCreator"
    }
  ],
  "etag": "BwXhCB4eyjY=",
  "version": 1
}
REST
Read the allow policy for PRIV_SA:
The serviceAccounts.getIamPolicy method gets a service account's allow policy.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
- POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy
Request JSON body:
{ "options": { "requestedPolicyVersion": POLICY_VERSION } }
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You should receive a JSON response similar to the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    }
  ]
}
If you have not granted any roles on the service account, the response contains only an etag value. Include that etag value in the next step.
Modify the allow policy to grant CALLER_SA the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator). For example, to modify the sample response from the previous step, add the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": [
        "serviceAccount:CALLER_SA"
      ]
    }
  ]
}
Write the updated allow policy:
The serviceAccounts.setIamPolicy method sets an updated allow policy for the service account.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
- POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
- POLICY: A JSON representation of the policy that you want to set. For more information about the format of a policy, see the Policy reference.
For example, to set the allow policy shown in the previous step, replace POLICY with the following, where CALLER_SA is the service account creating the short-lived token:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": [
        "serviceAccount:CALLER_SA"
      ]
    }
  ]
}
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy
Request JSON body:
{ "policy": POLICY }
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy"
PowerShell (Windows)
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
The response contains the updated allow policy.
Note: If you treat policies as code and store them in a version-control system, you should store the policy that is returned, not the policy that you sent in the request.
User credentials
When you want to use the Google Cloud CLI to generate short-lived tokens, or you want to generate short-lived tokens from a local development environment, you can use a user account to generate the tokens. Often, you can use your own user account.
When you use a user account to generate short-lived tokens, the following identities are involved:
Caller account (CALLER_ACCOUNT): This user account is used to generate short-lived credentials for the privilege-bearing service account.
Privilege-bearing service account (PRIV_SA): This service account is granted the IAM roles needed for the short-lived token. This is the service account for which the short-lived token is created.
To enable CALLER_ACCOUNT to create short-lived credentials for PRIV_SA, you grant CALLER_ACCOUNT the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on PRIV_SA.
Grant the required role on PRIV_SA:
Console
- In the Google Cloud console, go to the Service Accounts page.
- Select a project.
- Click the email address of the privilege-bearing service account, PRIV_SA.
- Click the Permissions tab.
- Under Principals with access to this service account, click Grant Access.
- Enter the principal identifier of the caller account, CALLER_ACCOUNT. For example, my-user@example.com.
- Select the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator).
- Click Save to grant the role to the user account.
gcloud
The gcloud iam service-accounts add-iam-policy-binding command grants a role on a service account.
Before using any of the command data below, make the following replacements:
- PRIV_SA: The email address of the privilege-bearing service account for which the token is generated.
- CALLER_ACCOUNT: The email address of the user account being used to request the short-lived token.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud iam service-accounts add-iam-policy-binding PRIV_SA \
    --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json
Windows (PowerShell)
gcloud iam service-accounts add-iam-policy-binding PRIV_SA `
    --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json
Windows (cmd.exe)
gcloud iam service-accounts add-iam-policy-binding PRIV_SA ^
    --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json
You should receive a response similar to the following:
Updated IAM policy for serviceAccount [PRIV_SA].
{
  "bindings": [
    {
      "members": [
        "user:my-user@example.com"
      ],
      "role": "roles/iam.serviceAccountTokenCreator"
    }
  ],
  "etag": "BwX1ZbefjXU=",
  "version": 1
}
REST
Read the allow policy for PRIV_SA:
The serviceAccounts.getIamPolicy method gets a service account's allow policy.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
- POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy
Request JSON body:
{ "options": { "requestedPolicyVersion": POLICY_VERSION } }
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
You should receive a JSON response similar to the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    }
  ]
}
If you have not granted any roles on the service account, the response contains only an etag value. Include that etag value in the next step.
Modify the allow policy to grant CALLER_ACCOUNT the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator). For example, to modify the sample response from the previous step, add the following:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": [
        "user:my-user@example.com"
      ]
    }
  ]
}
Write the updated allow policy:
The serviceAccounts.setIamPolicy method sets an updated allow policy for the service account.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
- POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
- POLICY: A JSON representation of the policy that you want to set. For more information about the format of a policy, see the Policy reference.
For example, to set the allow policy shown in the previous step, replace POLICY with the following, where CALLER_ACCOUNT is the user account creating the short-lived token:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/serviceAccountAdmin",
      "members": [
        "user:my-user@example.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": [
        "CALLER_ACCOUNT"
      ]
    }
  ]
}
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy
Request JSON body:
{ "policy": POLICY }
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy"
PowerShell (Windows)
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
The response contains the updated allow policy.
Note: If you treat policies as code and store them in a version-control system, you should store the policy that is returned, not the policy that you sent in the request.
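As an added example (not code from this page or from Google's client libraries), the read-modify-write a practitioner would script around the getIamPolicy and setIamPolicy calls above: it merges the caller into the Token Creator binding without dropping existing bindings, keeps the etag so that setIamPolicy rejects the write if the policy changed after it was read, and refuses the broad principals allUsers and allAuthenticatedUsers. The starting policy, the caller principal and the service account email are constructed sample values.

```python
# Added example: merge the caller into the Token Creator binding of the
# privilege-bearing service account's allow policy and build the setIamPolicy
# request shown above. Not Google's code; sample values are constructed.
import copy

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
# Granting Token Creator to these lets anyone impersonate the service account.
BROAD_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

def grant_token_creator(policy: dict, caller: str) -> dict:
    """Return a copy of `policy` with `caller` in the unconditional Token
    Creator binding. Idempotent; other bindings and the etag are kept, so
    setIamPolicy rejects the write if the policy changed since it was read."""
    if caller in BROAD_PRINCIPALS:
        raise ValueError(f"refusing to grant {TOKEN_CREATOR} to {caller}")
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == TOKEN_CREATOR and "condition" not in binding:
            if caller not in binding["members"]:
                binding["members"].append(caller)
            break
    else:
        bindings.append({"role": TOKEN_CREATOR, "members": [caller]})
    if any("condition" in b for b in bindings):
        updated["version"] = 3  # conditional bindings require policy version 3
    return updated

def build_set_policy_request(project_id: str, priv_sa: str, policy: dict):
    """Return (url, body) for projects.serviceAccounts.setIamPolicy; the body
    is what goes into request.json in the curl/PowerShell steps above."""
    url = (f"https://iam.googleapis.com/v1/projects/{project_id}"
           f"/serviceAccounts/{priv_sa}:setIamPolicy")
    return url, {"policy": policy}

# Constructed sample: the policy returned by getIamPolicy before the grant.
CURRENT_POLICY = {
    "version": 1,
    "etag": "BwWKmjvelug=",
    "bindings": [{"role": "roles/serviceAccountAdmin",
                  "members": ["user:my-user@example.com"]}],
}

if __name__ == "__main__":
    import json
    new_policy = grant_token_creator(CURRENT_POLICY, "user:caller@example.com")
    url, body = build_set_policy_request(
        "my-project", "priv-sa@my-project.iam.gserviceaccount.com", new_policy)
    print(url, json.dumps(body, indent=2), sep="\n")
```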
Generate the self-signed blob
Generate a self-signed blob for the service account:
REST
The Service Account Credentials API's serviceAccounts.signBlob method signs a blob using a service account's system-managed private key.
Before using any of the request data, make the following replacements:
PRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.
BLOB_PAYLOAD: A base64-encoded string of bytes. For example, VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wZWQgb3ZlciB0aGUgbGF6eSBkb2cu.
HTTP method and URL:
POST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:signBlob
Request JSON body:
{
  "payload": "BLOB_PAYLOAD"
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:signBlob"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list. Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:signBlob" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
If the signBlob request was successful, the response body contains a signed blob and the signing key ID that was used to sign the blob. You can use the signedBlob value as a bearer token to directly authenticate a request on behalf of the service account. The token is valid until the service account's system-managed private key expires. This key's ID is the value of the keyId field in the response.
{
  "keyId": "42ba1e...fc0a",
  "signedBlob": "eyJ0eXAi...NiJ9"
}
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.