Create signatures
This page shows you how to use the Google Cloud signBlob method to create a signature from a string-to-sign or policy document. Signatures are used as credentials in certain requests, such as signed URLs. This guide uses RSA keys for creating signatures.
The keys used by the signBlob method are rotated regularly. If you set an expiration time for a signature that is greater than 12 hours and generate the signature using the signBlob method, the signature is usable for at least 12 hours, but might stop working prior to the expiration time due to key rotation. Signatures generated using the signBlob method are best used for short-lived access to resources.
Before you begin
- Enable the Service Account Credentials API.
  Roles required to enable APIs: to enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
- You must have the iam.serviceAccounts.signBlob permission for the service account that you use in this guide. The iam.serviceAccounts.signBlob permission is included in the roles/iam.serviceAccountTokenCreator role.
- The service account that you use in this guide must have permission to perform the request encoded within the signature. For example, if the signature will be used to read object data from a bucket, the service account must have permission to read the object data.
Create a signature
1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
2. Create a JSON file that contains the following information:

       {"payload":"REQUEST_INFORMATION"}

   Where:
   REQUEST_INFORMATION is a string-to-sign or a policy document. For both, content must be base64-encoded.
3. Use cURL to call the IAM API with a signBlob request:

       curl -X POST --data-binary @JSON_FILE_NAME \
         -H "Authorization: Bearer $(gcloud auth print-access-token)" \
         -H "Content-Type: application/json" \
         "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT_EMAIL:signBlob"

   Where:
   JSON_FILE_NAME is the name of the file you created in Step 2.
   SERVICE_ACCOUNT_EMAIL is the email address of the service account you want to use to create the signature. For example, example-service-account@my-pet-project.iam.gserviceaccount.com.

If successful, a message digest is returned in the signedBlob field in the response, which is base64 encoded.
To complete the signature, ensure the message digest is base64 decoded, and then hex-encode the message digest.
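The steps above, wrapped as shell functions. This is an added example, not code from the original page or from Google; the function names payload_json, signed_blob_to_hex and sign_blob are hypothetical, and it assumes base64, sed, od and tr are available alongside curl and gcloud.

```shell
# Added example: helpers around the signBlob call described in this guide.
# All function names are hypothetical.

# Build the request body from a string-to-sign or policy document ($1).
# printf '%s' avoids the trailing newline that echo would append (it would
# become part of the signed bytes); tr strips the line wrapping that GNU
# base64 inserts every 76 characters, which would break the JSON string.
payload_json() {
  _b64=$(printf '%s' "$1" | base64 | tr -d '\n')
  printf '{"payload":"%s"}\n' "$_b64"
}

# Read a signBlob response on stdin, take the signedBlob field,
# base64-decode it and hex-encode the raw bytes.
signed_blob_to_hex() {
  _blob=$(sed -n 's/.*"signedBlob"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$_blob" ] || { echo "no signedBlob field in response" >&2; return 1; }
  printf '%s' "$_blob" | base64 -d | od -An -v -tx1 | tr -d ' \n'
  printf '\n'
}

# Full round trip: $1 = service account email, $2 = string-to-sign or
# policy document. The body is piped to curl on stdin (@-) instead of
# being written to a JSON file.
sign_blob() {
  payload_json "$2" |
    curl --silent --fail -X POST --data-binary @- \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json" \
      "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${1}:signBlob" |
    signed_blob_to_hex
}
```

Calling sign_blob SERVICE_ACCOUNT_EMAIL "$string_to_sign" prints the hex-encoded value on success and returns non-zero if the response carries no signedBlob field.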
What's next
- See the reference page for signing blobs with the Google Cloud CLI.
- Create a signed URL manually, using the signature you created.
- Create a signed URL with Google Cloud tools.
- Learn more about signatures.
Last updated 2025-12-15 UTC.