This page explains how to list and get service account keys using the Google Cloud console, the Google Cloud CLI, the Identity and Access Management API, or one of the Google Cloud Client Libraries.
Before you begin
Enable the IAM API.
Set up authentication.
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
C++
To use the C++ samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
- To initialize the gcloud CLI, run the following command:
  gcloud init
- Create local authentication credentials for your user account:
  gcloud auth application-default login
For more information, see Set up authentication for a local development environment in the Google Cloud authentication documentation.
C#
To use the .NET samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
- To initialize the gcloud CLI, run the following command:
  gcloud init
- Create local authentication credentials for your user account:
  gcloud auth application-default login
For more information, see Set up authentication for a local development environment in the Google Cloud authentication documentation.
Go
To use the Go samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
- To initialize the gcloud CLI, run the following command:
  gcloud init
- Create local authentication credentials for your user account:
  gcloud auth application-default login
For more information, see Set up authentication for a local development environment in the Google Cloud authentication documentation.
Java
To use the Java samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
- To initialize the gcloud CLI, run the following command:
  gcloud init
- Create local authentication credentials for your user account:
  gcloud auth application-default login
For more information, see Set up authentication for a local development environment in the Google Cloud authentication documentation.
Python
To use the Python samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
- To initialize the gcloud CLI, run the following command:
  gcloud init
- Create local authentication credentials for your user account:
  gcloud auth application-default login
For more information, see Set up authentication for a local development environment in the Google Cloud authentication documentation.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Understand service account credentials.
Required roles
To get the permissions that you need to list and get service account keys, ask your administrator to grant you the View Service Accounts (roles/iam.serviceAccountViewer) IAM role on either the project or the service account whose keys you want to manage. For more information about granting roles, see Manage access.
You might also be able to get the required permissions through custom roles or other predefined roles.
For more information, see Service Accounts roles.
IAM basic roles also contain permissions to manage service account keys. You should not grant basic roles in a production environment, but you can grant them in a development or test environment.
List service account keys
You can list the service account keys for a service account using the Google Cloud console, the gcloud CLI, the serviceAccount.keys.list() method, or one of the client libraries.
The serviceAccount.keys.list() method is commonly used to audit service accounts and keys, or to build custom tooling for managing service accounts.
To find out which project a key belongs to, look at the JSON key file that you downloaded when the key was created; it includes the project ID.
You might see keys listed that you did not create. These are keys created by Google and used by the Service Account Credentials API. To learn more, see Google-managed key pairs.
Console
- In the Google Cloud console, go to the Service accounts page.
The remaining steps appear in the Google Cloud console.
- Select a project.
- On the Service accounts page, click the email address of the service account whose keys you want to list.
- Click Keys. The Google Cloud console displays a list of keys for the service account.
gcloud
Execute the gcloud iam service-accounts keys list command to list service account keys.
Replace the following values:
- SA_NAME: The name of the service account to list keys for.
- PROJECT_ID: Your Google Cloud project ID.
gcloud iam service-accounts keys list \
    --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com
Output:
KEY_ID | CREATED_AT | EXPIRES_AT | DISABLED | DISABLE_REASON | EXTENDED_STATUS |
8e6e3936d7024646f8ceb39792006c07f4a9760c | 2021-01-01T21:01:42Z | 9999-12-31T23:59:59Z | |||
937c98f870f5c8db970af527aa3c12fd88b1c20a | 2021-01-01T20:55:40Z | 9999-12-31T23:59:59Z | True | USER INITIATED | |
937c98f870f5c8db970af527aa3c12fd88b1c20a | 2021-01-01T20:55:40Z | 9999-12-31T23:59:59Z | True | EXPOSED | ['key':'SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_EXPOSED' 'value':'{exposure URL}'] |
C++
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
#include "google/cloud/iam/admin/v1/iam_client.h"
#include <iostream>
#include <string>
#include <vector>

namespace iam = ::google::cloud::iam_admin_v1;
[](std::string const& service_account_name,
   std::vector<std::string> const& key_type_labels) {
  iam::IAMClient client(iam::MakeIAMConnection());

  // Translate the requested labels into the API's KeyType enum; unknown
  // labels are ignored. An empty list returns keys of every type.
  std::vector<google::iam::admin::v1::ListServiceAccountKeysRequest::KeyType>
      key_types;
  for (auto const& type : key_type_labels) {
    if (type == "USER_MANAGED") {
      key_types.push_back(
          google::iam::admin::v1::ListServiceAccountKeysRequest::USER_MANAGED);
    } else if (type == "SYSTEM_MANAGED") {
      key_types.push_back(
          google::iam::admin::v1::ListServiceAccountKeysRequest::SYSTEM_MANAGED);
    }
  }

  auto response = client.ListServiceAccountKeys(service_account_name, key_types);
  if (!response) throw std::move(response).status();
  std::cout << "ServiceAccountKeys successfully retrieved: "
            << response->DebugString() << "\n";
}
C#
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
using System;
using System.Collections.Generic;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Iam.v1;
using Google.Apis.Iam.v1.Data;

public partial class ServiceAccountKeys
{
    public static IList<ServiceAccountKey> ListKeys(string serviceAccountEmail)
    {
        // Authenticate with Application Default Credentials.
        var credential = GoogleCredential.GetApplicationDefault()
            .CreateScoped(IamService.Scope.CloudPlatform);
        var service = new IamService(new IamService.Initializer
        {
            HttpClientInitializer = credential
        });

        // "projects/-" lets the API resolve the project from the email.
        var response = service.Projects.ServiceAccounts.Keys
            .List($"projects/-/serviceAccounts/{serviceAccountEmail}")
            .Execute();
        foreach (ServiceAccountKey key in response.Keys)
        {
            Console.WriteLine("Key: " + key.Name);
        }
        return response.Keys;
    }
}
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
import (
	"context"
	"fmt"
	"io"

	iam "google.golang.org/api/iam/v1"
)

// listKeys lists a service account's keys.
func listKeys(w io.Writer, serviceAccountEmail string) ([]*iam.ServiceAccountKey, error) {
	ctx := context.Background()
	service, err := iam.NewService(ctx)
	if err != nil {
		return nil, fmt.Errorf("iam.NewService: %w", err)
	}

	// "projects/-" lets the API resolve the project from the email.
	resource := "projects/-/serviceAccounts/" + serviceAccountEmail
	response, err := service.Projects.ServiceAccounts.Keys.List(resource).Do()
	if err != nil {
		return nil, fmt.Errorf("Projects.ServiceAccounts.Keys.List: %w", err)
	}
	for _, key := range response.Keys {
		fmt.Fprintf(w, "Listing key: %v\n", key.Name)
	}
	return response.Keys, nil
}
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.admin.v1.ListServiceAccountKeysRequest;
import com.google.iam.admin.v1.ServiceAccountKey;
import java.io.IOException;
import java.util.List;

public class ListServiceAccountKeys {

  public static void main(String[] args) throws IOException {
    // TODO(Developer): Replace the below variables before running.
    String projectId = "your-project-id";
    String serviceAccountName = "your-service-account-name";

    List<ServiceAccountKey> keys = listKeys(projectId, serviceAccountName);
    keys.forEach(key -> System.out.println("Key: " + key.getName()));
  }

  // Lists all keys for a service account.
  public static List<ServiceAccountKey> listKeys(String projectId, String accountName)
      throws IOException {
    // Initialize client that will be used to send requests.
    // This client only needs to be created once, and can be reused for multiple requests.
    String email = String.format("%s@%s.iam.gserviceaccount.com", accountName, projectId);
    try (IAMClient iamClient = IAMClient.create()) {
      ListServiceAccountKeysRequest req =
          ListServiceAccountKeysRequest.newBuilder()
              .setName(String.format("projects/%s/serviceAccounts/%s", projectId, email))
              .build();
      return iamClient.listServiceAccountKeys(req).getKeysList();
    }
  }
}
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
from typing import List

from google.cloud import iam_admin_v1
from google.cloud.iam_admin_v1 import types


def list_keys(project_id: str, account: str) -> List[iam_admin_v1.ServiceAccountKey]:
    """
    Lists the keys for a service account.

    project_id: ID or number of the Google Cloud project you want to use.
    account: ID or email which is unique identifier of the service account.
    """
    iam_admin_client = iam_admin_v1.IAMClient()
    request = types.ListServiceAccountKeysRequest()
    request.name = f"projects/{project_id}/serviceAccounts/{account}"

    response = iam_admin_client.list_service_account_keys(request=request)
    return response.keys
REST
The projects.serviceAccounts.keys.list method lists all of the service account keys for a service account.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- SA_NAME: The name of the service account whose keys you want to list.
- KEY_TYPES: Optional. A comma-separated list of key types that you want to include in the response. The key type indicates whether a key is user-managed (USER_MANAGED) or system-managed (SYSTEM_MANAGED). If left blank, all keys are returned.
HTTP method and URL:
GET https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys?keyTypes=KEY_TYPES
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys?keyTypes=KEY_TYPES"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys?keyTypes=KEY_TYPES" | Select-Object -Expand Content
APIs Explorer (browser)
Open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click Execute.
You should receive a JSON response similar to the following:
{
  "keys": [
    {
      "name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com/keys/90c48f61c65cd56224a12ab18e6ee9ca9c3aee7c",
      "validAfterTime": "2020-03-04T17:39:47Z",
      "validBeforeTime": "9999-12-31T23:59:59Z",
      "keyAlgorithm": "KEY_ALG_RSA_2048",
      "keyOrigin": "GOOGLE_PROVIDED",
      "keyType": "USER_MANAGED"
    },
    {
      "name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com/keys/e5e3800831ac1adc8a5849da7d827b4724b1fce8",
      "validAfterTime": "2020-03-31T23:50:09Z",
      "validBeforeTime": "9999-12-31T23:59:59Z",
      "keyAlgorithm": "KEY_ALG_RSA_2048",
      "keyOrigin": "GOOGLE_PROVIDED",
      "keyType": "USER_MANAGED"
    },
    {
      "name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com/keys/b97699f042b8eee6a846f4f96259fbcd13e2682e",
      "validAfterTime": "2020-05-17T18:58:13Z",
      "validBeforeTime": "9999-12-31T23:59:59Z",
      "keyAlgorithm": "KEY_ALG_RSA_2048",
      "keyOrigin": "GOOGLE_PROVIDED",
      "keyType": "USER_MANAGED",
      "disabled": true,
      "disable_reason": "SERVICE_ACCOUNT_KEY_DISABLE_REASON_EXPOSED",
      "extended_status": "SERVICE_ACCOUNT_KEY_EXTENDED_STATUS_KEY_EXPOSED",
      "extended_status_message": "exposed at: https://www.github.com/SomePublicRepo"
    }
  ]
}
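The listing is most useful as input to an audit, which is what the gcloud and REST sections above describe it being used for. The following Python is an added example, not code from this page or from Google: it parses a keys.list response, skips SYSTEM_MANAGED keys (Google creates and rotates those), and flags user-managed keys that are disabled as exposed, older than a rotation limit, or set to never expire. The sample response, the 90-day rotation limit and the fixed audit date are constructed assumptions; the sample spells disableReason in lowerCamelCase as Google JSON APIs normally do, and the helper also accepts the snake_case spelling shown in this page's sample response.

```python
"""Audit a keys.list response: flag user-managed keys that are overdue for
rotation, keys Google has disabled as exposed, and keys with no expiry."""
import json
from datetime import datetime, timezone

NEVER_EXPIRES = "9999-12-31T23:59:59Z"  # validBeforeTime of a key with no expiry

# Constructed sample modelled on the keys.list response on this page.
# The service account email and key IDs are illustrative, not real.
_SA = "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com"
SAMPLE_LIST_RESPONSE = json.dumps({"keys": [
    {   # user-managed key created in 2020, still enabled: overdue for rotation
        "name": _SA + "/keys/90c48f61c65cd56224a12ab18e6ee9ca9c3aee7c",
        "validAfterTime": "2020-03-04T17:39:47Z",
        "validBeforeTime": NEVER_EXPIRES,
        "keyAlgorithm": "KEY_ALG_RSA_2048",
        "keyOrigin": "GOOGLE_PROVIDED",
        "keyType": "USER_MANAGED",
    },
    {   # user-managed key that Google disabled after finding it in a public repo
        "name": _SA + "/keys/b97699f042b8eee6a846f4f96259fbcd13e2682e",
        "validAfterTime": "2020-05-17T18:58:13Z",
        "validBeforeTime": NEVER_EXPIRES,
        "keyAlgorithm": "KEY_ALG_RSA_2048",
        "keyOrigin": "GOOGLE_PROVIDED",
        "keyType": "USER_MANAGED",
        "disabled": True,
        "disableReason": "SERVICE_ACCOUNT_KEY_DISABLE_REASON_EXPOSED",
    },
    {   # recent user-managed key with an explicit expiry: within policy
        "name": _SA + "/keys/e5e3800831ac1adc8a5849da7d827b4724b1fce8",
        "validAfterTime": "2024-07-01T00:00:00Z",
        "validBeforeTime": "2024-10-01T00:00:00Z",
        "keyAlgorithm": "KEY_ALG_RSA_2048",
        "keyOrigin": "GOOGLE_PROVIDED",
        "keyType": "USER_MANAGED",
    },
    {   # Google-managed key pair used by the Service Account Credentials API
        "name": _SA + "/keys/1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b",
        "validAfterTime": "2024-07-20T00:00:00Z",
        "validBeforeTime": "2024-08-05T00:00:00Z",
        "keyAlgorithm": "KEY_ALG_RSA_2048",
        "keyOrigin": "GOOGLE_PROVIDED",
        "keyType": "SYSTEM_MANAGED",
    },
]})

# Fixed "now" so the sample audit is reproducible (assumed date, not the real clock).
AUDIT_NOW = datetime(2024, 7, 25, tzinfo=timezone.utc)


def key_id(name: str) -> str:
    """The key ID is everything after 'keys/' in the resource name."""
    return name.rsplit("/keys/", 1)[1]


def _field(key: dict, camel: str, snake: str):
    """Read a field by its lowerCamelCase JSON name, falling back to the
    snake_case spelling used in this page's sample response."""
    return key.get(camel, key.get(snake))


def _parse_rfc3339(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_keys(list_response: str, now: datetime, max_age_days: int = 90) -> dict:
    """Return {key_id: [finding, ...]} for every key that needs attention.
    SYSTEM_MANAGED keys are skipped: Google creates and rotates them."""
    findings = {}
    for key in json.loads(list_response).get("keys", []):
        if key.get("keyType") != "USER_MANAGED":
            continue
        kid = key_id(key["name"])
        notes = []
        reason = _field(key, "disableReason", "disable_reason") or ""
        if key.get("disabled") and "EXPOSED" in reason:
            # The private key is public; disabling is not enough, delete it.
            notes.append("EXPOSED: delete this key and rotate any dependents")
        age_days = (now - _parse_rfc3339(key["validAfterTime"])).days
        if not key.get("disabled") and age_days > max_age_days:
            notes.append(f"ROTATE: key is {age_days} days old (limit {max_age_days})")
        if key.get("validBeforeTime") == NEVER_EXPIRES:
            notes.append("NO_EXPIRY: key never expires; set an expiry on replacement")
        if notes:
            findings[kid] = notes
    return findings


def run_sample_audit() -> dict:
    """Audit the constructed sample as of AUDIT_NOW."""
    return audit_keys(SAMPLE_LIST_RESPONSE, now=AUDIT_NOW)


if __name__ == "__main__":
    for kid, notes in run_sample_audit().items():
        print(kid)
        for note in notes:
            print("  -", note)
```

To run it against a real project, feed audit_keys the output of `gcloud iam service-accounts keys list --iam-account=... --format=json` or of the REST call above (in both cases the field names are camelCase) and use datetime.now(timezone.utc) as now. The recent key with an explicit expiry produces no finding, which is the shape the rotation policy is pushing toward.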
Get a service account key
You can use the gcloud CLI or the REST API to get the public key data for a service account key. In addition, you can use the Google Cloud console, the gcloud CLI, or the REST API to get metadata for the key, such as the algorithm that the key uses and whether the key is managed by you or by Google.
Console
To get the public key data for a service account key:
Use the gcloud CLI or the REST API. This data is not available in the Google Cloud console.
To get metadata for a service account key:
- In the Google Cloud console, go to the Service accounts page.
The remaining steps appear in the Google Cloud console.
- Select a project.
- On the Service accounts page, click the email address of the service account whose keys you want to list.
- Click Keys. The Google Cloud console displays a list of keys for the service account, including metadata for each key.
gcloud
To get the public key data for a service account key:
Run the gcloud beta iam service-accounts keys get-public-key command:
gcloud beta iam service-accounts keys get-public-key KEY_ID \
    --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com \
    --output-file=FILENAME
Provide the following values:
- KEY_ID: The ID of the public key you want to get. To find the key's ID, list all keys for the service account, identify the key that you want to get, and then copy its ID.
- SA_NAME: The name of the service account whose public key you want to get.
- PROJECT_ID: Your Google Cloud project ID.
- FILENAME: The file in which to save the public key data.
By default, the public key data is saved in X.509 PEM format. To get the raw public key, run the command with the additional flag --type=raw.
For example, the following command gets the public key data for the key c97cc34494c07c9b483701f28368f20145b9ef97, which belongs to the service account my-service-account@my-project.iam.gserviceaccount.com, then saves the public key data to the file public_key.pem:
gcloud beta iam service-accounts keys get-public-key \
    c97cc34494c07c9b483701f28368f20145b9ef97 \
    --iam-account=my-service-account@my-project.iam.gserviceaccount.com \
    --output-file=public_key.pem
To get metadata for a service account key:
Run the gcloud iam service-accounts keys list
command:
gcloud iam service-accounts keys list \
    --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com \
    --filter="name~KEY_ID" --format=json
Provide the following values:
- SA_NAME: The name of the service account for which you want key metadata.
- PROJECT_ID: Your Google Cloud project ID.
- KEY_ID: The ID of the key for which you want metadata.
For example, the following command gets metadata for the key c97cc34494c07c9b483701f28368f20145b9ef97, which belongs to the service account my-service-account@my-project.iam.gserviceaccount.com:
gcloud iam service-accounts keys list \
    --iam-account=my-service-account@my-project.iam.gserviceaccount.com \
    --filter="name~c97cc34494c07c9b483701f28368f20145b9ef97" --format=json
REST
The projects.serviceAccounts.keys.get method returns information about a public key for a service account.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- SA_NAME: The name of the service account whose public key you want to get.
- KEY_ID: The ID of the public key you want to get. To find the key's ID, list all keys for the service account, identify the key that you want to get, and then copy its ID from the end of the name field. The key's ID is everything after keys/.
- KEY_TYPE: The format in which to return the public key. Use TYPE_X509_PEM_FILE for X.509 PEM format or TYPE_RAW_PUBLIC_KEY for the raw public key. If you omit this query parameter, the method returns metadata for the key, but it does not return the public key data.
HTTP method and URL:
GET https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID?publicKeyType=KEY_TYPE
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID?publicKeyType=KEY_TYPE"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID?publicKeyType=KEY_TYPE" | Select-Object -Expand Content
APIs Explorer (browser)
Open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click Execute.
You should receive a JSON response similar to the following:
{
  "name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com/keys/f4a83933ac07cf52bb74e0e66d99662a09f51a36",
  "validAfterTime": "2021-12-10T17:32:06Z",
  "validBeforeTime": "9999-12-31T23:59:59Z",
  "publicKeyData": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvRENDQWVTZ0F3SUJBZ0lJT2lCdm9hR09nV0F3RFFZSktvWklodmNOQVFFRkJRQXdJREVlTUJ3R0ExVUUKQXhNVk1UQXhNVGsxTlRFMk5UWXlPRGszTmpFek1qQXpNQ0FYRFRJeE1USXhNREUzTXpJd05sb1lEems1T1RreApNak14TWpNMU9UVTVXakFnTVI0d0hBWURWUVFERXhVeE1ERXhPVf...",
  "keyAlgorithm": "KEY_ALG_RSA_2048",
  "keyOrigin": "GOOGLE_PROVIDED",
  "keyType": "USER_MANAGED"
}
What's next
- Learn how to create and delete service account keys.
- Learn how to disable and enable service account keys.
- Learn about alternatives to service account keys for authentication.
- Learn how to use service account keys to authenticate as a service account.
- Understand the best practices for managing service account keys.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-07-25 UTC.