{
	"id": "0823a62d-be61-4944-8455-54243a3fe822",
	"created_at": "2026-04-06T00:13:17.396513Z",
	"updated_at": "2026-04-10T03:19:56.12477Z",
	"deleted_at": null,
	"sha1_hash": "6a0c019186e4afd1fde650c293b1726d301c54f7",
	"title": "Create short-lived credentials for a service account",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 525997,
	"plain_text": "Create short-lived credentials for a service account\r\nArchived: 2026-04-05 16:36:28 UTC\r\nhttps://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials\r\nPage 1 of 65\n\nOn this page\r\nBefore you begin\r\nCreate a short-lived access token\r\nProvide required permissions\r\nGenerate the access token\r\nCreate an OpenID Connect (OIDC) ID token\r\nProvide required permissions\r\nGenerate the ID token\r\nCreate a self-signed JSON Web Token (JWT)\r\nProvide required permissions\r\nGenerate the JWT\r\nCreate a self-signed binary object (blob)\r\nProvide required permissions\r\nGenerate the self-signed blob\r\nThis page 
explains how to create short-lived credentials for a service account, which you can use to impersonate\r\nthe service account. Depending on the type of token you create, the short-lived token provides the identity (for ID\r\ntokens) or permissions (for access tokens) associated with the service account.\r\nIf your system architecture requires you to use a series of token generation calls, you can use a delegation chain\r\nconsisting of several service accounts. In most cases, the direct method, as explained on this page, is sufficient.\r\nBefore you begin\r\nEnable the IAM and Service Account Credentials APIs:\r\nRoles required to enable APIs\r\nTo enable APIs, you need the Service Usage Admin IAM role ( roles/serviceusage.serviceUsageAdmin ),\r\nwhich contains the serviceusage.services.enable permission. Learn how to grant roles.\r\ngcloud services enable iam.googleapis.com iamcredentials.googleapis.com\r\nSet up authentication.\r\nSelect the tab for how you plan to use the samples on this page:\r\nWhen you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set\r\nup authentication.\r\nIn the Google Cloud console, activate Cloud Shell.\r\nAt the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line\r\nprompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values\r\nalready set for your current project. It can take a few seconds for the session to initialize.\r\nTo use the Go, Java, Node.js, or Python samples on this page in a local development environment, install and\r\ninitialize the gcloud CLI, and then set up Application Default Credentials with your user credentials. The steps are\r\nthe same for each language:\r\n1. Install the Google Cloud CLI.\r\n2. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your\r\nfederated identity.\r\n3. If you're using a local shell, then create local authentication credentials for your user account:\r\ngcloud auth application-default login\r\nYou don't need to do this if you're using Cloud Shell.\r\nIf an authentication error is returned, and you are using an external identity provider (IdP), confirm\r\nthat you have signed in to the gcloud CLI with your federated identity.\r\nFor more information, see Set up ADC for a local development environment in the Google Cloud\r\nauthentication documentation.\r\nTo use the REST API samples on this page in a local development environment, you use the credentials\r\nyou provide to the gcloud CLI.\r\nInstall the Google Cloud CLI.\r\nIf you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your\r\nfederated identity.\r\nFor more information, see Authenticate for using REST in the Google Cloud authentication documentation.\r\nUnderstand IAM service accounts.\r\nUnderstand service account impersonation.\r\nUnderstand what 
kind of token you need, and use the appropriate steps provided in the sections below:\r\nOAuth 2.0 access tokens\r\nOpenID Connect (OIDC) ID tokens\r\nSelf-signed JSON Web Tokens (JWTs)\r\nSelf-signed binary blobs\r\nCreate a short-lived access token\r\nAccess tokens are accepted for authentication by most Google APIs. When you generate an access token by using\r\nservice account impersonation, the access token comes without a refresh token, which means that when the token\r\nexpires, you must repeat the impersonation process to generate a new one.\r\nFor more information, see Access tokens.\r\nTo create a short-lived access token, complete these tasks:\r\nProvide the required permissions to the caller.\r\nGenerate the access token.\r\nProvide required permissions\r\nA direct request involves two identities: the caller that requests the credential, and the service account for which\r\nthe credential is created. How you set up the permissions depends on whether the caller is authenticating as a\r\nservice account or as a user account.\r\nIf you want to run a REST or gcloud CLI command on this page in a local development environment, the caller\r\ncan be represented by user credentials. For automated workloads, such as an application running on Compute\r\nEngine, the caller must be represented by a service account.\r\nWhen the calling application uses a service account as its identity, the following principals are involved:\r\nCaller service account ( CALLER_SA )\r\nThis service account represents the calling application, which issues the request for the short-lived\r\ncredentials.\r\nPrivilege-bearing service account ( PRIV_SA )\r\nThis service account is granted the IAM roles needed for the short-lived token. This is the service account\r\nfor which the short-lived token is created.\r\nTo give CALLER_SA permissions to create short-lived credentials for PRIV_SA , you grant CALLER_SA the Service\r\nAccount Token Creator role ( roles/iam.serviceAccountTokenCreator ) on PRIV_SA . Grant the role on PRIV_SA\r\nitself rather than on the project or folder: a grant at that level lets CALLER_SA impersonate every service account\r\nbeneath it, and a caller holding this role can exercise all of PRIV_SA's permissions.\r\nGrant the required role on PRIV_SA :\r\n1. In the Google Cloud console, go to the Service Accounts page.\r\n2. Select a project.\r\n3. Click the email address of the privilege-bearing service account, PRIV_SA .\r\n4. Click the Permissions tab.\r\n5. Under Principals with access to this service account, click Grant Access.\r\n6. Enter the email address of the caller service account, CALLER_SA .\r\nFor example, demo@my-project.iam.gserviceaccount.com .\r\n7. Select the Service Account Token Creator role ( roles/iam.serviceAccountTokenCreator ).\r\n8. Click Save to grant the role to the service account.\r\nThe gcloud iam service-accounts add-iam-policy-binding command grants a role on a service account.\r\nBefore using any of the command data below, make the following replacements:\r\nPRIV_SA : The email address of the privilege-bearing service account for which the token is generated.\r\nCALLER_SA : The email address of the service account representing the application that is requesting the\r\nshort-lived token.\r\nExecute the following command:\r\nLinux, macOS, or Cloud Shell\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA \\\r\n --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json\r\nWindows (PowerShell)\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA `\r\n --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json\r\nWindows (cmd.exe)\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA ^\r\n --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json\r\nYou should receive a response similar to the following:\r\nUpdated IAM policy for serviceAccount [PRIV_SA].\r\n{\r\n \"bindings\": [\r\n {\r\n \"members\": [\r\n \"serviceAccount:CALLER_SA\"\r\n ],\r\n \"role\": \"roles/iam.serviceAccountTokenCreator\"\r\n }\r\n ],\r\n \"etag\": \"BwXhCB4eyjY=\",\r\n \"version\": 1\r\n}\r\n1. Read the allow policy for PRIV_SA :\r\nThe serviceAccounts.getIamPolicy method gets a service account's allow policy.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID : Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project .\r\nPRIV_SA : The email address of the privilege-bearing service account for which the short-lived\r\ntoken is created.\r\nPOLICY_VERSION : The policy version to be returned. Requests should specify the most recent\r\npolicy version, which is policy version 3. See Specifying a policy version when getting a policy for\r\ndetails.\r\nHTTP method and URL:\r\nPOST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\r\nRequest JSON body:\r\n{\r\n \"options\": {\r\n \"requestedPolicyVersion\": POLICY_VERSION\r\n }\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json , and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json , and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference page. The APIs Explorer panel opens on the right\r\nside of the page. You can interact with this tool to send requests. Paste the request body in this tool,\r\ncomplete any other required fields, and click Execute.\r\nYou should receive a JSON response similar to the following:\r\n{\r\n \"version\": 1,\r\n \"etag\": \"BwWKmjvelug=\",\r\n \"bindings\": [\r\n {\r\n \"role\": \"roles/iam.serviceAccountAdmin\",\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ]\r\n }\r\n ]\r\n}\r\nIf you have not granted any roles on the service account, the response contains only an etag value.\r\nInclude that etag value in the next step.\r\n2. Modify the allow policy to grant CALLER_SA the Service Account Token Creator role\r\n( roles/iam.serviceAccountTokenCreator ).\r\nFor example, to modify the sample response from the previous step, add the following:\r\n{\r\n \"version\": 1,\r\n \"etag\": \"BwWKmjvelug=\",\r\n \"bindings\": [\r\n {\r\n \"role\": \"roles/iam.serviceAccountAdmin\",\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ]\r\n },\r\n {\r\n \"role\": \"roles/iam.serviceAccountTokenCreator\",\r\n \"members\": [\r\n \"serviceAccount:CALLER_SA\"\r\n ]\r\n }\r\n ]\r\n}\r\n3. Write the updated allow policy:\r\nThe serviceAccounts.setIamPolicy method sets an updated allow policy for the service account.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID : Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project .\r\nPRIV_SA : The email address of the privilege-bearing service account for which the short-lived\r\ntoken is created.\r\nPOLICY : A JSON representation of the policy that you want to set. For more information about the\r\nformat of a policy, see the Policy reference. Keep the etag returned by getIamPolicy in the policy you\r\nwrite so that a write based on a stale read is rejected.\r\nFor example, to set the allow policy shown in the previous step, replace POLICY with the\r\nfollowing, where CALLER_SA is the service account creating the short-lived token:\r\n{\r\n \"version\": 1,\r\n \"etag\": \"BwWKmjvelug=\",\r\n \"bindings\": [\r\n {\r\n \"role\": \"roles/iam.serviceAccountAdmin\",\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ]\r\n },\r\n {\r\n \"role\": \"roles/iam.serviceAccountTokenCreator\",\r\n \"members\": [\r\n \"serviceAccount:CALLER_SA\"\r\n ]\r\n }\r\n ]\r\n}\r\nHTTP method and URL:\r\nPOST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\r\nRequest JSON body:\r\n{\r\n \"policy\": POLICY\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json , and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json , and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference 
page. The APIs Explorer panel opens on the right\r\nside of the page. You can interact with this tool to send requests. Paste the request body in this tool,\r\ncomplete any other required fields, and click Execute.\r\nThe response contains the updated allow policy.\r\nWhen you want to use the Google Cloud CLI to generate short-lived tokens, or you want to generate short-lived\r\ntokens from a local development environment, you can use a user account to generate the tokens. Often, you can\r\nuse your own user account.\r\nWhen you use a user account to generate short-lived tokens, the following identities are involved:\r\nCaller account ( CALLER_ACCOUNT )\r\nThis user account is used to generate short-lived credentials for the privilege-bearing service account.\r\nPrivilege-bearing service account ( PRIV_SA )\r\nThis service account is granted the IAM roles needed for the short-lived token. This is the service account\r\nfor which the short-lived token is created.\r\nTo enable CALLER_ACCOUNT to create short-lived credentials for PRIV_SA , you grant CALLER_ACCOUNT the\r\nService Account Token Creator role ( roles/iam.serviceAccountTokenCreator ) on PRIV_SA .\r\nGrant the required role on PRIV_SA :\r\n1. In the Google Cloud console, go to the Service Accounts page.\r\n2. Select a project.\r\n3. Click the email address of the privilege-bearing service account, PRIV_SA .\r\n4. Click the Permissions tab.\r\n5. Under Principals with access to this service account, click Grant Access.\r\n6. Enter the principal identifier of the caller account, CALLER_ACCOUNT .\r\nFor example, my-user@example.com .\r\n7. Select the Service Account Token Creator role ( roles/iam.serviceAccountTokenCreator ).\r\n8. Click Save to grant the role to the user account.\r\nThe gcloud iam service-accounts add-iam-policy-binding command grants a role on a service account.\r\nBefore using any of the command data below, make the following replacements:\r\nPRIV_SA : The email address of the privilege-bearing service account for which the token is generated.\r\nCALLER_ACCOUNT : The email address of the user account being used to request the short-lived token.\r\nExecute the following command:\r\nLinux, macOS, or Cloud Shell\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA \\\r\n --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json\r\nWindows (PowerShell)\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA `\r\n --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json\r\nWindows (cmd.exe)\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA ^\r\n --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json\r\nYou should receive a response similar to the following:\r\nUpdated IAM policy for serviceAccount [PRIV_SA].\r\n{\r\n \"bindings\": [\r\n {\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ],\r\n \"role\": \"roles/iam.serviceAccountTokenCreator\"\r\n }\r\n ],\r\n \"etag\": \"BwX1ZbefjXU=\",\r\n \"version\": 1\r\n}\r\n1. Read the allow policy for PRIV_SA :\r\nThe serviceAccounts.getIamPolicy method gets a service account's allow policy.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID : Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project .\r\nPRIV_SA : The email address of the privilege-bearing service account for which the short-lived\r\ntoken is created.\r\nPOLICY_VERSION : The policy version to be returned. Requests should specify the most recent\r\npolicy version, which is policy version 3. See Specifying a policy version when getting a policy for\r\ndetails.\r\nHTTP method and URL:\r\nPOST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\r\nRequest JSON body:\r\n{\r\n \"options\": {\r\n \"requestedPolicyVersion\": POLICY_VERSION\r\n }\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json , and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json , and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference page. The APIs Explorer panel opens on the right\r\nside of the page. You can interact with this tool to send requests. Paste the request body in this tool,\r\ncomplete any other required fields, and click Execute.\r\nYou should receive a JSON response similar to the following:\r\n{\r\n \"version\": 1,\r\n \"etag\": \"BwWKmjvelug=\",\r\n \"bindings\": [\r\n {\r\n \"role\": \"roles/iam.serviceAccountAdmin\",\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ]\r\n }\r\n ]\r\n}\r\nIf you have not granted any roles on the service account, the response contains only an etag value.\r\nInclude that etag value in the next step.\r\n2. Modify the allow policy to grant CALLER_ACCOUNT the Service Account Token Creator role\r\n( roles/iam.serviceAccountTokenCreator ).\r\nFor example, to modify the sample response from the previous step, add the following:\r\n{\r\n \"version\": 1,\r\n \"etag\": \"BwWKmjvelug=\",\r\n \"bindings\": [\r\n {\r\n \"role\": \"roles/iam.serviceAccountAdmin\",\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ]\r\n },\r\n {\r\n \"role\": \"roles/iam.serviceAccountTokenCreator\",\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ]\r\n }\r\n ]\r\n}\r\n3. Write the updated allow policy:\r\nThe serviceAccounts.setIamPolicy method sets an updated allow policy for the service account.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID : Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project .\r\nPRIV_SA : The email address of the privilege-bearing service account for which the short-lived\r\ntoken is created.\r\nPOLICY : A JSON representation of the policy that you want to set. For more information about the\r\nformat of a policy, see the Policy reference. Keep the etag returned by getIamPolicy in the policy you\r\nwrite so that a write based on a stale read is rejected.\r\nFor example, to set the allow policy shown in the previous step, replace POLICY with the\r\nfollowing, where CALLER_ACCOUNT is the user account creating the short-lived token:\r\n{\r\n \"version\": 1,\r\n \"etag\": \"BwWKmjvelug=\",\r\n \"bindings\": [\r\n {\r\n \"role\": \"roles/iam.serviceAccountAdmin\",\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ]\r\n },\r\n {\r\n \"role\": \"roles/iam.serviceAccountTokenCreator\",\r\n \"members\": [\r\n \"user:CALLER_ACCOUNT\"\r\n ]\r\n }\r\n ]\r\n}\r\nHTTP method and URL:\r\nPOST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\r\nRequest JSON body:\r\n{\r\n \"policy\": POLICY\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json , and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json , and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference page. The APIs Explorer panel opens on the right\r\nside of the page. You can interact with this tool to send requests. Paste the request body in this tool,\r\ncomplete any other required fields, and click Execute.\r\nThe response contains the updated allow policy.\r\nGenerate the access token\r\nYou can generate an OAuth 2.0 access token by using the gcloud CLI, the REST API, or the Cloud Client\r\nLibraries and Google API Client Libraries.\r\nIf you use the REST API, and your system is configured to allow extended token lifetimes, you can create a token\r\nwith a lifetime longer than the default. The Google Cloud CLI does not support setting a lifetime for the token.\r\nThe samples below are designed to be used in a local development environment; the caller must be represented by\r\na user account, rather than a service account.\r\nGenerate an OAuth 2.0 access token for a service account:\r\n1. Ensure that you are signed into the gcloud CLI with the caller user account.\r\n2. Generate a token for the service account by using the gcloud auth print-access-token command.\r\nBefore using any of the command data below, make the following replacements:\r\nPRIV_SA : The email address of the privilege-bearing service account for which the short-lived\r\ntoken is created.\r\nExecute the following command (it is the same on Linux, macOS, Cloud Shell, Windows PowerShell, and\r\ncmd.exe):\r\ngcloud auth print-access-token --impersonate-service-account=PRIV_SA\r\nYou should receive a response similar to the following:\r\nWARNING: This command is using service account impersonation. 
All API calls will be executed a\r\n[my-sa@my-project.iam.gserviceaccount.com].\r\nya29.c.b0AXv0zTPnzTnDV8F8Aj5Fgy46Yf2v_v8eZIoKq7xGpfbpXuy23aQ1693m3gAuE8AZga7w6kdagN7a9bfdDYbde\r\nThe Service Account Credentials API's serviceAccounts.generateAccessToken method generates an OAuth 2.0\r\naccess token for a service account.\r\nBefore using any of the request data, make the following replacements:\r\nPRIV_SA : The email address of the privilege-bearing service account for which the short-lived token is\r\ncreated.\r\nLIFETIME : The amount of time until the access token expires, in seconds. For example, 300s .\r\nBy default, the maximum token lifetime is 1 hour (3,600 seconds). To extend the maximum lifetime for\r\nthese tokens to 12 hours (43,200 seconds), add the service account to an organization policy that includes\r\nthe constraints/iam.allowServiceAccountCredentialLifetimeExtension list constraint.\r\nHTTP method and URL:\r\nPOST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:generateAccessToken\r\nRequest JSON body:\r\n{\r\n \"scope\": [\r\n \"https://www.googleapis.com/auth/cloud-platform\"\r\n ],\r\n \"lifetime\": \"LIFETIME\"\r\n}\r\nTo send your request, expand one of these options:\r\nhttps://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials\r\nPage 20 of 65\n\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json , and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:generateAccessToken\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json , and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST 
`\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:generateAccessToken\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference page. The APIs Explorer panel opens on the right side of\r\nthe page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other\r\nrequired fields, and click Execute.\r\nIf the generateAccessToken request was successful, the response body contains an OAuth 2.0 access token and\r\nan expiration time. The accessToken can then be used to authenticate a request on behalf of the service account\r\nuntil the expireTime has been reached:\r\n{\r\n \"accessToken\": \"eyJ0eXAi...NiJ9\",\r\n \"expireTime\": \"2020-04-07T15:01:23.045123456Z\"\r\n}\r\nCreate an OpenID Connect (OIDC) ID token\r\nID tokens follow the OpenID Connect (OIDC) specification. ID tokens are accepted by a limited number of\r\nservices and applications.\r\nFor more information, see ID tokens and Authentication for applications hosted on Cloud Run or Cloud Run\r\nfunctions.\r\nTo create an ID token, complete these tasks:\r\nProvide the required permissions to the caller.\r\nUse the Service Account OpenID Connect Identity Token Creator role\r\n( roles/iam.serviceAccountOpenIdTokenCreator ) for creating an ID token. This is a different role than the\r\nrole you use for other token types.\r\nGenerate the ID token.\r\nProvide required permissions\r\nA direct request involves two identities: the caller that requests the credential, and the service account for which\r\nthe credential is created. 
How you set up the permissions depends on whether the caller is authenticating as a\r\nservice account or as a user account.\r\nIf you want to run a REST or gcloud CLI command on this page in a local development environment, the caller\r\ncan be represented by user credentials. For automated workloads, such as an application running on Compute\r\nEngine, the caller must be represented by a service account.\r\nWhen the calling application uses a service account as its identity, the following principals are involved:\r\nCaller service account ( CALLER_SA )\r\nThis service account represents the calling application, which issues the request for the short-lived\r\ncredentials.\r\nPrivilege-bearing service account ( PRIV_SA )\r\nThis service account is granted the IAM roles needed for the short-lived token. This is the service account\r\nfor which the short-lived token is created.\r\nTo give CALLER_SA permissions to create short-lived credentials for PRIV_SA , you grant CALLER_SA the Service\r\nAccount OpenID Connect Identity Token Creator role ( roles/iam.serviceAccountOpenIdTokenCreator ) on\r\nPRIV_SA .\r\nGrant the required role on PRIV_SA :\r\n1. In the Google Cloud console, go to the Service Accounts page.\r\nGo to Service Accounts\r\n2. Select a project.\r\n3. Click the email address of the privilege-bearing service account, PRIV_SA .\r\n4. Click the Permissions tab.\r\n5. Under Principals with access to this service account, click Grant Access.\r\n6. Enter the email address of the caller service account, CALLER_SA .\r\nFor example, demo@my-project.iam.gserviceaccount.com .\r\n7. Select the Service Account OpenID Connect Identity Token Creator role\r\n( roles/iam.serviceAccountOpenIdTokenCreator ).\r\n8. 
Click Save to grant the role to the service account.\r\nThe gcloud iam service-accounts add-iam-policy-binding command grants a role on a service account.\r\nBefore using any of the command data below, make the following replacements:\r\nPRIV_SA : The email address of the privilege-bearing service account for which the token is generated.\r\nCALLER_SA : The email address of the service account representing the application that is requesting the\r\nshort-lived token.\r\nExecute the following command:\r\nLinux, macOS, or Cloud Shell\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA \\\r\n --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountOpenIdTokenCreator --format=json\r\nWindows (PowerShell)\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA `\r\n --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountOpenIdTokenCreator --format=json\r\nWindows (cmd.exe)\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA ^\r\n --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountOpenIdTokenCreator --format=json\r\nYou should receive a response similar to the following:\r\nUpdated IAM policy for serviceAccount [PRIV_SA].\r\n{\r\n \"bindings\": [\r\n {\r\n \"members\": [\r\n \"serviceAccount:CALLER_SA\"\r\n ],\r\n \"role\": \"roles/iam.serviceAccountOpenIdTokenCreator\"\r\n }\r\n ],\r\n \"etag\": \"BwXhCB4eyjY=\",\r\n \"version\": 1\r\n}\r\n1. Read the allow policy for PRIV_SA :\r\nThe serviceAccounts.getIamPolicy method gets a service account's allow policy.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID : Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project .\r\nPRIV_SA : The email address of the privilege-bearing service account for which the short-lived\r\ntoken is created.\r\nPOLICY_VERSION : The policy version to be returned. 
Requests should specify the most recent\r\npolicy version, which is policy version 3. See Specifying a policy version when getting a policy for\r\ndetails.\r\nHTTP method and URL:\r\nPOST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\r\nRequest JSON body:\r\n{\r\n \"options\": {\r\n \"requestedPolicyVersion\": POLICY_VERSION\r\n }\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json , and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json , and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference page. The APIs Explorer panel opens on the right\r\nside of the page. You can interact with this tool to send requests. 
Paste the request body in this tool,\r\ncomplete any other required fields, and click Execute.\r\nYou should receive a JSON response similar to the following:\r\n{\r\n \"version\": 1,\r\n \"etag\": \"BwWKmjvelug=\",\r\n \"bindings\": [\r\n {\r\n \"role\": \"roles/serviceAccountAdmin\",\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ]\r\n }\r\n ]\r\n}\r\nIf you have not granted any roles on the service account, the response contains only an etag value.\r\nInclude that etag value in the next step.\r\n2. Modify the allow policy to grant CALLER_SA the Service Account OpenID Connect Identity Token Creator\r\nrole ( roles/iam.serviceAccountOpenIdTokenCreator ).\r\nFor example, to modify the sample response from the previous step, add the following:\r\n {\r\n \"version\": 1,\r\n \"etag\": \"BwWKmjvelug=\",\r\n \"bindings\": [\r\n {\r\n \"role\": \"roles/serviceAccountAdmin\",\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ]\r\n },\r\n {\r\n \"role\": \"roles/iam.serviceAccountOpenIdTokenCreator\",\r\n \"members\": [\r\n \"serviceAccount:CALLER_SA\"\r\n ]\r\n }\r\n ]\r\n }\r\n3. Write the updated allow policy:\r\nThe serviceAccounts.setIamPolicy method sets an updated allow policy for the service account.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID : Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project .\r\nPRIV_SA : The email address of the privilege-bearing service account for which the short-lived\r\ntoken is created.\r\nPOLICY_VERSION : The policy version to be returned. Requests should specify the most recent\r\npolicy version, which is policy version 3. See Specifying a policy version when getting a policy for\r\ndetails.\r\nPOLICY : A JSON representation of the policy that you want to set. 
For more information about the\r\nformat of a policy, see the Policy reference.\r\nFor example, to set the allow policy shown in the previous step, replace POLICY with the\r\nfollowing, where CALLER_SA is the service account creating the short-lived token:\r\n{\r\n \"version\": 1,\r\n \"etag\": \"BwWKmjvelug=\",\r\n \"bindings\": [\r\n {\r\n \"role\": \"roles/serviceAccountAdmin\",\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ]\r\n },\r\n {\r\n \"role\": \"roles/iam.serviceAccountOpenIdTokenCreator\",\r\n \"members\": [\r\n \"serviceAccount:CALLER_SA\"\r\n ]\r\n }\r\n ]\r\n}\r\nHTTP method and URL:\r\nPOST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\r\nRequest JSON body:\r\n{\r\n \"policy\": POLICY\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json , and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json , and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method 
reference page. The APIs Explorer panel opens on the right\r\nside of the page. You can interact with this tool to send requests. Paste the request body in this tool,\r\ncomplete any other required fields, and click Execute.\r\nThe response contains the updated allow policy.\r\nWhen you want to use the Google Cloud CLI to generate short-lived tokens, or you want to generate short-lived\r\ntokens from a local development environment, you can use a user account to generate the tokens. Often, you can\r\nuse your own user account.\r\nWhen you use a user account to generate short-lived tokens, the following identities are involved:\r\nCaller account ( CALLER_ACCOUNT )\r\nThis user account is used to generate short-lived credentials for the privilege-bearing service account.\r\nPrivilege-bearing service account ( PRIV_SA )\r\nThis service account is granted the IAM roles needed for the short-lived token. This is the service account\r\nfor which the short-lived token is created.\r\nTo enable CALLER_ACCOUNT to create short-lived credentials for PRIV_SA , you grant CALLER_ACCOUNT the\r\nService Account OpenID Connect Identity Token Creator role ( roles/iam.serviceAccountOpenIdTokenCreator )\r\non PRIV_SA .\r\nGrant the required role on PRIV_SA :\r\n1. In the Google Cloud console, go to the Service Accounts page.\r\nGo to Service Accounts\r\n2. Select a project.\r\n3. Click the email address of the privilege-bearing service account, PRIV_SA .\r\n4. Click the Permissions tab.\r\n5. Under Principals with access to this service account, click Grant Access.\r\n6. Enter the principal identifier of the caller account, CALLER_ACCOUNT .\r\nFor example, my-user@example.com .\r\n7. Select the Service Account OpenID Connect Identity Token Creator role\r\n( roles/iam.serviceAccountOpenIdTokenCreator ).\r\n8. 
Click Save to grant the role to the user account.\r\nThe gcloud iam service-accounts add-iam-policy-binding command grants a role on a service account.\r\nBefore using any of the command data below, make the following replacements:\r\nPRIV_SA : The email address of the privilege-bearing service account for which the token is generated.\r\nCALLER_ACCOUNT : The email address of the user account being used to request the short-lived token.\r\nExecute the following command:\r\nLinux, macOS, or Cloud Shell\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA \\\r\n --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountOpenIdTokenCreator --format=json\r\nWindows (PowerShell)\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA `\r\n --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountOpenIdTokenCreator --format=json\r\nWindows (cmd.exe)\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA ^\r\n --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountOpenIdTokenCreator --format=json\r\nYou should receive a response similar to the following:\r\nUpdated IAM policy for serviceAccount [PRIV_SA].\r\n{\r\n \"bindings\": [\r\n {\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ],\r\n \"role\": \"roles/iam.serviceAccountOpenIdTokenCreator\"\r\n }\r\n ],\r\n \"etag\": \"BwX1ZbefjXU=\",\r\n \"version\": 1\r\n}\r\n1. Read the allow policy for PRIV_SA :\r\nThe serviceAccounts.getIamPolicy method gets a service account's allow policy.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID : Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project .\r\nPRIV_SA : The email address of the privilege-bearing service account for which the short-lived\r\ntoken is created.\r\nPOLICY_VERSION : The policy version to be returned. 
Requests should specify the most recent\r\npolicy version, which is policy version 3. See Specifying a policy version when getting a policy for\r\ndetails.\r\nHTTP method and URL:\r\nPOST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\r\nRequest JSON body:\r\n{\r\n \"options\": {\r\n \"requestedPolicyVersion\": POLICY_VERSION\r\n }\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json , and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json , and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference page. The APIs Explorer panel opens on the right\r\nside of the page. You can interact with this tool to send requests. 
Paste the request body in this tool,\r\ncomplete any other required fields, and click Execute.\r\nYou should receive a JSON response similar to the following:\r\n{\r\n \"version\": 1,\r\n \"etag\": \"BwWKmjvelug=\",\r\n \"bindings\": [\r\n {\r\n \"role\": \"roles/serviceAccountAdmin\",\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ]\r\n }\r\n ]\r\n}\r\nIf you have not granted any roles on the service account, the response contains only an etag value.\r\nInclude that etag value in the next step.\r\n2. Modify the allow policy to grant CALLER_ACCOUNT the Service Account OpenID Connect Identity Token\r\nCreator role ( roles/iam.serviceAccountOpenIdTokenCreator ).\r\nFor example, to modify the sample response from the previous step, add the following:\r\n{\r\n \"version\": 1,\r\n \"etag\": \"BwWKmjvelug=\",\r\n \"bindings\": [\r\n {\r\n \"role\": \"roles/serviceAccountAdmin\",\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ]\r\n },\r\n {\r\n \"role\": \"roles/iam.serviceAccountOpenIdTokenCreator\",\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ]\r\n }\r\n ]\r\n}\r\n3. Write the updated allow policy:\r\nThe serviceAccounts.setIamPolicy method sets an updated allow policy for the service account.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID : Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project .\r\nPRIV_SA : The email address of the privilege-bearing service account for which the short-lived\r\ntoken is created.\r\nPOLICY_VERSION : The policy version to be returned. Requests should specify the most recent\r\npolicy version, which is policy version 3. See Specifying a policy version when getting a policy for\r\ndetails.\r\nPOLICY : A JSON representation of the policy that you want to set. 
For more information about the\r\nformat of a policy, see the Policy reference.\r\nFor example, to set the allow policy shown in the previous step, replace POLICY with the\r\nfollowing, where CALLER_ACCOUNT is the user account creating the short-lived token:\r\n{\r\n \"version\": 1,\r\n \"etag\": \"BwWKmjvelug=\",\r\n \"bindings\": [\r\n {\r\n \"role\": \"roles/serviceAccountAdmin\",\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ]\r\n },\r\n {\r\n \"role\": \"roles/iam.serviceAccountOpenIdTokenCreator\",\r\n \"members\": [\r\n \"user:CALLER_ACCOUNT\"\r\n ]\r\n }\r\n ]\r\n}\r\nHTTP method and URL:\r\nPOST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\r\nRequest JSON body:\r\n{\r\n \"policy\": POLICY\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json , and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json , and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference 
page. The APIs Explorer panel opens on the right\r\nside of the page. You can interact with this tool to send requests. Paste the request body in this tool,\r\ncomplete any other required fields, and click Execute.\r\nThe response contains the updated allow policy.\r\nGenerate the ID token\r\nYou can generate an OpenID Connect (OIDC) ID token by using the gcloud CLI, the REST API, or the Cloud\r\nClient Libraries and Google API Client Libraries.\r\nThe samples below are designed to be used in a local development environment; the caller must be represented by\r\na user account, rather than a service account.\r\nOIDC ID tokens are valid for 1 hour (3,600 seconds).\r\nGenerate a Google-signed OIDC ID token for a service account:\r\n1. Ensure that you are signed into the gcloud CLI with the caller user account.\r\n2. Generate a token for the service account by using the gcloud auth print-identity-token command.\r\nBefore using any of the command data below, make the following replacements:\r\nPRIV_SA : The email address of the privilege-bearing service account for which the short-lived\r\ntoken is created.\r\nAUDIENCE_NAME : The audience for the token, usually the URL of the application or service that the\r\ntoken will be used to access.\r\nExecute the following command:\r\nLinux, macOS, or Cloud Shell\r\ngcloud auth print-identity-token --impersonate-service-account=PRIV_SA --audiences=AUDIENCE_NAME\r\nWindows (PowerShell)\r\ngcloud auth print-identity-token --impersonate-service-account=PRIV_SA --audiences=AUDIENCE_NAME\r\nWindows (cmd.exe)\r\ngcloud auth print-identity-token --impersonate-service-account=PRIV_SA --audiences=AUDIENCE_NAME\r\nYou should receive a response similar to the following:\r\nWARNING: This command is using service account impersonation. 
All API calls will b\r\n[my-sa@my-project.iam.gserviceaccount.com].\r\neyJhbGciOiJSUzI1NiIsImtpZDNhMDg4ZDRmZmMjJkYTVmZTM5MDZjY2MiLCJ0eXAiOiJKV1QifQ.eyJhd\r\nThe Service Account Credentials API's serviceAccounts.generateIdToken method generates an OIDC ID token\r\nfor a service account.\r\nBefore using any of the request data, make the following replacements:\r\nPRIV_SA : The email address of the privilege-bearing service account for which the short-lived token is\r\ncreated.\r\nAUDIENCE_NAME : The audience for the token, usually the URL of the application or service that the token\r\nwill be used to access.\r\nHTTP method and URL:\r\nPOST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:generateIdToken\r\nRequest JSON body:\r\n{\r\n \"audience\": \"AUDIENCE_NAME\",\r\n \"includeEmail\": \"true\"\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json , and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:generateIdToken\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json , and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:generateIdToken\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference page. 
The APIs Explorer panel opens on the right side of\r\nthe page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other\r\nrequired fields, and click Execute.\r\nIf the generateIdToken request was successful, the response body contains an ID token that is valid for 1 hour. The\r\ntoken can then be used to authenticate a request on behalf of the service account:\r\n{\r\n \"token\": \"eyJ0eXAi...NiJ9\"\r\n}\r\nCreate a self-signed JSON Web Token (JWT)\r\nSelf-signed JSON Web Tokens (JWTs) are useful in a variety of scenarios:\r\nSecurely communicating between your own applications. In this scenario, one application can sign a token\r\nthat can be verified by another application for authentication purposes.\r\nAuthenticating a call to a Google API as described in Service account authorization without OAuth.\r\nAuthenticating to an API deployed with API Gateway.\r\nTreating a service account as an identity provider by signing a JWT that contains arbitrary claims about a\r\nuser, account, or device.\r\nTo create a JWT, complete these tasks:\r\nProvide the required permissions to the caller.\r\nGenerate the JWT.\r\nProvide required permissions\r\nA direct request involves two identities: the caller that requests the credential, and the service account for which\r\nthe credential is created. How you set up the permissions depends on whether the caller is authenticating as a\r\nservice account or as a user account.\r\nIf you want to run a REST or gcloud CLI command on this page in a local development environment, the caller\r\ncan be represented by user credentials. 
For automated workloads, such as an application running on Compute\r\nEngine, the caller must be represented by a service account.\r\nWhen the calling application uses a service account as its identity, the following principals are involved:\r\nCaller service account ( CALLER_SA )\r\nThis service account represents the calling application, which issues the request for the short-lived\r\ncredentials.\r\nPrivilege-bearing service account ( PRIV_SA )\r\nThis service account is granted the IAM roles needed for the short-lived token. This is the service account\r\nfor which the short-lived token is created.\r\nTo give CALLER_SA permissions to create short-lived credentials for PRIV_SA , you grant CALLER_SA the Service\r\nAccount Token Creator role ( roles/iam.serviceAccountTokenCreator ) on PRIV_SA .\r\nGrant the required role on PRIV_SA :\r\n1. In the Google Cloud console, go to the Service Accounts page.\r\nGo to Service Accounts\r\n2. Select a project.\r\n3. Click the email address of the privilege-bearing service account, PRIV_SA .\r\n4. Click the Permissions tab.\r\n5. Under Principals with access to this service account, click Grant Access.\r\n6. Enter the email address of the caller service account, CALLER_SA .\r\nFor example, demo@my-project.iam.gserviceaccount.com .\r\n7. Select the Service Account Token Creator role ( roles/iam.serviceAccountTokenCreator ).\r\n8. 
Click Save to grant the role to the service account.\r\nThe gcloud iam service-accounts add-iam-policy-binding command grants a role on a service account.\r\nBefore using any of the command data below, make the following replacements:\r\nPRIV_SA : The email address of the privilege-bearing service account for which the token is generated.\r\nCALLER_SA : The email address of the service account representing the application that is requesting the\r\nshort-lived token.\r\nExecute the following command:\r\nLinux, macOS, or Cloud Shell\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA \\\r\n --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json\r\nWindows (PowerShell)\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA `\r\n --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json\r\nWindows (cmd.exe)\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA ^\r\n --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json\r\nYou should receive a response similar to the following:\r\nUpdated IAM policy for serviceAccount [PRIV_SA].\r\n{\r\n \"bindings\": [\r\n {\r\n \"members\": [\r\n \"serviceAccount:CALLER_SA\"\r\n ],\r\n \"role\": \"roles/iam.serviceAccountTokenCreator\"\r\n }\r\n ],\r\n \"etag\": \"BwXhCB4eyjY=\",\r\n \"version\": 1\r\n}\r\n1. Read the allow policy for PRIV_SA :\r\nThe serviceAccounts.getIamPolicy method gets a service account's allow policy.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID : Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project .\r\nPRIV_SA : The email address of the privilege-bearing service account for which the short-lived\r\ntoken is created.\r\nPOLICY_VERSION : The policy version to be returned. 
Requests should specify the most recent\r\npolicy version, which is policy version 3. See Specifying a policy version when getting a policy for\r\ndetails.\r\nHTTP method and URL:\r\nPOST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\r\nRequest JSON body:\r\n{\r\n \"options\": {\r\n \"requestedPolicyVersion\": POLICY_VERSION\r\n }\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json , and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json , and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference page. The APIs Explorer panel opens on the right\r\nside of the page. You can interact with this tool to send requests. 
Paste the request body in this tool,\r\ncomplete any other required fields, and click Execute.\r\nYou should receive a JSON response similar to the following:\r\n{\r\n \"version\": 1,\r\n \"etag\": \"BwWKmjvelug=\",\r\n \"bindings\": [\r\n {\r\n \"role\": \"roles/serviceAccountAdmin\",\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ]\r\n }\r\n ]\r\n}\r\nIf you have not granted any roles on the service account, the response contains only an etag value.\r\nInclude that etag value in the next step.\r\n2. Modify the allow policy to grant CALLER_SA the Service Account Token Creator role\r\n( roles/iam.serviceAccountTokenCreator ).\r\nFor example, to modify the sample response from the previous step, add the following:\r\n {\r\n \"version\": 1,\r\n \"etag\": \"BwWKmjvelug=\",\r\n \"bindings\": [\r\n {\r\n \"role\": \"roles/serviceAccountAdmin\",\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ]\r\n },\r\n {\r\n \"role\": \"roles/iam.serviceAccountTokenCreator\",\r\n \"members\": [\r\n \"serviceAccount:CALLER_SA\"\r\n ]\r\n }\r\n ]\r\n }\r\n3. Write the updated allow policy:\r\nThe serviceAccounts.setIamPolicy method sets an updated allow policy for the service account.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID : Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project .\r\nPRIV_SA : The email address of the privilege-bearing service account for which the short-lived\r\ntoken is created.\r\nPOLICY_VERSION : The policy version to be returned. Requests should specify the most recent\r\npolicy version, which is policy version 3. See Specifying a policy version when getting a policy for\r\ndetails.\r\nPOLICY : A JSON representation of the policy that you want to set. 
For more information about the format of a policy, see the Policy reference.\r\nFor example, to set the allow policy shown in the previous step, replace POLICY with the following, where CALLER_SA is the service account creating the short-lived token:\r\n{\r\n  \"version\": 1,\r\n  \"etag\": \"BwWKmjvelug=\",\r\n  \"bindings\": [\r\n    {\r\n      \"role\": \"roles/serviceAccountAdmin\",\r\n      \"members\": [\r\n        \"user:my-user@example.com\"\r\n      ]\r\n    },\r\n    {\r\n      \"role\": \"roles/iam.serviceAccountTokenCreator\",\r\n      \"members\": [\r\n        \"serviceAccount:CALLER_SA\"\r\n      ]\r\n    }\r\n  ]\r\n}\r\nHTTP method and URL:\r\nPOST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\r\nRequest JSON body:\r\n{\r\n  \"policy\": POLICY\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json, and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json, and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference 
page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.\r\nThe response contains the updated allow policy.\r\nWhen you want to use the Google Cloud CLI to generate short-lived tokens, or you want to generate short-lived tokens from a local development environment, you can use a user account to generate the tokens. Often, you can use your own user account.\r\nWhen you use a user account to generate short-lived tokens, the following identities are involved:\r\nCaller account (CALLER_ACCOUNT)\r\nThis user account is used to generate short-lived credentials for the privilege-bearing service account.\r\nPrivilege-bearing service account (PRIV_SA)\r\nThis service account is granted the IAM roles needed for the short-lived token. This is the service account for which the short-lived token is created.\r\nTo enable CALLER_ACCOUNT to create short-lived credentials for PRIV_SA, you grant CALLER_ACCOUNT the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on PRIV_SA.\r\nGrant the required role on PRIV_SA:\r\nConsole\r\n1. In the Google Cloud console, go to the Service Accounts page.\r\nGo to Service Accounts\r\n2. Select a project.\r\n3. Click the email address of the privilege-bearing service account, PRIV_SA.\r\n4. Click the Permissions tab.\r\n5. Under Principals with access to this service account, click Grant Access.\r\n6. Enter the principal identifier of the caller account, CALLER_ACCOUNT. For example, my-user@example.com.\r\n7. Select the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator).\r\n8. 
Click Save to grant the role to the user account.\r\ngcloud\r\nThe gcloud iam service-accounts add-iam-policy-binding command grants a role on a service account.\r\nBefore using any of the command data below, make the following replacements:\r\nPRIV_SA: The email address of the privilege-bearing service account for which the token is generated.\r\nCALLER_ACCOUNT: The email address of the user account being used to request the short-lived token.\r\nExecute the following command:\r\nLinux, macOS, or Cloud Shell\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA \\\r\n --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json\r\nWindows (PowerShell)\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA `\r\n --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json\r\nWindows (cmd.exe)\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA ^\r\n --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json\r\nYou should receive a response similar to the following:\r\nUpdated IAM policy for serviceAccount [PRIV_SA].\r\n{\r\n  \"bindings\": [\r\n    {\r\n      \"members\": [\r\n        \"user:my-user@example.com\"\r\n      ],\r\n      \"role\": \"roles/iam.serviceAccountTokenCreator\"\r\n    }\r\n  ],\r\n  \"etag\": \"BwX1ZbefjXU=\",\r\n  \"version\": 1\r\n}\r\nREST\r\n1. Read the allow policy for PRIV_SA:\r\nThe serviceAccounts.getIamPolicy method gets a service account's allow policy.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.\r\nPRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.\r\nPOLICY_VERSION: The policy version to be returned. 
Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.\r\nHTTP method and URL:\r\nPOST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\r\nRequest JSON body:\r\n{\r\n  \"options\": {\r\n    \"requestedPolicyVersion\": POLICY_VERSION\r\n  }\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json, and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json, and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. 
Paste the request body in this tool, complete any other required fields, and click Execute.\r\nYou should receive a JSON response similar to the following:\r\n{\r\n  \"version\": 1,\r\n  \"etag\": \"BwWKmjvelug=\",\r\n  \"bindings\": [\r\n    {\r\n      \"role\": \"roles/serviceAccountAdmin\",\r\n      \"members\": [\r\n        \"user:my-user@example.com\"\r\n      ]\r\n    }\r\n  ]\r\n}\r\nIf you have not granted any roles on the service account, the response contains only an etag value. Include that etag value in the next step.\r\n2. Modify the allow policy to grant CALLER_ACCOUNT the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator).\r\nFor example, to modify the sample response from the previous step, add the following:\r\n{\r\n  \"version\": 1,\r\n  \"etag\": \"BwWKmjvelug=\",\r\n  \"bindings\": [\r\n    {\r\n      \"role\": \"roles/serviceAccountAdmin\",\r\n      \"members\": [\r\n        \"user:my-user@example.com\"\r\n      ]\r\n    },\r\n    {\r\n      \"role\": \"roles/iam.serviceAccountTokenCreator\",\r\n      \"members\": [\r\n        \"user:my-user@example.com\"\r\n      ]\r\n    }\r\n  ]\r\n}\r\n3. Write the updated allow policy:\r\nThe serviceAccounts.setIamPolicy method sets an updated allow policy for the service account.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.\r\nPRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.\r\nPOLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.\r\nPOLICY: A JSON representation of the policy that you want to set. 
For more information about the format of a policy, see the Policy reference.\r\nFor example, to set the allow policy shown in the previous step, replace POLICY with the following, where CALLER_ACCOUNT is the user account creating the short-lived token (the user: prefix is required; a bare email address is not a valid member):\r\n{\r\n  \"version\": 1,\r\n  \"etag\": \"BwWKmjvelug=\",\r\n  \"bindings\": [\r\n    {\r\n      \"role\": \"roles/serviceAccountAdmin\",\r\n      \"members\": [\r\n        \"user:my-user@example.com\"\r\n      ]\r\n    },\r\n    {\r\n      \"role\": \"roles/iam.serviceAccountTokenCreator\",\r\n      \"members\": [\r\n        \"user:CALLER_ACCOUNT\"\r\n      ]\r\n    }\r\n  ]\r\n}\r\nHTTP method and URL:\r\nPOST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\r\nRequest JSON body:\r\n{\r\n  \"policy\": POLICY\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json, and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json, and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference page. 
The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.\r\nThe response contains the updated allow policy.\r\nGenerate the JWT\r\nGenerate a self-signed JWT:\r\nThe Service Account Credentials API's serviceAccounts.signJwt method signs a JWT using a service account's system-managed private key.\r\nBefore using any of the request data, make the following replacements:\r\nPRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.\r\nJWT_PAYLOAD: The JWT payload to sign, which is a JSON object that contains a JWT Claims Set. Include the claims that are necessary for your desired use case and to meet the validation requirements for the service you are calling. If you are calling a Google API, see Google's Authentication Guide for claim requirements.\r\nThe exp (expiration time) claim must be no more than 12 hours in the future. 
If you are calling a Google API, the exp claim must be set no more than 1 hour in the future.\r\nThe following example payload contains claims to call a Google API, where EXP is an integer timestamp representing the expiration time:\r\n{ \\\"iss\\\": \\\"PRIV_SA\\\", \\\"sub\\\": \\\"PRIV_SA\\\", \\\"aud\\\": \\\"https://firestore.googleapis.com/\\\", \\\"exp\\\": EXP }\r\nHTTP method and URL:\r\nPOST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:signJwt\r\nRequest JSON body:\r\n{\r\n  \"payload\": \"JWT_PAYLOAD\"\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json, and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:signJwt\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json, and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:signJwt\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. 
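The constraints the page places on JWT_PAYLOAD (iss and sub are PRIV_SA, aud is the service being called, exp at most 12 hours ahead and at most 1 hour ahead for a Google API) are easy to get wrong by hand. As an added example, not code from the original page or from Google, this Python builds the payload string with those checks and decodes a returned signedJwt to confirm the claims and remaining lifetime before it is used as a bearer token; it does not verify the signature (the Google API you call does that against PRIV_SA's public key), and the response it inspects is constructed here with a placeholder signature and key ID.

```python
import base64
import json

# Limits the page states for the exp claim of a signJwt payload.
MAX_LIFETIME_S = 12 * 3600          # any audience
GOOGLE_API_MAX_LIFETIME_S = 3600    # audience is a Google API

# Constructed sample values (placeholders, not real identities or keys).
SAMPLE_PRIV_SA = "PRIV_SA"
SAMPLE_AUD = "https://firestore.googleapis.com/"
SAMPLE_NOW = 1_700_000_000          # fixed "current time" so results are reproducible


def build_jwt_payload(priv_sa, aud, now, lifetime_s, google_api=True):
    """Return the JWT_PAYLOAD string for serviceAccounts.signJwt.

    iss and sub are PRIV_SA and aud is the service being called, as in the
    page's example. exp is checked against the 12 h limit (1 h for a Google
    API). iat is a standard JWT claim not shown in the page's example.
    """
    limit = GOOGLE_API_MAX_LIFETIME_S if google_api else MAX_LIFETIME_S
    if not 0 < lifetime_s <= limit:
        raise ValueError(f"lifetime {lifetime_s}s is outside (0, {limit}] for this audience")
    claims = {"iss": priv_sa, "sub": priv_sa, "aud": aud, "iat": now, "exp": now + lifetime_s}
    return json.dumps(claims, separators=(",", ":"))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def inspect_signed_jwt(signed_jwt, expected_iss, expected_aud, now):
    """Decode a signedJwt (compact JWS: header.payload.signature) and check its
    claims before using it as a bearer token.

    This does NOT verify the signature; the API receiving the token does that.
    The point is to catch a payload you built wrongly (wrong issuer or audience,
    already expired, lifetime beyond the 12 h limit) before it is sent anywhere.
    """
    parts = signed_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))

    problems = []
    if header.get("alg") != "RS256":        # signJwt signs with the SA's RSA key
        problems.append("unexpected alg")
    if claims.get("iss") != expected_iss or claims.get("sub") != expected_iss:
        problems.append("iss/sub is not PRIV_SA")
    if claims.get("aud") != expected_aud:
        problems.append("aud mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, int):
        problems.append("exp missing")
    elif exp <= now:
        problems.append("expired")
    elif exp - now > MAX_LIFETIME_S:
        problems.append("exp more than 12 hours ahead")
    return {"ok": not problems, "problems": problems, "claims": claims, "kid": header.get("kid")}


def make_sample_response(payload: str, key_id: str) -> dict:
    """Constructed stand-in for a signJwt response body ({keyId, signedJwt}).

    The header fields (typ, alg, kid) and the signature are constructed here;
    no private key is available offline, so the signature is a placeholder.
    """
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256", "kid": key_id}).encode())
    body = _b64url_encode(payload.encode())
    signature = _b64url_encode(b"placeholder-signature-not-verifiable")
    return {"keyId": key_id, "signedJwt": f"{header}.{body}.{signature}"}


if __name__ == "__main__":
    payload = build_jwt_payload(SAMPLE_PRIV_SA, SAMPLE_AUD, SAMPLE_NOW, 3600)
    response = make_sample_response(payload, "KEY_ID_PLACEHOLDER")
    result = inspect_signed_jwt(response["signedJwt"], SAMPLE_PRIV_SA, SAMPLE_AUD, SAMPLE_NOW)
    print(json.dumps(result, indent=2))
    # A two-hour lifetime for a Google API audience is refused before anything is signed.
    try:
        build_jwt_payload(SAMPLE_PRIV_SA, SAMPLE_AUD, SAMPLE_NOW, 2 * 3600)
    except ValueError as err:
        print("rejected:", err)
```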
Paste the request body in this tool, complete any other required fields, and click Execute.\r\nIf the signJwt request was successful, the response body contains a signed JWT and the signing key ID that was used to sign the JWT. You can use the signedJwt value as a bearer token to directly authenticate a request on behalf of the service account. The token is valid up to the expiration time specified in the request:\r\n{\r\n  \"keyId\": \"42ba1e...fc0a\",\r\n  \"signedJwt\": \"eyJ0eXAi...NiJ9\"\r\n}\r\nCreate a self-signed binary object (blob)\r\nSelf-signed binary objects, or blobs, are used to transmit binary data in such a way that the originator of the data is known (because the blob is self-signed). Blobs can be used to create signatures, which Cloud Storage requires for various authentication flows, including signed URLs. For information about signatures, see the Cloud Storage documentation.\r\nTo create a self-signed binary object, complete these tasks:\r\nProvide the required permissions to the caller.\r\nGenerate the self-signed blob.\r\nProvide required permissions\r\nA direct request involves two identities: the caller that requests the credential, and the service account for which the credential is created. How you set up the permissions depends on whether the caller is authenticating as a service account or as a user account.\r\nIf you want to run a REST or gcloud CLI command on this page in a local development environment, the caller can be represented by user credentials. 
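Each REST grant procedure on this page, whether the caller is CALLER_SA or CALLER_ACCOUNT, is the same read-modify-write: read PRIV_SA's allow policy with getIamPolicy, add the roles/iam.serviceAccountTokenCreator binding, and write it back with setIamPolicy carrying the etag you read. As an added example, not code from the original page or from Google, this Python builds the updated policy from the page's sample response, rejects a member that lacks a principal prefix, and uses a constructed in-memory stand-in for the IAM service (not the real API) to show why the etag matters when two writers race.

```python
import copy
import json

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
# Principal types accepted in a binding. A bare email such as
# "my-user@example.com" is not a valid member; the prefix tells IAM
# which kind of principal it is.
MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")

# Sample getIamPolicy response, copied from the page.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwWKmjvelug=",
    "bindings": [
        {"role": "roles/serviceAccountAdmin", "members": ["user:my-user@example.com"]}
    ],
}


def validate_member(member: str) -> str:
    if not member.startswith(MEMBER_PREFIXES):
        raise ValueError(f"{member!r} needs a principal prefix such as 'user:' or 'serviceAccount:'")
    return member


def grant_token_creator(policy: dict, member: str) -> dict:
    """Step 2 of the REST procedure: return a copy of the policy read with
    getIamPolicy that also binds `member` to roles/iam.serviceAccountTokenCreator.

    Idempotent (re-applying changes nothing), leaves other bindings untouched,
    and keeps version and etag so setIamPolicy can detect a concurrent change.
    """
    validate_member(member)
    updated = copy.deepcopy(policy)
    for binding in updated.setdefault("bindings", []):
        # Only merge into an unconditional binding; a conditional one grants
        # the role under a different rule and must not be widened silently.
        if binding.get("role") == TOKEN_CREATOR and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": TOKEN_CREATOR, "members": [member]})
    return updated


def set_iam_policy_body(policy: dict) -> str:
    """Step 3: the request.json body for serviceAccounts.setIamPolicy."""
    if not policy.get("etag"):
        raise ValueError("policy has no etag; read it with getIamPolicy first")
    return json.dumps({"policy": policy}, indent=2)


class FakeIamService:
    """Constructed in-memory stand-in for the IAM service, used only to show the
    etag check. Not the real API: the real service issues its own opaque etags
    and rejects a write whose etag no longer matches the stored policy."""

    def __init__(self, policy: dict):
        self.policy = copy.deepcopy(policy)
        self._writes = 0

    def get_iam_policy(self) -> dict:
        return copy.deepcopy(self.policy)

    def set_iam_policy(self, policy: dict) -> dict:
        if policy.get("etag") != self.policy["etag"]:
            raise RuntimeError("ABORTED: etag mismatch, policy changed since it was read")
        self._writes += 1
        self.policy = copy.deepcopy(policy)
        self.policy["etag"] = f"etag-{self._writes}"   # constructed placeholder etag
        return copy.deepcopy(self.policy)


def concurrent_grant_demo():
    """Two administrators read the same policy, then both write. The second
    write carries a stale etag and is rejected; re-reading and re-applying
    the change is the correct recovery."""
    svc = FakeIamService(SAMPLE_POLICY)
    read_a = svc.get_iam_policy()
    read_b = svc.get_iam_policy()
    svc.set_iam_policy(grant_token_creator(read_a, "serviceAccount:CALLER_SA"))
    try:
        svc.set_iam_policy(grant_token_creator(read_b, "user:my-user@example.com"))
        stale_rejected = False
    except RuntimeError:
        stale_rejected = True
    fresh = grant_token_creator(svc.get_iam_policy(), "user:my-user@example.com")
    return stale_rejected, svc.set_iam_policy(fresh)


if __name__ == "__main__":
    print(set_iam_policy_body(grant_token_creator(SAMPLE_POLICY, "serviceAccount:CALLER_SA")))
    rejected, final_policy = concurrent_grant_demo()
    print("stale write rejected:", rejected)
    print(json.dumps(final_policy, indent=2))
```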
For automated workloads, such as an application running on Compute Engine, the caller must be represented by a service account.\r\nWhen the calling application uses a service account as its identity, the following principals are involved:\r\nCaller service account (CALLER_SA)\r\nThis service account represents the calling application, which issues the request for the short-lived credentials.\r\nPrivilege-bearing service account (PRIV_SA)\r\nThis service account is granted the IAM roles needed for the short-lived token. This is the service account for which the short-lived token is created.\r\nTo give CALLER_SA permissions to create short-lived credentials for PRIV_SA, you grant CALLER_SA the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on PRIV_SA.\r\nGrant the required role on PRIV_SA:\r\nConsole\r\n1. In the Google Cloud console, go to the Service Accounts page.\r\nGo to Service Accounts\r\n2. Select a project.\r\n3. Click the email address of the privilege-bearing service account, PRIV_SA.\r\n4. Click the Permissions tab.\r\n5. Under Principals with access to this service account, click Grant Access.\r\n6. Enter the email address of the caller service account, CALLER_SA. For example, demo@my-project.iam.gserviceaccount.com.\r\n7. Select the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator).\r\n8. 
Click Save to grant the role to the service account.\r\ngcloud\r\nThe gcloud iam service-accounts add-iam-policy-binding command grants a role on a service account.\r\nBefore using any of the command data below, make the following replacements:\r\nPRIV_SA: The email address of the privilege-bearing service account for which the token is generated.\r\nCALLER_SA: The email address of the service account representing the application that is requesting the short-lived token.\r\nExecute the following command:\r\nLinux, macOS, or Cloud Shell\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA \\\r\n --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json\r\nWindows (PowerShell)\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA `\r\n --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json\r\nWindows (cmd.exe)\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA ^\r\n --member=serviceAccount:CALLER_SA --role=roles/iam.serviceAccountTokenCreator --format=json\r\nYou should receive a response similar to the following:\r\nUpdated IAM policy for serviceAccount [PRIV_SA].\r\n{\r\n  \"bindings\": [\r\n    {\r\n      \"members\": [\r\n        \"serviceAccount:CALLER_SA\"\r\n      ],\r\n      \"role\": \"roles/iam.serviceAccountTokenCreator\"\r\n    }\r\n  ],\r\n  \"etag\": \"BwXhCB4eyjY=\",\r\n  \"version\": 1\r\n}\r\nREST\r\n1. Read the allow policy for PRIV_SA:\r\nThe serviceAccounts.getIamPolicy method gets a service account's allow policy.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.\r\nPRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.\r\nPOLICY_VERSION: The policy version to be returned. 
Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.\r\nHTTP method and URL:\r\nPOST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\r\nRequest JSON body:\r\n{\r\n  \"options\": {\r\n    \"requestedPolicyVersion\": POLICY_VERSION\r\n  }\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json, and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json, and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. 
Paste the request body in this tool, complete any other required fields, and click Execute.\r\nYou should receive a JSON response similar to the following:\r\n{\r\n  \"version\": 1,\r\n  \"etag\": \"BwWKmjvelug=\",\r\n  \"bindings\": [\r\n    {\r\n      \"role\": \"roles/serviceAccountAdmin\",\r\n      \"members\": [\r\n        \"user:my-user@example.com\"\r\n      ]\r\n    }\r\n  ]\r\n}\r\nIf you have not granted any roles on the service account, the response contains only an etag value. Include that etag value in the next step.\r\n2. Modify the allow policy to grant CALLER_SA the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator).\r\nFor example, to modify the sample response from the previous step, add the following:\r\n{\r\n  \"version\": 1,\r\n  \"etag\": \"BwWKmjvelug=\",\r\n  \"bindings\": [\r\n    {\r\n      \"role\": \"roles/serviceAccountAdmin\",\r\n      \"members\": [\r\n        \"user:my-user@example.com\"\r\n      ]\r\n    },\r\n    {\r\n      \"role\": \"roles/iam.serviceAccountTokenCreator\",\r\n      \"members\": [\r\n        \"serviceAccount:CALLER_SA\"\r\n      ]\r\n    }\r\n  ]\r\n}\r\n3. Write the updated allow policy:\r\nThe serviceAccounts.setIamPolicy method sets an updated allow policy for the service account.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.\r\nPRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.\r\nPOLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.\r\nPOLICY: A JSON representation of the policy that you want to set. 
For more information about the format of a policy, see the Policy reference.\r\nFor example, to set the allow policy shown in the previous step, replace POLICY with the following, where CALLER_SA is the service account creating the short-lived token:\r\n{\r\n  \"version\": 1,\r\n  \"etag\": \"BwWKmjvelug=\",\r\n  \"bindings\": [\r\n    {\r\n      \"role\": \"roles/serviceAccountAdmin\",\r\n      \"members\": [\r\n        \"user:my-user@example.com\"\r\n      ]\r\n    },\r\n    {\r\n      \"role\": \"roles/iam.serviceAccountTokenCreator\",\r\n      \"members\": [\r\n        \"serviceAccount:CALLER_SA\"\r\n      ]\r\n    }\r\n  ]\r\n}\r\nHTTP method and URL:\r\nPOST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\r\nRequest JSON body:\r\n{\r\n  \"policy\": POLICY\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json, and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json, and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference 
page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.\r\nThe response contains the updated allow policy.\r\nWhen you want to use the Google Cloud CLI to generate short-lived tokens, or you want to generate short-lived tokens from a local development environment, you can use a user account to generate the tokens. Often, you can use your own user account.\r\nWhen you use a user account to generate short-lived tokens, the following identities are involved:\r\nCaller account (CALLER_ACCOUNT)\r\nThis user account is used to generate short-lived credentials for the privilege-bearing service account.\r\nPrivilege-bearing service account (PRIV_SA)\r\nThis service account is granted the IAM roles needed for the short-lived token. This is the service account for which the short-lived token is created.\r\nTo enable CALLER_ACCOUNT to create short-lived credentials for PRIV_SA, you grant CALLER_ACCOUNT the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on PRIV_SA.\r\nGrant the required role on PRIV_SA:\r\nConsole\r\n1. In the Google Cloud console, go to the Service Accounts page.\r\nGo to Service Accounts\r\n2. Select a project.\r\n3. Click the email address of the privilege-bearing service account, PRIV_SA.\r\n4. Click the Permissions tab.\r\n5. Under Principals with access to this service account, click Grant Access.\r\n6. Enter the principal identifier of the caller account, CALLER_ACCOUNT. For example, my-user@example.com.\r\n7. Select the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator).\r\n8. 
Click Save to grant the role to the user account.\r\ngcloud\r\nThe gcloud iam service-accounts add-iam-policy-binding command grants a role on a service account.\r\nBefore using any of the command data below, make the following replacements:\r\nPRIV_SA: The email address of the privilege-bearing service account for which the token is generated.\r\nCALLER_ACCOUNT: The email address of the user account being used to request the short-lived token.\r\nExecute the following command:\r\nLinux, macOS, or Cloud Shell\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA \\\r\n --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json\r\nWindows (PowerShell)\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA `\r\n --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json\r\nWindows (cmd.exe)\r\ngcloud iam service-accounts add-iam-policy-binding PRIV_SA ^\r\n --member=user:CALLER_ACCOUNT --role=roles/iam.serviceAccountTokenCreator --format=json\r\nYou should receive a response similar to the following:\r\nUpdated IAM policy for serviceAccount [PRIV_SA].\r\n{\r\n  \"bindings\": [\r\n    {\r\n      \"members\": [\r\n        \"user:my-user@example.com\"\r\n      ],\r\n      \"role\": \"roles/iam.serviceAccountTokenCreator\"\r\n    }\r\n  ],\r\n  \"etag\": \"BwX1ZbefjXU=\",\r\n  \"version\": 1\r\n}\r\nREST\r\n1. Read the allow policy for PRIV_SA:\r\nThe serviceAccounts.getIamPolicy method gets a service account's allow policy.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.\r\nPRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.\r\nPOLICY_VERSION: The policy version to be returned. 
Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.\r\nHTTP method and URL:\r\nPOST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\r\nRequest JSON body:\r\n{\r\n  \"options\": {\r\n    \"requestedPolicyVersion\": POLICY_VERSION\r\n  }\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json, and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json, and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:getIamPolicy\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. 
Paste the request body in this tool, complete any other required fields, and click Execute.\r\nYou should receive a JSON response similar to the following:\r\n{\r\n  \"version\": 1,\r\n  \"etag\": \"BwWKmjvelug=\",\r\n  \"bindings\": [\r\n    {\r\n      \"role\": \"roles/serviceAccountAdmin\",\r\n      \"members\": [\r\n        \"user:my-user@example.com\"\r\n      ]\r\n    }\r\n  ]\r\n}\r\nIf you have not granted any roles on the service account, the response contains only an etag value. Include that etag value in the next step.\r\n2. Modify the allow policy to grant CALLER_ACCOUNT the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator).\r\nFor example, to modify the sample response from the previous step, add the following:\r\n{\r\n  \"version\": 1,\r\n  \"etag\": \"BwWKmjvelug=\",\r\n  \"bindings\": [\r\n    {\r\n      \"role\": \"roles/serviceAccountAdmin\",\r\n      \"members\": [\r\n        \"user:my-user@example.com\"\r\n      ]\r\n    },\r\n    {\r\n      \"role\": \"roles/iam.serviceAccountTokenCreator\",\r\n      \"members\": [\r\n        \"user:my-user@example.com\"\r\n      ]\r\n    }\r\n  ]\r\n}\r\n3. Write the updated allow policy:\r\nThe serviceAccounts.setIamPolicy method sets an updated allow policy for the service account.\r\nBefore using any of the request data, make the following replacements:\r\nPROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.\r\nPRIV_SA: The email address of the privilege-bearing service account for which the short-lived token is created.\r\nPOLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.\r\nPOLICY: A JSON representation of the policy that you want to set. 
For more information about the\r\nformat of a policy, see the Policy reference.\r\nFor example, to set the allow policy shown in the previous step, replace POLICY with the\r\nfollowing, where CALLER_ACCOUNT is the user account creating the short-lived token:\r\n{\r\n \"version\": 1,\r\n \"etag\": \"BwWKmjvelug=\",\r\n \"bindings\": [\r\n {\r\n \"role\": \"roles/serviceAccountAdmin\",\r\n \"members\": [\r\n \"user:my-user@example.com\"\r\n ]\r\n },\r\n {\r\n \"role\": \"roles/iam.serviceAccountTokenCreator\",\r\nhttps://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials\r\nPage 61 of 65\n\n\"members\": [\r\n \"CALLER_ACCOUNT\"\r\n ]\r\n }\r\n ]\r\n}\r\nHTTP method and URL:\r\nPOST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\r\nRequest JSON body:\r\n{\r\n \"policy\": POLICY\r\n}\r\nTo send your request, expand one of these options:\r\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json , and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json , and execute the following command:\r\nhttps://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials\r\nPage 62 of 65\n\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri \"https://iam.googleapis.com/v1/projects/\r\nPROJECT_ID/serviceAccounts/PRIV_SA:setIamPolicy\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference page. 
The APIs Explorer panel opens on the right\r\nside of the page. You can interact with this tool to send requests. Paste the request body in this tool,\r\ncomplete any other required fields, and click Execute.\r\nThe response contains the updated allow policy.\r\nGenerate the self-signed blob\r\nGenerate a self-signed blob for the service account:\r\nThe Service Account Credentials API's serviceAccounts.signBlob method signs a blob using a service account's\r\nsystem-managed private key.\r\nBefore using any of the request data, make the following replacements:\r\nPRIV_SA : The email address of the privilege-bearing service account for which the short-lived token is\r\ncreated.\r\nBLOB_PAYLOAD : A base64-encoded string of bytes. For example,\r\nVGhlIHF1aWNrIGJyb3duIGZveCBqdW1wZWQgb3ZlciB0aGUgbGF6eSBkb2cu .\r\nHTTP method and URL:\r\nPOST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:signBlob\r\nRequest JSON body:\r\n{\r\n \"payload\": \"BLOB_PAYLOAD\"\r\n}\r\nTo send your request, expand one of these options:\r\nhttps://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials\r\nPage 63 of 65\n\ncurl (Linux, macOS, or Cloud Shell)\r\nSave the request body in a file named request.json , and execute the following command:\r\ncurl -X POST \\\r\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\r\n -H \"Content-Type: application/json; charset=utf-8\" \\\r\n -d @request.json \\\r\n \"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/PRIV_SA:signBlob\"\r\nPowerShell (Windows)\r\nSave the request body in a file named request.json , and execute the following command:\r\n$cred = gcloud auth print-access-token\r\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\r\nInvoke-WebRequest `\r\n -Method POST `\r\n -Headers $headers `\r\n -ContentType: \"application/json; charset=utf-8\" `\r\n -InFile request.json `\r\n -Uri 
\"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/\r\nPRIV_SA:signBlob\" | Select-Object -Expand Content\r\nAPIs Explorer (browser)\r\nCopy the request body and open the method reference page. The APIs Explorer panel opens on the right side of\r\nthe page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other\r\nrequired fields, and click Execute.\r\nIf the signBlob request was successful, the response body contains a signed blob and the signing key ID that\r\nwas used to sign the blob. You can use the signedBlob value as a bearer token to directly authenticate a request\r\non behalf of the service account. The token is valid until the service account's system-managed private key\r\nexpires. This key's ID is the value of the keyId field in the response.\r\n{\r\n \"keyId\": \"42ba1e...fc0a\",\r\n \"signedBlob\": \"eyJ0eXAi...NiJ9\"\r\n}\r\nExcept as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0\r\nLicense, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site\r\nhttps://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials\r\nPage 64 of 65\n\nPolicies. Java is a registered trademark of Oracle and/or its affiliates.\r\nLast updated 2026-04-02 UTC.\r\nSource: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials\r\nhttps://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials\r\nPage 65 of 65",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials"
	],
	"report_names": [
		"creating-short-lived-service-account-credentials"
	],
	"threat_actors": [],
	"ts_created_at": 1775434397,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a0c019186e4afd1fde650c293b1726d301c54f7.pdf",
		"text": "https://archive.orkl.eu/6a0c019186e4afd1fde650c293b1726d301c54f7.txt",
		"img": "https://archive.orkl.eu/6a0c019186e4afd1fde650c293b1726d301c54f7.jpg"
	}
}