IAM Service Account Credentials API . projects . serviceAccounts

Instance Methods

generateAccessToken(name=None, body=None, x__xgafv=None)

Generates an OAuth 2.0 access token for a service account.

generateIdToken(name=None, body=None, x__xgafv=None)

Generates an OpenID Connect ID token for a service account.

signBlob(name=None, body=None, x__xgafv=None)

Signs a blob using a service account's system-managed private key.

signJwt(name=None, body=None, x__xgafv=None)

Signs a JWT using a service account's system-managed private key.

Method Details

generateAccessToken(name=None, body=None, x__xgafv=None) 
Generates an OAuth 2.0 access token for a service account.

Args:
  name: string, Required. The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
  body: object, The request body.
    The object takes the form of:

{
    "lifetime": "A String", # The desired lifetime duration of the access token in seconds.
        # Must be set to a value less than or equal to 3600 (1 hour). If a value is
        # not specified, the token's lifetime will be set to a default value of one
        # hour.
    "delegates": [ # The sequence of service accounts in a delegation chain. Each service
        # account must be granted the `roles/iam.serviceAccountTokenCreator` role
        # on its next service account in the chain. The last service account in the
        # chain must be granted the `roles/iam.serviceAccountTokenCreator` role
        # on the service account that is specified in the `name` field of the
        # request.
        # 
        # The delegates must have the following format:
        # `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
        # character is required; replacing it with a project ID is invalid.
      "A String",
    ],
    "scope": [ # Required. Code to identify the scopes to be included in the OAuth 2.0 access token.
        # See https://developers.google.com/identity/protocols/googlescopes for more
        # information.
        # At least one value required.
      "A String",
    ],
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    {
    "expireTime": "A String", # Token expiration time.
        # The expiration time is always set.
    "accessToken": "A String", # The OAuth 2.0 access token.
  }
generateIdToken(name=None, body=None, x__xgafv=None) 
Generates an OpenID Connect ID token for a service account.

Args:
  name: string, Required. The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
  body: object, The request body.
    The object takes the form of:

{
    "includeEmail": True or False, # Include the service account email in the token. If set to `true`, the
        # token will contain `email` and `email_verified` claims.
    "audience": "A String", # Required. The audience for the token, such as the API or account that this token
        # grants access to.
    "delegates": [ # The sequence of service accounts in a delegation chain. Each service
        # account must be granted the `roles/iam.serviceAccountTokenCreator` role
        # on its next service account in the chain. The last service account in the
        # chain must be granted the `roles/iam.serviceAccountTokenCreator` role
        # on the service account that is specified in the `name` field of the
        # request.
        # 
        # The delegates must have the following format:
        # `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
        # character is required; replacing it with a project ID is invalid.
      "A String",
    ],
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    {
    "token": "A String", # The OpenId Connect ID token.
  }
signBlob(name=None, body=None, x__xgafv=None) 
Signs a blob using a service account's system-managed private key.

Args:
  name: string, Required. The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
  body: object, The request body.
    The object takes the form of:

{
    "payload": "A String", # Required. The bytes to sign.
    "delegates": [ # The sequence of service accounts in a delegation chain. Each service
        # account must be granted the `roles/iam.serviceAccountTokenCreator` role
        # on its next service account in the chain. The last service account in the
        # chain must be granted the `roles/iam.serviceAccountTokenCreator` role
        # on the service account that is specified in the `name` field of the
        # request.
        # 
        # The delegates must have the following format:
        # `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
        # character is required; replacing it with a project ID is invalid.
      "A String",
    ],
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    {
    "signedBlob": "A String", # The signed blob.
    "keyId": "A String", # The ID of the key used to sign the blob.
  }
signJwt(name=None, body=None, x__xgafv=None) 
Signs a JWT using a service account's system-managed private key.

Args:
  name: string, Required. The resource name of the service account for which the credentials
are requested, in the following format:
`projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
character is required; replacing it with a project ID is invalid. (required)
  body: object, The request body.
    The object takes the form of:

{
    "delegates": [ # The sequence of service accounts in a delegation chain. Each service
        # account must be granted the `roles/iam.serviceAccountTokenCreator` role
        # on its next service account in the chain. The last service account in the
        # chain must be granted the `roles/iam.serviceAccountTokenCreator` role
        # on the service account that is specified in the `name` field of the
        # request.
        # 
        # The delegates must have the following format:
        # `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
        # character is required; replacing it with a project ID is invalid.
      "A String",
    ],
    "payload": "A String", # Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    {
    "keyId": "A String", # The ID of the key used to sign the JWT.
    "signedJwt": "A String", # The signed JWT.
  }