创建和删除服务账号密钥

本页面介绍了如何使用Google Cloud 控制台、Google Cloud CLI、Identity and Access Management API 或某个 Google Cloud 客户端库来创建和删除服务账号密钥。

准备工作

• Enable the IAM API.

  Roles required to enable APIs

  To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

  Enable the API

• 设置身份验证。

  Select the tab for how you plan to use the samples on this page:

  Console

  When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

  gcloud

  In the Google Cloud console, activate Cloud Shell.

  Activate Cloud Shell

  At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  C#

  如需在本地开发环境中使用本页面上的 .NET 示例，请安装并初始化 gcloud CLI，然后使用您的用户凭证设置应用默认凭证。

  安装 Google Cloud CLI。

  如果您使用的是外部身份提供方 (IdP)，则必须先使用联合身份登录 gcloud CLI。

  If you're using a local shell, then create local authentication credentials for your user account:

  gcloud auth application-default login

  You don't need to do this if you're using Cloud Shell.

  If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

  Google Cloud

  C++

  如需在本地开发环境中使用本页面上的 C++ 示例，请安装并初始化 gcloud CLI，然后使用您的用户凭证设置应用默认凭证。

  安装 Google Cloud CLI。

  如果您使用的是外部身份提供方 (IdP)，则必须先使用联合身份登录 gcloud CLI。

  If you're using a local shell, then create local authentication credentials for your user account:

  gcloud auth application-default login

  You don't need to do this if you're using Cloud Shell.

  If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

  如需了解详情，请参阅 Google Cloud 身份验证文档中的为本地开发环境设置 ADC。

  Go

  如需在本地开发环境中使用本页面上的 Go 示例，请安装并初始化 gcloud CLI，然后使用您的用户凭证设置应用默认凭证。

  安装 Google Cloud CLI。

  如果您使用的是外部身份提供方 (IdP)，则必须先使用联合身份登录 gcloud CLI。

  If you're using a local shell, then create local authentication credentials for your user account:

  gcloud auth application-default login

  You don't need to do this if you're using Cloud Shell.

  If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

  Google Cloud

  Java

  如需在本地开发环境中使用本页面上的 Java 示例，请安装并初始化 gcloud CLI，然后使用您的用户凭证设置应用默认凭证。

  安装 Google Cloud CLI。

  如果您使用的是外部身份提供方 (IdP)，则必须先使用联合身份登录 gcloud CLI。

  If you're using a local shell, then create local authentication credentials for your user account:

  gcloud auth application-default login

  You don't need to do this if you're using Cloud Shell.

  If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

  Google Cloud

  Python

  如需在本地开发环境中使用本页面上的 Python 示例，请安装并初始化 gcloud CLI，然后使用您的用户凭证设置应用默认凭证。

  安装 Google Cloud CLI。

  如果您使用的是外部身份提供方 (IdP)，则必须先使用联合身份登录 gcloud CLI。

  If you're using a local shell, then create local authentication credentials for your user account:

  gcloud auth application-default login

  You don't need to do this if you're using Cloud Shell.

  If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

  Google Cloud

  REST

  如需在本地开发环境中使用本页面上的 REST API 示例，请使用您提供给 gcloud CLI 的凭证。

  安装 Google Cloud CLI。

  如果您使用的是外部身份提供方 (IdP)，则必须先使用联合身份登录 gcloud CLI。

  如需了解详情，请参阅 Google Cloud 身份验证文档中的使用 REST 时进行身份验证。

  了解服务账号凭证。

所需的角色

如需获得创建和删除服务账号密钥所需的权限，请让您的管理员为您授予项目或者您要管理其密钥的服务账号的 Service Account Key Admin (roles/iam.serviceAccountKeyAdmin) IAM 角色。 如需详细了解如何授予角色，请参阅管理对项目、文件夹和组织的访问权限。

您也可以通过自定义角色或其他预定义角色来获取所需的权限。

如需了解详情，请参阅服务账号角色。

根据您的组织政策配置，您可能还需要允许在项目中创建服务账号密钥，然后才能创建密钥。

如需获得允许在项目中创建服务账号密钥所需的权限，请让您的管理员为您授予组织的以下 IAM 角色：

• Organization Policy Administrator (roles/orgpolicy.policyAdmin)
• Organization Viewer (roles/resourcemanager.organizationViewer)
• Tag Administrator (roles/resourcemanager.tagAdmin)

如需详细了解如何授予角色，请参阅管理对项目、文件夹和组织的访问权限。

这些预定义角色可提供允许在项目中创建服务账号密钥所需的权限。如需查看所需的确切权限，请展开所需权限部分：

您也可以使用自定义角色或其他预定义角色来获取这些权限。

允许创建服务账号密钥

在创建服务账号密钥之前，请确保系统未对您的项目强制执行 iam.disableServiceAccountKeyCreation 组织政策限制条件。如果系统对您的项目强制执行了此限制条件，您将无法在该项目中创建服务账号密钥。

我们建议对大多数项目强制执行此限制条件，仅豁免真正需要服务账号密钥的项目。如需详细了解其他身份验证方法，请参阅为您的应用场景选择合适的身份验证方法。

如需在 iam.disableServiceAccountKeyCreation 组织政策限制条件中豁免某个项目，请让组织政策管理员执行以下操作：

1. 在组织级层，创建标记键和标记值，您将使用该标记值来定义资源是否应豁免该组织政策。我们建议使用键 disableServiceAccountKeyCreation 和值 enforced 和 not_enforced 创建标记。

   如需了解如何创建标记键和标记值，请参阅创建和定义新标记。

2. 将 disableServiceAccountKeyCreation 标记附加到组织，并将其值设置为 enforced。组织中的所有资源都会继承此标记值，除非该标记值被其他标记值覆盖。

   如需了解如何将标记附加到资源，请参阅将标记附加到资源。

3. 对于要从组织政策中豁免的每个项目或文件夹，请附加 disableServiceAccountKeyCreation 标记并将其值设置为 not_enforced。以这种方式设置项目或文件夹的标记值会替换从组织继承的标记值。

4. 创建或更新防止创建服务账号密钥的组织政策，使该政策不对豁免资源强制执行限制条件。此政策应具有以下规则：

   • 配置 iam.disableServiceAccountKeyCreation 限制条件，使其不对具有 disableServiceAccountKeyCreation: not_enforced 标记的资源强制执行。此规则中的条件应如下所示：

     "resource.matchTag('ORGANIZATION_ID/disableServiceAccountKeyCreation', 'not_enforced')"
     

   • 配置对所有其他资源强制执行的 iam.disableServiceAccountKeyCreation 限制条件。

创建服务账号密钥

如要在 Google Cloud之外（例如在其他平台上或在本地）使用服务账号，您必须首先确定服务账号的身份。为确保安全地实现此目标，您可以使用公钥/私钥对。 创建服务账号密钥时，公共部分存储在Google Cloud上，而不公开部分仅供您使用。如需详细了解公钥/私钥对，请参阅服务账号密钥。

您可以使用 Google Cloud 控制台、gcloud CLI、serviceAccounts.keys.create() 方法或某个客户端库创建服务账号密钥。 一个服务账号最多可以有 10 个密钥。

默认情况下，服务账号密钥永不过期。您可以使用组织政策限制条件指定服务账号密钥的有效时长。如需了解详情，请参阅用户管理的密钥的过期时间。

在下面的示例中，SA_NAME 是您的服务账号的名称，而 PROJECT_ID 是您的Google Cloud 项目的 ID。您可以从 Google Cloud 控制台中的服务账号页面检索 SA_NAME@PROJECT_ID.iam.gserviceaccount.com 字符串。

{
  "type": "service_account",
  "project_id": "PROJECT_ID",
  "private_key_id": "KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "SERVICE_ACCOUNT_EMAIL",
  "client_id": "CLIENT_ID",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}

gcloud iam service-accounts keys create KEY_FILE \
    --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com

created key [e44da1202f82f8f4bdd9d92bc412d1d8a837fa83] of type [json] as
[/usr/home/username/KEY_FILE] for
[SA_NAME@PROJECT_ID.iam.gserviceaccount.com]

{
  "type": "service_account",
  "project_id": "PROJECT_ID",
  "private_key_id": "KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "SERVICE_ACCOUNT_EMAIL",
  "client_id": "CLIENT_ID",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}

namespace iam = ::google::cloud::iam_admin_v1;
return [](std::string const& name) {
  iam::IAMClient client(iam::MakeIAMConnection());
  auto response = client.CreateServiceAccountKey(
      name,
      google::iam::admin::v1::ServiceAccountPrivateKeyType::
          TYPE_GOOGLE_CREDENTIALS_FILE,
      google::iam::admin::v1::ServiceAccountKeyAlgorithm::KEY_ALG_RSA_2048);
  if (!response) throw std::move(response).status();
  std::cout << "ServiceAccountKey successfully created: "
            << response->DebugString() << "\n"
            << "Please save the key in a secure location, as they cannot "
               "be downloaded later\n";
  return response->name();
}

using System;
using System.Text;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Iam.v1;
using Google.Apis.Iam.v1.Data;

public partial class ServiceAccountKeys
{
    public static ServiceAccountKey CreateKey(string serviceAccountEmail)
    {
        var credential = GoogleCredential.GetApplicationDefault()
            .CreateScoped(IamService.Scope.CloudPlatform);
        var service = new IamService(new IamService.Initializer
        {
            HttpClientInitializer = credential
        });

        var key = service.Projects.ServiceAccounts.Keys.Create(
            new CreateServiceAccountKeyRequest(),
            "projects/-/serviceAccounts/" + serviceAccountEmail)
            .Execute();

        // The PrivateKeyData field contains the base64-encoded service account key
        // in JSON format.
        // TODO(Developer): Save the below key (jsonKeyFile) to a secure location.
        //  You cannot download it later.
        byte[] valueBytes = System.Convert.FromBase64String(key.PrivateKeyData);
        string jsonKeyContent = Encoding.UTF8.GetString(valueBytes);

        Console.WriteLine("Key created successfully");
        return key;
    }
}

import (
	"context"
	// "encoding/base64"
	"fmt"
	"io"

	iam "google.golang.org/api/iam/v1"
)

// createKey creates a service account key.
func createKey(w io.Writer, serviceAccountEmail string) (*iam.ServiceAccountKey, error) {
	ctx := context.Background()
	service, err := iam.NewService(ctx)
	if err != nil {
		return nil, fmt.Errorf("iam.NewService: %w", err)
	}

	resource := "projects/-/serviceAccounts/" + serviceAccountEmail
	request := &iam.CreateServiceAccountKeyRequest{}
	key, err := service.Projects.ServiceAccounts.Keys.Create(resource, request).Do()
	if err != nil {
		return nil, fmt.Errorf("Projects.ServiceAccounts.Keys.Create: %w", err)
	}
	// The PrivateKeyData field contains the base64-encoded service account key
	// in JSON format.
	// TODO(Developer): Save the below key (jsonKeyFile) to a secure location.
	// You cannot download it later.
	// jsonKeyFile, _ := base64.StdEncoding.DecodeString(key.PrivateKeyData)
	fmt.Fprintf(w, "Key created successfully")
	return key, nil
}

import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.gson.Gson;
import com.google.iam.admin.v1.CreateServiceAccountKeyRequest;
import com.google.iam.admin.v1.ServiceAccountKey;
import java.io.IOException;

public class CreateServiceAccountKey {

  public static void main(String[] args) throws IOException {
    // TODO(Developer): Replace the below variables before running.
    String projectId = "your-project-id";
    String serviceAccountName = "your-service-account-name";

    ServiceAccountKey key = createKey(projectId, serviceAccountName);
    Gson gson = new Gson();

    // System.out.println("Service account key: " + gson.toJson(key));
  }

  // Creates a key for a service account.
  public static ServiceAccountKey createKey(String projectId, String accountName)
          throws IOException {
    String email = String.format("%s@%s.iam.gserviceaccount.com", accountName, projectId);

    // Initialize client that will be used to send requests.
    // This client only needs to be created once, and can be reused for multiple requests.
    try (IAMClient iamClient = IAMClient.create()) {
      CreateServiceAccountKeyRequest req = CreateServiceAccountKeyRequest.newBuilder()
              .setName(String.format("projects/%s/serviceAccounts/%s", projectId, email))
              .build();
      ServiceAccountKey createdKey = iamClient.createServiceAccountKey(req);
      System.out.println("Key created successfully");

      return createdKey;
    }
  }
}

from google.cloud import iam_admin_v1
from google.cloud.iam_admin_v1 import types


def create_key(project_id: str, account: str) -> types.ServiceAccountKey:
    """
    Creates a key for a service account.

    project_id: ID or number of the Google Cloud project you want to use.
    account: ID or email which is unique identifier of the service account.
    """

    iam_admin_client = iam_admin_v1.IAMClient()
    request = types.CreateServiceAccountKeyRequest()
    request.name = f"projects/{project_id}/serviceAccounts/{account}"

    key = iam_admin_client.create_service_account_key(request=request)

    # The private_key_data field contains the stringified service account key
    # in JSON format. You cannot download it again later.
    # If you want to get the value, you can do it in a following way:
    # import json
    # json_key_data = json.loads(key.private_key_data)
    # key_id = json_key_data["private_key_id"]

    return key

POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys

{
  "keyAlgorithm": "KEY_ALGORITHM"
}

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys" | Select-Object -Expand Content

{
  "name": "projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL/keys/KEY_ID",
  "privateKeyType": "TYPE_GOOGLE_CREDENTIALS_FILE",
  "privateKeyData": "ENCODED_PRIVATE_KEY",
  "validAfterTime": "DATE",
  "validBeforeTime": "DATE",
  "keyAlgorithm": "KEY_ALG_RSA_2048"
}

echo 'ENCODED_PRIVATE_KEY' | base64 --decode > PATH

echo 'ENCODED_PRIVATE_KEY' | base64 --decode > PATH

删除服务账号密钥

删除服务账号密钥会永久阻止您使用该密钥向 Google API 进行身份验证。

您不能恢复删除的密钥。在删除密钥之前，我们建议您先停用密钥，然后等到您确定不再需要该密钥时，即可将其删除。

最佳做法是定期变换您的服务账号密钥。如需详细了解如何变换服务账号密钥，请参阅服务账号密钥变换。

gcloud iam service-accounts keys delete KEY_ID \
    --iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount.com

Deleted key [KEY_ID] for service account
[SA_NAME@PROJECT_ID.iam.gserviceaccount.com]

namespace iam = ::google::cloud::iam_admin_v1;
[](std::string const& name) {
  iam::IAMClient client(iam::MakeIAMConnection());
  auto response = client.DeleteServiceAccountKey(name);
  if (!response.ok()) throw std::runtime_error(response.message());
  std::cout << "ServiceAccountKey successfully deleted.\n";
}

using System;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Iam.v1;
using Google.Apis.Iam.v1.Data;

public partial class ServiceAccountKeys
{
    public static void DeleteKey(string fullKeyName)
    {
        var credential = GoogleCredential.GetApplicationDefault()
            .CreateScoped(IamService.Scope.CloudPlatform);
        var service = new IamService(new IamService.Initializer
        {
            HttpClientInitializer = credential
        });

        service.Projects.ServiceAccounts.Keys.Delete(fullKeyName).Execute();
        Console.WriteLine("Deleted key: " + fullKeyName);
    }
}

import (
	"context"
	"fmt"
	"io"

	iam "google.golang.org/api/iam/v1"
)

// deleteKey deletes a service account key.
func deleteKey(w io.Writer, fullKeyName string) error {
	ctx := context.Background()
	service, err := iam.NewService(ctx)
	if err != nil {
		return fmt.Errorf("iam.NewService: %w", err)
	}

	_, err = service.Projects.ServiceAccounts.Keys.Delete(fullKeyName).Do()
	if err != nil {
		return fmt.Errorf("Projects.ServiceAccounts.Keys.Delete: %w", err)
	}
	fmt.Fprintf(w, "Deleted key: %v", fullKeyName)
	return nil
}

import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.admin.v1.DeleteServiceAccountKeyRequest;
import com.google.iam.admin.v1.KeyName;
import java.io.IOException;

public class DeleteServiceAccountKey {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace the variables before running the sample.
    String projectId = "your-project-id";
    String serviceAccountName = "my-service-account-name";
    String serviceAccountKeyId = "service-account-key-id";

    deleteKey(projectId, serviceAccountName, serviceAccountKeyId);
  }

  // Deletes a service account key.
  public static void deleteKey(String projectId, String accountName,
                               String serviceAccountKeyId) throws IOException {
    //Initialize client that will be used to send requests.
    //This client only needs to be created once, and can be reused for multiple requests.
    try (IAMClient iamClient = IAMClient.create()) {

      //Construct the service account email.
      //You can modify the ".iam.gserviceaccount.com" to match the service account name in which
      //you want to delete the key.
      //See, https://cloud.google.com/iam/docs/creating-managing-service-account-keys#deleting

      String accountEmail = String.format("%s@%s.iam.gserviceaccount.com", accountName, projectId);

      String name = KeyName.of(projectId, accountEmail, serviceAccountKeyId).toString();

      DeleteServiceAccountKeyRequest request = DeleteServiceAccountKeyRequest.newBuilder()
              .setName(name)
              .build();

      // Then you can delete the key
      iamClient.deleteServiceAccountKey(request);

      System.out.println("Deleted key: " + serviceAccountKeyId);
    }
  }
}

from google.cloud import iam_admin_v1
from google.cloud.iam_admin_v1 import types


def delete_key(project_id: str, account: str, key_id: str) -> None:
    """Deletes a key for a service account.

    project_id: ID or number of the Google Cloud project you want to use.
    account: ID or email which is unique identifier of the service account.
    key_id: unique ID of the key.
    """

    iam_admin_client = iam_admin_v1.IAMClient()
    request = types.DeleteServiceAccountKeyRequest()
    request.name = f"projects/{project_id}/serviceAccounts/{account}/keys/{key_id}"

    iam_admin_client.delete_service_account_key(request=request)
    print(f"Deleted key: {key_id}")

DELETE https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID

curl -X DELETE \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method DELETE `
    -Headers $headers `
    -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com/keys/KEY_ID" | Select-Object -Expand Content

{
}

后续步骤

• 了解如何列出和获取服务账号密钥。
• 了解如何上传您自己的公共服务账号密钥。
• 了解管理服务账号密钥的最佳实践。
• 了解使用服务账号密钥进行身份验证的替代方案。