Mint short-lived OAuth access tokens, ID tokens, signed JWTs, or signed blobs in the identity of a Google Cloud service account, without distributing private keys.
Get started with IAM Service Account Credentials API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"mint a short-lived access token for a service account"
# → Jentic returns the matching operation with its parameter schema; the agent executes it.

What an agent can do with the IAM Service Account Credentials API.
Generate a 1-hour OAuth 2.0 access token in the identity of a target service account
Mint an OpenID Connect ID token with a custom audience for service-to-service authentication
Sign a binary blob using the target service account's private key without exposing the key
Sign a JWT payload as the target service account for use with Google or third-party services
List allowed locations for a service account to support residency-aware credential issuance
Use for: Mint a short-lived access token for a service account, Generate an ID token for service-to-service authentication, Sign a JWT as a Google Cloud service account, Sign a binary blob without exposing the service account key
Not supported: Does not create service accounts, manage IAM bindings, or rotate keys — use for minting short-lived credentials for existing service accounts only.
The IAM Service Account Credentials API mints short-lived credentials for Google Cloud service accounts. A caller with iam.serviceAccountTokenCreator on a target service account can request a 1-hour OAuth 2.0 access token, an OpenID Connect ID token, a signed JWT, or a signed binary blob, all issued in the target service account's identity. This is the standard mechanism for service-account impersonation, workload identity federation, and key-less signing on Google Cloud, replacing the practice of distributing long-lived service-account JSON keys.
Patterns agents use the IAM Service Account Credentials API for, with concrete tasks.
★ Key-less Service Account Impersonation
Platform teams remove long-lived service-account JSON keys by giving callers iam.serviceAccountTokenCreator on a target service account and using POST :generateAccessToken to mint a 1-hour OAuth token at call time. The caller uses the token for the immediate Google API call, then discards it. This dramatically reduces the blast radius of credential leaks compared with distributing JSON keys.
Call POST /v1/projects/-/serviceAccounts/etl-runner@my-project.iam.gserviceaccount.com:generateAccessToken with a 1-hour lifetime and the cloud-platform scope, and return the resulting accessToken.
ID Token for Cloud Run-to-Cloud Run Auth
When one Cloud Run service calls another, it mints an OIDC ID token via :generateIdToken with the target service URL as audience and presents it on the outbound request. The receiving service validates the token's audience and issuer. This pattern works identically across Cloud Run, Cloud Functions, and IAP-protected backends.
Call POST /v1/projects/-/serviceAccounts/svc@p.iam.gserviceaccount.com:generateIdToken with audience https://api.example.run.app and includeEmail true, and return the idToken.
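Both patterns above (minting via :generateAccessToken and :generateIdToken, and the receiving service checking the ID token), as an added Python example that is not Jentic's or Google's code: it builds the two request bodies and performs the issuer, audience, expiry and caller-identity checks a receiver applies to the decoded claims. It assumes the token's signature has already been verified against Google's public keys (for example with google-auth's google.oauth2.id_token.verify_token); the sample token is constructed, with a placeholder signature, and reuses the audience and service-account email from the page.

```python
import base64
import json
import time

# Issuer values Google uses in ID tokens minted by :generateIdToken.
GOOGLE_ID_TOKEN_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
MAX_LIFETIME_SECONDS = 3600  # the 1-hour limit described for :generateAccessToken

def access_token_body(scopes, lifetime_seconds=MAX_LIFETIME_SECONDS):
    """Request body for POST /v1/{name}:generateAccessToken; lifetime is a duration string."""
    if not 0 < lifetime_seconds <= MAX_LIFETIME_SECONDS:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    return {"scope": list(scopes), "lifetime": f"{lifetime_seconds}s"}

def id_token_body(audience, include_email=True):
    """Request body for POST /v1/{name}:generateIdToken; audience is what the receiver checks."""
    if not audience:
        raise ValueError("audience is required")
    return {"audience": audience, "includeEmail": include_email}

def decode_jwt_claims(token):
    """Base64url-decode the payload of a compact JWT. The signature is NOT verified here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def check_id_token_claims(claims, expected_audience, allowed_emails, now=None):
    """Receiver-side checks on an already signature-verified ID token; [] means accept."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ID_TOKEN_ISSUERS:
        problems.append("unexpected issuer")
    if claims.get("aud") != expected_audience:
        problems.append("audience mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if not claims.get("email_verified") or claims.get("email") not in allowed_emails:
        problems.append("caller service account not allowed")
    return problems

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample shaped like a generateIdToken result, with a placeholder signature.
SAMPLE_CLAIMS = {"iss": "https://accounts.google.com", "aud": "https://api.example.run.app",
                 "email": "svc@p.iam.gserviceaccount.com", "email_verified": True,
                 "iat": 1_700_000_000, "exp": 1_700_003_600}
SAMPLE_TOKEN = ".".join([_b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
                         _b64url(json.dumps(SAMPLE_CLAIMS).encode()), "signature-placeholder"])
```

The allowed_emails set is the receiver's allow-list of caller service accounts; with includeEmail true the minted token carries the email and email_verified claims this check relies on.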
Signed JWT for Third-Party Services
Integrations that need to authenticate to a third-party service via signed JWT (e.g. AWS STS AssumeRoleWithWebIdentity, third-party APIs that accept Google service-account tokens) use :signJwt to sign a payload with the service account's private key. The API never returns the key, only the signed JWT; the signing key itself is rotated automatically by Google.
Call POST /v1/projects/-/serviceAccounts/federated@p.iam.gserviceaccount.com:signJwt with a payload containing iss, sub, aud, and exp, and return the signedJwt.
AI Agent Just-in-Time Credentials
An AI agent acting on Google Cloud uses Jentic to call :generateAccessToken whenever it needs to access a downstream Google API. The agent never holds a long-lived service-account key; instead, it requests a 1-hour token in the identity of the right service account for the task. Jentic enforces who the agent is allowed to impersonate via vault scoping.
On behalf of agent role data-reader, call :generateAccessToken on bigquery-reader@p.iam.gserviceaccount.com with the bigquery.readonly scope and a 30-minute lifetime, then use that token to call BigQuery.
5 endpoints — the IAM Service Account Credentials API mints short-lived credentials for Google Cloud service accounts.
METHOD  PATH                               DESCRIPTION
POST    /v1/{+name}:generateAccessToken    Mint a short-lived OAuth 2.0 access token in the identity of the service account
POST    /v1/{+name}:generateIdToken        Mint an OpenID Connect ID token with a custom audience
POST    /v1/{+name}:signBlob               Sign a binary blob using the service account's private key
POST    /v1/{+name}:signJwt                Sign a JWT payload as the service account
GET     /v1/{+name}/allowedLocations       List allowed locations for the service account
Three things that make agents converge on Jentic-routed access.
Credential isolation
The calling principal's OAuth credential lives in the Jentic vault. IAM Credentials calls mint short-lived target-service-account tokens at execution, so neither the caller's credentials nor the target service account's private key reach the agent runtime.
Intent-based discovery
Agents search 'mint service account access token' or 'sign jwt as service account' and Jentic returns the matching operation with its full request body schema, so the agent picks the right :generate* method without reading docs.
Time to first call
Direct integration: 0.5-1 day to wire IAM roles, OAuth client, and impersonation logic. Through Jentic: under 30 minutes — search, load, execute the right :generate* call.
Alternatives and complements available in the Jentic catalogue.
Identity and Access Management (IAM) API
IAM grants the iam.serviceAccountTokenCreator role that authorises calls to this API.
Use IAM to grant the role that lets the calling principal impersonate the target service account, then call IAM Credentials to mint the token.
Cloud Identity-Aware Proxy API
IAP-protected services accept the OIDC ID tokens minted by this API as authentication.
Use IAM Credentials :generateIdToken to mint the ID token, then present it on the request to an IAP-protected backend.
Cloud KMS API
Cloud KMS signs blobs using customer-managed keys; IAM Credentials signs as the service account's identity.
Use Cloud KMS when the signing key must be customer-managed; use IAM Credentials :signBlob/:signJwt when the signature should bind to a service-account identity.
Specific to using the IAM Service Account Credentials API through Jentic.
What authentication does the IAM Credentials API use?
Google OAuth 2.0 with the cloud-platform scope. The calling principal must hold iam.serviceAccountTokenCreator on the target service account. Through Jentic the calling credential is stored encrypted and exchanged for a scoped access token at call time.
Can I generate a token without a service-account JSON key?
Yes. POST /v1/{+name}:generateAccessToken returns a 1-hour OAuth token issued in the target service account's identity, given that the caller has iam.serviceAccountTokenCreator. This is the recommended replacement for downloaded JSON keys.
What are the rate limits for the IAM Credentials API?
Google enforces per-project quotas on credential-generation endpoints. generateAccessToken and generateIdToken default to thousands of QPS but vary by region; signJwt and signBlob have separate quotas. Exact values are visible in Cloud Console quotas for the IAM Credentials API.
How do I impersonate a service account for one API call through Jentic?
Search Jentic with 'mint service account access token', load the POST /v1/{+name}:generateAccessToken operation, and execute with name set to projects/-/serviceAccounts/{email} and a body specifying scope and lifetime. Jentic returns an access token the agent can use immediately.
What is the difference between generateAccessToken and generateIdToken?
generateAccessToken returns an OAuth 2.0 access token used as the Authorization bearer to call Google APIs. generateIdToken returns an OIDC ID token used to authenticate to receivers like Cloud Run, Cloud Functions, or IAP, where the audience claim is checked against the target service URL.