This page shows you how to create, disable, and delete Hash-based Message Authentication Code (HMAC) keys associated with service accounts in your project.
Before you begin
Before using this feature in Cloud Storage, you must meet the following requirements:
Have sufficient permission to work with HMAC keys in the selected project:
If you own the project, you most likely have the necessary permissions.
You should have the IAM permissions that are prefixed with storage.hmacKeys for the project. See Using IAM Permissions for instructions on how to get a role, such as Storage HMAC Key Admin, that has these permissions.
Have a service account in your project that you intend to create HMAC keys for. See Creating a service account if you don't currently have one.
Make sure the following organization policy constraints are disabled:
constraints/storage.restrictAuthTypes (must be disabled for HMAC key authentication)
See Creating and managing organization policies for instructions on how to check and disable constraints.
To create an HMAC key for a service account:
Console
Select the Interoperability tab.
Click Create a key for a service account.
Select the service account you want the HMAC key to be associated with.
Click Create key.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
Use the hmac create command:
gcloud storage hmac create SERVICE_ACCOUNT_EMAIL
Where SERVICE_ACCOUNT_EMAIL is the email address associated with your service account. For example, example-service-account@my-pet-project.iam.gserviceaccount.com.
If successful, the response contains an HMAC key resource, including values for the accessId and secret.
Client libraries
C++
For more information, see the Cloud Storage C++ API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
C#
For more information, see the Cloud Storage C# API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Go
For more information, see the Cloud Storage Go API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Java
For more information, see the Cloud Storage Java API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Node.js
For more information, see the Cloud Storage Node.js API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
PHP
For more information, see the Cloud Storage PHP API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Python
For more information, see the Cloud Storage Python API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Ruby
For more information, see the Cloud Storage Ruby API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Terraform
You can use a Terraform resource to create an HMAC key. This sample also includes a resource to create a service account.
REST APIs
JSON API
Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
Use cURL to call the JSON API with a POST hmacKeys request:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://storage.googleapis.com/storage/v1/projects/PROJECT_IDENTIFIER/hmacKeys?serviceAccountEmail=SERVICE_ACCOUNT_EMAIL"
Where:
PROJECT_IDENTIFIER is the ID or number for the project associated with the key you want to create. For example, my-pet-project.
SERVICE_ACCOUNT_EMAIL is the email address associated with your service account. For example, example-service-account@my-pet-project.iam.gserviceaccount.com.
XML API
Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
Use cURL to call the XML API with a POST HMAC Key request:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://storage.googleapis.com/?Action=CreateAccessKey&UserName=SERVICE_ACCOUNT_EMAIL"
Where SERVICE_ACCOUNT_EMAIL is the email address associated with your service account. For example, example-service-account@my-pet-project.iam.gserviceaccount.com.
To list the HMAC keys for a project, and get information about the keys:
Console
Select the Interoperability tab.
Service accounts that have HMAC keys associated with them appear in the Access keys for service accounts subsection of the Service account HMAC section.
Click the name of a specific service account to see the HMAC keys associated with it and the status of those keys.
Command line
Use the hmac list command to list HMAC keys in your project:
gcloud storage hmac list
If successful, the command returns a list of HMAC key access IDs, along with the state of each key and the service account associated with each key.
Use the hmac describe command to retrieve metadata for a specific key:
gcloud storage hmac describe KEY_ACCESS_ID
Where KEY_ACCESS_ID is the access ID for the desired key.
Client libraries
C++
For more information, see the Cloud Storage C++ API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample retrieves a list of HMAC keys associated with a project:
The following sample retrieves information for a specific HMAC key:
C#
For more information, see the Cloud Storage C# API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample retrieves a list of HMAC keys associated with a project:
The following sample retrieves information for a specific HMAC key:
Go
For more information, see the Cloud Storage Go API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample retrieves a list of HMAC keys associated with a project:
The following sample retrieves information for a specific HMAC key:
Java
For more information, see the Cloud Storage Java API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample retrieves a list of HMAC keys associated with a project:
The following sample retrieves information for a specific HMAC key:
Node.js
For more information, see the Cloud Storage Node.js API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample retrieves a list of HMAC keys associated with a project:
The following sample retrieves information for a specific HMAC key:
PHP
For more information, see the Cloud Storage PHP API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample retrieves a list of HMAC keys associated with a project:
The following sample retrieves information for a specific HMAC key:
Python
For more information, see the Cloud Storage Python API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample retrieves a list of HMAC keys associated with a project:
The following sample retrieves information for a specific HMAC key:
Ruby
For more information, see the Cloud Storage Ruby API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample retrieves a list of HMAC keys associated with a project:
The following sample retrieves information for a specific HMAC key:
Update the state of an HMAC key
To switch an HMAC key between being active and inactive:
Console
Select the Interoperability tab.
In the Access keys for service accounts subsection, click the name of the service account associated with the HMAC key whose status you want to update.
Click the status of the key you want to update.
If you are changing the key's state from Inactive to Active, click Deactivate in the window that appears.
If you are changing the key's state from Active to Inactive, no additional steps are required.
Command line
Use the hmac update command:
gcloud storage hmac update ACCESS_KEY_ID STATE
Where:
ACCESS_KEY_ID is the access ID associated with the key you are updating.
STATE is either --activate or --deactivate.
If successful, the command returns the updated metadata of the HMAC key.
Client libraries
C++
For more information, see the Cloud Storage C++ API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample deactivates an HMAC key:
The following sample activates an HMAC key:
C#
For more information, see the Cloud Storage C# API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample deactivates an HMAC key:
The following sample activates an HMAC key:
Go
For more information, see the Cloud Storage Go API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample deactivates an HMAC key:
The following sample activates an HMAC key:
Java
For more information, see the Cloud Storage Java API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample deactivates an HMAC key:
The following sample activates an HMAC key:
Node.js
For more information, see the Cloud Storage Node.js API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample deactivates an HMAC key:
The following sample activates an HMAC key:
PHP
For more information, see the Cloud Storage PHP API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample deactivates an HMAC key:
The following sample activates an HMAC key:
Python
For more information, see the Cloud Storage Python API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample deactivates an HMAC key:
The following sample activates an HMAC key:
Ruby
For more information, see the Cloud Storage Ruby API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample deactivates an HMAC key:
The following sample activates an HMAC key:
When you change the state of an HMAC key, it takes up to 3 minutes for the state change to propagate through the Cloud Storage system. For this reason, you should wait at least 3 minutes between making an HMAC key inactive and deleting the key.
Delete an HMAC key
Caution: HMAC keys cannot be recovered once you delete them. If you want to keep an HMAC key but prevent it from being used, set its state to INACTIVE.
An HMAC key must be in an inactive state in order to delete it. To delete an inactive HMAC key:
Console
Select the Interoperability tab.
In the Access keys for service accounts subsection, click the name of the service account associated with the HMAC key you want to delete.
Click the Trash icon associated with the key you want to delete.
In the dialog that appears, enter the first 10 characters of the access key ID as they are given in the window.
Click Delete.
Command line
Use the hmac delete command:
gcloud storage hmac delete ACCESS_KEY_ID
Where ACCESS_KEY_ID is the access ID associated with the key you are deleting.
If successful, the command does not return a response.
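The deactivate, wait, delete sequence described above can be wrapped in one shell function so the irreversible delete never runs before the state change has propagated. This is an added example, not part of the original page or of Google's samples; the function name retire_hmac_key and the variable HMAC_PROPAGATION_SECONDS are made up for it, and it uses only the gcloud commands shown on this page.

```shell
#!/bin/sh
# Added example: retire an HMAC key in the order this page requires.
# retire_hmac_key and HMAC_PROPAGATION_SECONDS are hypothetical names.

# The page states a state change can take up to 3 minutes to propagate.
: "${HMAC_PROPAGATION_SECONDS:=180}"

# retire_hmac_key ACCESS_KEY_ID
# Return codes:
#   0  key was deactivated and then deleted
#   2  no access ID given
#   3  deactivation failed, so nothing was deleted
#   4  delete failed; the key is left inactive and still cannot be used
retire_hmac_key() {
    key_id=$1
    if [ -z "$key_id" ]; then
        echo "usage: retire_hmac_key ACCESS_KEY_ID" >&2
        return 2
    fi

    # Step 1: make the key inactive. Only inactive keys can be deleted.
    if ! gcloud storage hmac update "$key_id" --deactivate >/dev/null; then
        echo "deactivate failed for $key_id; not deleting" >&2
        return 3
    fi

    # Step 2: wait out the propagation window before the irreversible step.
    # Until the delete runs, the key can still be reactivated if a
    # workload turns out to depend on it.
    echo "waiting ${HMAC_PROPAGATION_SECONDS}s for the state change to propagate" >&2
    sleep "$HMAC_PROPAGATION_SECONDS"

    # Step 3: delete. Deleted HMAC keys cannot be recovered.
    if ! gcloud storage hmac delete "$key_id"; then
        echo "delete failed for $key_id; key remains inactive" >&2
        return 4
    fi
    return 0
}
```

Source the file and call retire_hmac_key with the access ID reported by gcloud storage hmac list.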
Client libraries
C++
For more information, see the Cloud Storage C++ API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
C#
For more information, see the Cloud Storage C# API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Go
For more information, see the Cloud Storage Go API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Java
For more information, see the Cloud Storage Java API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Node.js
For more information, see the Cloud Storage Node.js API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
PHP
For more information, see the Cloud Storage PHP API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Python
For more information, see the Cloud Storage Python API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Ruby
For more information, see the Cloud Storage Ruby API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Last updated 2025-10-02 UTC.