Stay organized with collections Save and categorize content based on your preferences.
This page shows you how to use the Google Cloud signBlob method to create a signature from a string-to-sign or policy document. Signatures are used as credentials in certains requests, such as signed URLs. This guide uses RSA keys for creating signatures.
signBlob method are rotated regularly. If you set an expiration time for a signature that is greater than 12 hours and generate the signature using the signBlob method, the signature is usable for at least 12 hours, but might stop working prior to the expiration time due to key rotation. Signatures generated using the signBlob method are best used for short-lived access to resources. Before you begin
Enable the Service Account Credentials API.
You must have the iam.serviceAccounts.signBlob permission for the service account that you use in this guide. The iam.serviceAccounts.signBlob permission is included in the roles/iam.serviceAccountTokenCreator role.
The service account that you use in this guide must have permission to perform the request encoded within the signature. For example, if the signature will be used to read object data from a bucket, the service account must have permission to read the object data.
Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
Create a JSON file that contains the following information:
{
"payload": "REQUEST_INFORMATION"
}
Where:
REQUEST_INFORMATION is a string-to-sign or a policy document. For both, content must be base64-encoded.Use cURL to call the IAM API with a signBlob request:
curl -X POST --data-binary @JSON_FILE_NAME \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json" \ "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT_EMAIL:signBlob"
Where:
JSON_FILE_NAME is the name of the file you created in Step 2.
SERVICE_ACCOUNT_EMAIL is the email address of the service account you want to use to create the signature. For example, service-7550275089395@my-pet-project.iam.gserviceaccount.com.
If successful, a message digest is returned in the signedBlob field in the response, which is base64 encoded.
To complete the signature, ensure the message digest is base64 decoded, and then hex-encode the message digest.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-07 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[],[]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4