Reputation: 21
I have been struggling with this particular issue in GCP. I am trying to generate service account keys using REST API calls outside of GCP. Below is a screenshot of the service account along with the roles.
As far as I can tell, the Service account "Service account admin key" is the parent to create, list, etc. child permissions.
So when invoking the REST API call to generate a key using this documentation, I get the below error:
{
  "error": {
    "code": 403,
    "message": "Permission iam.serviceAccountKeys.create is required to perform this operation on service account projects/XXXYYYZZZZZZ/serviceAccounts/XXXYYYYZZZZZZ.iam.gserviceaccount.com.",
    "status": "PERMISSION_DENIED"
  }
}
What am I missing?!
Updated: Adding additional screenshots of how I set up authorization and testing of the REST API call.
Upvotes: 1
Views: 874
Reputation: 1279
Following your steps, I was able to replicate it without any errors. As an alternative, you can generate an access token instead as authentication.
gcloud auth application-default print-access-token
USER_MANAGED
See sample screenshots below:
You can also refer to this if you want to generate service account keys; just make sure you update your URL, add a JSON body with keyAlgorithm, and use POST instead of GET. For more info, follow this guide.
Upvotes: 1
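An added example, not part of the original question or answer: it parses the 403 body posted in the question to recover the denied permission and resource, then builds the POST the answer describes (JSON body with keyAlgorithm) and, going one step beyond the answer, a testIamPermissions request that checks whether the calling identity holds that permission on the service account. The helper names and the GCP_ACCESS_TOKEN variable name are assumptions.

```python
import json
import os
import re
import urllib.request

IAM = "https://iam.googleapis.com/v1"
PERMISSION = "iam.serviceAccountKeys.create"

# Constructed sample: the 403 body from the question, placeholders kept as posted.
SAMPLE_403 = json.dumps({"error": {
    "code": 403,
    "message": "Permission iam.serviceAccountKeys.create is required to perform "
               "this operation on service account projects/XXXYYYZZZZZZ/"
               "serviceAccounts/XXXYYYYZZZZZZ.iam.gserviceaccount.com.",
    "status": "PERMISSION_DENIED"}})

def parse_denied(body):
    """Return (permission, resource) from a PERMISSION_DENIED body, else None."""
    err = json.loads(body).get("error", {})
    if err.get("status") != "PERMISSION_DENIED":
        return None
    m = re.search(r"Permission (\S+) is required .* service account (\S+?)\.?$",
                  err.get("message", ""))
    return (m.group(1), m.group(2)) if m else None

def build_request(resource, action, token):
    """Build the POST for keys.create or for the testIamPermissions check."""
    if action == "create_key":
        url, body = f"{IAM}/{resource}/keys", {"keyAlgorithm": "KEY_ALG_RSA_2048"}
    elif action == "test_permission":
        url, body = f"{IAM}/{resource}:testIamPermissions", {"permissions": [PERMISSION]}
    else:
        raise ValueError(f"unknown action: {action}")
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})

if __name__ == "__main__":
    permission, resource = parse_denied(SAMPLE_403)
    print("denied:", permission, "on", resource)
    # GCP_ACCESS_TOKEN is an assumed variable name; fill it from
    # `gcloud auth application-default print-access-token`.
    token = os.environ.get("GCP_ACCESS_TOKEN")
    if token and "XXX" not in resource:  # never send the placeholder resource
        req = build_request(resource, "test_permission", token)
        with urllib.request.urlopen(req) as resp:
            held = json.load(resp).get("permissions", [])
        print("caller holds it:", permission in held)
```

An empty permissions list in the testIamPermissions response means the identity behind the token does not hold the permission on that service account, which separates a role-binding problem from a request-format problem.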