IAM Signblob and Service Accounts

A Google Cloud Service Account contains an RSA key pair. When Google Cloud creates a service account an RSA key pair managed by Google Cloud is created. When you create a service account key, another RSA key pair is created. You can see the RSA public key in a web browser.

Let’s create a service account with no permissions and no keys.

The name format for a service account is:

Now, display the details of the new service account. Assuming the NAME is signblob-1 and the Project ID is development-123456:

This generates output similar to:

Let’s view the RSA public key for the Google Cloud managed RSA key pair in a web browser. The URL is built from a base URL plus the service account email address.

The base URL is:

The service account email address.

Open the combined URL in a web browser.

The browser will display the Google Cloud managed service account key ID and the RSA public key:

Remember, we have not yet created or downloaded a service account key.

Additional formats are RAW and JWK:

Let’s now use the service account to sign some data. Create a file named data.in. Enter the following text in the file:

My text editor appends \r\n at the end of the line.

Sign the data:

Which outputs:

Notice the value for using key

That is the same key ID as the Google Cloud managed service account key ID.

The signature is written to data.out as binary data.

Base-64 encode the contents of data.out:

Which outputs:

The signature can be verified with openssl provided we have the RSA public key:

The public key is extracted from the certificate URL above. Let’s write some code to fetch the RSA public certificate.

Key points in the following code:

  • Line 1 specifies the service account key ID discussed above. Replace with the value from your service account.
  • Line 2 specifies the service account email address discussed above. Replace with the value from your service account.
  • Lines 10-14 build the URL where Google stores the service account RSA public certificates.
  • Lines 39 compares the $key_id with the $key to locate the certificate.

The above code locates the Google Cloud managed service account key and returns the public certificate. Now, let’s extract the RSA public key so that the openssl example can verify the signature. This function writes the RSA public key to public_key.pem.

Verify the signature written to data.out for the file data.in:

The PHP code to perform the same signature validation as openssl:

Combine the above code fragments into a complete program to verify data blob signature created with Google Cloud IAM Signblob:

The next step is to sign a data blob in PHP. This is very easy to do. This method does not use delegates, which I will cover in this article as well.

Review this Google Cloud CLI command:

The equivalent command written in PHP calling the REST API. The difference is the specification of a service account file, /config/service-account.json.

The CLI uses the same REST API. However, this API is now deprecated. [documentation] The replacement API includes parameters for delegates. [documentation] This example uses the deprecated API. After this example, I show how to use the new API.


This version uses the new REST API [documentation]


This example signs data using a service account’s own private key. The service account requires no permissions or roles.  This example uses the ServiceAccountCredentials::signBlob method. [source code link] [documentation]


Important Facts

  • A service account requires no roles/permissions to sign data using its own private key.
  • A user identity or a service account can sign data using another service account.
    • The permission iam.serviceAccounts.signBlob is required.
    • That permission is contained in the role Service Account Token Creator (roles/iam.serviceAccountTokenCreator).
  • For the previous point, the requestor using another service account for signing is called a delegate. The action is called a delegated request. [documentation]
  • A service account has a Google Cloud managed private key that is used by Google Cloud when signing with another service account.
  • Google Cloud publishes the public certificate for each service account private key including the managed private key.


We discussed a number of advanced concepts. Some of these items are not documented but are easily discernable if you understand PKI, certificates, and signing data.

  • How to sign a data blob with the Google Cloud CLI.
  • How to sign a data blob in PHP.
  • How to verify the signature with openssl.
  • How to verify the signature in PHP.
  • Discussed concepts related to service account key IDs, certificates, and where they are stored.

Photography Credits

Heidi Mustonen just started a new photography company in Seattle, WA. Her company in-TENSE Photography has some amazing pictures. I asked her for some images to include with my new articles. Check out her new website.