Granting Service Account Token Creator Role

What will you learn?

In this comprehensive tutorial, you will master the process of assigning the iam.serviceAccounts.getAccessToken permission to a service account in Python. You’ll understand the significance of generating access tokens for seamless authentication and interaction with Google Cloud services programmatically.

Introduction to Problem and Solution

When dealing with Google Cloud Platform (GCP), certain operations necessitate authenticated access, which is facilitated through access tokens. These tokens serve as credentials for verifying identity and permissions when a service account performs operations. However, not all service accounts have the default capability to generate these crucial tokens. To address this limitation, we must grant the “Service Account Token Creator” role (roles/iam.serviceAccountTokenCreator) or specifically provide the iam.serviceAccounts.getAccessToken permission to our target service account.

The solution lies in leveraging GCP’s Identity and Access Management (IAM) tools via the console, gcloud command-line tool, or programmatically using Python. By updating our service account’s IAM policy, we enable it to generate access tokens efficiently. This guide focuses on implementing this solution through Python by utilizing Google’s Client Libraries.


from google.oauth2 import service_account
import googleapiclient.discovery

def grant_service_account_token_creator_role(service_account_email):
    """Grants 'Service Account Token Creator' role to a specified service account."""

    # Define the required scope for IAM API.
    scopes = [""]

    # Authenticate using your own Google Cloud Service Account Key file.
    credentials = service_account.Credentials.from_service_account_file(
        "YOUR_SERVICE_ACCOUNT_KEY.json", scopes=scopes)

    # Build the IAM Service object.
    iam_service ='iam', 'v1', credentials=credentials)

    # Define resource name of the target project where you want 
    #to grant access ('projects/{project_id}').
    resource_name = "projects/YOUR_PROJECT_ID"

    # Get current IAM Policy for your project.
    policy = iam_service.projects().getIamPolicy(resource=resource_name).execute()

    # Construct role binding for 'Service Account Token Creator' Role.
    new_binding = {
        "role": "roles/iam.serviceAccountTokenCreator",
        "members": [f"serviceAccount:{service_account_email}"]

# Add new bindings if it doesn't exist already.
if new_binding not in policy['bindings']:

# Set updated policy back on the resource(project).

# Copyright PHD


This script executes several pivotal actions: – Authenticates against Google Cloud API using credentials from a key file linked to your GCP Service Account with adequate permissions like Project Owner or Editor. – Creates an IAM Service client object to interact programmatically with GCP’s IAM system. – Retrieves the current IAM Policy of your GCP project requiring modifications. – Generates a new IAM Policy Binding, assigning the roles/iam.serviceAccountTokenCreator role to our chosen service account. This step empowers the specific service account to create necessary access tokens effectively. – If this binding is absent in our project’s policy document, it gets appended before updating the modified policy onto our project, thereby enhancing its permission configuration.

This approach encompasses granting targeted permission (iam.serviceAccounts.getAccessToken) indirectly by assigning an overarching role capable of various actions including token generation.

  1. How do I find my GCP Project ID?

  2. Your Project ID is displayed on your Google Cloud Console dashboard alongside other project details.

  3. Where do I obtain a Service Account Key file?

  4. Create one in the �IAM & Admin� section under �Service Accounts� within your Google Cloud Console. After creating a new key, download its JSON file.

  5. What permissions does my own Service Account require?

  6. To modify roles or permissions of other accounts, it needs roles such as Project Owner or Editor at minimum.

  7. Can I revert these changes?

  8. Yes! You can reverse specific bindings from your project�s IAM Policy programmatically or through console/gcloud CLI methods.

  9. Does applying these settings impact running services immediately?

  10. There is no immediate effect on running services; however, future interactions requiring authentication may be influenced based on granted or revoked permissions.

  11. Is there any cost associated with making these API calls?

  12. Standard charges for Google Cloud Services apply beyond free tier limits when utilizing APIs.

  13. Can I define custom roles instead of predefined ones like roles/iam.serviceAccountTokenCreator?

  14. Absolutely! Custom roles can be created and utilized if they encompass requisite permissions.

  15. How long does a token generated by these enabled accounts last?

  16. Access Tokens typically expire after 1 hour but are refreshable based on configuration.

  17. Are there restrictions on how often I can modify my projects� policies?

  18. While no strict limit exists for modifications themselves; practical constraints regarding usage quotas and rate limiting may apply.

  19. What happens if an incorrect email format is provided during member addition in binding creation?

  20. The operation will fail due to an invalid member specification error; ensure accurate formatting especially prefix �serviceAccount:�


By following this detailed walkthrough, you’ve acquired insights into enhancing a specific GCP service account’s capabilities enabling operational independence such as generating authentication tokens seamlessly when securely interacting with other cloud resources. Always review existing policies before updates to minimize disruptions and uphold security compliance within projects.

Leave a Comment