
When I create a service account key through the console https://cloud.google.com/iam/docs/creating-managing-service-account-keys#iam-service-account-keys-create-console it generates a key that looks like

{
  "type": "service_account",
  "project_id": "...",
  "private_key_id": "...",
  "private_key": "-----BEGIN PRIVATE KEY-----abc1234\n-----END PRIVATE KEY-----\n",
  "client_email": "...",
  "client_id": "...",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "..."
}

but using the Node.js library through the API https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys/create using a set of OAuth2 credentials it generates a key that looks like

{
  "name": "...",
  "keyType": "USER_MANAGED",
  "keyOrigin": "GOOGLE_PROVIDED",
  "keyAlgorithm": "KEY_ALG_RSA_2048",
  "privateKeyData": "...",
  "privateKeyType": "TYPE_GOOGLE_CREDENTIALS_FILE",
  "validAfterTime": "2021-12-09T10:32:14Z",
  "validBeforeTime": "9999-12-31T23:59:59Z"
}

The first one works with GOOGLE_APPLICATION_CREDENTIALS but the latter does not.

Edward Louth

2 Answers


Yes, it's normal. You present the answer of the API call. In that API call, the JSON key file is provided in the attribute privateKeyData. Base64 decode the content, and voilà!

guillaume blaquiere

The response contains a key for your service account. The returned key has the following format, where ENCODED_PRIVATE_KEY is the private portion of the public/private key pair, encoded in base64.

So you just need to decode privateKeyData from base64 into ASCII and you are away.

See https://cloud.google.com/iam/docs/creating-managing-service-account-keys#iam-service-account-keys-create-rest

Edward Louth
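The decoding step both answers describe, as an added Node.js example that is not part of the original posts: it checks `privateKeyType`, base64-decodes `privateKeyData`, confirms the result is a service account key file, and writes it owner-readable only. The function names and the sample response are constructed for illustration; the key material is a placeholder.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Decode privateKeyData and check that it really is a service account key file.
function decodeKeyResponse(response) {
  if (response.privateKeyType !== 'TYPE_GOOGLE_CREDENTIALS_FILE') {
    throw new Error(`unexpected privateKeyType: ${response.privateKeyType}`);
  }
  if (typeof response.privateKeyData !== 'string' || response.privateKeyData === '') {
    throw new Error('privateKeyData missing: it is only returned by the create call');
  }
  const text = Buffer.from(response.privateKeyData, 'base64').toString('utf8');
  const credentials = JSON.parse(text); // throws if the payload is not JSON
  if (credentials.type !== 'service_account') {
    throw new Error('decoded payload is not a service account key file');
  }
  for (const field of ['private_key', 'client_email']) {
    if (!credentials[field]) throw new Error(`decoded key lacks "${field}"`);
  }
  return { text, credentials };
}

// Write the decoded file with mode 0600 and refuse to overwrite an existing file.
function writeCredentialsFile(response, filePath) {
  const { text } = decodeKeyResponse(response);
  fs.writeFileSync(filePath, text, { mode: 0o600, flag: 'wx' });
  return filePath;
}

// Constructed sample response (placeholder values, not a real key).
const sampleKeyFile = {
  type: 'service_account',
  project_id: 'example-project',
  private_key: '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n',
  client_email: 'demo@example-project.iam.gserviceaccount.com',
};
const sampleResponse = {
  keyType: 'USER_MANAGED',
  privateKeyType: 'TYPE_GOOGLE_CREDENTIALS_FILE',
  privateKeyData: Buffer.from(JSON.stringify(sampleKeyFile)).toString('base64'),
};

// Round trip: write to a temp dir, read back, report type and file mode.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'sa-key-'));
  const file = writeCredentialsFile(sampleResponse, path.join(dir, 'key.json'));
  const saved = JSON.parse(fs.readFileSync(file, 'utf8'));
  const mode = fs.statSync(file).mode & 0o777;
  fs.rmSync(dir, { recursive: true });
  return { type: saved.type, email: saved.client_email, mode };
}
```

Point GOOGLE_APPLICATION_CREDENTIALS at the path returned by `writeCredentialsFile`; keep the decoded file out of logs and source control, since it contains the private key.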