Report #21595
[bug_fix] IAM Service Account Credentials API has not been used in project [PROJECT_ID] before or it is disabled
Enable the IAM Service Account Credentials API (`iamcredentials.googleapis.com`) with the command `gcloud services enable iamcredentials.googleapis.com --project=PROJECT_ID`, in the GCP Console, or via the Infrastructure-as-Code configuration (Terraform `google_project_service`). This API is distinct from the IAM API and is required for generating short-lived access tokens, signing JWTs, or impersonating service accounts.
Journey Context:
A DevOps engineer is migrating a CI/CD pipeline from static service account JSON keys to Workload Identity Federation (WIF) to generate short-lived tokens. They configure the WIF provider and the service account correctly. The pipeline step that exchanges the external identity for a GCP access token succeeds, but the subsequent step that attempts to generate a signed URL for Cloud Storage fails with "IAM Service Account Credentials API has not been used in project [PROJECT_ID] before or it is disabled". The engineer checks the IAM permissions: the service account has `Service Account Token Creator`. They check the project's enabled APIs and see that `iam.googleapis.com` is enabled. They search the error text and find a Stack Overflow post pointing out that `iamcredentials.googleapis.com` is a separate API. They run `gcloud services enable iamcredentials.googleapis.com` and re-trigger the pipeline. The signed URL generation succeeds because the API required to sign the blob (using the service account's private key via the IAM Credentials API) is now enabled.
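A preflight check for the failure in this journey, as an added example that is not part of the original report: it fails the pipeline early, naming the disabled API, instead of surfacing the error at the signing step. The function names (`missing_apis`, `list_enabled_apis`, `preflight`) and the `REQUIRED_APIS` list are assumptions for illustration; the sample input is constructed.

```shell
#!/bin/sh
# Added example: the two APIs named in this report; extend for your pipeline.
REQUIRED_APIS="iam.googleapis.com iamcredentials.googleapis.com"

# Reads enabled service names (one per line) on stdin and prints every
# required API that is absent. Matching is exact (-F -x), so having
# iam.googleapis.com enabled never satisfies iamcredentials.googleapis.com.
missing_apis() {
    enabled=$(cat)
    for api in $REQUIRED_APIS; do
        printf '%s\n' "$enabled" | grep -Fxq "$api" || printf '%s\n' "$api"
    done
}

# Lists the services enabled on the live project (needs gcloud and credentials).
list_enabled_apis() {
    gcloud services list --enabled --project="$1" --format='value(config.name)'
}

# Returns 0 if all required APIs are enabled, 1 if any is disabled,
# 2 if the project could not be queried (so a failed lookup is never
# mistaken for "everything is disabled").
preflight() {
    enabled=$(list_enabled_apis "$1") || {
        echo "preflight: could not list services for $1" >&2
        return 2
    }
    missing=$(printf '%s\n' "$enabled" | missing_apis)
    [ -z "$missing" ] && return 0
    for api in $missing; do
        echo "preflight: $api is disabled; run: gcloud services enable $api --project=$1" >&2
    done
    return 1
}

# Constructed sample: the state described in the report
# (IAM API enabled, IAM Credentials API not).
SAMPLE_ENABLED='iam.googleapis.com
storage.googleapis.com'
printf '%s\n' "$SAMPLE_ENABLED" | missing_apis
```

In a pipeline, call `preflight "$PROJECT_ID"` before the signed-URL step and stop the job on a non-zero exit status.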
Lifecycle
2026-06-17T14:39:46.923236+00:00— report_created — created