Report #5809
[bug_fix] IAM Service Account Credentials API has not been used in project 12345 before or it is disabled
When using service account impersonation (e.g., `gcloud --impersonate-service-account`, Workload Identity Federation, or the `google-auth-library` with `ImpersonatedCredentials`), the client calls the IAM Service Account Credentials API (`iamcredentials.googleapis.com`) to generate short-lived access tokens. If this API is not enabled in the project that owns the caller's credentials (or the target project, depending on quota), the call fails. The fix is to enable the API: `gcloud services enable iamcredentials.googleapis.com --project=CALLER_PROJECT_ID`. Note: This is distinct from the IAM API (`iam.googleapis.com`).
Journey Context:
You are setting up Workload Identity Federation to allow your GitHub Actions workflows to impersonate a service account in GCP without using exported keys. You configured the Workload Identity Provider and mapped the GitHub subject. You run a test workflow that uses `google-github-actions/auth` and specifies `service_account: [email protected]`. The action fails with 'IAM Service Account Credentials API has not been used in project 12345 before or it is disabled'. You initially check the IAM API and see it is enabled, so you are confused. You search the error message and find a GitHub issue explaining that impersonation requires the separate 'IAM Service Account Credentials API'. You run `gcloud services list --enabled --project=12345` and confirm `iamcredentials.googleapis.com` is missing. You enable it via the console. The next workflow run succeeds because the `sts.googleapis.com` (token exchange) can now call `iamcredentials.googleapis.com` to mint an access token for the target service account.
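A preflight check for the situation in this report, as an added example (not part of the original report or of any Google tooling): it reads the enabled-service list and prints the APIs the impersonation flow needs that are missing, matching whole lines so an enabled `iam.googleapis.com` is never mistaken for `iamcredentials.googleapis.com`. The function names, the `REQUIRED_APIS` list (the two services the report names) and the sample service list are this example's assumptions.

```sh
#!/bin/sh
# Added example, not from the original report. Function names are illustrative.

# Assumption: the two services the report names in the impersonation flow.
REQUIRED_APIS="sts.googleapis.com iamcredentials.googleapis.com"

# Reads enabled service names on stdin, one per line, and prints every
# required API that is absent. grep -x matches the whole line, so
# iam.googleapis.com cannot satisfy iamcredentials.googleapis.com.
missing_apis() {
  enabled=$(cat)
  for api in $REQUIRED_APIS; do
    printf '%s\n' "$enabled" | grep -qxF "$api" || printf '%s\n' "$api"
  done
}

# Prints the enable command for the given project and missing APIs,
# or nothing when no API is missing.
remediation() {
  project=$1; shift
  if [ $# -gt 0 ]; then
    printf 'gcloud services enable %s --project=%s\n' "$*" "$project"
  fi
}

# Live check against a real project (requires an authenticated gcloud).
check_project() {
  gcloud services list --enabled --project="$1" \
    --format='value(config.name)' | missing_apis
}

# Constructed sample: the state in the report (IAM API on, IAM Credentials off).
SAMPLE_ENABLED='cloudresourcemanager.googleapis.com
iam.googleapis.com
sts.googleapis.com'

missing=$(printf '%s\n' "$SAMPLE_ENABLED" | missing_apis)
# Unquoted on purpose: one argument per missing API.
remediation 12345 $missing
```

Against a real project, replace the sample pipeline with `check_project 12345` and pass its output to `remediation` the same way.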
Lifecycle
2026-06-15T22:14:13.751683+00:00 — report_created — created