Troubleshooting default service accounts


To access Google Cloud resources, Compute Engine virtual machine (VM) instances use service accounts. If you accidentally delete the Compute Engine default service account, applications that run on your VMs might not be able to make calls to Google Cloud APIs.

This document explains how to recover the Compute Engine default service account after it is deleted.

Recover the Compute Engine default service account

When you delete a service account, Identity and Access Management (IAM) permanently removes the service account after 30 days. If you accidentally delete the Compute Engine default service account, Google Cloud cannot recover the service account after it is permanently removed, and VMs that used it no longer have access to resources in the project. In that case, if you want VMs to have a Compute Engine default service account, create a service account and set it as the default service account.

To get the permissions that you need to perform this task, ask your administrator to grant you the following IAM roles on the project:

For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

To recover a deleted Compute Engine default service account, do the following:

  1. In the Google Cloud console, go to the Logs Explorer page.

    Use the following query to validate when the Compute Engine default service account was deleted:

    resource.type="service_account"
    protoPayload.methodName="google.iam.admin.v1.DeleteServiceAccount"
    "PROJECT_NUMBER-compute@developer.gserviceaccount.com"

    Replace PROJECT_NUMBER with the project number of your project.

    If the default service account was deleted less than 30 days ago:

    Use the undelete command to recover the service account. For more information, see Undelete a service account.

    If the default service account was deleted more than 30 days ago:

    Create a service account or select an existing service account to set as the new Compute Engine default service account.
  2. If you want VMs to use the newly created default service account, follow these steps:

    1. Go to the VM instances page.

    2. Click the VM instance name for which you want to use the service account.

    3. If the instance is not stopped, click Stop. Wait for the instance to be stopped.

    4. Click Edit.

    5. Scroll down to the Service Account section.

    6. From the drop-down list, select the service account to assign to the instance.
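The log check and the 30-day decision described in the procedure, as an added example (not Google's code): it builds the Logs Explorer filter for a given project number and classifies audit-log entries, in the JSON shape that Cloud Logging exports, by whether the deletion is still inside the undelete window. The sample entries, including their resourceName values and timestamps, are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

UNDELETE_WINDOW = timedelta(days=30)  # IAM permanently removes a deleted account after 30 days
DELETE_METHOD = "google.iam.admin.v1.DeleteServiceAccount"

def deletion_filter(project_number):
    """The Logs Explorer query from the procedure, with PROJECT_NUMBER filled in."""
    return ('resource.type="service_account"\n'
            f'protoPayload.methodName="{DELETE_METHOD}"\n'
            f'"{project_number}-compute@developer.gserviceaccount.com"')

def _ts(iso):
    # Cloud Logging timestamps are RFC 3339 in UTC, e.g. 2024-05-01T10:00:00Z
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def deletion_times(entries, project_number):
    """Timestamps of DeleteServiceAccount entries that mention the default account."""
    email = f"{project_number}-compute@developer.gserviceaccount.com"
    times = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if entry.get("resource", {}).get("type") != "service_account":
            continue
        if payload.get("methodName") != DELETE_METHOD:
            continue
        if email not in json.dumps(payload):  # free-text match, as in the console query
            continue
        times.append(_ts(entry["timestamp"]))
    return times

def recovery_action(entries, project_number, now_iso=None):
    """'undelete' if the newest deletion is under 30 days old, 'recreate' if older, 'none' if not found."""
    now = _ts(now_iso) if now_iso else datetime.now(timezone.utc)
    times = deletion_times(entries, project_number)
    if not times:
        return "none"
    return "undelete" if now - max(times) < UNDELETE_WINDOW else "recreate"

# Constructed sample entries in the JSON shape of exported audit logs (not real log data).
SAMPLE_ENTRIES = [
    {"timestamp": "2024-05-01T10:00:00Z", "resource": {"type": "service_account"},
     "protoPayload": {"methodName": DELETE_METHOD,
                      "resourceName": "projects/-/serviceAccounts/123456789012-compute@developer.gserviceaccount.com"}},
    {"timestamp": "2024-05-02T10:00:00Z", "resource": {"type": "service_account"},
     "protoPayload": {"methodName": "google.iam.admin.v1.SetIamPolicy",  # not a deletion, ignored
                      "resourceName": "projects/-/serviceAccounts/123456789012-compute@developer.gserviceaccount.com"}},
]
```

Feed it the output of `gcloud logging read` with the filter from deletion_filter() and a JSON format; an "undelete" result means the Undelete a service account procedure still applies, "recreate" means you must create a new account as described above.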