This page explains how to create and manage service accounts using the
Identity and Access Management (IAM) API, the Google Cloud console, and the gcloud
command-
line tool.
By default, each project can have up to 100 service accounts that control access to your resources. You can request a quota increase if necessary. Learn more about quotas and limits.
Before you begin
Enable the IAM API.
Understand IAM service accounts
Install the Google Cloud CLI
Required roles
To get the permissions that you need to manage service accounts, ask your administrator to grant you the following IAM roles on the project:
-
To view service accounts and service account metadata:
View Service Accounts (
roles/iam.serviceAccountViewer
) -
To view and create service accounts:
Create Service Accounts (
roles/iam.serviceAccountCreator
) -
To view and delete service accounts:
Delete Service Accounts (
roles/iam.serviceAccountDeleter
) -
To fully manage (view, create, update, disable, enable, delete, undelete, and manage access to) service accounts:
Service Account Admin (
roles/iam.serviceAccountAdmin
)
For more information about granting roles, see Manage access.
To learn more about these roles, see Service Accounts roles.
IAM basic roles also contain permissions to manage service accounts. You should not grant basic roles in a production environment, but you can grant them in a development or test environment.
Creating a service account
When you create a service account, you must provide an alphanumeric ID
(SA_NAME
in the samples below), such as
my-service-account
. The ID must be between 6 and 30 characters, and can
contain lowercase alphanumeric characters and dashes. After you create a service
account, you cannot change its name.
The service account's name appears in the email address that is provisioned
during creation, in the format
SA_NAME@PROJECT_ID.iam.gserviceaccount.com
.
Each service account also has a permanent, unique numeric ID, which is generated automatically.
You also provide the following information when you create a service account:
SA_DESCRIPTION
is an optional description for the service account.SA_DISPLAY_NAME
is a friendly name for the service account.PROJECT_ID
is the ID of your Google Cloud project.
After you create a service account, you might need to wait for 60 seconds or more before you use the service account. This behavior occurs because read operations are eventually consistent; it can take time for the new service account to become visible. If you try to read or use a service account immediately after you create it, and you receive an error, you can retry the request with exponential backoff.
Console
- In the Google Cloud console, go to the Create service account page.
Go to Create service account
The remaining steps will appear automatically in the Google Cloud console. - Select a Cloud project.
- Enter a service account name to display in the Google Cloud console.
The Google Cloud console generates a service account ID based on this name. Edit the ID if necessary. You cannot change the ID later.
- Optional: Enter a description of the service account.
- If you don't want to set access controls now, click Done to finish creating the service account. To set access controls now, click Create and continue and continue to the next step.
- Optional: Choose one or more IAM roles to grant to the service account on the project.
- When you are done adding roles, click Continue.
- Optional: In the Service account users role field, add members that can impersonate the service account.
- Optional: In the Service account admins role field, add members that can manage the service account.
- Click Done to finish creating the service account.
gcloud CLI
To create the service account, run the
gcloud iam service-accounts create
command:gcloud iam service-accounts create SA_NAME \ --description="DESCRIPTION" \ --display-name="DISPLAY_NAME"
Replace the following values:
SA_NAME
: the name of the service accountDESCRIPTION
: an optional description of the service accountDISPLAY_NAME
: a service account name to display in the Google Cloud console
Optional: To grant your service account an IAM role on your project, run the
gcloud projects add-iam-policy-binding
command:gcloud projects add-iam-policy-binding PROJECT_ID \ --member="serviceAccount:SA_NAME@PROJECT_ID.iam.gserviceaccount.com" \ --role="ROLE_NAME"
Replace the following values:
PROJECT_ID
: the project IDSA_NAME
: the name of the service accountROLE_NAME
: a role name, such asroles/compute.osLogin
Optional: To allow users to impersonate the service account, run the
gcloud iam service-accounts add-iam-policy-binding
command to grant a user the Service Account User role (roles/iam.serviceAccountUser
) on the service account:gcloud iam service-accounts add-iam-policy-binding \ SA_NAME@PROJECT_ID.iam.gserviceaccount.com \ --member="user:USER_EMAIL" \ --role="roles/iam.serviceAccountUser"
Replace the following values:
PROJECT_ID
: the project IDSA_NAME
: the name of the service accountUSER_EMAIL
: the email address for the user
REST
The
serviceAccounts.create
method creates a service account.
Before using any of the request data, make the following replacements:
PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.SA_NAME
: The alphanumeric ID of your service account. This name must be between 6 and 30 characters, and can contain lowercase alphanumeric characters and dashes.SA_DESCRIPTION
: Optional. A description for the service account.SA_DISPLAY_NAME
: A human-readable name for the service account.
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts
Request JSON body:
{ "accountId": "SA_NAME", "serviceAccount": { "description": "SA_DESCRIPTION", "displayName": "SA_DISPLAY_NAME" } }
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com", "projectId": "my-project", "uniqueId": "123456789012345678901", "email": "my-service-account@my-project.iam.gserviceaccount.com", "displayName": "My service account", "etag": "BwUp3rVlzes=", "description": "A service account for running jobs in my project", "oauth2ClientId": "987654321098765432109" }
C++
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.
C#
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
After you create a service account, grant one or more roles to the service account so that it can act on your behalf.
Also, if the service account needs to access resources in other projects, you usually must enable the APIs for those resources in the project where you created the service account.
Listing service accounts
You can list the user-managed service accounts in a project to help you audit service accounts and keys, or as part of a custom tool for managing service accounts.
You can't list the service agents or other Google-managed service accounts that might appear in your project's allow policy and audit logs. Google-managed service accounts aren't located in your project, and you can't access them directly.
Console
In the Google Cloud console, go to the Service accounts page.
Select a project.
The Service accounts page lists all of the user-managed service accounts in the project you selected.
gcloud CLI
Execute the gcloud iam service-accounts list
command to list all user-managed service accounts in a project.
Command:
gcloud iam service-accounts list
The output is the list of all user-managed service accounts in the project:
NAME EMAIL SA_DISPLAY_NAME_1 SA_NAME_1@PROJECT_ID.iam.gserviceaccount.com SA_DISPLAY_NAME_2 SA_NAME_2@PROJECT_ID.iam.gserviceaccount.com
REST
The
serviceAccounts.list
method lists every user-managed service account in your project.
Before using any of the request data, make the following replacements:
PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.
HTTP method and URL:
GET https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "accounts": [ { "name": "projects/my-project/serviceAccounts/sa-1@my-project.iam.gserviceaccount.com", "projectId": "my-project", "uniqueId": "123456789012345678901", "email": "sa-1@my-project.iam.gserviceaccount.com", "description": "My first service account", "displayName": "Service account 1", "etag": "BwUpTsLVUkQ=", "oauth2ClientId": "987654321098765432109" }, { "name": "projects/my-project/serviceAccounts/sa-2@my-project.iam.gserviceaccount.com", "projectId": "my-project", "uniqueId": "234567890123456789012", "email": "sa-2@my-project.iam.gserviceaccount.com", "description": "My second service account", "displayName": "Service account 2", "etag": "UkQpTwBVUsL=", "oauth2ClientId": "876543210987654321098" } ] }
C++
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.
C#
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
Updating a service account
The display name (friendly name) and description of a service account are commonly used to capture additional information about the service account, such as the purpose of the service account or a contact person for the account.
Console
In the Google Cloud console, go to the Service accounts page.
Select a project.
Click the email address of the service account that you want to rename.
Enter the new name in the Name box, then click Save.
gcloud CLI
Execute the gcloud iam service-accounts update
command to update a service account.
Command:
gcloud iam service-accounts update \ SA_NAME@PROJECT_ID.iam.gserviceaccount.com \ --description="UPDATED_SA_DESCRIPTION" \ --display-name="UPDATED_DISPLAY_NAME"
The output is the renamed service account:
description: UPDATED_SA_DESCRIPTION displayName: UPDATED_DISPLAY_NAME name: projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com
REST
The
serviceAccounts.patch
method updates a service account.
Before using any of the request data, make the following replacements:
PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.SA_ID
: The ID of your service account. This can either be the service account's email address in the formSA_NAME@PROJECT_ID.iam.gserviceaccount.com
, or the service account's unique numeric ID.SA_NAME
: The alphanumeric ID of your service account. This name must be between 6 and 30 characters, and can contain lowercase alphanumeric characters and dashes.- Replace at least one of the following:
UPDATED_DISPLAY_NAME
: A new display name for your service account.UPDATED_DESCRIPTION
: A new description for your service account.
HTTP method and URL:
PATCH https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID
Request JSON body:
{ "serviceAccount": { "email": "SA_NAME@PROJECT_ID.iam.gserviceaccount.com", "displayName": "UPDATED_DISPLAY_NAME", "description": "UPDATED_DESCRIPTION" }, "updateMask": "displayName,description" }
To send your request, expand one of these options:
You should receive a JSON response similar to the following:
{ "name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com", "displayName": "My updated service account", "description": "An updated description of my service account" }
C++
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.
C#
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
Disabling a service account
Similar to deleting a service account, when you disable a service account, applications will no longer have access to Google Cloud resources through that service account. If you disable the default App Engine and Compute Engine service accounts, the instances will no longer have access to resources in the project. If you attempt to disable an already disabled service account, it will have no effect.
Unlike deleting a service account, disabled service accounts can easily be re-enabled as necessary. We recommend disabling a service account before deleting it to make sure no critical applications are using the service account.
Console
In the Google Cloud console, go to the Service accounts page.
Select a project.
Click the name of the service account that you want to disable.
Under Service account status, click Disable service account, then click Disable to confirm the change.
gcloud CLI
Execute the gcloud iam service-accounts disable
command to disable a service account.
Command:
gcloud iam service-accounts disable SA_NAME@PROJECT_ID.iam.gserviceaccount.com
Output:
Disabled service account SA_NAME@PROJECT_ID.iam.gserviceaccount.com
REST
The
serviceAccounts.disable
method immediately disables a service account.
Before using any of the request data, make the following replacements:
PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.SA_ID
: The ID of your service account. This can either be the service account's email address in the formSA_NAME@PROJECT_ID.iam.gserviceaccount.com
, or the service account's unique numeric ID.
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID:disable
To send your request, expand one of these options:
If successful, the response body will be empty.
C++
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.
C#
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
Enabling a service account
After enabling a disabled service account, applications will regain access to Google Cloud resources through that service account.
You can enable a disabled service account whenever you need to. If you attempt to enable an already enabled service account, it will have no effect.
Console
In the Google Cloud console, go to the Service accounts page.
Select a project.
Click the name of the service account that you want to enable.
Under Service account status, click Enable service account, then click Enable to confirm the change.
gcloud CLI
Execute the gcloud iam service-accounts enable
command to enable a service account.
Command:
gcloud iam service-accounts enable SA_NAME@PROJECT_ID.iam.gserviceaccount.com
Output:
Enabled service account SA_NAME@PROJECT_ID.iam.gserviceaccount.com
REST
The
serviceAccounts.enable
method enables a previously disabled service account.
Before using any of the request data, make the following replacements:
PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.SA_ID
: The ID of your service account. This can either be the service account's email address in the formSA_NAME@PROJECT_ID.iam.gserviceaccount.com
, or the service account's unique numeric ID.
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID:enable
To send your request, expand one of these options:
If successful, the response body will be empty.
C++
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.
C#
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
Deleting a service account
When you delete a service account, applications will no longer have access to Google Cloud resources through that service account. If you delete the default App Engine and Compute Engine service accounts, the instances will no longer have access to resources in the project.
Delete with caution; make sure your critical applications are no longer using a service account before deleting it. If you're not sure whether a service account is being used, we recommend disabling the service account before deleting it. Disabled service accounts can be easily re-enabled if they are still in use.
If you delete a service account, then create a new service account with the same name, the new service account is treated as a separate identity; it does not inherit the roles granted to the deleted service account. In contrast, when you delete a service account, then undelete it, the service account's identity does not change, and the service account retains its roles.
When a service account is deleted, its role bindings are not immediately
removed; they are automatically purged from the system after a maximum of 60
days. Until that time, the service account appears in role bindings with a
deleted:
prefix and a ?uid=NUMERIC_ID
suffix, where
NUMERIC_ID
is a unique numeric ID for the service
account.
Deleted service accounts do not count towards your service account quota.
Console
In the Google Cloud console, go to the Service accounts page.
Select a project.
Select the service account you want to delete, and then click Delete
.
gcloud CLI
Execute the gcloud iam service-accounts delete
command to delete a service account.
Command:
gcloud iam service-accounts delete \ SA_NAME@PROJECT_ID.iam.gserviceaccount.com
Output:
Deleted service account SA_NAME@PROJECT_ID.iam.gserviceaccount.com
REST
The
serviceAccounts.delete
method deletes a service account.
Before using any of the request data, make the following replacements:
PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.SA_ID
: The ID of your service account. This can either be the service account's email address in the formSA_NAME@PROJECT_ID.iam.gserviceaccount.com
, or the service account's unique numeric ID.
HTTP method and URL:
DELETE https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID
To send your request, expand one of these options:
If successful, the response body will be empty.
C++
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.
C#
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
Undeleting a service account
In some cases, you can use the undelete
command to undelete a deleted service
account. You can usually undelete a deleted service account if it meets these
criteria:
The service account was deleted less than 30 days ago.
After 30 days, IAM permanently removes the service account. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.
There is no existing service account with the same name as the deleted service account.
For example, suppose that you accidentally delete the service account
my-service-account@project-id.iam.gserviceaccount.com
. You still need a service account with that name, so you create a new service account with the same name,my-service-account@project-id.iam.gserviceaccount.com
.The new service account does not inherit the permissions of the deleted service account. In effect, it is completely separate from the deleted service account. However, you cannot undelete the original service account, because the new service account has the same name.
To address this issue, delete the new service account, then try to undelete the original service account.
If you are not able to undelete the service account, you can create a new service account with the same name; revoke all of the roles from the deleted service account; and grant the same roles to the new service account. For details, see Policies with deleted principals.
Finding a deleted service account's numeric ID
When you undelete a service account, you must provide its numeric ID. The
numeric ID is a 21-digit number, such as 123456789012345678901
, that uniquely
identifies the service account. For example, if you delete a service account,
then create a new service account with the same name, the original service
account and the new service account will have different numeric IDs.
If you know that a binding in an allow policy includes the deleted service
account, you can get the allow policy, then find the numeric ID
in the allow policy. The numeric ID is appended to the name of the deleted
service account. For example, in this allow policy, the numeric ID for the
deleted service account is 123456789012345678901
:
{ "version": 1, "etag": "BwUjMhCsNvY=", "bindings": [ { "members": [ "deleted:serviceAccount:my-service-account@project-id.iam.gserviceaccount.com?uid=123456789012345678901" ], "role": "roles/iam.serviceAccountUser" }, ] }
Numeric IDs are only appended to the names of deleted principals.
Alternatively, you can search your audit logs for the DeleteServiceAccount
operation that deleted the service account:
In the Google Cloud console, go to the Logs explorer page.
In the query editor, enter the following query, replacing
SERVICE_ACCOUNT_EMAIL
with the email address of your service account (for example,my-service-account@project-id.iam.gserviceaccount.com
):resource.type="service_account" resource.labels.email_id="SERVICE_ACCOUNT_EMAIL" "DeleteServiceAccount"
If the service account was deleted more than an hour ago, click
Last 1 hour, select a longer period of time from the drop-down list, then click Apply.Click Run query. The Logs Explorer displays the
DeleteServiceAccount
operations that affected service accounts with the name you specified.Find and note the numeric ID of the deleted service account by doing one of the following:
If the search results include only one
DeleteServiceAccount
operation, find the numeric ID in the Unique ID field of the Log fields pane.If the search results show more than one log, do the following:
Find the correct log entry. To find the correct log entry, click the
expander arrow next to a log entry. Review the details of the log entry and determine whether the log entry shows the operation that you want to undo. Repeat this process until you find the correct log entry.In the correct log entry, locate the service account's numeric ID. To locate the numeric ID, expand the log entry's
protoPayload
field, then find theresourceName
field.The numeric ID is everything after
serviceAccounts
in theresourceName
field.
Undeleting the service account by numeric ID
After you find the numeric ID for the deleted service account, you can try to undelete the service account.
gcloud CLI
Execute the gcloud beta iam service-accounts undelete
command to undelete a service account.
Command:
gcloud beta iam service-accounts undelete ACCOUNT_ID
Output:
restoredAccount: email: SA_NAME@PROJECT_ID.iam.gserviceaccount.com etag: BwWWE7zpApg= name: projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com oauth2ClientId: '123456789012345678901' projectId: PROJECT_ID uniqueId: 'ACCOUNT_ID'
REST
The
serviceAccounts.undelete
method restores a deleted service account.
Before using any of the request data, make the following replacements:
PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.SA_NUMERIC_ID
: The unique numeric ID of the service account.
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NUMERIC_ID:undelete
To send your request, expand one of these options:
If the account can be undeleted, you receive a 200 OK
response
code with details about the restored service account, like the following:
{ "restoredAccount": { "name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com", "projectId": "my-project", "uniqueId": "123456789012345678901", "email": "my-service-account@my-project.iam.gserviceaccount.com", "displayName": "My service account", "etag": "BwUp3rVlzes=", "description": "A service account for running jobs in my project", "oauth2ClientId": "987654321098765432109" } }
What's next
- Review the process for granting IAM roles to all types of principals, including service accounts.
- Explore how you can use role recommendations to downscope permissions for all principals, including service accounts.
- Understand how to allow principals to impersonate service accounts.
- Learn how to create and manage service account keys.
Try it for yourself
If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
Get started for free