This page explains how to create and manage service accounts using the
Google Cloud Identity and Access Management API, the Google Cloud Platform Console, and the gcloud command-line tool.
When you create a new Cloud project, Google Cloud Platform automatically creates one Compute Engine service account and one App Engine service account under that project. You can create up to 98 additional service accounts to your project to control access to your resources.
Before you begin
- Understand IAM service accounts
- Install the
gcloudcommand-line tool
Creating a service account
Creating a service account is similar to adding a member to your project, but the service account belongs to your applications rather than an individual end user.
gcloud
To create a service account, run the following command:
gcloud iam service-accounts create my-sa-123 --display-name "my service account"
The output of this command is the service account, which will look similar to the following:
Created service account [my-sa-123].
API
The following code snippet creates a new service account named my
service account under the project my-project-123 using the
serviceAccounts.create()
method.
In the API, make a POST request to:
https://iam.googleapis.com/v1/projects/my-project-123/serviceAccounts
The request body should contain the properties to create a new service account; supply an ID and a display name for the new service account. The ID will be used to create the service account email address. You can modify the display name of the service account in the future, but once created, you cannot modify the service account ID.
{
"accountId": "my-sa-123",
"serviceAccount": {
"displayName": "my service account",
}
}
Response:
{
"name": "projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com",
"projectId": "my-project-123",
"uniqueId": "113948692397867021414",
"email": "my-sa-123@my-project-123.iam.gserviceaccount.com",
"displayName": "my service account",
"etag": "BwUp3rVlzes=",
"oauth2ClientId": "117249000288840666939"
}
Console
Open the Service Accounts page in the GCP Console.
Click Select a project.
- Select your project and click Open.
- Click Create Service Account.
- Enter a service account name, select a role you wish to grant to the service account and click Create.
After you create a service account, grant one or more roles to the service account so that it can act on your behalf.
Listing service accounts
When listing service accounts, you can specify parameters to limit the number of
service accounts to include in the response. You can then use
ListServiceAccountsResponse.next_page_token in a subsequent request to list
the remaining service accounts.
Use this method to audit service accounts and keys, or to build custom tools for managing service accounts.
gcloud
To list service accounts, run the following command:
gcloud iam service-accounts list
The output of this command is the list of all service accounts in the project, which will look similar to the following:
NAME EMAIL
my service account 1 my-sa-1@my-project-123.iam.gserviceaccount.com
my service account 2 my-sa-2@my-project-123.iam.gserviceaccount.com
. . .
API
The following code lists all service accounts under my-project-123:
Request:
GET https://iam.googleapis.com/v1/projects/my-project-123/serviceAccounts
Response:
{
"accounts": [
{
"name": "projects/my-project-123/serviceAccounts/sa-1@my-project-123.iam.gserviceaccount.com",
"projectId": "my-project-123",
"uniqueId": "108979773878059201436",
"email": "sa-1@my-project-123.iam.gserviceaccount.com",
"displayName": "service account 1",
"etag": "BwUpTsLVUkQ=",
"oauth2ClientId": "102240834887833340852"
},
{
"name": "projects/my-project-123/serviceAccounts/835469197146-compute@developer.gserviceaccount.com",
"projectId": "my-project-123",
"uniqueId": "117077288574069305058",
"email": "835469197146-compute@developer.gserviceaccount.com",
"displayName": "Compute Engine Default Service Account",
"etag": "BwUomgwvClk=",
"oauth2ClientId": "101236303957024449895"
},
{
"name": "projects/my-project-123/serviceAccounts/sa-2@my-project-123.iam.gserviceaccount.com",
"projectId": "my-project-123",
"uniqueId": "109687856497850065438",
"email": "sa-2@my-project-123.iam.gserviceaccount.com",
"displayName": "service account 2",
"etag": "BwUqKUzcGRM=",
"oauth2ClientId": "105236325228757713905"
},
. . .
]
}
Console
Open the Service Accounts page in the GCP Console.
Click Select a project.
- Select your project and click Open. All service accounts are listed in the Service Accounts page.
Renaming a service account
The display name of a service account is commonly used to capture additional information about the service account, such as the purpose of the service account or a contact person for the account.
gcloud
To rename a service account:
gcloud iam service-accounts update \
my-sa-123@my-project-123.iam.gserviceaccount.com \
--display-name "updated service account"
The output of this command is the renamed service account, which will look similar to the following:
displayName: updated service account
email: my-sa-123@my-project-123.iam.gserviceaccount.com
etag: BwUqQpHDCw8=
name: projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com
oauth2ClientId: '112984177383228986143'
projectId: my-project-123
uniqueId: '112984177383228986143'
API
Modify the display name of an existing service account using the
serviceAccounts.update()
method.
Request:
PUT https://iam.googleapis.com/v1/projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com
The request body must contain the new display name, the project ID, the unique ID of the service account, and the service account email.
{
"displayName":"my service account",
"etag":"BwUpVKjgNtE=",
"projectId":"my-project-123",
"uniqueId":"107522985251862639552",
"email":"my-sa-123@my-project-123.iam.gserviceaccount.com",
}
Response:
{
"name": "projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com",
"projectId": "my-project-123",
"uniqueId": "107522985251862639552",
"email": "my-sa-123@my-project-123.iam.gserviceaccount.com",
"displayName": "my service account",
"etag": "BwUqLK4bL9U=",
"oauth2ClientId": "105236325228757713905"
}
Console
- Open the Service Accounts page in the GCP Console.
- Click Select a project.
- Select your project and click Open.
- Look for the service account you wish to rename, click the vertical ellipses button in that row, and click Edit.
- Enter the new name and click Save.
Deleting a service account
When you delete a service account, applications will no longer have access to Google Cloud Platform resources through that service account. Deleting the default App Engine and Compute Engine service accounts will result in the instances no longer having access to resources in the project. Therefore deletion should be done with caution. You must make sure that your critical applications no longer use a service account before deleting it.
gcloud
To delete a service account, run the following command:
gcloud iam service-accounts delete \
my-sa-123@my-project-123.iam.gserviceaccount.com
The output of this command will be a message similar to the following:
deleted service account [my-sa-123@my-project-123.iam.gserviceaccount.com]
API
You can delete an existing service account using the
serviceAccounts.delete()
method.
The following request deletes the service account my-sa-123 in the project
my-project-123:
DELETE https://iam.googleapis.com/v1/projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com
Console
Open the Service Accounts page in the GCP Console.
Click Select a project.
- Select your project and click Open.
- Select the service account(s) you wish to delete, and click Delete.
Next steps
- Learn how to create and manage service account keys.
- Learn how to grant IAM roles to service accounts.
