Creating and Managing Service Accounts

This page explains how to create and manage service accounts using the Google Cloud Identity and Access Management API, the Google Cloud Platform Console, and the gcloud command-line tool.

When you create a new Cloud project, Google Cloud Platform automatically creates one Compute Engine service account and one App Engine service account under that project. You can create up to 98 additional service accounts in your project (100 in total) to control access to your resources.

Creating a service account

Creating a service account is similar to adding a member to your project, but the service account belongs to your applications rather than an individual end user.

API

The following code snippet creates a new service account named my service account under the project my-project-123 using the serviceAccounts.create() method.

In the API, make a POST request to:

https://iam.googleapis.com/v1/projects/my-project-123/serviceAccounts

The request body should contain the properties to create a new service account; supply an ID and a display name for the new service account. The ID will be used to create the service account email address. You can modify the display name of the service account in the future, but once created, you cannot modify the service account ID.

{
    "accountId": "my-sa-123",
    "serviceAccount": {
        "displayName": "my service account"
    }
}

Response:

{
    "name": "projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com",
    "projectId": "my-project-123",
    "uniqueId": "113948692397867021414",
    "email": "my-sa-123@my-project-123.iam.gserviceaccount.com",
    "displayName": "my service account",
    "etag": "BwUp3rVlzes=",
    "oauth2ClientId": "117249000288840666939"
}

Console

  1. Open the Service Accounts page in the Cloud Platform Console.

  2. Click Select a project.

  3. Select your project and click Open.
  4. Click Create Service Account.
  5. Enter a service account name, select the role you wish to grant to the service account, and click Create.

gcloud

To create a service account, run the following command:

gcloud iam service-accounts create my-sa-123 --display-name "my service account"

The output of this command is the service account, which will look similar to the following:

Created service account [my-sa-123].

After you create a service account, grant it one or more roles so that it can act on your behalf. Grant only the roles the workload actually needs: every permission on the service account is available to anything that runs as it or obtains its credentials.
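The REST and gcloud steps above, carried through as a small client, as an added example (not code from this page or from Google): it validates the account ID before the request is sent, since the ID cannot be changed afterwards, sends the same POST body the page shows, and checks that the returned email is the one the ID should produce. The `request` callable is an assumption of this example: it takes a method, a URL and an optional JSON body, returns the parsed response, and raises on any non-2xx status; `authorized_request()` builds one from Application Default Credentials with the google-auth library. The account ID rule comes from the IAM API reference, not from this page.

```python
import re
from typing import Callable, Optional

IAM_BASE = "https://iam.googleapis.com/v1"

# Transport contract assumed by this example: request(method, url, body) returns the parsed JSON
# response as a dict and raises on any non-2xx status. authorized_request() builds one with google-auth.
Request = Callable[[str, str, Optional[dict]], dict]

# accountId rule from the IAM API reference (not stated on this page): 6-30 characters matching
# [a-z]([-a-z0-9]*[a-z0-9]), i.e. lowercase letters, digits and hyphens, starting with a letter and
# not ending with a hyphen. The ID is immutable, so it is worth checking before the request goes out.
ACCOUNT_ID_RE = re.compile(r"^[a-z][-a-z0-9]{4,28}[a-z0-9]$")


def is_valid_account_id(account_id: str) -> bool:
    return ACCOUNT_ID_RE.match(account_id) is not None


def service_account_email(project_id: str, account_id: str) -> str:
    """The email the API derives from the ID; this, not the display name, is what IAM bindings reference."""
    return f"{account_id}@{project_id}.iam.gserviceaccount.com"


def create_service_account(request: Request, project_id: str, account_id: str, display_name: str) -> dict:
    """POST projects/{project}/serviceAccounts with the body shown on this page and return the new account."""
    if not is_valid_account_id(account_id):
        raise ValueError(
            f"invalid accountId {account_id!r}: must be 6-30 chars matching [a-z]([-a-z0-9]*[a-z0-9])"
        )
    url = f"{IAM_BASE}/projects/{project_id}/serviceAccounts"
    body = {"accountId": account_id, "serviceAccount": {"displayName": display_name}}
    created = request("POST", url, body)
    # Fail loudly if the response is not the account we asked for (wrong project, mangled ID, proxy in the way).
    expected = service_account_email(project_id, account_id)
    if created.get("email") != expected:
        raise RuntimeError(f"unexpected email in create response: {created.get('email')!r} != {expected!r}")
    return created


def authorized_request() -> Request:
    """Build a request callable from Application Default Credentials (requires google-auth and requests)."""
    import google.auth
    from google.auth.transport.requests import AuthorizedSession

    credentials, _ = google.auth.default(scopes=["https://www.googleapis.com/auth/cloud-platform"])
    session = AuthorizedSession(credentials)

    def request(method: str, url: str, body: Optional[dict] = None) -> dict:
        response = session.request(method, url, json=body)
        response.raise_for_status()
        return response.json() if response.content else {}

    return request


if __name__ == "__main__":
    account = create_service_account(authorized_request(), "my-project-123", "my-sa-123", "my service account")
    print(account["email"], account["uniqueId"])
```

Keep the `uniqueId` from the response alongside the email: if the account is later deleted and a new one is created with the same ID, the email is reused but the `uniqueId` is not, which is how stale references can be told apart.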

Listing service accounts

When listing service accounts, you can specify parameters to limit the number of service accounts included in each response. You can then pass ListServiceAccountsResponse.next_page_token (nextPageToken in the REST response) in a subsequent request to list the remaining service accounts.

Use this method to audit service accounts and keys, or to build custom tools for managing service accounts.

API

The following code lists all service accounts under my-project-123:

Request:

GET https://iam.googleapis.com/v1/projects/my-project-123/serviceAccounts

Response:

{
    "accounts": [
    {
        "name": "projects/my-project-123/serviceAccounts/sa-1@my-project-123.iam.gserviceaccount.com",
        "projectId": "my-project-123",
        "uniqueId": "108979773878059201436",
        "email": "sa-1@my-project-123.iam.gserviceaccount.com",
        "displayName": "service account 1",
        "etag": "BwUpTsLVUkQ=",
        "oauth2ClientId": "102240834887833340852"
    },
    {
        "name": "projects/my-project-123/serviceAccounts/835469197146-compute@developer.gserviceaccount.com",
        "projectId": "my-project-123",
        "uniqueId": "117077288574069305058",
        "email": "835469197146-compute@developer.gserviceaccount.com",
        "displayName": "Compute Engine Default Service Account",
        "etag": "BwUomgwvClk=",
        "oauth2ClientId": "101236303957024449895"
    },
    {
        "name": "projects/my-project-123/serviceAccounts/sa-2@my-project-123.iam.gserviceaccount.com",
        "projectId": "my-project-123",
        "uniqueId": "109687856497850065438",
        "email": "sa-2@my-project-123.iam.gserviceaccount.com",
        "displayName": "service account 2",
        "etag": "BwUqKUzcGRM=",
        "oauth2ClientId": "105236325228757713905"
    },

    . . .

    ]
}

Console

  1. Open the Service Accounts page in the Cloud Platform Console.

  2. Click Select a project.

  3. Select your project and click Open. All service accounts are listed in the Service Accounts page.

gcloud

To list service accounts, run the following command:

gcloud iam service-accounts list

The output of this command is the list of all service accounts in the project, which will look similar to the following:

NAME                                    EMAIL
my service account 1                    my-sa-1@my-project-123.iam.gserviceaccount.com
my service account 2                    my-sa-2@my-project-123.iam.gserviceaccount.com
. . .
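The paginated listing described above, turned into the audit the section suggests, as an added example (not code from this page or from Google): it follows nextPageToken until the last page and then flags the two default accounts, any account with an empty display name (no recorded owner or purpose), and a project that is close to its 100-account ceiling. The `request` callable is an assumption of this example (method, URL, optional JSON body; returns the parsed response; raises on non-2xx), as is the near-limit threshold of five; the default-account email suffixes are those shown on this page.

```python
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import urlencode

IAM_BASE = "https://iam.googleapis.com/v1"

# Transport contract assumed by this example: request(method, url, body) returns the parsed JSON
# response as a dict and raises on any non-2xx status (an AuthorizedSession wrapper, for instance).
Request = Callable[[str, str, Optional[dict]], dict]

# Email suffixes of the two accounts Google creates in every project (this page). They are worth
# flagging because Compute Engine and App Engine workloads run as them unless told otherwise.
DEFAULT_SUFFIXES = ("-compute@developer.gserviceaccount.com", "@appspot.gserviceaccount.com")

# Two defaults plus 98 user-created accounts (this page).
SERVICE_ACCOUNT_LIMIT = 100
NEAR_LIMIT_MARGIN = 5  # assumption: warn when fewer than this many slots remain


def iter_service_accounts(request: Request, project_id: str, page_size: int = 100) -> Iterator[dict]:
    """Yield every account from serviceAccounts.list, following nextPageToken until the last page."""
    page_token: Optional[str] = None
    while True:
        params: Dict[str, object] = {"pageSize": page_size}
        if page_token:
            params["pageToken"] = page_token
        url = f"{IAM_BASE}/projects/{project_id}/serviceAccounts?{urlencode(params)}"
        page = request("GET", url, None)
        yield from page.get("accounts", [])
        page_token = page.get("nextPageToken")
        if not page_token:
            return


def is_default_account(email: str) -> bool:
    return email.endswith(DEFAULT_SUFFIXES)


def audit_service_accounts(request: Request, project_id: str, page_size: int = 100) -> Dict[str, object]:
    """Inventory the project's service accounts and return what a reviewer should look at:
    default accounts (check their roles are no broader than the workload needs), accounts with an
    empty display name (owner and purpose unrecorded), and a warning when the project nears its limit."""
    findings: List[dict] = []
    total = 0
    for account in iter_service_accounts(request, project_id, page_size):
        total += 1
        email = account["email"]
        reasons = []
        if is_default_account(email):
            reasons.append("default service account")
        if not account.get("displayName", "").strip():
            reasons.append("no display name: owner and purpose unrecorded")
        if reasons:
            findings.append({"email": email, "uniqueId": account.get("uniqueId"), "reasons": reasons})
    return {
        "total": total,
        "near_limit": total >= SERVICE_ACCOUNT_LIMIT - NEAR_LIMIT_MARGIN,
        "findings": findings,
    }
```

Run this on a schedule and diff the output: a service account that appears between two runs without a display name, or a sudden jump in the total, is exactly the kind of change worth a question.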

Renaming a service account

The display name of a service account is commonly used to capture additional information about the service account, such as the purpose of the service account or a contact person for the account.

API

Modify the display name of an existing service account using the serviceAccounts.update() method.

Request:

PUT https://iam.googleapis.com/v1/projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com

The request body must contain the new display name together with the fields that identify the account: the project ID, the unique ID of the service account, the service account email, and the etag from the most recent read of the account.

{
    "displayName": "my service account",
    "etag": "BwUpVKjgNtE=",
    "projectId": "my-project-123",
    "uniqueId": "107522985251862639552",
    "email": "my-sa-123@my-project-123.iam.gserviceaccount.com"
}

Response:

{
    "name": "projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com",
    "projectId": "my-project-123",
    "uniqueId": "107522985251862639552",
    "email": "my-sa-123@my-project-123.iam.gserviceaccount.com",
    "displayName": "my service account",
    "etag": "BwUqLK4bL9U=",
    "oauth2ClientId": "105236325228757713905"
}

Console

  1. Open the Service Accounts page in the Cloud Platform Console.

  2. Click Select a project.
  3. Select your project and click Open.
  4. Look for the service account you wish to rename, click the vertical ellipsis button in that row, and click Edit.
  5. Enter the new name and click Save.

gcloud

To rename a service account:

gcloud iam service-accounts update \
    my-sa-123@my-project-123.iam.gserviceaccount.com \
    --display-name "updated service account"

The output of this command is the renamed service account, which will look similar to the following:

displayName: updated service account
email: my-sa-123@my-project-123.iam.gserviceaccount.com
etag: BwUqQpHDCw8=
name: projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com
oauth2ClientId: '112984177383228986143'
projectId: my-project-123
uniqueId: '112984177383228986143'

Deleting a service account

When you delete a service account, applications that authenticate as it immediately lose access to Google Cloud Platform resources through it. Deleting the default App Engine or Compute Engine service account leaves every instance that runs as it without access to resources in the project. Delete with caution: confirm that no critical application still uses the service account (no instance still runs as it and no key issued for it is still in use) before deleting it.

API

You can delete an existing service account using the serviceAccounts.delete() method.

The following request deletes the service account my-sa-123 in the project my-project-123:

DELETE https://iam.googleapis.com/v1/projects/my-project-123/serviceAccounts/my-sa-123@my-project-123.iam.gserviceaccount.com

Console

  1. Open the Service Accounts page in the Cloud Platform Console.

  2. Click Select a project.

  3. Select your project and click Open.
  4. Select the service account(s) you wish to delete, and click Delete.

gcloud

To delete a service account, run the following command:

gcloud iam service-accounts delete \
    my-sa-123@my-project-123.iam.gserviceaccount.com

The output of this command will be a message similar to the following:

deleted service account [my-sa-123@my-project-123.iam.gserviceaccount.com]
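The pre-deletion check the section calls for, as an added example (not code from this page or from Google): before sending the DELETE shown above it refuses to remove a default service account and looks up, through the Compute Engine instances.aggregatedList call, every instance still attached to the account. Only Compute Engine is checked; GKE, Cloud Functions and downloaded keys also consume service accounts and would need checks of their own. The `request` callable is an assumption of this example (method, URL, optional JSON body; returns the parsed response, an empty dict for an empty body; raises on non-2xx), as is the `force` override; the default-account email suffixes are those shown on this page.

```python
from typing import Callable, List, Optional

IAM_BASE = "https://iam.googleapis.com/v1"
COMPUTE_BASE = "https://compute.googleapis.com/compute/v1"

# Transport contract assumed by this example: request(method, url, body) returns the parsed JSON
# response as a dict ({} for an empty body) and raises on any non-2xx status.
Request = Callable[[str, str, Optional[dict]], dict]

# The two accounts Google creates for every project (this page). Deleting them breaks every
# instance that runs as them, so they are never deleted here without force=True.
DEFAULT_SUFFIXES = ("-compute@developer.gserviceaccount.com", "@appspot.gserviceaccount.com")


def instances_running_as(request: Request, project_id: str, email: str) -> List[str]:
    """Compute Engine instances attached to `email`, from instances.aggregatedList (all zones in one
    call; each instance lists its serviceAccounts; zones with no results carry a warning instead)."""
    users: List[str] = []
    page_token: Optional[str] = None
    while True:
        url = f"{COMPUTE_BASE}/projects/{project_id}/aggregated/instances"
        if page_token:
            url += f"?pageToken={page_token}"
        page = request("GET", url, None)
        for scope, scoped in page.get("items", {}).items():
            for instance in scoped.get("instances", []):
                attached = [sa.get("email") for sa in instance.get("serviceAccounts", [])]
                if email in attached:
                    users.append(f"{scope}/{instance['name']}")
        page_token = page.get("nextPageToken")
        if not page_token:
            return users


def deletion_blockers(request: Request, project_id: str, email: str) -> List[str]:
    """Reasons not to delete yet. Only Compute Engine is consulted; extend this with the other
    consumers in your environment before relying on it for a real deletion."""
    blockers: List[str] = []
    if email.endswith(DEFAULT_SUFFIXES):
        blockers.append("default service account: instances in the project depend on it")
    for instance in instances_running_as(request, project_id, email):
        blockers.append(f"still attached to instance {instance}")
    return blockers


def delete_service_account(request: Request, project_id: str, email: str, force: bool = False) -> List[str]:
    """DELETE the account only when nothing found above still depends on it (or force=True).
    Returns the blockers that were found so the caller can log what, if anything, was overridden."""
    blockers = deletion_blockers(request, project_id, email)
    if blockers and not force:
        raise RuntimeError(f"refusing to delete {email}: " + "; ".join(blockers))
    request("DELETE", f"{IAM_BASE}/projects/{project_id}/serviceAccounts/{email}", None)
    return blockers
```

The instance lookup needs compute.instances.list on the project in addition to the IAM permission to delete service accounts, so run it as a principal that has both rather than widening the service account being retired.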
