Creating and Managing Service Accounts

This page explains how to create and manage service accounts using the Google Cloud Identity and Access Management API, the Google Cloud Platform Console, and the gcloud command-line tool.

When you create a new Cloud project, Google Cloud Platform (GCP) automatically creates one Compute Engine service account and one App Engine service account under that project. You can create up to 98 additional service accounts to your project to control access to your resources.

Before you begin

Required permissions

To allow a user to manage service accounts, grant one of the following roles:

  • Service Account User (roles/iam.serviceAccountUser): Grants permissions to get, list, or impersonate a service account.
  • Service Account Admin (roles/iam.serviceAccountAdmin): Includes Service Account User permissions and also grants permissions to create, update, delete, and set or get the Cloud IAM policy on a service account.

Cloud IAM primitive roles also contain permissions to manage service accounts. However, we recommend granting one of the predefined roles above to prevent unnecessary access to other GCP resources.

See the Service Account Roles topic for more information about roles related to service accounts.

Creating a service account

Creating a service account is similar to adding a member to your project, but the service account belongs to your applications rather than an individual end user.

In the examples below, SA-NAME is the name of the service account. This is a unique identifier; it will appear in the service account's email address, and you'll use it to update the service account with other APIs. SA-DISPLAY-NAME is a friendly name for the service account. PROJECT-ID is the ID of your Google Cloud Platform project.

To create a service account, at minimum the user must be granted the Service Account Admin role (roles/iam.serviceAccountAdmin) or the Editor primitive role (roles/editor).

gcloud

To create a service account, run the following command:

gcloud iam service-accounts create SA-NAME \
    --display-name "SA-DISPLAY-NAME"

The output of this command is the service account, which will look similar to the following:

Created service account SA-NAME.

API

Call the serviceAccounts.create() method to create a service account.

POST https://iam.googleapis.com/v1/projects/PROJECT-ID/serviceAccounts

The request body should contain the properties to create a new service account; supply an ID and a display name for the new service account. The ID will be used to create the service account email address. You can modify the display name of the service account in the future, but once created, you cannot modify the service account ID.

    {
        "accountId": "SA-NAME",
        "serviceAccount": {
            "displayName": "SA-DISPLAY-NAME",
        }
    }

Response:

    {
        "name": "projects/PROJECT-ID/serviceAccounts/SA-NAME@PROJECT-ID.iam.gserviceaccount.com",
        "projectId": "PROJECT-ID",
        "uniqueId": "113948692397867021414",
        "email": "SA-NAME@PROJECT-ID.iam.gserviceaccount.com",
        "displayName": "SA-DISPLAY-NAME",
        "etag": "BwUp3rVlzes=",
        "oauth2ClientId": "117249000288840666939"
    }

Console

  1. Open the Service Accounts page in the GCP Console.

    Open the Service Accounts page

  2. Click Select a project.

  3. Select your project and click Open.
  4. Click Create Service Account.
  5. Enter a service account name, select a role you wish to grant to the service account and click Create.

After you create a service account, grant one or more roles to the service account so that it can act on your behalf.

Listing service accounts

When listing service accounts, you can specify parameters to limit the number of service accounts to include in the response. You can then use ListServiceAccountsResponse.next_page_token in a subsequent request to list the remaining service accounts.

Use this method to audit service accounts and keys, or to build custom tools for managing service accounts.

To list service accounts, at minimum the user must be granted the Service Account User role (roles/iam.serviceAccountUser) or the Viewer primitive role (roles/viewer).

gcloud

To list service accounts, run the following command:

gcloud iam service-accounts list

The output of this command is the list of all service accounts in the project, which will look similar to the following:

NAME                    EMAIL
SA-DISPLAY-NAME-1       SA-NAME-1@PROJECT-ID.iam.gserviceaccount.com
SA-DISPLAY-NAME-2       SA-NAME-2@PROJECT-ID.iam.gserviceaccount.com

API

List all of the service accounts under a given project using the serviceAccounts.list() method. You can also get the details about a single service account by using the serviceAccounts.get() method.

Request:

GET https://iam.googleapis.com/v1/projects/PROJECT-ID/serviceAccounts

Response:

{
    "accounts": [
    {
        "name": "projects/PROJECT-ID/serviceAccounts/SA-NAME-1@PROJECT-ID.iam.gserviceaccount.com",
        "projectId": "PROJECT-ID",
        "uniqueId": "108979773878059201436",
        "email": "SA-NAME-1@PROJECT-ID.iam.gserviceaccount.com",
        "displayName": "SA-DISPLAY-NAME-1",
        "etag": "BwUpTsLVUkQ=",
        "oauth2ClientId": "102240834887833340852"
    },
    {
        "name": "projects/PROJECT-ID/serviceAccounts/SA-NAME-2@PROJECT-ID.iam.gserviceaccount.com",
        "projectId": "PROJECT-ID",
        "uniqueId": "108979773878059201436",
        "email": "SA-NAME-2@PROJECT-ID.iam.gserviceaccount.com",
        "displayName": "SA-DISPLAY-NAME-2",
        "etag": "BwUpTsLVUkQ=",
        "oauth2ClientId": "102240834887833340852"
    }]
}

Console

  1. Open the Service Accounts page in the GCP Console.

    Open the Service Accounts page

  2. Click Select a project.

  3. Select your project and click Open. All service accounts are listed in the Service Accounts page.

Renaming a service account

The display name of a service account is commonly used to capture additional information about the service account, such as the purpose of the service account or a contact person for the account.

To rename a service account, at minimum the user must be granted the Service Account Admin role (roles/iam.serviceAccountAdmin) or the Editor primitive role (roles/editor).

gcloud

To rename a service account:

gcloud iam service-accounts update \
    SA-NAME@PROJECT-ID.iam.gserviceaccount.com \
    --display-name "Updated display name"

The output of this command is the renamed service account, which will look similar to the following:

    displayName: Updated display name
    email: SA-NAME@PROJECT-ID.iam.gserviceaccount.com
    etag: BwUqQpHDCw8=
    name: projects/PROJECT-ID/serviceAccounts/SA-NAME@PROJECT-ID.iam.gserviceaccount.com
    oauth2ClientId: '112984177383228986143'
    projectId: PROJECT-ID
    uniqueId: '112984177383228986143'

API

Modify the display name of an existing service account using the serviceAccounts.update() method.

Request:

PUT https://iam.googleapis.com/v1/projects/PROJECT-ID/serviceAccounts/SA-NAME@PROJECT-ID.iam.gserviceaccount.com

The request body must contain the new display name, the project ID, the unique ID of the service account, and the service account email.

{
    "displayName":"Updated display name",
    "etag":"BwUpVKjgNtE=",
    "projectId":"PROJECT-ID",
    "uniqueId":"107522985251862639552",
    "email":"SA-NAME@PROJECT-ID.iam.gserviceaccount.com",
}

Response:

{
    "name": "projects/PROJECT-ID/serviceAccounts/SA-NAME@PROJECT-ID.iam.gserviceaccount.com",
    "projectId": "PROJECT-ID",
    "uniqueId": "107522985251862639552",
    "email": "SA-NAME@PROJECT-ID.iam.gserviceaccount.com",
    "displayName": "Updated display name",
    "etag": "BwUqLK4bL9U=",
    "oauth2ClientId": "105236325228757713905"
}

Console

  1. Open the Service Accounts page in the GCP Console.

    Open the Service Accounts page

  2. Click Select a project.
  3. Select your project and click Open.
  4. Look for the service account you wish to rename, click the vertical ellipses button in that row, and click Edit.
  5. Enter the new name and click Save.

Deleting a service account

When you delete a service account, applications will no longer have access to Google Cloud Platform resources through that service account. If you delete the default App Engine and Compute Engine service accounts, the instances will no longer have access to resources in the project. Delete with caution; make sure your critical applications no longer use a service account before deleting it.

To delete a service account, at minimum the user must be granted the Service Account Admin role (roles/iam.serviceAccountAdmin) or the Editor primitive role (roles/editor).

gcloud

To delete a service account, run the following command:

gcloud iam service-accounts delete \
    SA-NAME@PROJECT-ID.iam.gserviceaccount.com

The output of this command will be a message similar to the following:

deleted service account SA-NAME@PROJECT-ID.iam.gserviceaccount.com

API

You can delete an existing service account using the serviceAccounts.delete() method.

DELETE https://iam.googleapis.com/v1/projects/PROJECT-ID/serviceAccounts/SA-NAME@PROJECT-ID.iam.gserviceaccount.com

Console

  1. Open the Service Accounts page in the GCP Console.

    Open the Service Accounts page

  2. Click Select a project.

  3. Select your project and click Open.
  4. Select the service account(s) you wish to delete, and click Delete.

Next steps

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Identity and Access Management Documentation