Method: projects.serviceAccounts.disable

serviceAccounts.disable is currently in the alpha launch stage.

Disables a ServiceAccount, which immediately prevents the service account from authenticating and gaining access to APIs.

Disabled service accounts can be safely restored by using serviceAccounts.enable at any point. Deleted service accounts cannot be restored using this method.

Disabling a service account that is bound to VMs, Apps, Functions, or other jobs will cause those jobs to lose access to resources if they are using the disabled service account.

Previously issued Access tokens for a service account will be rejected while the service account is disabled but will start working again if the account is re-enabled. Issuance of new tokens will fail while the account is disabled.

To improve reliability of your services and avoid unexpected outages, it is recommended to first disable a service account rather than delete it. After disabling the service account, wait at least 24 hours to verify there are no unintended consequences, and then delete the service account.

HTTP request


The URL uses gRPC Transcoding syntax.

Path parameters



The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the uniqueId of the service account.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccounts.disable

Request body

The request body must be empty.

Response body

If successful, the response body will be empty.

Authorization Scopes

Requires one of the following OAuth scopes:


For more information, see the Authentication Overview.