This page explains how to delete and undelete service accounts using the
Identity and Access Management (IAM) API, the Google Cloud console, and the gcloud
command-
line tool.
Before you begin
Enable the IAM API.
Set up authentication.
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
C#
To use the .NET samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
C++
To use the C++ samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
Go
To use the Go samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
Java
To use the Java samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
Python
To use the Python samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Understand IAM service accounts
Required roles
To get the permissions that you need to delete and undelete service accounts, ask your administrator to grant you the following IAM roles on the project:
-
To delete service accounts:
Delete Service Accounts (
roles/iam.serviceAccountDeleter
) -
To delete and undelete service accounts:
Service Account Admin (
roles/iam.serviceAccountAdmin
)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
To learn more about these roles, see Service Accounts roles.
IAM basic roles also contain permissions to manage service accounts. You should not grant basic roles in a production environment, but you can grant them in a development or test environment.
Delete a service account
When you delete a service account, applications will no longer have access to Google Cloud resources through that service account. If you delete the default App Engine and Compute Engine service accounts, then the App Engine apps and Compute Engine VM instances that use those service accounts will no longer have access to resources in the project.
Delete service accounts with caution. Make sure your critical applications are no longer using a service account before deleting it. If you're not sure whether a service account is being used, Google recommends disabling the service account instead of deleting it. Disabled service accounts can be re-enabled if they are still needed.
If you want to restore a deleted service account, you can undelete it, if it's been 30 days or less since you deleted the service account. After 30 days, IAM permanently removes the service account. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.
To further reduce the risk of deleting a necessary service account, you can also enable change risk recommendations. Change risk recommendations generate warnings when you try to delete service accounts that Google Cloud has identified as important.
If you delete a service account, then create a new service account with the same name, the new service account is treated as a separate identity; it does not inherit the roles granted to the deleted service account. In contrast, when you delete a service account, then undelete it, the service account's identity does not change, and the service account retains its roles.
When a service account is deleted, its role bindings are not immediately
removed; they are automatically purged from the system after a maximum of
60 days. Until that time, the service account appears in
role bindings with a deleted:
prefix and a
?uid=NUMERIC_ID
suffix, where
NUMERIC_ID
is a unique numeric ID for the service
account.
Deleted service accounts do not count towards your service account quota.
Console
In the Google Cloud console, go to the Service accounts page.
Select a project.
Select the service account you want to delete, and then click Delete
.
gcloud
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
-
Execute the
gcloud iam service-accounts delete
command to delete a service account.Command:
gcloud iam service-accounts delete \ SA_NAME@PROJECT_ID.iam.gserviceaccount.com
Output:
Deleted service account SA_NAME@PROJECT_ID.iam.gserviceaccount.com
C++
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
C#
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
REST
The
serviceAccounts.delete
method deletes a service account.
Before using any of the request data, make the following replacements:
PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.SA_ID
: The ID of your service account. This can either be the service account's email address in the formSA_NAME@PROJECT_ID.iam.gserviceaccount.com
, or the service account's unique numeric ID.
HTTP method and URL:
DELETE https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID
To send your request, expand one of these options:
If successful, the response body will be empty.
Undelete a service account
In some cases, you can use the undelete
command to undelete a deleted service
account. You can usually undelete a deleted service account if it meets these
criteria:
The service account was deleted less than 30 days ago.
After 30 days, IAM permanently removes the service account. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.
There is no existing service account with the same name as the deleted service account.
For example, suppose that you accidentally delete the service account
my-service-account@project-id.iam.gserviceaccount.com
. You still need a service account with that name, so you create a new service account with the same name,my-service-account@project-id.iam.gserviceaccount.com
.The new service account does not inherit the permissions of the deleted service account. In effect, it is completely separate from the deleted service account. However, you cannot undelete the original service account, because the new service account has the same name.
To address this issue, delete the new service account, then try to undelete the original service account.
If you are not able to undelete the service account, you can create a new service account with the same name; revoke all of the roles from the deleted service account; and grant the same roles to the new service account. For details, see Policies with deleted principals.
Find a deleted service account's numeric ID
When you undelete a service account, you must provide its numeric ID. The
numeric ID is a 21-digit number, such as 123456789012345678901
, that uniquely
identifies the service account. For example, if you delete a service account,
then create a new service account with the same name, the original service
account and the new service account will have different numeric IDs.
If you know that a binding in an allow policy includes the deleted service
account, you can get the allow policy, then find the numeric ID
in the allow policy. The numeric ID is appended to the name of the deleted
service account. For example, in this allow policy, the numeric ID for the
deleted service account is 123456789012345678901
:
{ "version": 1, "etag": "BwUjMhCsNvY=", "bindings": [ { "members": [ "deleted:serviceAccount:my-service-account@project-id.iam.gserviceaccount.com?uid=123456789012345678901" ], "role": "roles/iam.serviceAccountUser" }, ] }
Numeric IDs are only appended to the names of deleted principals.
Alternatively, you can search your audit logs for the DeleteServiceAccount
operation that deleted the service account:
In the Google Cloud console, go to the Logs explorer page.
In the query editor, enter the following query, replacing
SERVICE_ACCOUNT_EMAIL
with the email address of your service account (for example,my-service-account@project-id.iam.gserviceaccount.com
):resource.type="service_account" resource.labels.email_id="SERVICE_ACCOUNT_EMAIL" "DeleteServiceAccount"
If the service account was deleted more than an hour ago, click
Last 1 hour, select a longer period of time from the drop-down list, then click Apply.Click Run query. The Logs Explorer displays the
DeleteServiceAccount
operations that affected service accounts with the name you specified.Find and note the numeric ID of the deleted service account by doing one of the following:
- If the search results include only one
DeleteServiceAccount
operation, find the numeric ID in the Unique ID field of the Log fields pane.
If the search results show more than one log, do the following:
Find the correct log entry. To find the correct log entry, click the
expander arrow next to a log entry. Review the details of the log entry and determine whether the log entry shows the operation that you want to undo. Repeat this process until you find the correct log entry.In the correct log entry, locate the service account's numeric ID. To locate the numeric ID, expand the log entry's
protoPayload
field, then find theresourceName
field.
The numeric ID is everything after
serviceAccounts
in theresourceName
field.
- If the search results include only one
Undelete the service account by numeric ID
After you find the numeric ID for the deleted service account, you can try to undelete the service account.
gcloud
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
-
Execute the
gcloud beta iam service-accounts undelete
command to undelete a service account.Command:
gcloud beta iam service-accounts undelete ACCOUNT_ID
Output:
restoredAccount: email: SA_NAME@PROJECT_ID.iam.gserviceaccount.com etag: BwWWE7zpApg= name: projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com oauth2ClientId: '123456789012345678901' projectId: PROJECT_ID uniqueId: 'ACCOUNT_ID'
REST
The
serviceAccounts.undelete
method restores a deleted service account.
Before using any of the request data, make the following replacements:
PROJECT_ID
: Your Google Cloud project ID. Project IDs are alphanumeric strings, likemy-project
.SA_NUMERIC_ID
: The unique numeric ID of the service account.
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NUMERIC_ID:undelete
To send your request, expand one of these options:
If the account can be undeleted, you receive a 200 OK
response
code with details about the restored service account, like the following:
{ "restoredAccount": { "name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com", "projectId": "my-project", "uniqueId": "123456789012345678901", "email": "my-service-account@my-project.iam.gserviceaccount.com", "displayName": "My service account", "etag": "BwUp3rVlzes=", "description": "A service account for running jobs in my project", "oauth2ClientId": "987654321098765432109" } }
What's next
- Learn how to list and edit service accounts.
- Review the process for granting IAM roles to all types of principals, including service accounts.
- Understand how to attach service accounts to resources.
Try it for yourself
If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
Get started for free