Permission denied on deleted and recreated Service Accounts

Problem

A principal (for example a user, service account, group or domain) was deleted and then recreated with the same email address. After the re-creation, commands that previously succeeded return an error similar to Permission denied.

Environment

  • Deleted and re-created Service Account (or another principal)

Solution

If a user, group or service account was deleted and recreated with the same email address, the existing policy bindings still reference the deleted principal (shown with a deleted: prefix), not the new one. Either undelete the original principal so the bindings apply again, or remove the stale bindings and grant the roles to the new principal. The steps below undelete a service account, which is possible within 30 days of the deletion.

  1. First find the unique ID (ACCOUNT_ID) of the deleted account. This is the 21-digit numeric ID that IAM assigned to the old account, not its email address.
    • If the deleted account still has policy bindings, you can find it on the IAM & Admin > IAM page in Cloud console by filtering for deleted:. All deleted principals are prefixed with deleted: and carry the ID in the uid parameter, for example:  

      deleted:serviceAccount:<SERVICE_ACCOUNT_NAME>@<PROJECT_ID>.iam.gserviceaccount.com?uid=<ACCOUNT_ID>

      The same members appear in the output of gcloud projects get-iam-policy <PROJECT_ID>.
    • Otherwise, search for the deletion event in Logging > Logs Explorer using the following filter:

      protoPayload.methodName="google.iam.admin.v1.DeleteServiceAccount"
    • In the matching entry, protoPayload.resourceName has the form projects/-/serviceAccounts/<ACCOUNT_ID>. If several service accounts were deleted, use the entry's timestamp to pick the right one. In either case, take note of the ACCOUNT_ID.
  2. Remove the recreated principal that has the same email, for example by going to IAM & Admin > Service Accounts in Cloud console, selecting the service account in question and clicking Delete at the top. The undelete in the next step is not possible while an account with the same email exists. Any roles granted to the recreated account since its creation were bound to its new ID and are lost with it; record them first so you can grant them again if they are still needed.
  3. Undelete the original service account by running the following command with the ACCOUNT_ID from step 1 (the command is also available without beta as gcloud iam service-accounts undelete):

    gcloud beta iam service-accounts undelete ACCOUNT_ID

    Once the account is restored, the existing deleted: bindings apply to it again. If more than 30 days have passed since the deletion, the account cannot be undeleted; remove the stale deleted: bindings and grant the required roles to the new service account instead.
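
As an added example (not part of this article or of Google's tooling), the following shell script automates the lookup in step 1 against constructed sample output and wraps steps 2 and 3 in a function that only runs when the script is invoked with --restore ACCOUNT_ID (set DRY_RUN=1 to preview the gcloud commands). The project ID, the email address and the 21-digit IDs are assumptions, and the two JSON documents are constructed to resemble gcloud output, not captured from a real project.

```shell
#!/bin/sh
# Added example, not from the article: find the ACCOUNT_ID of a deleted
# service account and drive the delete-then-undelete steps.
# PROJECT_ID, SA_EMAIL and the 21-digit IDs below are assumptions.
set -e

PROJECT_ID="my-project"                                # assumption
SA_EMAIL="app-sa@my-project.iam.gserviceaccount.com"   # assumption

# Constructed sample of `gcloud projects get-iam-policy $PROJECT_ID --format=json`
# after the account was deleted and recreated: the stale members carry
# deleted:...?uid=<ACCOUNT_ID>, the recreated account has one live binding.
SAMPLE_POLICY='{
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": [
       "deleted:serviceAccount:app-sa@my-project.iam.gserviceaccount.com?uid=111111111111111111111",
       "user:alice@example.com"]},
    {"role": "roles/pubsub.subscriber",
     "members": [
       "deleted:serviceAccount:app-sa@my-project.iam.gserviceaccount.com?uid=111111111111111111111",
       "serviceAccount:app-sa@my-project.iam.gserviceaccount.com"]}
  ]
}'

# Constructed sample of `gcloud logging read` output for the filter in step 1
# (fields trimmed); two deletions, newest first as Logs Explorer shows them.
SAMPLE_LOG='[
  {"protoPayload": {"methodName": "google.iam.admin.v1.DeleteServiceAccount",
                    "resourceName": "projects/-/serviceAccounts/111111111111111111111"},
   "timestamp": "2024-05-02T10:15:00Z"},
  {"protoPayload": {"methodName": "google.iam.admin.v1.DeleteServiceAccount",
                    "resourceName": "projects/-/serviceAccounts/222222222222222222222"},
   "timestamp": "2024-05-01T08:00:00Z"}
]'

# Step 1a: unique IDs referenced by stale "deleted:" bindings for one email.
# Policy JSON on stdin; prints each distinct ID on its own line.
deleted_uids_in_policy() {
  grep -oE "deleted:serviceAccount:$1\?uid=[0-9]+" | sed 's/.*uid=//' | sort -u
}

# Step 1b: unique IDs from DeleteServiceAccount audit entries (JSON on stdin).
# The entry does not carry the email, so match the ID against the deletion time.
deleted_uids_in_logs() {
  grep -oE '"resourceName": *"projects/-/serviceAccounts/[0-9]+"' \
    | sed -e 's#.*serviceAccounts/##' -e 's/"$//'
}

# Bindings the recreated account holds under its own (new) ID. Step 2 deletes
# that account, so these are lost and must be granted again afterwards.
live_binding_count() {
  grep -c "\"serviceAccount:$1\"" || true
}

# Runs a command, or just prints it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Steps 2 and 3 against a real project. An existing account with the same
# email blocks the undelete, so it is removed first. ACCOUNT_ID is the
# 21-digit unique ID, never the email.
restore_service_account() {
  email="$1"; uid="$2"
  if run gcloud iam service-accounts describe "$email" --project="$PROJECT_ID" >/dev/null 2>&1; then
    run gcloud iam service-accounts delete "$email" --project="$PROJECT_ID" --quiet
  fi
  run gcloud iam service-accounts undelete "$uid" --project="$PROJECT_ID"
}

echo "Stale deleted: binding IDs for $SA_EMAIL:"
printf '%s\n' "$SAMPLE_POLICY" | deleted_uids_in_policy "$SA_EMAIL"
echo "IDs in DeleteServiceAccount audit entries (newest first):"
printf '%s\n' "$SAMPLE_LOG" | deleted_uids_in_logs
echo "Live bindings on the recreated account (lost in step 2): $(printf '%s\n' "$SAMPLE_POLICY" | live_binding_count "$SA_EMAIL")"

# Real run: ./undelete-sa.sh --restore 111111111111111111111   (DRY_RUN=1 to preview)
if [ "${1:-}" = "--restore" ] && [ -n "${2:-}" ]; then
  restore_service_account "$SA_EMAIL" "$2"
fi
```

The parsers deliberately work on the raw JSON text with grep and sed so the script has no dependency beyond gcloud itself; the audit-log lookup returns every deleted ID because the DeleteServiceAccount entry identifies the account by unique ID, which is why the script also reports the timestamps in the sample and leaves the choice to the operator.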
    

Cause

If you create a new service account with the same email as a recently deleted service account, the old bindings may still exist; however, they do not apply to the new service account even though both accounts have the same email address.

This happens because each service account is given a unique numeric ID within Identity and Access Management (IAM) at creation. Internally, all role bindings are granted to that ID, not to the service account's email address; the email is only a display name for the binding. A role binding that existed for a deleted service account therefore does not apply to a new service account that reuses the email address but has a different Account ID, and the binding is shown with a deleted: prefix instead. See more information about deleting and recreating service accounts.