This page explains how to delete and undelete service accounts using the
Identity and Access Management (IAM) API, the Google Cloud console, and the
gcloud
command-
line tool.
Before you begin
Required roles
To get the permissions that you need to delete and undelete service accounts,
ask your administrator to grant you the
following IAM roles on the project:
For more information about granting roles, see
Manage access
.
You might also be able to get
the required permissions through
custom
roles
or other
predefined
roles
.
To learn more about these roles, see
Service Accounts roles
.
IAM basic roles also contain permissions to manage service
accounts.
You should not grant basic roles in a production environment, but you can grant them in a
development or test environment.
Delete a service account
When you delete a service account, applications will no longer have access to
Google Cloud resources through that service account. If you delete the
default App Engine and Compute Engine service accounts, then the
App Engine apps and Compute Engine VM instances that use those
service accounts will no longer have access to resources in the project.
Delete service accounts with caution. Make sure your critical applications are
no longer using a service account before deleting it. If you're not sure whether
a service account is being used, Google recommends
disabling the service account
instead of deleting it. Disabled service accounts can be re-enabled if they are
still needed.
If you want to restore a deleted service account, you can
undelete
it, if it's been 30 days or less
since you deleted the service account. After 30 days,
IAM permanently removes the service account. Google Cloud
cannot recover the service account after it is permanently removed, even if you
file a support request.
To further reduce the risk of deleting a necessary service account, you can
also enable
change risk recommendations
. Change
risk recommendations generate warnings when you try to delete service accounts
that Google Cloud has identified as important.
If you delete a service account, then create a new service account with the same
name, the new service account is treated as a separate identity; it does not
inherit the roles granted to the deleted service account. In contrast, when you
delete a service account, then undelete it, the service account's identity does
not change, and the service account retains its roles.
When a service account is deleted, its role bindings are not immediately
removed; they are automatically purged from the system after a maximum of
60 days. Until that time, the service account appears in
role bindings with a
deleted:
prefix and a
?uid=
NUMERIC_ID
suffix, where
NUMERIC_ID
is a unique numeric ID for the service
account.
Deleted service accounts do not count towards your
service account quota
.
Console
In the Google Cloud console, go to the
Service accounts
page.
Go to Service accounts
Select a project.
Select the service account you want to delete, and then click
Delete
delete
.
gcloud
-
In the Google Cloud console, activate Cloud Shell.
Activate Cloud Shell
At the bottom of the Google Cloud console, a
Cloud Shell
session starts and displays a command-line prompt. Cloud Shell is a shell environment
with the Google Cloud CLI
already installed and with values already set for
your current project. It can take a few seconds for the session to initialize.
-
Execute the
gcloud iam service-accounts delete
command to delete a service account.
Command:
gcloud iam service-accounts delete \
SA_NAME
@
PROJECT_ID
.iam.gserviceaccount.com
Output:
Deleted service account
SA_NAME
@
PROJECT_ID
.iam.gserviceaccount.com
REST
The
serviceAccounts.delete
method deletes a service account.
Before using any of the request data,
make the following replacements:
PROJECT_ID
: Your Google Cloud project
ID. Project IDs are alphanumeric strings, like
my-project
.
SA_ID
: The ID of your service account.
This can either be the service account's email address in the form
SA_NAME
@
PROJECT_ID
.iam.gserviceaccount.com
, or the service
account's unique numeric ID.
HTTP method and URL:
DELETE https://iam.googleapis.com/v1/projects/
PROJECT_ID
/serviceAccounts/
SA_ID
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Execute the following command:
curl -X DELETE \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://iam.googleapis.com/v1/projects/
PROJECT_ID
/serviceAccounts/
SA_ID
"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method DELETE `
-Headers $headers `
-Uri "https://iam.googleapis.com/v1/projects/
PROJECT_ID
/serviceAccounts/
SA_ID
" | Select-Object -Expand Content
APIs Explorer (browser)
Open the
method reference page
.
The APIs Explorer panel opens on the right side of the page.
You can interact with this tool to send requests.
Complete any required fields and click
Execute
.
If successful, the response body will be empty.
Undelete a service account
In some cases, you can use the
undelete
command to undelete a deleted service
account. You can usually undelete a deleted service account if it meets these
criteria:
The service account was deleted less than 30 days
ago.
After 30 days, IAM permanently removes
the service account. Google Cloud cannot recover the service account
after it is permanently removed, even if you file a support request.
There is no existing service account with the same name as the deleted service
account.
For example, suppose that you accidentally delete the service account
my-service-account@project-id.iam.gserviceaccount.com
. You still need a
service account with that name, so you create a new service account with the
same name,
my-service-account@project-id.iam.gserviceaccount.com
.
The new service account does not inherit the permissions of the deleted
service account. In effect, it is completely separate from the deleted
service account. However, you cannot undelete the original service account,
because the new service account has the same name.
To address this issue, delete the new service account, then try to undelete
the original service account.
If you are not able to undelete the service account, you can create a new
service account with the same name; revoke all of the roles from the deleted
service account; and grant the same roles to the new service account. For
details, see
Policies with deleted principals
.
Find a deleted service account's numeric ID
When you undelete a service account, you must provide its numeric ID. The
numeric ID is a 21-digit number, such as
123456789012345678901
, that uniquely
identifies the service account. For example, if you delete a service account,
then create a new service account with the same name, the original service
account and the new service account will have different numeric IDs.
If you know that a binding in an allow policy includes the deleted service
account, you can
get the allow policy
, then find the numeric ID
in the allow policy. The numeric ID is appended to the name of the deleted
service account. For example, in this allow policy, the numeric ID for the
deleted service account is
123456789012345678901
:
{
"version": 1,
"etag": "BwUjMhCsNvY=",
"bindings": [
{
"members": [
"deleted:serviceAccount:my-service-account@project-id.iam.gserviceaccount.com?uid=123456789012345678901"
],
"role": "roles/iam.serviceAccountUser"
},
]
}
Numeric IDs are only appended to the names of deleted principals.
Alternatively, you can search your audit logs for the
DeleteServiceAccount
operation that deleted the service account:
In the Google Cloud console, go to the
Logs explorer
page.
Go to Logs explorer
In the query editor, enter the following query, replacing
SERVICE_ACCOUNT_EMAIL
with the email address of your
service account (for example,
my-service-account@project-id.iam.gserviceaccount.com
):
resource.type="service_account"
resource.labels.email_id="
SERVICE_ACCOUNT_EMAIL
"
"DeleteServiceAccount"
If the service account was deleted more than an hour ago, click
schedule
Last 1 hour
,
select a longer period of time from the drop-down list, then click
Apply
.
Click
Run query
. The Logs Explorer displays the
DeleteServiceAccount
operations that affected service accounts with the name you specified.
Find and note the numeric ID of the deleted service account by doing one of
the following:
If the search results include only one
DeleteServiceAccount
operation,
find the numeric ID in the
Unique ID
field of the
Log fields
pane.
If the search results show more than one log, do the following:
Find the correct log entry. To find the correct log entry, click the
keyboard_arrow_right
expander arrow
next to a log entry. Review the details of the log entry and determine
whether the log entry shows the operation that you want to undo. Repeat
this process until you find the correct log entry.
In the correct log entry, locate the service account's numeric ID. To
locate the numeric ID, expand the log entry's
protoPayload
field,
then find the
resourceName
field.
The numeric ID is everything after
serviceAccounts
in the
resourceName
field.
Undelete the service account by numeric ID
After you find the numeric ID for the deleted service account, you can try to
undelete the service account.
gcloud
-
In the Google Cloud console, activate Cloud Shell.
Activate Cloud Shell
At the bottom of the Google Cloud console, a
Cloud Shell
session starts and displays a command-line prompt. Cloud Shell is a shell environment
with the Google Cloud CLI
already installed and with values already set for
your current project. It can take a few seconds for the session to initialize.
-
Execute the
gcloud beta iam service-accounts undelete
command to undelete a service account.
Command:
gcloud beta iam service-accounts undelete
ACCOUNT_ID
Output:
restoredAccount:
email:
SA_NAME
@
PROJECT_ID
.iam.gserviceaccount.com
etag: BwWWE7zpApg=
name: projects/
PROJECT_ID
/serviceAccounts/
SA_NAME
@
PROJECT_ID
.iam.gserviceaccount.com
oauth2ClientId: '123456789012345678901'
projectId:
PROJECT_ID
uniqueId: '
ACCOUNT_ID
'
REST
The
serviceAccounts.undelete
method restores a deleted service account.
Before using any of the request data,
make the following replacements:
PROJECT_ID
: Your Google Cloud project
ID. Project IDs are alphanumeric strings, like
my-project
.
SA_NUMERIC_ID
: The unique numeric ID of the service account.
HTTP method and URL:
POST https://iam.googleapis.com/v1/projects/
PROJECT_ID
/serviceAccounts/
SA_NUMERIC_ID
:undelete
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://iam.googleapis.com/v1/projects/
PROJECT_ID
/serviceAccounts/
SA_NUMERIC_ID
:undelete"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://iam.googleapis.com/v1/projects/
PROJECT_ID
/serviceAccounts/
SA_NUMERIC_ID
:undelete" | Select-Object -Expand Content
APIs Explorer (browser)
Open the
method reference page
.
The APIs Explorer panel opens on the right side of the page.
You can interact with this tool to send requests.
Complete any required fields and click
Execute
.
If the account can be undeleted, you receive a
200 OK
response
code with details about the restored service account, like the following:
{
"restoredAccount": {
"name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com",
"projectId": "my-project",
"uniqueId": "123456789012345678901",
"email": "my-service-account@my-project.iam.gserviceaccount.com",
"displayName": "My service account",
"etag": "BwUp3rVlzes=",
"description": "A service account for running jobs in my project",
"oauth2ClientId": "987654321098765432109"
}
}
What's next
Try it for yourself
If you're new to Google Cloud, create an account to evaluate how our
products perform in real-world scenarios. New customers also get $300 in
free credits to run, test, and deploy workloads.
Get started for free