This page explains how to disable and enable service accounts using the
Identity and Access Management (IAM) API, the Google Cloud console, and the
gcloud CLI.
Before you begin
Required roles
To get the permissions that you need to manage service accounts,
ask your administrator to grant you the Service Account Admin
(roles/iam.serviceAccountAdmin) IAM role on the project.
For more information about granting roles, see Manage access.
You might also be able to get the required permissions through custom roles
or other predefined roles.
To learn more about this role, see Service Accounts roles.
IAM basic roles also contain permissions to manage service
accounts.
You should not grant basic roles in a production environment, but you can grant them in a
development or test environment.
Disable a service account
Similar to deleting a service account, when you disable a service account,
applications will no longer have access to Google Cloud resources
through that service account. If you disable the default App Engine and
Compute Engine service accounts, the instances will no longer have
access to resources in the project. If you attempt to disable an already
disabled service account, it will have no effect.
Unlike deleting a service account, disabled service accounts can easily be
re-enabled as necessary. We recommend disabling a service account before
deleting it to make sure no critical applications are using the service account.
Console
In the Google Cloud console, go to the Service accounts page.
Select a project.
Click the name of the service account that you want to disable.
Under Service account status, click Disable service account, then click Disable to confirm the change.
gcloud
- In the Google Cloud console, activate Cloud Shell.
  At the bottom of the Google Cloud console, a Cloud Shell session starts and
  displays a command-line prompt. Cloud Shell is a shell environment with the
  Google Cloud CLI already installed and with values already set for your
  current project. It can take a few seconds for the session to initialize.
- Execute the gcloud iam service-accounts disable command to disable a service account.
  Command:
      gcloud iam service-accounts disable SA_NAME@PROJECT_ID.iam.gserviceaccount.com
  Output:
      Disabled service account SA_NAME@PROJECT_ID.iam.gserviceaccount.com
REST
The serviceAccounts.disable method immediately disables a service account.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- SA_ID: The ID of your service account. This can either be the service account's email address in the form SA_NAME@PROJECT_ID.iam.gserviceaccount.com, or the service account's unique numeric ID.
HTTP method and URL:
    POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID:disable
To send your request, use one of these options:
curl (Linux, macOS, or Cloud Shell)
Execute the following command:
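    # Replace PROJECT_ID and SA_ID first. The bearer token comes from the
    # active gcloud credentials, and the request body is empty.
    curl -X POST \
         -H "Authorization: Bearer $(gcloud auth print-access-token)" \
         -H "Content-Type: application/json; charset=utf-8" \
         -d "" \
         "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID:disable"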
PowerShell (Windows)
Execute the following command:
    # Replace PROJECT_ID and SA_ID first. The bearer token comes from the
    # active gcloud credentials.
    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
      -Method POST `
      -Headers $headers `
      -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID:disable" | Select-Object -Expand Content
APIs Explorer (browser)
Open the method reference page.
The APIs Explorer panel opens on the right side of the page.
You can interact with this tool to send requests.
Complete any required fields and click Execute.
If successful, the response body will be empty.
Enable a service account
After enabling a disabled service account, applications will regain access to
Google Cloud resources through that service account.
You can enable a disabled service account whenever you need to. If you attempt
to enable an already enabled service account, it will have no effect.
Console
In the Google Cloud console, go to the Service accounts page.
Select a project.
Click the name of the service account that you want to enable.
Under Service account status, click Enable service account, then click Enable to confirm the change.
gcloud
- In the Google Cloud console, activate Cloud Shell.
  At the bottom of the Google Cloud console, a Cloud Shell session starts and
  displays a command-line prompt. Cloud Shell is a shell environment with the
  Google Cloud CLI already installed and with values already set for your
  current project. It can take a few seconds for the session to initialize.
- Execute the gcloud iam service-accounts enable command to enable a service account.
  Command:
      gcloud iam service-accounts enable SA_NAME@PROJECT_ID.iam.gserviceaccount.com
  Output:
      Enabled service account SA_NAME@PROJECT_ID.iam.gserviceaccount.com
REST
The serviceAccounts.enable method enables a previously disabled service account.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- SA_ID: The ID of your service account. This can either be the service account's email address in the form SA_NAME@PROJECT_ID.iam.gserviceaccount.com, or the service account's unique numeric ID.
HTTP method and URL:
    POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID:enable
To send your request, use one of these options:
curl (Linux, macOS, or Cloud Shell)
Execute the following command:
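    # Replace PROJECT_ID and SA_ID first. The bearer token comes from the
    # active gcloud credentials, and the request body is empty.
    curl -X POST \
         -H "Authorization: Bearer $(gcloud auth print-access-token)" \
         -H "Content-Type: application/json; charset=utf-8" \
         -d "" \
         "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID:enable"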
PowerShell (Windows)
Execute the following command:
    # Replace PROJECT_ID and SA_ID first. The bearer token comes from the
    # active gcloud credentials.
    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
      -Method POST `
      -Headers $headers `
      -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID:enable" | Select-Object -Expand Content
APIs Explorer (browser)
Open the method reference page.
The APIs Explorer panel opens on the right side of the page.
You can interact with this tool to send requests.
Complete any required fields and click Execute.
If successful, the response body will be empty.
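The disable and enable commands above, wrapped so that the resulting state is confirmed and the default App Engine and Compute Engine accounts are not disabled by accident. This is an added example, not code from the original page; the function names and the --allow-default switch are hypothetical, it assumes an authenticated gcloud CLI, and the default-account email patterns it matches (PROJECT_ID@appspot.gserviceaccount.com and PROJECT_NUMBER-compute@developer.gserviceaccount.com) are not stated on this page.

```sh
#!/bin/sh
# Added example (hypothetical helper names); requires an authenticated gcloud CLI.

# Classify an email: "user" (user-managed account), "default" (App Engine or
# Compute Engine default account), or "invalid".
sa_kind() {
  case "$1" in
    *@appspot.gserviceaccount.com|*-compute@developer.gserviceaccount.com) echo default ;;
    ?*@?*.iam.gserviceaccount.com) echo user ;;
    *) echo invalid ;;
  esac
}

# Print "disabled" or "enabled" based on the account's `disabled` field,
# which is empty for an enabled account.
sa_state() {
  out=$(gcloud iam service-accounts describe "$1" --format='value(disabled)') || return 1
  case "$out" in [Tt]rue) echo disabled ;; *) echo enabled ;; esac
}

# Usage: sa_set_state disable|enable EMAIL [--allow-default]
# Returns 0 only after the account is confirmed to be in the requested state.
sa_set_state() {
  action=$1 email=$2 allow=${3:-}
  case "$action" in
    disable) want=disabled ;;
    enable)  want=enabled ;;
    *) echo "unknown action: $action" >&2; return 2 ;;
  esac
  kind=$(sa_kind "$email")
  if [ "$kind" = invalid ]; then
    echo "not a service account email: $email" >&2
    return 2
  fi
  # Disabling a default account cuts instances off from project resources,
  # so require an explicit opt-in.
  if [ "$action" = disable ] && [ "$kind" = default ] && [ "$allow" != --allow-default ]; then
    echo "refusing to disable default account $email without --allow-default" >&2
    return 3
  fi
  # Repeating either command on an account already in that state has no effect.
  gcloud iam service-accounts "$action" "$email" --quiet || return 1
  [ "$(sa_state "$email")" = "$want" ]
}
```

Disabling with sa_set_state and watching dependent workloads before deleting follows the page's recommendation; sa_set_state enable is the rollback if something breaks.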