This page explains how to create and manage service accounts using the Identity and Access Management (IAM) API, the Google Cloud console, and the gcloud command-line tool.

By default, each project can have up to 100 service accounts that control access to your resources. You can request a quota increase if necessary. Learn more about quotas and limits.

## Before you begin

- Enable the IAM API.
- Understand IAM service accounts.
- Install the Google Cloud CLI.

### Required roles

To get the permissions that you need to manage service accounts, ask your administrator to grant you the following IAM roles on the project:

- To view service accounts and service account metadata: View Service Accounts (roles/iam.serviceAccountViewer)
- To view and create service accounts: Create Service Accounts (roles/iam.serviceAccountCreator)
- To view and delete service accounts: Delete Service Accounts (roles/iam.serviceAccountDeleter)
- To fully manage service accounts (view, create, update, disable, enable, delete, undelete, and manage access): Service Account Admin (roles/iam.serviceAccountAdmin)

For more information about granting roles, see Manage access. To learn more about these roles, see Service account roles.

IAM basic roles also contain permissions to manage service accounts. You should not grant basic roles in a production environment, but you can grant them in a development or test environment.

## Creating a service account

When you create a service account, you must provide an alphanumeric ID (SA_NAME in the samples below), such as my-service-account. The ID must be between 6 and 30 characters, and can contain lowercase alphanumeric characters and dashes. After you create a service account, you cannot change its name.

The service account's name appears in the email address that is provisioned during creation, in the format SA_NAME@PROJECT_ID.iam.gserviceaccount.com.

Each service account also has a permanent, unique numeric ID, which is generated automatically.

You also provide the following information when you create a service account:

- SA_DESCRIPTION: an optional description of the service account.
- SA_DISPLAY_NAME: a friendly name for the service account.
- PROJECT_ID: the ID of your Google Cloud project.

After you create a service account, you might need to wait for 60 seconds or more before you use the service account. This behavior occurs because read operations are eventually consistent: it can take time for the new service account to become visible. If you try to read or use a service account immediately after you create it and receive an error, you can retry the request with exponential backoff.

### Console

1. In the Google Cloud console, go to the **Create service account** page.
2. Select a Cloud project.
3. Enter a service account name to display in the Google Cloud console. The Google Cloud console generates a service account ID based on this name. Edit the ID if necessary. You cannot change the ID later.
4. Optional: Enter a description of the service account.
5. If you do not want to set access controls now, click **Done** to finish creating the service account. To set access controls now, click **Create and continue** and continue to the next step.
6. Optional: Choose one or more IAM roles to grant to the service account on the project.
7. When you are done adding roles, click **Continue**.
8. Optional: In the **Service account users role** field, add members that can impersonate the service account.
9. Optional: In the **Service account admins role** field, add members that can manage the service account.
10. Click **Done** to finish creating the service account.

### gcloud CLI

To create the service account, run the
`gcloud iam service-accounts create` command:

```sh
gcloud iam service-accounts create SA_NAME \
    --description="DESCRIPTION" \
    --display-name="DISPLAY_NAME"
```

Replace the following values:

- SA_NAME: the name of the service account
- DESCRIPTION: an optional description of the service account
- DISPLAY_NAME: a service account name to display in the Google Cloud console

Optional: To grant the service account an IAM role on your project, run the `gcloud projects add-iam-policy-binding` command:

```sh
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:SA_NAME@PROJECT_ID.iam.gserviceaccount.com" \
    --role="ROLE_NAME"
```

Replace the following values:

- PROJECT_ID: the project ID
- SA_NAME: the name of the service account
- ROLE_NAME: a role name, such as roles/compute.osLogin

Optional: To allow users to impersonate the service account, run the `gcloud iam service-accounts add-iam-policy-binding` command to grant a user the Service Account User role (roles/iam.serviceAccountUser) on the service account:

```sh
gcloud iam service-accounts add-iam-policy-binding \
    SA_NAME@PROJECT_ID.iam.gserviceaccount.com \
    --member="user:USER_EMAIL" \
    --role="roles/iam.serviceAccountUser"
```

Replace the following values:

- PROJECT_ID: the project ID
- SA_NAME: the name of the service account
- USER_EMAIL: the email address for the user

### REST

The `serviceAccounts.create` method creates a service account.

Before using any of the request data, make the following replacements:

- PROJECT_ID: your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- SA_NAME: the alphanumeric ID of your service account. This name must be between 6 and 30 characters, and can contain lowercase alphanumeric characters and dashes.
- SA_DESCRIPTION: optional. A description for the service account.
- SA_DISPLAY_NAME: a human-readable name for the service account.

HTTP method and URL:

```
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts
```

Request JSON body:

```json
{
  "accountId": "SA_NAME",
  "serviceAccount": {
    "description": "SA_DESCRIPTION",
    "displayName": "SA_DISPLAY_NAME"
  }
}
```

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell): Save the request body in a file called request.json, and execute the following command:

```sh
curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts"
```

PowerShell (Windows): Save the request body in a file called request.json, and execute the following command:
```powershell
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts" | Select-Object -Expand Content
```

API Explorer (browser): Copy the request body and open the method reference page. The API Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click **Execute**.

You should receive a JSON response similar to the following:

```json
{
  "name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com",
  "projectId": "my-project",
  "uniqueId": "123456789012345678901",
  "email": "my-service-account@my-project.iam.gserviceaccount.com",
  "displayName": "My service account",
  "etag": "BwUp3rVlzes=",
  "description": "A service account for running jobs in my project",
  "oauth2ClientId": "987654321098765432109"
}
```

### C++

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.

```cpp
#include "google/cloud/iam/iam_client.h"
#include <iostream>
#include <stdexcept>
#include <string>

namespace iam = ::google::cloud::iam;

// Creates a service account with the given ID in the given project.
void CreateServiceAccount(std::string const& project_id,
                          std::string const& account_id,
                          std::string const& display_name,
                          std::string const& description) {
  iam::IAMClient client(iam::MakeIAMConnection());
  google::iam::admin::v1::ServiceAccount service_account;
  service_account.set_display_name(display_name);
  service_account.set_description(description);
  auto response = client.CreateServiceAccount("projects/" + project_id,
                                              account_id, service_account);
  if (!response) throw std::runtime_error(response.status().message());
  std::cout << "ServiceAccount successfully created: "
            << response->DebugString() << "\n";
}
```

### C#

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.
```csharp
using System;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Iam.v1;
using Google.Apis.Iam.v1.Data;

public partial class ServiceAccounts
{
    public static ServiceAccount CreateServiceAccount(string projectId,
        string name, string displayName)
    {
        // Authenticate with Application Default Credentials, scoped to Cloud Platform.
        var credential = GoogleCredential.GetApplicationDefault()
            .CreateScoped(IamService.Scope.CloudPlatform);
        var service = new IamService(new IamService.Initializer
        {
            HttpClientInitializer = credential
        });

        var request = new CreateServiceAccountRequest
        {
            AccountId = name,
            ServiceAccount = new ServiceAccount
            {
                DisplayName = displayName
            }
        };
        var serviceAccount = service.Projects.ServiceAccounts.Create(
            request, "projects/" + projectId).Execute();
        Console.WriteLine("Created service account: " + serviceAccount.Email);
        return serviceAccount;
    }
}
```

### Go

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.

```go
import (
	"context"
	"fmt"
	"io"

	iam "google.golang.org/api/iam/v1"
)

// createServiceAccount creates a service account.
func createServiceAccount(w io.Writer, projectID, name, displayName string) (*iam.ServiceAccount, error) {
	ctx := context.Background()
	service, err := iam.NewService(ctx)
	if err != nil {
		return nil, fmt.Errorf("iam.NewService: %v", err)
	}

	request := &iam.CreateServiceAccountRequest{
		AccountId: name,
		ServiceAccount: &iam.ServiceAccount{
			DisplayName: displayName,
		},
	}
	account, err := service.Projects.ServiceAccounts.Create("projects/"+projectID, request).Do()
	if err != nil {
		return nil, fmt.Errorf("Projects.ServiceAccounts.Create: %v", err)
	}
	fmt.Fprintf(w, "Created service account: %v\n", account)
	return account, nil
}
```

### Java

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
```java
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.iam.v1.Iam;
import com.google.api.services.iam.v1.IamScopes;
import com.google.api.services.iam.v1.model.CreateServiceAccountRequest;
import com.google.api.services.iam.v1.model.ServiceAccount;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;

public class CreateServiceAccount {

  // Creates a service account.
  public static void createServiceAccount(String projectId, String serviceAccountName) {
    // String projectId = "my-project-id";
    // String serviceAccountName = "my-service-account-name";

    Iam service = null;
    try {
      service = initService();
    } catch (IOException | GeneralSecurityException e) {
      System.out.println("Unable to initialize service: " + e.toString());
      return;
    }

    try {
      ServiceAccount serviceAccount = new ServiceAccount();
      serviceAccount.setDisplayName("your-display-name");
      CreateServiceAccountRequest request = new CreateServiceAccountRequest();
      request.setAccountId(serviceAccountName);
      request.setServiceAccount(serviceAccount);

      serviceAccount =
          service.projects().serviceAccounts().create("projects/" + projectId, request).execute();

      System.out.println("Created service account: " + serviceAccount.getEmail());
    } catch (IOException e) {
      System.out.println("Unable to create service account: " + e.toString());
    }
  }

  private static Iam initService() throws GeneralSecurityException, IOException {
    // Use the Application Default Credentials strategy for authentication. For more info, see:
    // https://cloud.google.com/docs/authentication/production#finding_credentials_automatically
    GoogleCredentials credential =
        GoogleCredentials.getApplicationDefault()
            .createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM));
    // Initialize the IAM service, which can be used to send requests to the IAM API.
    Iam service =
        new Iam.Builder(
                GoogleNetHttpTransport.newTrustedTransport(),
                JacksonFactory.getDefaultInstance(),
                new HttpCredentialsAdapter(credential))
            .setApplicationName("service-accounts")
            .build();
    return service;
  }
}
```

### Python

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.

```python
import os

from google.oauth2 import service_account
import googleapiclient.discovery


def create_service_account(project_id, name, display_name):
    """Creates a service account."""

    # Authenticate with the key file named by GOOGLE_APPLICATION_CREDENTIALS,
    # scoped to Cloud Platform.
    credentials = service_account.Credentials.from_service_account_file(
        filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
        scopes=['https://www.googleapis.com/auth/cloud-platform'])

    service = googleapiclient.discovery.build(
        'iam', 'v1', credentials=credentials)

    my_service_account = service.projects().serviceAccounts().create(
        name='projects/' + project_id,
        body={
            'accountId': name,
            'serviceAccount': {
                'displayName': display_name
            }
        }).execute()

    print('Created service account: ' + my_service_account['email'])
    return my_service_account
```

After you create a service account, grant one or more roles to the service account so that it can act on your behalf.

Also, if the service account needs to access resources in other projects, you usually must enable the APIs for those resources in the project in which you created the service account.

## Listing service accounts

You can list service accounts to help you audit service accounts and keys, or as part of custom tooling for managing service accounts.

### Console

1. In the Google Cloud console, go to the **Service accounts** page.
2. Select a project.

The **Service accounts** page lists all the user-managed service accounts in the project that you selected. The page does not list Google-managed service accounts.

### gcloud CLI

Execute the `gcloud iam service-accounts list` command to list all service accounts in a project.

Command:

```sh
gcloud iam service-accounts list
```

The output is the list of all service accounts in the project:

```
NAME                EMAIL
SA_DISPLAY_NAME_1   SA_NAME_1@PROJECT_ID.iam.gserviceaccount.com
SA_DISPLAY_NAME_2   SA_NAME_2@PROJECT_ID.iam.gserviceaccount.com
```

### REST

The `serviceAccounts.list` method lists all service accounts in a project.

Before using any of the request data, make the following replacements:

- PROJECT_ID: your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.

HTTP method and URL:

```
GET https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts
```

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell): Execute the following command:

```sh
curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts"
```

PowerShell (Windows): Execute the following command:
```powershell
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts" | Select-Object -Expand Content
```

API Explorer (browser): Open the method reference page. The API Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click **Execute**.

You should receive a JSON response similar to the following:

```json
{
  "accounts": [
    {
      "name": "projects/my-project/serviceAccounts/my-service-account-1@my-project.iam.gserviceaccount.com",
      "projectId": "my-project",
      "uniqueId": "123456789012345678901",
      "email": "my-service-account-1@my-project.iam.gserviceaccount.com",
      "description": "My first service account",
      "displayName": "Service account 1",
      "etag": "BwUpTsLVUkQ=",
      "oauth2ClientId": "987654321098765432109"
    },
    {
      "name": "projects/my-project/serviceAccounts/my-service-account-2@my-project.iam.gserviceaccount.com",
      "projectId": "my-project",
      "uniqueId": "234567890123456789012",
      "email": "my-service-account-2@my-project.iam.gserviceaccount.com",
      "description": "My second service account",
      "displayName": "Service account 2",
      "etag": "UkQpTwBVUsL=",
      "oauth2ClientId": "876543210987654321098"
    }
  ]
}
```

### C++

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.

```cpp
#include "google/cloud/iam/iam_client.h"
#include <iostream>
#include <stdexcept>
#include <string>

namespace iam = ::google::cloud::iam;

// Lists the service accounts in the given project.
void ListServiceAccounts(std::string const& project_id) {
  iam::IAMClient client(iam::MakeIAMConnection());
  int count = 0;
  for (auto const& sa : client.ListServiceAccounts("projects/" + project_id)) {
    if (!sa) throw std::runtime_error(sa.status().message());
    std::cout << "ServiceAccount successfully retrieved: " << sa->name() << "\n";
    ++count;
  }
  if (count == 0) {
    std::cout << "No service accounts found in project: " << project_id << "\n";
  }
}
```

### C#

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.
```csharp
using System;
using System.Collections.Generic;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Iam.v1;
using Google.Apis.Iam.v1.Data;

public partial class ServiceAccounts
{
    public static IList<ServiceAccount> ListServiceAccounts(string projectId)
    {
        // Authenticate with Application Default Credentials, scoped to Cloud Platform.
        var credential = GoogleCredential.GetApplicationDefault()
            .CreateScoped(IamService.Scope.CloudPlatform);
        var service = new IamService(new IamService.Initializer
        {
            HttpClientInitializer = credential
        });

        var response = service.Projects.ServiceAccounts.List(
            "projects/" + projectId).Execute();
        foreach (ServiceAccount account in response.Accounts)
        {
            Console.WriteLine("Name: " + account.Name);
            Console.WriteLine("Display Name: " + account.DisplayName);
            Console.WriteLine("Email: " + account.Email);
            Console.WriteLine();
        }
        return response.Accounts;
    }
}
```

### Go

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.

```go
import (
	"context"
	"fmt"
	"io"

	iam "google.golang.org/api/iam/v1"
)

// listServiceAccounts lists a project's service accounts.
func listServiceAccounts(w io.Writer, projectID string) ([]*iam.ServiceAccount, error) {
	ctx := context.Background()
	service, err := iam.NewService(ctx)
	if err != nil {
		return nil, fmt.Errorf("iam.NewService: %v", err)
	}

	response, err := service.Projects.ServiceAccounts.List("projects/" + projectID).Do()
	if err != nil {
		return nil, fmt.Errorf("Projects.ServiceAccounts.List: %v", err)
	}
	for _, account := range response.Accounts {
		fmt.Fprintf(w, "Listing service account: %v\n", account.Name)
	}
	return response.Accounts, nil
}
```

### Java

To learn how to install and use the client library for IAM, see IAM client libraries.
For more information, see the IAM Java API reference documentation.

```java
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.iam.v1.Iam;
import com.google.api.services.iam.v1.IamScopes;
import com.google.api.services.iam.v1.model.ListServiceAccountsResponse;
import com.google.api.services.iam.v1.model.ServiceAccount;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;
import java.util.List;

public class ListServiceAccounts {

  // Lists all service accounts for the current project.
  public static void listServiceAccounts(String projectId) {
    // String projectId = "my-project-id";

    Iam service = null;
    try {
      service = initService();
    } catch (IOException | GeneralSecurityException e) {
      System.out.println("Unable to initialize service: " + e.toString());
      return;
    }

    try {
      ListServiceAccountsResponse response =
          service.projects().serviceAccounts().list("projects/" + projectId).execute();
      List<ServiceAccount> serviceAccounts = response.getAccounts();

      for (ServiceAccount account : serviceAccounts) {
        System.out.println("Name: " + account.getName());
        System.out.println("Display Name: " + account.getDisplayName());
        System.out.println("Email: " + account.getEmail());
        System.out.println();
      }
    } catch (IOException e) {
      System.out.println("Unable to list service accounts: " + e.toString());
    }
  }

  private static Iam initService() throws GeneralSecurityException, IOException {
    // Use the Application Default Credentials strategy for authentication. For more info, see:
    // https://cloud.google.com/docs/authentication/production#finding_credentials_automatically
    GoogleCredentials credential =
        GoogleCredentials.getApplicationDefault()
            .createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM));
    // Initialize the IAM service, which can be used to send requests to the IAM API.
    Iam service =
        new Iam.Builder(
                GoogleNetHttpTransport.newTrustedTransport(),
                JacksonFactory.getDefaultInstance(),
                new HttpCredentialsAdapter(credential))
            .setApplicationName("service-accounts")
            .build();
    return service;
  }
}
```

### Python

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.

```python
import os

from google.oauth2 import service_account
import googleapiclient.discovery


def list_service_accounts(project_id):
    """Lists all service accounts for the current project."""

    credentials = service_account.Credentials.from_service_account_file(
        filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
        scopes=['https://www.googleapis.com/auth/cloud-platform'])

    service = googleapiclient.discovery.build(
        'iam', 'v1', credentials=credentials)

    service_accounts = service.projects().serviceAccounts().list(
        name='projects/' + project_id).execute()

    for account in service_accounts['accounts']:
        print('Name: ' + account['name'])
        print('Email: ' + account['email'])
        print(' ')
    return service_accounts
```

## Updating a service account

The display name (friendly name) and description of a service account are commonly used to capture additional information about the service account, such as the purpose of the service account or a contact person for the account.

### Console

1. In the Google Cloud console, go to the **Service accounts** page.
2. Select a project.
3. Click the email address of the service account that you want to rename.
4. Enter the new name in the **Name** box, then click **Save**.

### gcloud CLI

Execute the `gcloud iam service-accounts update` command to update a service account.

Command:

```sh
gcloud iam service-accounts update \
    SA_NAME@PROJECT_ID.iam.gserviceaccount.com \
    --description="UPDATED_SA_DESCRIPTION" \
    --display-name="UPDATED_DISPLAY_NAME"
```

The output is the renamed service account:

```
description: UPDATED_SA_DESCRIPTION
displayName: UPDATED_DISPLAY_NAME
name: projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com
```

### REST

The
`serviceAccounts.patch` method updates a service account.

Before using any of the request data, make the following replacements:

- PROJECT_ID: your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- SA_ID: the ID of your service account. This can either be the service account's email address in the form SA_NAME@PROJECT_ID.iam.gserviceaccount.com, or the service account's unique numeric ID.
- SA_NAME: the alphanumeric ID of your service account. This name must be between 6 and 30 characters, and can contain lowercase alphanumeric characters and dashes.
- Replace at least one of the following:
  - UPDATED_DISPLAY_NAME: a new display name for your service account.
  - UPDATED_DESCRIPTION: a new description for your service account.

HTTP method and URL:

```
PATCH https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID
```

Request JSON body:

```json
{
  "serviceAccount": {
    "email": "SA_NAME@PROJECT_ID.iam.gserviceaccount.com",
    "displayName": "UPDATED_DISPLAY_NAME",
    "description": "UPDATED_DESCRIPTION"
  },
  "updateMask": "displayName,description"
}
```

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell): Save the request body in a file called request.json, and execute the following command:

```sh
curl -X PATCH \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID"
```

PowerShell (Windows): Save the request body in a file called request.json, and execute the following command:

```powershell
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID" | Select-Object -Expand Content
```

API Explorer (browser): Copy the request body and open the method reference page. The API Explorer
panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click **Execute**.

You should receive a JSON response similar to the following:

```json
{
  "name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com",
  "displayName": "My updated service account",
  "description": "An updated description of my service account"
}
```

### C++

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.

```cpp
#include "google/cloud/iam/iam_client.h"
#include <google/protobuf/field_mask.pb.h>
#include <iostream>
#include <stdexcept>
#include <string>

namespace iam = ::google::cloud::iam;

// Updates the display name of the service account with the given resource
// name; the update mask limits the patch to that one field.
void PatchServiceAccount(std::string const& name,
                         std::string const& display_name) {
  iam::IAMClient client(iam::MakeIAMConnection());
  google::iam::admin::v1::PatchServiceAccountRequest request;
  google::iam::admin::v1::ServiceAccount service_account;
  service_account.set_name(name);
  service_account.set_display_name(display_name);
  google::protobuf::FieldMask update_mask;
  *update_mask.add_paths() = "display_name";
  *request.mutable_service_account() = service_account;
  *request.mutable_update_mask() = update_mask;
  auto response = client.PatchServiceAccount(request);
  if (!response) throw std::runtime_error(response.status().message());
  std::cout << "ServiceAccount successfully updated: "
            << response->DebugString() << "\n";
}
```

### C#

To learn how to install and use the client library for IAM, see IAM client libraries.
For more information, see the IAM C# API reference documentation.

```csharp
using System;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Iam.v1;
using Google.Apis.Iam.v1.Data;

public partial class ServiceAccounts
{
    public static ServiceAccount RenameServiceAccount(string email,
        string newDisplayName)
    {
        var credential = GoogleCredential.GetApplicationDefault()
            .CreateScoped(IamService.Scope.CloudPlatform);
        var service = new IamService(new IamService.Initializer
        {
            HttpClientInitializer = credential
        });

        // First, get a ServiceAccount using List() or Get().
        string resource = "projects/-/serviceAccounts/" + email;
        var serviceAccount = service.Projects.ServiceAccounts.Get(resource)
            .Execute();

        // Then you can update the display name.
        serviceAccount.DisplayName = newDisplayName;
        serviceAccount = service.Projects.ServiceAccounts.Update(
            serviceAccount, resource).Execute();

        Console.WriteLine($"Updated display name for {serviceAccount.Email} " +
            "to: " + serviceAccount.DisplayName);
        return serviceAccount;
    }
}
```

### Go

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.

```go
import (
	"context"
	"fmt"
	"io"

	iam "google.golang.org/api/iam/v1"
)

// renameServiceAccount renames a service account.
func renameServiceAccount(w io.Writer, email, newDisplayName string) (*iam.ServiceAccount, error) {
	ctx := context.Background()
	service, err := iam.NewService(ctx)
	if err != nil {
		return nil, fmt.Errorf("iam.NewService: %v", err)
	}

	// First, get a ServiceAccount using List() or Get().
	resource := "projects/-/serviceAccounts/" + email
	serviceAccount, err := service.Projects.ServiceAccounts.Get(resource).Do()
	if err != nil {
		return nil, fmt.Errorf("Projects.ServiceAccounts.Get: %v", err)
	}

	// Then you can update the display name.
	serviceAccount.DisplayName = newDisplayName
	serviceAccount, err = service.Projects.ServiceAccounts.Update(resource, serviceAccount).Do()
	if err != nil {
		return nil, fmt.Errorf("Projects.ServiceAccounts.Update: %v", err)
	}

	fmt.Fprintf(w, "Updated service account: %v\n", serviceAccount.Email)
	return serviceAccount, nil
}
```

### Java

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.

```java
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.iam.v1.Iam;
import com.google.api.services.iam.v1.IamScopes;
import com.google.api.services.iam.v1.model.ServiceAccount;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;

public class RenameServiceAccount {

  // Changes a service account's display name.
  public static void renameServiceAccount(String projectId, String serviceAccountName) {
    // String projectId = "my-project-id";
    // String serviceAccountName = "my-service-account-name";

    Iam service = null;
    try {
      service = initService();
    } catch (IOException | GeneralSecurityException e) {
      System.out.println("Unable to initialize service: " + e.toString());
      return;
    }

    String serviceAccountEmail = serviceAccountName + "@" + projectId + ".iam.gserviceaccount.com";

    try {
      // First, get a service account using List() or Get().
      ServiceAccount serviceAccount =
          service
              .projects()
              .serviceAccounts()
              .get("projects/-/serviceAccounts/" + serviceAccountEmail)
              .execute();

      // Then you can update the display name.
      serviceAccount.setDisplayName("your-new-display-name");
      serviceAccount =
          service
              .projects()
              .serviceAccounts()
              .update(serviceAccount.getName(), serviceAccount)
              .execute();

      System.out.println(
          "Updated display name for "
              + serviceAccount.getName()
              + " to: "
              + serviceAccount.getDisplayName());
    } catch (IOException e) {
      System.out.println("Unable to rename service account: " + e.toString());
    }
  }

  private static Iam initService() throws GeneralSecurityException, IOException {
    // Use the Application Default Credentials strategy for authentication. For more info, see:
    // https://cloud.google.com/docs/authentication/production#finding_credentials_automatically
    GoogleCredentials credential =
        GoogleCredentials.getApplicationDefault()
            .createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM));
    // Initialize the IAM service, which can be used to send requests to the IAM API.
    Iam service =
        new Iam.Builder(
                GoogleNetHttpTransport.newTrustedTransport(),
                JacksonFactory.getDefaultInstance(),
                new HttpCredentialsAdapter(credential))
            .setApplicationName("service-accounts")
            .build();
    return service;
  }
}
```

### Python

To learn how to install and use the client library for IAM, see IAM client libraries.
For more information, see the IAM Python API reference documentation.

```python
import os

from google.oauth2 import service_account
import googleapiclient.discovery


def rename_service_account(email, new_display_name):
    """Changes a service account's display name."""

    # First, get a service account using List() or Get().
    credentials = service_account.Credentials.from_service_account_file(
        filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
        scopes=['https://www.googleapis.com/auth/cloud-platform'])

    service = googleapiclient.discovery.build(
        'iam', 'v1', credentials=credentials)

    resource = 'projects/-/serviceAccounts/' + email

    my_service_account = service.projects().serviceAccounts().get(
        name=resource).execute()

    # Then you can update the display name.
    my_service_account['displayName'] = new_display_name
    my_service_account = service.projects().serviceAccounts().update(
        name=resource, body=my_service_account).execute()

    print('Updated display name for {} to: {}'.format(
        my_service_account['email'], my_service_account['displayName']))
    return my_service_account
```

## Disabling a service account

Similar to deleting a service account, when you disable a service account, applications will no longer have access to Google Cloud resources through that service account. If you disable the default App Engine and Compute Engine service accounts, the instances will no longer have access to resources in the project. If you attempt to disable an already disabled service account, it will have no effect.

Unlike deleting a service account, disabled service accounts can easily be re-enabled as necessary.
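The listing section above notes that a list of service accounts is a starting point for an audit, and this section states that disabling an already disabled account has no effect. The following Python is an added example, not code from this page or from Google: it parses a constructed `serviceAccounts.list` response in the shape the page shows, reports accounts that lack a description (the field the update section says should record purpose or a contact) or are already disabled, and turns a set of emails into the `projects/-/serviceAccounts/EMAIL` names that the disable call takes, dropping accounts for which the call would be a no-op. The `disabled` field is an assumption: the IAM ServiceAccount resource carries it, but the page's sample response does not show it.

```python
"""Audit a serviceAccounts.list response and plan which accounts to disable.

Added example, not code from the Google Cloud documentation page. The sample
response is constructed in the shape of the page's list response; the
`disabled` boolean on each account is assumed (the ServiceAccount resource
carries it, but the page's sample response does not show it).
"""
import json

SA_DOMAIN = ".iam.gserviceaccount.com"

# Constructed sample in the shape of the page's list response, plus `disabled`.
SAMPLE_LIST_RESPONSE = json.dumps({
    "accounts": [
        {
            "name": "projects/my-project/serviceAccounts/my-service-account-1@my-project.iam.gserviceaccount.com",
            "projectId": "my-project",
            "uniqueId": "123456789012345678901",
            "email": "my-service-account-1@my-project.iam.gserviceaccount.com",
            "description": "My first service account",
            "displayName": "Service account 1",
            "etag": "BwUpTsLVUkQ=",
            "oauth2ClientId": "987654321098765432109",
        },
        {
            "name": "projects/my-project/serviceAccounts/my-service-account-2@my-project.iam.gserviceaccount.com",
            "projectId": "my-project",
            "uniqueId": "234567890123456789012",
            "email": "my-service-account-2@my-project.iam.gserviceaccount.com",
            "displayName": "Service account 2",
            "etag": "UkQpTwBVUsL=",
            "oauth2ClientId": "876543210987654321098",
            "disabled": True,
        },
    ]
})


def parse_accounts(response_json):
    """Return the accounts array of a list response; a project with none yields []."""
    return json.loads(response_json).get("accounts", [])


def resource_name(email):
    """Name accepted by get/update/disable; '-' stands for the project, as in the page's samples."""
    return "projects/-/serviceAccounts/" + email


def audit_accounts(accounts, project_id):
    """Map each email to a list of findings; an empty list means nothing to report."""
    findings = {}
    for account in accounts:
        email = account["email"]
        notes = []
        if not account.get("description"):
            notes.append("missing description")   # page: description records purpose/contact
        if account.get("disabled", False):
            notes.append("disabled")              # still exists; can be re-enabled or deleted
        if not email.endswith("@" + project_id + SA_DOMAIN):
            notes.append("email not in this project's user-managed format")
        findings[email] = notes
    return findings


def plan_disable(accounts, emails):
    """Resource names to pass to serviceAccounts.disable, skipping no-op calls."""
    by_email = {account["email"]: account for account in accounts}
    plan = []
    for email in emails:
        if email not in by_email:
            raise KeyError(f"unknown service account {email}")
        if by_email[email].get("disabled", False):
            continue                              # page: disabling a disabled account has no effect
        plan.append(resource_name(email))
    return plan


if __name__ == "__main__":
    inventory = parse_accounts(SAMPLE_LIST_RESPONSE)
    for email, notes in audit_accounts(inventory, "my-project").items():
        print(email, notes or ["ok"])
    print(plan_disable(inventory, [account["email"] for account in inventory]))
```

Run against a real project, `SAMPLE_LIST_RESPONSE` would be replaced by the body returned from the `GET .../projects/PROJECT_ID/serviceAccounts` request shown earlier; the functions do not depend on network access.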
We recommend disabling a service account before deleting it to make sure no critical applications are using the service account.

### Console

1. In the Google Cloud console, go to the **Service accounts** page.
2. Select a project.
3. Click the name of the service account that you want to disable.
4. Under **Service account status**, click **Disable service account**, then click **Disable** to confirm the change.

### gcloud CLI

Execute the `gcloud iam service-accounts disable` command to disable a service account.

Command:

```sh
gcloud iam service-accounts disable SA_NAME@PROJECT_ID.iam.gserviceaccount.com
```

Output:

```
Disabled service account SA_NAME@PROJECT_ID.iam.gserviceaccount.com
```

### REST

The `serviceAccounts.disable` method immediately disables a service account.

Before using any of the request data, make the following replacements:

- PROJECT_ID: your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
- SA_ID: the ID of your service account. This can either be the service account's email address in the form SA_NAME@PROJECT_ID.iam.gserviceaccount.com, or the service account's unique numeric ID.

HTTP method and URL:

```
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID:disable
```

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell): Execute the following command:

```sh
curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d "" \
    "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID:disable"
```

PowerShell (Windows): Execute the following command:

```powershell
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID:disable" | Select-Object -Expand Content
```

API Explorer (browser): Open the method reference page. The API Explorer panel opens on the right side of the page. You can interact with this tool to send requests.
Complete any required fields and click **Execute**. If successful, the response body will be empty.

### C++

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.

```cpp
#include "google/cloud/iam/iam_client.h"
#include <iostream>
#include <stdexcept>
#include <string>

namespace iam = ::google::cloud::iam;

// Disables the service account with the given resource name.
void DisableServiceAccount(std::string const& name) {
  iam::IAMClient client(iam::MakeIAMConnection());
  google::iam::admin::v1::DisableServiceAccountRequest request;
  request.set_name(name);
  auto response = client.DisableServiceAccount(request);
  if (!response.ok()) throw std::runtime_error(response.message());
  std::cout << "ServiceAccount successfully disabled.\n";
}
```

### C#

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.

```csharp
using System;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Iam.v1;
using Google.Apis.Iam.v1.Data;

public partial class ServiceAccounts
{
    public static void DisableServiceAccount(string email)
    {
        var credential = GoogleCredential.GetApplicationDefault()
            .CreateScoped(IamService.Scope.CloudPlatform);
        var service = new IamService(new IamService.Initializer
        {
            HttpClientInitializer = credential
        });

        var request = new DisableServiceAccountRequest();
        string resource = "projects/-/serviceAccounts/" + email;
        service.Projects.ServiceAccounts.Disable(request, resource).Execute();
        Console.WriteLine("Disabled service account: " + email);
    }
}
```

### Go

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.

```go
import (
	"context"
	"fmt"
	"io"

	iam "google.golang.org/api/iam/v1"
)

// disableServiceAccount disables a service account.
func disableServiceAccount(w io.Writer, email string) error {
	// email: the service account's address, SA_NAME@PROJECT_ID.iam.gserviceaccount.com
	ctx := context.Background()
	service, err := iam.NewService(ctx)
	if err != nil {
		return fmt.Errorf("iam.NewService: %v", err)
	}

	request := &iam.DisableServiceAccountRequest{}
	_, err = service.Projects.ServiceAccounts.Disable("projects/-/serviceAccounts/"+email, request).Do()
	if err != nil {
		return fmt.Errorf("Projects.ServiceAccounts.Disable: %v", err)
	}
	fmt.Fprintf(w, "Disabled service account: %v\n", email)
	return nil
}
```

### Java

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.

```java
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.iam.v1.Iam;
import com.google.api.services.iam.v1.IamScopes;
import com.google.api.services.iam.v1.model.DisableServiceAccountRequest;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;

public class DisableServiceAccount {

  // Disables a service account.
  public static void disableServiceAccount(String projectId, String serviceAccountName) {
    // String projectId = "my-project-id";
    // String serviceAccountName = "my-service-account-name";

    Iam service = null;
    try {
      service = initService();
    } catch (IOException | GeneralSecurityException e) {
      System.out.println("Unable to initialize service: " + e.toString());
      return;
    }

    String serviceAccountEmail = serviceAccountName + "@" + projectId + ".iam.gserviceaccount.com";

    try {
      DisableServiceAccountRequest request = new DisableServiceAccountRequest();
      service
          .projects()
          .serviceAccounts()
          .disable("projects/-/serviceAccounts/" + serviceAccountEmail, request)
          .execute();

      System.out.println("Disabled service account: " + serviceAccountEmail);
    } catch (IOException e) {
      System.out.println("Unable to disable service account: " + e.toString());
    }
  }

  private static Iam initService() throws GeneralSecurityException, IOException {
    // Use the Application Default Credentials strategy for authentication. For more info, see:
    // https://cloud.google.com/docs/authentication/production#finding_credentials_automatically
    GoogleCredentials credential =
        GoogleCredentials.getApplicationDefault()
            .createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM));
    // Initialize the IAM service, which can be used to send requests to the IAM API.
    Iam service =
        new Iam.Builder(
                GoogleNetHttpTransport.newTrustedTransport(),
                JacksonFactory.getDefaultInstance(),
                new HttpCredentialsAdapter(credential))
            .setApplicationName("service-accounts")
            .build();
    return service;
  }
}
```

### Python

To learn how to install and use the client library for IAM, see IAM client libraries.
For more information, see the IAM Python API reference documentation import os from google.oauth2 import service_account import googleapiclient.discovery def disable_service_account(email): Disables a service account credentials = service_account.Credentials.from_service_account_file( filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS scopeshttpswww.googleapis.com/auth/cloud-platform service = googleapiclient.discovery.build( 'iam', 'v1', credentials=credentials) service.projectsserviceAccountsdisable( name='projectsserviceAccounts/' + email).execute() print("Disabled service account :" + email) ## Enabling a service account After enabling a disabled service account, applications will regain access to Google Cloud resources through that service account You can enable a disabled service account whenever you need to. If you attempt to enable an already enabled service account, it will have no effect Console In the Google Cloud console, go to the Service accountspage Select a project Click the name of the service account that you want to enable Under Service account status, click Enable service account, then click Enableto confirm the change gcloud CLI Execute the gcloud iam service-accounts enable command to enable a service account Command: gcloud iam service-accounts enable SA_NAME@ PROJECT_ID.iam.gserviceaccount.com Output: Enabled service account SA_NAME@ PROJECT_ID.iam.gserviceaccount.com REST The serviceAccounts.enable method enables a previously disabled service account Before using any of the request data, make the following replacements: : Your Google Cloud project ID. Project IDs are alphanumeric strings, like PROJECT_ID my-project : The ID of your service account. 
This can either be the service account's email address in the form SA_ID , or the service account's unique numeric ID SA_NAME@ PROJECT_ID.iam.gserviceaccount.com HTTP method and URL: POST httpsiam.googleapis.com/v1/projects/ PROJECT_ID/serviceAccounts/ SA_ID:enable To send your request, expand one of these options: curl (Linux, macOS, or Cloud Shell) Execute the following command: curl -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json; charset=utf-8" -d "" "httpsiam.googleapis.com/v1/projects/ PROJECT_ID/serviceAccounts/ SA_ID:enable" PowerShell (Windows) Execute the following command: $cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method POST ` -Headers $headers ` -Uri "httpsiam.googleapis.com/v1/projects/ PROJECT_ID/serviceAccounts/ SA_ID:enable" | Select-Object -Expand Content API Explorer (browser) Open the method reference page The API Explorer panel opens on the right side of the page You can interact with this tool to send requests Complete any required fields and click **Execute** If successful, the response body will be empty C++ To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation namespace iam = ::google::cloud::iam; std::string const& name) { iam::IAMClient client(iam::MakeIAMConnection google::iam::admin::v1::EnableServiceAccountRequest request; request.set_name(name); auto response = client.EnableServiceAccount(request); if (!response.ok throw std::runtime_error(response.message std::cout << "ServiceAccount successfully enabled. "; } C# To learn how to install and use the client library for IAM, see IAM client libraries. 
For more information, see the IAM C# API reference documentation using System; using Google.Apis.Auth.OAuth2; using Google.Apis.Iam.v1; using Google.Apis.Iam.v1.Data; public partial class ServiceAccounts { public static void EnableServiceAccount(string email) { var credential = GoogleCredential.GetApplicationDefault() .CreateScoped(IamService.Scope.CloudPlatform); var service = new IamService(new IamService.Initializer { HttpClientInitializer = credentialvar request = new EnableServiceAccountRequest string resource = "projectsserviceAccounts/" + email; service.Projects.ServiceAccounts.Enable(request, resource).Execute Console.WriteLine("Enabled service account: " + email); } } Go To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation import ( "context" "fmt" "io" iam "google.golang.org/api/iam/v1" ) // enableServiceAccount enables a service account. func enableServiceAccount(w io.Writer, email string) error { // email:= [email protected] ctx := context.Background() service, err := iam.NewService(ctx) if err != nil { return fmt.Errorf("iam.NewService: %v", err) } request := &iam.EnableServiceAccountRequest{} _, err = service.Projects.ServiceAccounts.Enable("projectsserviceAccountsemail, request).Do() if err != nil { return fmt.Errorf("Projects.ServiceAccounts.Enable: %v", err) } fmt.Fprintf(w, "Enabled service account: %v", email) return nil } Java To learn how to install and use the client library for IAM, see IAM client libraries. 
For more information, see the IAM Java API reference documentation import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport; import com.google.api.client.json.jackson2.JacksonFactory; import com.google.api.services.iam.v1.Iam; import com.google.api.services.iam.v1.IamScopes; import com.google.api.services.iam.v1.model.EnableServiceAccountRequest; import com.google.auth.http.HttpCredentialsAdapter; import com.google.auth.oauth2.GoogleCredentials; import java.io.IOException; import java.security.GeneralSecurityException; import java.util.Collections; public class EnableServiceAccount { // Enables a service account. public static void enableServiceAccount(String projectId, String serviceAccountName) { // String projectId = "my-project-id"; // String serviceAccountName = "my-service-account-name"; Iam service = null; try { service = initService } catch (IOException | GeneralSecurityException e) { System.out.println("Unable to initialize service: " + e.toString return; } String serviceAccountEmail = serviceAccountName ++ projectId + ".iam.gserviceaccount.com"; try { EnableServiceAccountRequest request = new EnableServiceAccountRequest service .projects() .serviceAccounts() .enable("projectsserviceAccounts/" + serviceAccountEmail, request) .execute System.out.println("Enabled service account: " + serviceAccountEmail); } catch (IOException e) { System.out.println("Unable to enable service account: " + e.toString } } private static Iam initService() throws GeneralSecurityException, IOException { // Use the Application Default Credentials strategy for authentication. For more info, see: // httpscloud.google.com/docs/authentication/production#finding_credentials_automatically GoogleCredentials credential = GoogleCredentials.getApplicationDefault() .createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM // Initialize the IAM service, which can be used to send requests to the IAM API. 
Iam service = new Iam.Builder( GoogleNetHttpTransport.newTrustedTransport JacksonFactory.getDefaultInstance new HttpCredentialsAdapter(credential)) .setApplicationName("service-accounts") .build return service; } } Python To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation import os from google.oauth2 import service_account import googleapiclient.discovery def enable_service_account(email): Enables a service account credentials = service_account.Credentials.from_service_account_file( filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS scopeshttpswww.googleapis.com/auth/cloud-platform service = googleapiclient.discovery.build( 'iam', 'v1', credentials=credentials) service.projectsserviceAccountsenable( name='projectsserviceAccounts/' + email).execute() print("Enabled service account :" + email) ## Deleting a service account When you delete a service account, applications will no longer have access to Google Cloud resources through that service account. If you delete the default App Engine and Compute Engine service accounts, the instances will no longer have access to resources in the project Delete with caution; make sure your critical applications are no longer using a service account before deleting it. If you're not sure whether a service account is being used, we recommend disabling the service account before deleting it. Disabled service accounts can be easily re-enabled if they are still in use If you delete a service account, then create a new service account with the same name, the new service account is treated as a separate identity; it does not inherit the roles granted to the deleted service account. 
In contrast, when you delete a service account, then undelete it, the service account's identity does not change, and the service account retains its roles.

When a service account is deleted, its role bindings are not immediately removed; they are automatically purged from the system after a maximum of 60 days. Until that time, the service account appears in role bindings with a `deleted:` prefix and a `?uid=NUMERIC_ID` suffix, where `NUMERIC_ID` is a unique numeric ID for the service account.

Deleted service accounts do not count towards your service account quota.

#### Console

1. In the Google Cloud console, go to the **Service accounts** page.
2. Select a project.
3. Select the service account you want to delete, and then click **Delete**.

#### gcloud CLI

Execute the `gcloud iam service-accounts delete` command to delete a service account.

Command:

```bash
gcloud iam service-accounts delete SA_NAME@PROJECT_ID.iam.gserviceaccount.com
```

Output:

```
Deleted service account SA_NAME@PROJECT_ID.iam.gserviceaccount.com
```

#### REST

The `serviceAccounts.delete` method deletes a service account.

Before using any of the request data, make the following replacements:

- `PROJECT_ID`: Your Google Cloud project ID. Project IDs are alphanumeric strings, like `my-project`.
- `SA_ID`: The ID of your service account. This can either be the service account's email address in the form `SA_NAME@PROJECT_ID.iam.gserviceaccount.com`, or the service account's unique numeric ID.

HTTP method and URL:

```
DELETE https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID
```

To send your request, use one of these options:

**curl (Linux, macOS, or Cloud Shell)**

Execute the following command:

```bash
curl -X DELETE \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID"
```

**PowerShell (Windows)**

Execute the following command:

```powershell
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method DELETE `
  -Headers $headers `
  -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID" | Select-Object -Expand Content
```

**API Explorer (browser)**

Open the method reference page. The API Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click **Execute**.

If successful, the response body is empty.

#### C++

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.

```cpp
#include "google/cloud/iam/iam_client.h"
#include <iostream>
#include <stdexcept>
#include <string>

namespace iam = ::google::cloud::iam;
// Deletes the service account identified by its full resource name.
auto delete_service_account = [](std::string const& name) {
  iam::IAMClient client(iam::MakeIAMConnection());
  auto response = client.DeleteServiceAccount(name);
  if (!response.ok()) throw std::runtime_error(response.message());
  std::cout << "ServiceAccount successfully deleted.\n";
};
```

#### C#

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.

```csharp
using System;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Iam.v1;

public partial class ServiceAccounts
{
    public static void DeleteServiceAccount(string email)
    {
        var credential = GoogleCredential.GetApplicationDefault()
            .CreateScoped(IamService.Scope.CloudPlatform);
        var service = new IamService(new IamService.Initializer
        {
            HttpClientInitializer = credential
        });

        string resource = "projects/-/serviceAccounts/" + email;
        service.Projects.ServiceAccounts.Delete(resource).Execute();
        Console.WriteLine("Deleted service account: " + email);
    }
}
```

#### Go

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.

```go
package snippets

import (
	"context"
	"fmt"
	"io"

	iam "google.golang.org/api/iam/v1"
)

// deleteServiceAccount deletes a service account.
func deleteServiceAccount(w io.Writer, email string) error {
	ctx := context.Background()
	service, err := iam.NewService(ctx)
	if err != nil {
		return fmt.Errorf("iam.NewService: %v", err)
	}

	_, err = service.Projects.ServiceAccounts.Delete("projects/-/serviceAccounts/" + email).Do()
	if err != nil {
		return fmt.Errorf("Projects.ServiceAccounts.Delete: %v", err)
	}
	fmt.Fprintf(w, "Deleted service account: %v", email)
	return nil
}
```

#### Java

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.

```java
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.iam.v1.Iam;
import com.google.api.services.iam.v1.IamScopes;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;

public class DeleteServiceAccount {

  // Deletes a service account.
  public static void deleteServiceAccount(String projectId, String serviceAccountName) {
    // String projectId = "my-project-id";
    // String serviceAccountName = "my-service-account-name";

    Iam service = null;
    try {
      service = initService();
    } catch (IOException | GeneralSecurityException e) {
      System.out.println("Unable to initialize service: " + e.toString());
      return;
    }

    String serviceAccountEmail = serviceAccountName + "@" + projectId + ".iam.gserviceaccount.com";
    try {
      service
          .projects()
          .serviceAccounts()
          .delete("projects/-/serviceAccounts/" + serviceAccountEmail)
          .execute();

      System.out.println("Deleted service account: " + serviceAccountEmail);
    } catch (IOException e) {
      System.out.println("Unable to delete service account: " + e.toString());
    }
  }

  private static Iam initService() throws GeneralSecurityException, IOException {
    // Use the Application Default Credentials strategy for authentication. For more info, see:
    // https://cloud.google.com/docs/authentication/production#finding_credentials_automatically
    GoogleCredentials credential =
        GoogleCredentials.getApplicationDefault()
            .createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM));
    // Initialize the IAM service, which can be used to send requests to the IAM API.
    Iam service =
        new Iam.Builder(
                GoogleNetHttpTransport.newTrustedTransport(),
                JacksonFactory.getDefaultInstance(),
                new HttpCredentialsAdapter(credential))
            .setApplicationName("service-accounts")
            .build();
    return service;
  }
}
```

#### Python

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.

```python
import os

from google.oauth2 import service_account
import googleapiclient.discovery


def delete_service_account(email):
    """Deletes a service account."""

    credentials = service_account.Credentials.from_service_account_file(
        filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
        scopes=['https://www.googleapis.com/auth/cloud-platform'])

    service = googleapiclient.discovery.build(
        'iam', 'v1', credentials=credentials)

    service.projects().serviceAccounts().delete(
        name='projects/-/serviceAccounts/' + email).execute()

    print('Deleted service account: ' + email)
```

## Undeleting a service account

In some cases, you can use the undelete command to undelete a deleted service account. You can usually undelete a deleted service account if it meets these criteria:

- The service account was deleted less than 30 days ago. After 30 days, IAM permanently removes the service account. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.
- There is no existing service account with the same name as the deleted service account.

  For example, suppose that you accidentally delete the service account `my-service-account@my-project.iam.gserviceaccount.com`. You still need a service account with that name, so you create a new service account with the same name, `my-service-account@my-project.iam.gserviceaccount.com`.

  The new service account does not inherit the permissions of the deleted service account. In effect, it is completely separate from the deleted service account. However, you cannot undelete the original service account, because the new service account has the same name.

  To address this issue, delete the new service account, then try to undelete the original service account.

If you are not able to undelete the service account, you can create a new service account with the same name; revoke all of the roles from the deleted service account; and grant the same roles to the new service account.
For details, see Policies with deleted principals.

### Finding a deleted service account's numeric ID

When you undelete a service account, you must provide its numeric ID. The numeric ID is a 21-digit number, such as `123456789012345678901`, that uniquely identifies the service account. For example, if you delete a service account, then create a new service account with the same name, the original service account and the new service account will have different numeric IDs.

If you know that a binding in an allow policy includes the deleted service account, you can get the allow policy, then find the numeric ID in the allow policy. The numeric ID is appended to the name of the deleted service account. For example, in this allow policy, the numeric ID for the deleted service account is `123456789012345678901`:

```json
{
  "version": 1,
  "etag": "BwUjMhCsNvY=",
  "bindings": [
    {
      "members": [
        "deleted:serviceAccount:my-service-account@my-project.iam.gserviceaccount.com?uid=123456789012345678901"
      ],
      "role": "roles/iam.serviceAccountUser"
    }
  ]
}
```

Numeric IDs are only appended to the names of deleted principals.

Alternatively, you can search your audit logs for the `DeleteServiceAccount` operation that deleted the service account:

1. In the Google Cloud console, go to the **Logs Explorer** page.
2. In the query editor, enter the following query, replacing `SERVICE_ACCOUNT_EMAIL` with the email address of your service account (for example, `my-service-account@my-project.iam.gserviceaccount.com`):

   ```
   resource.type="service_account"
   resource.labels.email_id="SERVICE_ACCOUNT_EMAIL"
   "DeleteServiceAccount"
   ```

3. If the service account was deleted more than an hour ago, click **Last 1 hour**, select a longer period of time from the drop-down list, then click **Apply**.
4. Click **Run query**. The Logs Explorer displays the `DeleteServiceAccount` operations that affected service accounts with the name you specified.
5. Find and note the numeric ID of the deleted service account by doing one of the following:
   - If the search results include only one `DeleteServiceAccount` operation, find the numeric ID in the **Unique ID** field of the **Log fields** pane.
   - If the search results show more than one log, do the following:
     1. Find the correct log entry. To find the correct log entry, click the expander arrow next to a log entry. Review the details of the log entry and determine whether the log entry shows the operation that you want to undo. Repeat this process until you find the correct log entry.
     2. In the correct log entry, locate the service account's numeric ID. To locate the numeric ID, expand the log entry's `protoPayload` field, then find the `resourceName` field. The numeric ID is everything after `serviceAccounts/` in the `resourceName` field.

### Undeleting the service account by numeric ID

After you find the numeric ID for the deleted service account, you can try to undelete the service account.

#### gcloud CLI

Execute the `gcloud beta iam service-accounts undelete` command to undelete a service account.

Command:

```bash
gcloud beta iam service-accounts undelete ACCOUNT_ID
```

Output:

```yaml
restoredAccount:
  email: SA_NAME@PROJECT_ID.iam.gserviceaccount.com
  etag: BwWWE7zpApg=
  name: projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com
  oauth2ClientId: '123456789012345678901'
  projectId: PROJECT_ID
  uniqueId: 'ACCOUNT_ID'
```

#### REST

The `serviceAccounts.undelete` method restores a deleted service account.

Before using any of the request data, make the following replacements:

- `PROJECT_ID`: Your Google Cloud project ID. Project IDs are alphanumeric strings, like `my-project`.
- `SA_NUMERIC_ID`: The unique numeric ID of the service account.

HTTP method and URL:

```
POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NUMERIC_ID:undelete
```

To send your request, use one of these options:

**curl (Linux, macOS, or Cloud Shell)**

Execute the following command:

```bash
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d "" \
  "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NUMERIC_ID:undelete"
```

**PowerShell (Windows)**

Execute the following command:

```powershell
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method POST `
  -Headers $headers `
  -Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NUMERIC_ID:undelete" | Select-Object -Expand Content
```

**API Explorer (browser)**

Open the method reference page. The API Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click **Execute**.

If the account can be undeleted, you receive a `200 OK` response code with details about the restored service account, like the following:

```json
{
  "restoredAccount": {
    "name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com",
    "projectId": "my-project",
    "uniqueId": "123456789012345678901",
    "email": "my-service-account@my-project.iam.gserviceaccount.com",
    "displayName": "My service account",
    "etag": "BwUp3rVlzes=",
    "description": "A service account for running jobs in my project",
    "oauth2ClientId": "987654321098765432109"
  }
}
```

## What's next

- Learn how to create and manage service account keys.
- Review the process for granting IAM roles to all types of principals, including service accounts.
- Explore how you can use role recommendations to downscope permissions for all principals, including service accounts.
- Understand how to allow principals to impersonate service accounts.

## Try it for yourself

If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads. Get started for free.
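The following is an added example (not part of the Google Cloud documentation or its sample code) for the "Finding a deleted service account's numeric ID" procedure above: it parses the `deleted:serviceAccount:EMAIL?uid=NUMERIC_ID` member form out of an allow policy, keeps deleted identities apart from a live re-created account of the same name, and builds the `serviceAccounts.undelete` resource path. The policy is constructed sample data and the function names are my own.

```python
"""Locate deleted service accounts, and their numeric IDs, in an IAM allow policy.

Added example, not from the Google Cloud documentation. Works offline on a
policy dict shaped like the getIamPolicy response (constructed sample below).
"""
import re
from typing import Dict, Set

# Member form that IAM keeps for up to 60 days after a service account is deleted:
#   deleted:serviceAccount:EMAIL?uid=NUMERIC_ID
# A live member ("serviceAccount:EMAIL", no prefix/suffix) deliberately does not match.
DELETED_SA_RE = re.compile(
    r"^deleted:serviceAccount:(?P<email>[^?]+)\?uid=(?P<uid>\d+)$"
)


def find_deleted_service_accounts(policy: dict) -> Dict[str, Dict[str, Set[str]]]:
    """Return {email: {numeric_id: {roles still bound}}} for deleted service accounts.

    A re-created account with the same email appears as a plain
    "serviceAccount:" member and is ignored, so the two identities are never
    confused: the deleted one is identified by its numeric ID only.
    """
    found: Dict[str, Dict[str, Set[str]]] = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            match = DELETED_SA_RE.match(member)
            if match is None:
                continue
            found.setdefault(match["email"], {}).setdefault(match["uid"], set()).add(role)
    return found


def undelete_request_path(project_id: str, numeric_id: str) -> str:
    """Build the resource path for serviceAccounts.undelete (numeric ID required)."""
    if not numeric_id.isdigit():
        raise ValueError("undelete takes the numeric ID, not the email address")
    return f"projects/{project_id}/serviceAccounts/{numeric_id}:undelete"


# Constructed sample policy: one deleted account whose name was re-used by a
# live account, and a second deleted account that still holds a role.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwUjMhCsNvY=",
    "bindings": [
        {
            "role": "roles/iam.serviceAccountUser",
            "members": [
                "deleted:serviceAccount:my-service-account@my-project.iam.gserviceaccount.com?uid=123456789012345678901",
                "serviceAccount:my-service-account@my-project.iam.gserviceaccount.com",
            ],
        },
        {
            "role": "roles/storage.objectViewer",
            "members": [
                "deleted:serviceAccount:my-service-account@my-project.iam.gserviceaccount.com?uid=123456789012345678901",
                "deleted:serviceAccount:other-sa@my-project.iam.gserviceaccount.com?uid=111111111111111111111",
                "user:alice@example.com",
            ],
        },
    ],
}

if __name__ == "__main__":
    for email, ids in find_deleted_service_accounts(SAMPLE_POLICY).items():
        for uid, roles in ids.items():
            print(f"{email} uid={uid} roles={sorted(roles)}")
            print("  undelete:", undelete_request_path("my-project", uid))
```

Only a deleted principal carries the `?uid=` suffix, so any email that comes back from this parser is one whose bindings have not yet been purged; the undelete path it builds is the one the REST section above uses.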