创建和管理服务帐户 | IAM 文档 | Google Cloud

本页说明如何使用
身份和访问管理 (IAM) API、Google Cloud 控制台和
gcloud 命令-
线条工具

默认情况下，每个项目最多可以有 100 个服务帐户来控制对您的资源的访问。如有必要，您可以请求增加配额。详细了解配额和限制

＃＃ 在你开始之前
启用 IAM API

了解 IAM 服务帐户
安装谷歌云 CLI
 所需角色
要获得管理服务帐户所需的权限，请让您的管理员授予您项目的以下 IAM 角色：
-
查看服务帐户和服务帐户元数据：
查看服务帐户 (
角色/iam.serviceAccountViewer)
-
查看和创建服务帐户：
创建服务帐户（
角色/iam.serviceAccountCreator)
-
查看和删除服务帐户：
删除服务帐户 (
角色/iam.serviceAccountDeleter）
-
要完全管理（查看、创建、更新、禁用、启用、删除、取消删除和管理访问）服务帐户：
服务帐户管理员 (
角色/iam.serviceAccountAdmin）
有关授予角色的更多信息，请参阅管理访问

要了解有关这些角色的更多信息，请参阅服务帐户角色

IAM 基本角色还包含管理服务帐户的权限。您不应在生产环境中授予基本角色，但可以在开发或测试环境中授予它们

## 创建服务账户
创建服务帐户时，您必须提供字母数字 ID
(
在下面的示例中），例如
`SA_NAME`
我的服务帐户。 ID 必须介于 6 到 30 个字符之间，并且可以
包含小写字母数字字符和破折号。创建服务后
帐户，您不能更改其名称

服务帐户的名称显示在配置的电子邮件地址中
在创建过程中，以格式


`SA_NAME`@ `PROJECT_ID`.iam.gserviceaccount.com
每个服务帐户还有一个永久的、唯一的数字 ID，该 ID 是自动生成的

创建服务帐户时，您还需要提供以下信息：
是服务帐户的可选描述

SA_DESCRIPTION 说明
是服务帐户的友好名称

SA_DISPLAY_NAME
是您的 Google Cloud 项目的 ID

项目编号
创建服务帐户后，您可能需要等待 60 秒或更长时间才能使用该服务帐户。出现这种行为是因为读取操作最终是一致的；新服务帐户可能需要一些时间才能显示。如果您在创建服务帐户后立即尝试读取或使用它，并且收到错误，您可以使用指数退避重试该请求

 安慰
在 Google Cloud 控制台中，转到
创建服务帐号页面

转到创建服务帐户
选择一个云项目

输入要在 Google Cloud 控制台中显示的服务帐号名称

Google Cloud 控制台基于此名称生成一个服务帐户 ID。如有必要，编辑 ID。您以后无法更改 ID

可选：输入服务帐户的说明

如果您现在不想设置访问控制，请单击
完成以完成服务帐户的创建

要立即设置访问控制，请单击
Create and continue继续下一步

可选：选择一个或多个 IAM 角色以授予项目的服务帐户

添加完角色后，单击
继续

可选：在
Service account users rolefield，添加可以模拟服务账号的成员

可选：在
Service account admins rolefield，添加可以管理服务账号的成员

点击
完成以完成服务帐户的创建

 云命令行
要创建服务帐户，请运行
gcloud iam 服务账户创建命令：
gcloud iam 服务帐户创建
SA_NAME\ --description="DESCRIPTION"\ --display-name="DISPLAY_NAME"替换以下值：
: 服务帐户的名称
SA_NAME
：服务帐户的可选描述
描述
：要在 Google Cloud 控制台中显示的服务帐户名称
显示名称
-
可选：要向您的服务帐户授予项目的 IAM 角色，请运行
gcloud 项目 add-iam-policy-binding 命令：
gcloud 项目 add-iam-policy-binding
PROJECT_ID\ --member="serviceAccount: SA_NAME@ PROJECT_ID.iam.gserviceaccount.com"\ --role="ROLE_NAME"替换以下值：
: 项目编号
项目编号
: 服务帐户的名称
SA_NAME
：角色名称，例如
ROLE_NAME
角色/compute.osLogin
-
可选：要允许用户模拟服务帐户，请运行
gcloud iam service-accounts add-iam-policy-bindingcommand 授予用户服务帐户用户角色（
服务帐户上的角色/iam.serviceAccountUser）：
gcloud iam service-accounts add-iam-policy-binding SA_NAME@ PROJECT_ID.iam.gserviceaccount.com \ --member="user: USER_EMAIL"\ --role="角色/iam.serviceAccountUser"替换以下值：
: 项目编号
项目编号
: 服务帐户的名称
SA_NAME
：用户的电子邮件地址
USER_EMAIL
-
 休息
这
serviceAccounts.创建
方法创建一个服务帐户

在使用任何请求数据之前，请进行以下替换：
：您的 Google Cloud 项目 ID。项目 ID 是字母数字字符串，例如
项目编号
我的项目
：您的服务帐户的字母数字 ID。此名称必须介于 6 到 30 个字符之间，并且可以包含小写字母数字字符和破折号

SA_NAME
： 选修的。服务帐户的描述

SA_DESCRIPTION 说明
：服务帐户的人类可读名称

SA_DISPLAY_NAME
HTTP 方法和 URL：
发布 httpssiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts
请求 JSON 正文：
{ “帐户ID”： ”
SA_NAME", "serviceAccount": { "description": "SA_DESCRIPTION", "displayName": "SA_DISPLAY_NAME"} }
要发送您的请求，请展开以下选项之一：
 curl（Linux、macOS 或 Cloud Shell）
将请求正文保存在名为
请求.json,
并执行以下命令：
curl -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)"-H "Content-Type: application/json; charset=utf-8"-d @request.json "httpsiam.googleapis.com /v1/项目/
PROJECT_ID/serviceAccounts”
 电源外壳 (视窗)
将请求正文保存在名为
请求.json,
并执行以下命令：
$cred = gcloud auth 打印访问令牌
$headers = @{ "Authorization"= "Bearer $cred"}
调用 WebRequest`
-方法 POST `
- 标题 $headers `
-ContentType: "application/json; charset=utf-8"`
-InFile request.json `
-URI“httpssiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts"| 选择对象 - 展开内容
 API Explorer（浏览器）
复制请求正文并打开
方法参考页

API Explorer 面板在页面右侧打开

您可以与此工具交互以发送请求

将请求正文粘贴到此工具中，完成任何其他必填字段，然后单击
**执行**

您应该会收到类似于以下内容的 JSON 响应：
{ “名称”：“项目/我的项目/serviceAccounts/[email protected]”，“projectId”：“我的项目”，“uniqueId”：“123456789012345678901”，“ email": "[email protected]", "displayName": "My service account", "etag": "BwUp3rVlzes "description": "A service account for running jobs in my项目", "oauth2ClientId": "987654321098765432109"}
 C++
要了解如何为 IAM 安装和使用客户端库，请参阅 IAM 客户端库。有关更多信息，请参阅 IAM C++ API 参考文档
namespace iam = ::google::cloud::iam; std::string const& project_id, std::string const& account_id, std::string const& display_name, std::string const& 描述) { iam::IAMClient 客户端(iam::MakeIAMConnection google::iam::admin::v1::ServiceAccount service_account; service_account.set_display_name(display_name); service_account.set_description(description); auto response = client.CreateServiceAccount("projects/ "+ project_id, account_id, service_account); if (!response) throw std::runtime_error(response.statusmessage std::cout<< "ServiceAccount 成功创建："<< response->DebugString()<< “
“；}
 C＃
要了解如何为 IAM 安装和使用客户端库，请参阅 IAM 客户端库。有关详细信息，请参阅 IAM C# API 参考文档

使用系统；使用 Google.Apis.Auth.OAuth2；使用 Google.Apis.Iam.v1；使用 Google.Apis.Iam.v1.Data； public partial class ServiceAccounts { public static ServiceAccount CreateServiceAccount(string projectId, string name, string displayName) { var credential = GoogleCredential.GetApplicationDefault() .CreateScoped(IamService.Scope.CloudPlatform); var service = new IamService(new IamService.Initializer { HttpClientInitializer = credentialvar request = new CreateServiceAccountRequest { AccountId = name, ServiceAccount = new ServiceAccount { DisplayName = displayName } }; var serviceAccount = service.Projects.ServiceAccounts.Create( 请求，“项目/ "+ projectId).Execute Console.WriteLine("创建服务账号："+ serviceAccount.Email); return serviceAccount; } }
 去
要了解如何为 IAM 安装和使用客户端库，请参阅 IAM 客户端库。有关更多信息，请参阅 IAM Go API 参考文档

import ( "context""fmt""io"iam "google.golang.org/api/iam/v1") // createServiceAccount 创建一个服务账户。 func createServiceAccount(w io.Writer, projectID, name, displayName string) (*iam.ServiceAccount, error) { ctx := context.Background() 服务, err := iam.NewService(ctx) if err != nil { 返回nil, fmt.Errorf("iam.NewService: %v", err) } request :=&iam.CreateServiceAccountRequest{ AccountId: 名称, ServiceAccount:&iam.ServiceAccount{ DisplayName: displayName, }, } account, err := service.Projects.ServiceAccounts.Create("projectsprojectID, request).Do() 如果错误！= nil { return nil, fmt.Errorf("Projects.ServiceAccounts.Create: %v", err) } fmt.Fprintf(w, "已创建的服务账户: %v", account) return account, nil }
 爪哇
要了解如何为 IAM 安装和使用客户端库，请参阅 IAM 客户端库。有关更多信息，请参阅 IAM Java API 参考文档

导入 com.google.api.client.googleapis.javanet.GoogleNetHttpTransport；导入 com.google.api.client.json.jackson2.JacksonFactory；导入 com.google.api.services.iam.v1.Iam；导入 com.google.api.services.iam.v1.IamScopes；导入 com.google.api.services.iam.v1.model.CreateServiceAccountRequest；导入 com.google.api.services.iam.v1.model.ServiceAccount；导入 com.google.auth.http.HttpCredentialsAdapter；导入 com.google.auth.oauth2.GoogleCredentials；导入java.io.IOException；导入 java.security.GeneralSecurityException；导入 java.util.Collections； public class CreateServiceAccount { // 创建服务帐户。 public static void createServiceAccount(String projectId, String serviceAccountName) { // String projectId = "my-project-id"; // String serviceAccountName = "我的服务账户名";我的服务=空； try { service = initService } catch (IOException | GeneralSecurityException e) { System.out.println("无法初始化服务：
"+ e.toString return; } try { ServiceAccount serviceAccount = new ServiceAccount serviceAccount.setDisplayName("你的显示名称 CreateServiceAccountRequest request = new CreateServiceAccountRequest request.setAccountId(serviceAccountName); request.setServiceAccount(serviceAccount); serviceAccount = service.projectsserviceAccountscreate( "projects/"+ projectId, request).execute System.out.println("创建服务账号："+ serviceAccount.getEmail } catch (IOException e) { System.out.println("无法创建服务账号：
"+ e.toString } } private static Iam initService() throws GeneralSecurityException, IOException { // 使用应用程序默认凭证策略进行身份验证。有关详细信息，请参阅：// httpscloud.google.com/docs/authentication/production#finding_credentials_automatically GoogleCredentials credential = GoogleCredentials.getApplicationDefault() .createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM // 初始化 IAM 服务，可用于向 IAM API 发送请求 Iam service = new Iam.Builder( GoogleNetHttpTransport.newTrustedTransport JacksonFactory. getDefaultInstance new HttpCredentialsAdapter(credential)) .setApplicationName("service-accounts") .build 返回服务；} }
 Python
要了解如何为 IAM 安装和使用客户端库，请参阅 IAM 客户端库。有关更多信息，请参阅 IAM Python API 参考文档

import os from google.oauth2 import service_account import googleapiclient.discovery def create_service_account(project_id, name, display_name): 创建服务账户 credentials = service_account.Credentials.from_service_account_file( filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS scopeshttpswww.googleapis.com/auth/云平台服务 = googleapiclient.discovery.build( 'iam', 'v1', credentials=credentials) my_service_account = service.projectsserviceAccountscreate( name='projects/'+ project_id, body={ 'accountId': name, 'serviceAccount': { 'displayName': display_name } execute() print('创建的服务账户：'+ my_service_account['email return my_service_account
创建服务帐户后，向服务帐户授予一个或多个角色，以便它可以代表您执行操作

此外，如果服务帐户需要访问其他项目中的资源，您通常必须在创建服务帐户的项目中为这些资源启用 API

## 列出服务帐户
您可以列出您的服务帐户以帮助您审核服务帐户和密钥，或作为管理服务帐户的自定义工具的一部分

 安慰
在 Google Cloud 控制台中，转到
服务帐号页面

选择项目

这
服务帐户页面列出了您选择的项目中所有用户管理的服务帐户。该页面未列出 Google 管理的服务帐户

 云命令行
执行
gcloud iam 服务帐户列表
命令列出项目中的所有服务帐户

命令：
gcloud iam 服务帐户列表
输出是项目中所有服务帐户的列表：
姓名 电邮
SA_DISPLAY_NAME_1 SA_NAME_1@ PROJECT_ID.iam.gserviceaccount.com SA_DISPLAY_NAME_2 SA_NAME_2@ PROJECT_ID.iam.gserviceaccount.com
 休息
这
服务帐户.list
方法列出项目中的每个服务帐户

在使用任何请求数据之前，请进行以下替换：
：您的 Google Cloud 项目 ID。项目 ID 是字母数字字符串，例如
项目编号
我的项目

HTTP 方法和 URL：
获取 httpssiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts
要发送您的请求，请展开以下选项之一：
 curl（Linux、macOS 或 Cloud Shell）
执行以下命令：
curl -X GET -H “授权：Bearer $(gcloud auth print-access-token)” “httpsiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts”
 电源外壳 (视窗)
执行以下命令：
$cred = gcloud auth 打印访问令牌
$headers = @{ "Authorization"= "Bearer $cred"}
调用 WebRequest`
-方法获取`
- 标题 $headers `
-URI“httpssiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts"| 选择对象 - 展开内容
 API Explorer（浏览器）
打开
方法参考页

API Explorer 面板在页面右侧打开

您可以与此工具交互以发送请求

填写任何必填字段并单击
**执行**

您应该会收到类似于以下内容的 JSON 响应：
{ “帐户”：[ { “名称”：“项目/我的项目/serviceAccounts/[email protected]”， “projectId”：“我的项目”， “uniqueId”：“ 123456789012345678901", "email": "[email protected]", "description": "我的第一个服务账户", "displayName": "服务账户1", "etag": "BwUpTsLVUkQ "oauth2ClientId": "987654321098765432109"}, { "name": "projects/my-project/serviceAccounts/[email protected]", "projectId": "my-project", "uniqueId ": "234567890123456789012", "email": "[email protected]", "description": "我的第二个服务账号", "displayName": "服务账号2", "etag": "UkQpTwBVUsL "oauth2ClientId": "876543210987654321098"} ] }
 C++
要了解如何为 IAM 安装和使用客户端库，请参阅 IAM 客户端库。有关更多信息，请参阅 IAM C++ API 参考文档

命名空间 iam = ::google::cloud::iam; std::字符串常量& project_id) { iam::IAMClient 客户端(iam::MakeIAMConnection int count = 0; for (auto const& sa : client.ListServiceAccounts("projects/"+ project_id)) { if (!sa) throw std::runtime_error(sa.statusmessage std::cout<< "ServiceAccount 成功检索："<< sa->name()<< ”
"; ++count; } if (count == 0) { std::cout<< "在项目中找不到服务帐户："<< project_id<< ""; } }
 C＃

要了解如何为 IAM 安装和使用客户端库，请参阅 IAM 客户端库。有关详细信息，请参阅 IAM C# API 参考文档

使用系统；使用 System.Collections.Generic；使用 Google.Apis.Auth.OAuth2；使用 Google.Apis.Iam.v1；使用 Google.Apis.Iam.v1.Data； public partial class ServiceAccounts { public static IList ListServiceAccounts(string projectId) { var credential = GoogleCredential.GetApplicationDefault() .CreateScoped(IamService.Scope.CloudPlatform); var service = new IamService(new IamService.Initializer { HttpClientInitializer = credentialvar response = service.Projects.ServiceAccounts.List( "projects/" + projectId).Execute foreach (ServiceAccount account in response.Accounts) { Console.WriteLine("Name: " + account.Name); Console.WriteLine("Display Name: " + account.DisplayName); Console.WriteLine("Email: " + account.Email); Console.WriteLine } return response.Accounts; } }
 Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation

import ( "context" "fmt" "io" iam "google.golang.org/api/iam/v1" ) // listServiceAccounts lists a project's service accounts. func listServiceAccounts(w io.Writer, projectID string) iam.ServiceAccount, error) { ctx := context.Background() service, err := iam.NewService(ctx) if err != nil { return nil, fmt.Errorf("iam.NewService: %v", err) } response, err := service.Projects.ServiceAccounts.List("projects/" + projectID).Do() if err != nil { return nil, fmt.Errorf("Projects.ServiceAccounts.List: %v", err) } for _, account := range response.Accounts { fmt.Fprintf(w, "Listing service account: %v
", account.Name) } return response.Accounts, nil }
 Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation


import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport; import com.google.api.client.json.jackson2.JacksonFactory; import com.google.api.services.iam.v1.Iam; import com.google.api.services.iam.v1.IamScopes; import com.google.api.services.iam.v1.model.ListServiceAccountsResponse; import com.google.api.services.iam.v1.model.ServiceAccount; import com.google.auth.http.HttpCredentialsAdapter; import com.google.auth.oauth2.GoogleCredentials; import java.io.IOException; import java.security.GeneralSecurityException; import java.util.Collections; import java.util.List; public class ListServiceAccounts { // Lists all service accounts for the current project. public static void listServiceAccounts(String projectId) { // String projectId = "my-project-id" Iam service = null; try { service = initService } catch (IOException | GeneralSecurityException e) { System.out.println("Unable to initialize service: 
" + e.toString return; } try { ListServiceAccountsResponse response = service.projectsserviceAccountslist("projects/" + projectId).execute List serviceAccounts = response.getAccounts for (ServiceAccount account : serviceAccounts) { System.out.println("Name: " + account.getName System.out.println("Display Name: " + account.getDisplayName System.out.println("Email: " + account.getEmail System.out.println } } catch (IOException e) { System.out.println("Unable to list service accounts: 
" + e.toString } } private static Iam initService() throws GeneralSecurityException, IOException { // Use the Application Default Credentials strategy for authentication. For more info, see: // httpscloud.google.com/docs/authentication/production#finding_credentials_automatically GoogleCredentials credential = GoogleCredentials.getApplicationDefault() .createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM // Initialize the IAM service, which can be used to send requests to the IAM API. Iam service = new Iam.Builder( GoogleNetHttpTransport.newTrustedTransport JacksonFactory.getDefaultInstance new HttpCredentialsAdapter(credential)) .setApplicationName("service-accounts") .build return service; } }
 Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation

import os from google.oauth2 import service_account import googleapiclient.discovery def list_service_accounts(project_id): Lists all service accounts for the current project credentials = service_account.Credentials.from_service_account_file( filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS scopeshttpswww.googleapis.com/auth/cloud-platform service = googleapiclient.discovery.build( 'iam', 'v1', credentials=credentials) service_accounts = service.projectsserviceAccountslist( name='projects/' + project_id).execute() for account in service_accounts['accounts print('Name: ' + account['name print('Email: ' + account['email print(' ') return service_accounts
## Updating a service account
The display name (friendly name) and description of a service account are commonly used to capture additional information about the service account, such as the purpose of the service account or a contact person for the account

 Console
In the Google Cloud console, go to the
Service accountspage

Select a project

Click the email address of the service account that you want to rename

Enter the new name in the
Namebox, then click Save

 gcloud CLI
Execute the
gcloud iam service-accounts update
command to update a service account

Command:
gcloud iam service-accounts update SA_NAME@ PROJECT_ID.iam.gserviceaccount.com \ --description=" UPDATED_SA_DESCRIPTION" \ --display-name=" UPDATED_DISPLAY_NAME"
The output is the renamed service account:
description:
UPDATED_SA_DESCRIPTIONdisplayName: UPDATED_DISPLAY_NAMEname: projects/ PROJECT_ID/serviceAccounts/ SA_NAME@ PROJECT_ID.iam.gserviceaccount.com
 REST
The
serviceAccounts.patch
method updates a service account

Before using any of the request data, make the following replacements:
: Your Google Cloud project ID. Project IDs are alphanumeric strings, like
PROJECT_ID
my-project

: The ID of your service account. This can either be the service account's email address in the form
SA_ID
, or the service account's unique numeric ID

SA_NAME@ PROJECT_ID.iam.gserviceaccount.com
: The alphanumeric ID of your service account. This name must be between 6 and 30 characters, and can contain lowercase alphanumeric characters and dashes

SA_NAME
- Replace at least one of the following:
: A new display name for your service account

UPDATED_DISPLAY_NAME
: A new description for your service account

UPDATED_DESCRIPTION
HTTP method and URL:
PATCH httpsiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts/ SA_ID
Request JSON body:
{ "serviceAccount": { "email": "
SA_NAME@ PROJECT_ID.iam.gserviceaccount.com", "displayName": " UPDATED_DISPLAY_NAME", "description": " UPDATED_DESCRIPTION" }, "updateMask": "displayName,description" }
To send your request, expand one of these options:
 curl (Linux, macOS, or Cloud Shell)
Save the request body in a file called
request.json,
and execute the following command:
curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json; charset=utf-8" -d @request.json "httpsiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts/ SA_ID"
 PowerShell (Windows)
Save the request body in a file called
request.json,
and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "httpsiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts/ SA_ID" | Select-Object -Expand Content
 API Explorer (browser)
Copy the request body and open the
method reference page

The API Explorer panel opens on the right side of the page

You can interact with this tool to send requests


Paste the request body in this tool, complete any other required fields, and click
**Execute**

You should receive a JSON response similar to the following:
{ "name": "projects/my-project/serviceAccounts/[email protected]", "displayName": "My updated service account", "description": "An updated description of my service account" }
 C++
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation

namespace iam = ::google::cloud::iam; std::string const& name, std::string const& display_name) { iam::IAMClient client(iam::MakeIAMConnection google::iam::admin::v1::PatchServiceAccountRequest request; google::iam::admin::v1::ServiceAccount service_account; service_account.set_name(name); service_account.set_display_name(display_name); google::protobuf::FieldMask update_mask; *update_mask.add_paths() = "display_name"; *request.mutable_service_account() = service_account; *request.mutable_update_mask() = update_mask; auto response = client.PatchServiceAccount(request); if (!response) throw std::runtime_error(response.statusmessage std::cout << "ServiceAccount successfully updated: " << response->DebugString() << "
"; }
 C#
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation

using System; using Google.Apis.Auth.OAuth2; using Google.Apis.Iam.v1; using Google.Apis.Iam.v1.Data; public partial class ServiceAccounts { public static ServiceAccount RenameServiceAccount(string email, string newDisplayName) { var credential = GoogleCredential.GetApplicationDefault() .CreateScoped(IamService.Scope.CloudPlatform); var service = new IamService(new IamService.Initializer { HttpClientInitializer = credential// First, get a ServiceAccount using List() or Get string resource = "projectsserviceAccounts/" + email; var serviceAccount = service.Projects.ServiceAccounts.Get(resource) .Execute // Then you can update the display name. serviceAccount.DisplayName = newDisplayName; serviceAccount = service.Projects.ServiceAccounts.Update( serviceAccount, resource).Execute Console.WriteLineUpdated display name for {serviceAccount.Email} " + "to: " + serviceAccount.DisplayName); return serviceAccount; } }
 Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation


import ( "context" "fmt" "io" iam "google.golang.org/api/iam/v1" ) // renameServiceAccount renames a service account. func renameServiceAccount(w io.Writer, email, newDisplayName string) (*iam.ServiceAccount, error) { ctx := context.Background() service, err := iam.NewService(ctx) if err != nil { return nil, fmt.Errorf("iam.NewService: %v", err) } // First, get a ServiceAccount using List() or Get resource := "projectsserviceAccounts/" + email serviceAccount, err := service.Projects.ServiceAccounts.Get(resource).Do() if err != nil { return nil, fmt.Errorf("Projects.ServiceAccounts.Get: %v", err) } // Then you can update the display name. serviceAccount.DisplayName = newDisplayName serviceAccount, err = service.Projects.ServiceAccounts.Update(resource, serviceAccount).Do() if err != nil { return nil, fmt.Errorf("Projects.ServiceAccounts.Update: %v", err) } fmt.Fprintf(w, "Updated service account: %v", serviceAccount.Email) return serviceAccount, nil }
 Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation

import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport; import com.google.api.client.json.jackson2.JacksonFactory; import com.google.api.services.iam.v1.Iam; import com.google.api.services.iam.v1.IamScopes; import com.google.api.services.iam.v1.model.ServiceAccount; import com.google.auth.http.HttpCredentialsAdapter; import com.google.auth.oauth2.GoogleCredentials; import java.io.IOException; import java.security.GeneralSecurityException; import java.util.Collections; public class RenameServiceAccount { // Changes a service account's display name. public static void renameServiceAccount(String projectId, String serviceAccountName) { // String projectId = "my-project-id"; // String serviceAccountName = "my-service-account-name"; Iam service = null; try { service = initService } catch (IOException | GeneralSecurityException e) { System.out.println("Unable to initialize service: 
" + e.toString return; } String serviceAccountEmail = serviceAccountName ++ projectId + ".iam.gserviceaccount.com"; try { // First, get a service account using List() or Get() ServiceAccount serviceAccount = service .projects() .serviceAccounts() .get("projectsserviceAccounts/" + serviceAccountEmail) .execute // Then you can update the display name serviceAccount.setDisplayName("your-new-display-name serviceAccount = service .projects() .serviceAccounts() .update(serviceAccount.getName serviceAccount) .execute System.out.println( "Updated display name for " + serviceAccount.getName() + " to: " + serviceAccount.getDisplayName } catch (IOException e) { System.out.println("Unable to rename service account: 
" + e.toString } } private static Iam initService() throws GeneralSecurityException, IOException { // Use the Application Default Credentials strategy for authentication. For more info, see: // httpscloud.google.com/docs/authentication/production#finding_credentials_automatically GoogleCredentials credential = GoogleCredentials.getApplicationDefault() .createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM // Initialize the IAM service, which can be used to send requests to the IAM API. Iam service = new Iam.Builder( GoogleNetHttpTransport.newTrustedTransport JacksonFactory.getDefaultInstance new HttpCredentialsAdapter(credential)) .setApplicationName("service-accounts") .build return service; } }
 Python

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation

import os from google.oauth2 import service_account import googleapiclient.discovery def rename_service_account(email, new_display_name): Changes a service account's display name # First, get a service account using List() or Get() credentials = service_account.Credentials.from_service_account_file( filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS scopeshttpswww.googleapis.com/auth/cloud-platform service = googleapiclient.discovery.build( 'iam', 'v1', credentials=credentials) resource = 'projectsserviceAccounts/' + email my_service_account = service.projectsserviceAccountsget( name=resource).execute() # Then you can update the display name my_service_account['displayName'] = new_display_name my_service_account = service.projectsserviceAccountsupdate( name=resource, body=my_service_account).execute() print('Updated display name for {} to: format( my_service_account['email my_service_account['displayName return my_service_account
## Disabling a service account
Similar to deleting a service account, when you disable a service account, applications will no longer have access to Google Cloud resources through that service account. If you disable the default App Engine and Compute Engine service accounts, the instances will no longer have access to resources in the project. If you attempt to disable an already disabled service account, it will have no effect

Unlike deleting a service account, disabled service accounts can easily be re-enabled as necessary. We recommend disabling a service account before deleting it to make sure no critical applications are using the service account

 Console
In the Google Cloud console, go to the
Service accountspage

Select a project

Click the name of the service account that you want to disable

Under
Service account status, click Disable service account, then click Disableto confirm the change

 gcloud CLI
Execute the
gcloud iam service-accounts disable
command to disable a service account

Command:
gcloud iam service-accounts disable
SA_NAME@ PROJECT_ID.iam.gserviceaccount.com
Output:
Disabled service account
SA_NAME@ PROJECT_ID.iam.gserviceaccount.com
 REST
The
serviceAccounts.disable
method immediately disables a service account

Before using any of the request data, make the following replacements:
: Your Google Cloud project ID. Project IDs are alphanumeric strings, like
PROJECT_ID
my-project

: The ID of your service account. This can either be the service account's email address in the form
SA_ID
, or the service account's unique numeric ID

SA_NAME@ PROJECT_ID.iam.gserviceaccount.com
HTTP method and URL:
POST httpsiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts/ SA_ID:disable
To send your request, expand one of these options:
 curl (Linux, macOS, or Cloud Shell)
Execute the following command:
curl -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json; charset=utf-8" -d "" "httpsiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts/ SA_ID:disable"
 PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "httpsiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts/ SA_ID:disable" | Select-Object -Expand Content
 API Explorer (browser)
Open the
method reference page

The API Explorer panel opens on the right side of the page

You can interact with this tool to send requests

Complete any required fields and click
**Execute**

If successful, the response body will be empty

 C++
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation

namespace iam = ::google::cloud::iam; std::string const& name) { iam::IAMClient client(iam::MakeIAMConnection google::iam::admin::v1::DisableServiceAccountRequest request; request.set_name(name); auto response = client.DisableServiceAccount(request); if (!response.ok throw std::runtime_error(response.message std::cout << "ServiceAccount successfully disabled.
"; }
 C#
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation

using System; using Google.Apis.Auth.OAuth2; using Google.Apis.Iam.v1; using Google.Apis.Iam.v1.Data; public partial class ServiceAccounts { public static void DisableServiceAccount(string email) { var credential = GoogleCredential.GetApplicationDefault() .CreateScoped(IamService.Scope.CloudPlatform); var service = new IamService(new IamService.Initializer { HttpClientInitializer = credentialvar request = new DisableServiceAccountRequest string resource = "projectsserviceAccounts/" + email; service.Projects.ServiceAccounts.Disable(request, resource).Execute Console.WriteLine("Disabled service account: " + email); } }
 Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation


import ( "context" "fmt" "io" iam "google.golang.org/api/iam/v1" ) // disableServiceAccount disables a service account. func disableServiceAccount(w io.Writer, email string) error { // email:= [email protected] ctx := context.Background() service, err := iam.NewService(ctx) if err != nil { return fmt.Errorf("iam.NewService: %v", err) } request := &iam.DisableServiceAccountRequest{} _, err = service.Projects.ServiceAccounts.Disable("projectsserviceAccountsemail, request).Do() if err != nil { return fmt.Errorf("Projects.ServiceAccounts.Disable: %v", err) } fmt.Fprintf(w, "Disabled service account: %v", email) return nil }
 Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation

import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport; import com.google.api.client.json.jackson2.JacksonFactory; import com.google.api.services.iam.v1.Iam; import com.google.api.services.iam.v1.IamScopes; import com.google.api.services.iam.v1.model.DisableServiceAccountRequest; import com.google.auth.http.HttpCredentialsAdapter; import com.google.auth.oauth2.GoogleCredentials; import java.io.IOException; import java.security.GeneralSecurityException; import java.util.Collections; public class DisableServiceAccount { // Disables a service account. public static void disableServiceAccount(String projectId, String serviceAccountName) { // String projectId = "my-project-id"; // String serviceAccountName = "my-service-account-name"; Iam service = null; try { service = initService } catch (IOException | GeneralSecurityException e) { System.out.println("Unable to initialize service: 
" + e.toString return; } String serviceAccountEmail = serviceAccountName ++ projectId + ".iam.gserviceaccount.com"; try { DisableServiceAccountRequest request = new DisableServiceAccountRequest service .projects() .serviceAccounts() .disable("projectsserviceAccounts/" + serviceAccountEmail, request) .execute System.out.println("Disabled service account: " + serviceAccountEmail); } catch (IOException e) { System.out.println("Unable to disable service account: 
" + e.toString } } private static Iam initService() throws GeneralSecurityException, IOException { // Use the Application Default Credentials strategy for authentication. For more info, see: // httpscloud.google.com/docs/authentication/production#finding_credentials_automatically GoogleCredentials credential = GoogleCredentials.getApplicationDefault() .createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM // Initialize the IAM service, which can be used to send requests to the IAM API. Iam service = new Iam.Builder( GoogleNetHttpTransport.newTrustedTransport JacksonFactory.getDefaultInstance new HttpCredentialsAdapter(credential)) .setApplicationName("service-accounts") .build return service; } }
 Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation


import os from google.oauth2 import service_account import googleapiclient.discovery def disable_service_account(email): Disables a service account credentials = service_account.Credentials.from_service_account_file( filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS scopeshttpswww.googleapis.com/auth/cloud-platform service = googleapiclient.discovery.build( 'iam', 'v1', credentials=credentials) service.projectsserviceAccountsdisable( name='projectsserviceAccounts/' + email).execute() print("Disabled service account :" + email)
## Enabling a service account
After enabling a disabled service account, applications will regain access to Google Cloud resources through that service account

You can enable a disabled service account whenever you need to. If you attempt to enable an already enabled service account, it will have no effect

 Console
In the Google Cloud console, go to the
Service accountspage

Select a project

Click the name of the service account that you want to enable

Under
Service account status, click Enable service account, then click Enableto confirm the change

 gcloud CLI
Execute the
gcloud iam service-accounts enable
command to enable a service account

Command:
gcloud iam service-accounts enable
SA_NAME@ PROJECT_ID.iam.gserviceaccount.com
Output:
Enabled service account
SA_NAME@ PROJECT_ID.iam.gserviceaccount.com
 REST
The
serviceAccounts.enable
method enables a previously disabled service account

Before using any of the request data, make the following replacements:
: Your Google Cloud project ID. Project IDs are alphanumeric strings, like
PROJECT_ID
my-project

: The ID of your service account. This can either be the service account's email address in the form
SA_ID
, or the service account's unique numeric ID

SA_NAME@ PROJECT_ID.iam.gserviceaccount.com
HTTP method and URL:
POST httpsiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts/ SA_ID:enable
To send your request, expand one of these options:
 curl (Linux, macOS, or Cloud Shell)
Execute the following command:
curl -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json; charset=utf-8" -d "" "httpsiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts/ SA_ID:enable"
 PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "httpsiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts/ SA_ID:enable" | Select-Object -Expand Content
 API Explorer (browser)
Open the
method reference page

The API Explorer panel opens on the right side of the page

You can interact with this tool to send requests

Complete any required fields and click
**Execute**

If successful, the response body will be empty

 C++
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation


namespace iam = ::google::cloud::iam; std::string const& name) { iam::IAMClient client(iam::MakeIAMConnection google::iam::admin::v1::EnableServiceAccountRequest request; request.set_name(name); auto response = client.EnableServiceAccount(request); if (!response.ok throw std::runtime_error(response.message std::cout << "ServiceAccount successfully enabled.
"; }
 C#
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation

using System; using Google.Apis.Auth.OAuth2; using Google.Apis.Iam.v1; using Google.Apis.Iam.v1.Data; public partial class ServiceAccounts { public static void EnableServiceAccount(string email) { var credential = GoogleCredential.GetApplicationDefault() .CreateScoped(IamService.Scope.CloudPlatform); var service = new IamService(new IamService.Initializer { HttpClientInitializer = credentialvar request = new EnableServiceAccountRequest string resource = "projectsserviceAccounts/" + email; service.Projects.ServiceAccounts.Enable(request, resource).Execute Console.WriteLine("Enabled service account: " + email); } }
 Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation

import ( "context" "fmt" "io" iam "google.golang.org/api/iam/v1" ) // enableServiceAccount enables a service account. func enableServiceAccount(w io.Writer, email string) error { // email:= [email protected] ctx := context.Background() service, err := iam.NewService(ctx) if err != nil { return fmt.Errorf("iam.NewService: %v", err) } request := &iam.EnableServiceAccountRequest{} _, err = service.Projects.ServiceAccounts.Enable("projectsserviceAccountsemail, request).Do() if err != nil { return fmt.Errorf("Projects.ServiceAccounts.Enable: %v", err) } fmt.Fprintf(w, "Enabled service account: %v", email) return nil }
 Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation

import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport; import com.google.api.client.json.jackson2.JacksonFactory; import com.google.api.services.iam.v1.Iam; import com.google.api.services.iam.v1.IamScopes; import com.google.api.services.iam.v1.model.EnableServiceAccountRequest; import com.google.auth.http.HttpCredentialsAdapter; import com.google.auth.oauth2.GoogleCredentials; import java.io.IOException; import java.security.GeneralSecurityException; import java.util.Collections; public class EnableServiceAccount { // Enables a service account. public static void enableServiceAccount(String projectId, String serviceAccountName) { // String projectId = "my-project-id"; // String serviceAccountName = "my-service-account-name"; Iam service = null; try { service = initService } catch (IOException | GeneralSecurityException e) { System.out.println("Unable to initialize service: 
" + e.toString return; } String serviceAccountEmail = serviceAccountName ++ projectId + ".iam.gserviceaccount.com"; try { EnableServiceAccountRequest request = new EnableServiceAccountRequest service .projects() .serviceAccounts() .enable("projectsserviceAccounts/" + serviceAccountEmail, request) .execute System.out.println("Enabled service account: " + serviceAccountEmail); } catch (IOException e) { System.out.println("Unable to enable service account: 
" + e.toString } } private static Iam initService() throws GeneralSecurityException, IOException { // Use the Application Default Credentials strategy for authentication. For more info, see: // httpscloud.google.com/docs/authentication/production#finding_credentials_automatically GoogleCredentials credential = GoogleCredentials.getApplicationDefault() .createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM // Initialize the IAM service, which can be used to send requests to the IAM API. Iam service = new Iam.Builder( GoogleNetHttpTransport.newTrustedTransport JacksonFactory.getDefaultInstance new HttpCredentialsAdapter(credential)) .setApplicationName("service-accounts") .build return service; } }
 Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation

import os from google.oauth2 import service_account import googleapiclient.discovery def enable_service_account(email): Enables a service account credentials = service_account.Credentials.from_service_account_file( filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS scopeshttpswww.googleapis.com/auth/cloud-platform service = googleapiclient.discovery.build( 'iam', 'v1', credentials=credentials) service.projectsserviceAccountsenable( name='projectsserviceAccounts/' + email).execute() print("Enabled service account :" + email)
## Deleting a service account
When you delete a service account, applications will no longer have access to Google Cloud resources through that service account. If you delete the default App Engine and Compute Engine service accounts, the instances will no longer have access to resources in the project

Delete with caution; make sure your critical applications are no longer using a service account before deleting it. If you're not sure whether a service account is being used, we recommend disabling the service account before deleting it. Disabled service accounts can be easily re-enabled if they are still in use

If you delete a service account, then create a new service account with the same name, the new service account is treated as a separate identity; it does not inherit the roles granted to the deleted service account. In contrast, when you delete a service account, then undelete it, the service account's identity does not change, and the service account retains its roles

When a service account is deleted, its role bindings are not immediately

removed; they are automatically purged from the system after a maximum of 60
days. Until that time, the service account appears in role bindings with a
deleted: prefix and a
?uid= suffix, where
`NUMERIC_ID`
is a unique numeric ID for the service
account

`NUMERIC_ID`
Deleted service accounts do not count towards your service account quota

 Console
In the Google Cloud console, go to the
Service accountspage

Select a project

Select the service account you want to delete, and then click
Delete

 gcloud CLI
Execute the
gcloud iam service-accounts delete
command to delete a service account

Command:
gcloud iam service-accounts delete SA_NAME@ PROJECT_ID.iam.gserviceaccount.com
Output:
Deleted service account
SA_NAME@ PROJECT_ID.iam.gserviceaccount.com
 REST
The
serviceAccounts.delete
method deletes a service account

Before using any of the request data, make the following replacements:
: Your Google Cloud project ID. Project IDs are alphanumeric strings, like
PROJECT_ID
my-project

: The ID of your service account. This can either be the service account's email address in the form
SA_ID
, or the service account's unique numeric ID

SA_NAME@ PROJECT_ID.iam.gserviceaccount.com
HTTP method and URL:
DELETE httpsiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts/ SA_ID
To send your request, expand one of these options:
 curl (Linux, macOS, or Cloud Shell)
Execute the following command:
curl -X DELETE -H "Authorization: Bearer $(gcloud auth print-access-token)" "httpsiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts/ SA_ID"
 PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method DELETE `
-Headers $headers `
-Uri "httpsiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts/ SA_ID" | Select-Object -Expand Content
 API Explorer (browser)
Open the
method reference page

The API Explorer panel opens on the right side of the page

You can interact with this tool to send requests

Complete any required fields and click
**Execute**

If successful, the response body will be empty

 C++
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation

namespace iam = ::google::cloud::iam; std::string const& name) { iam::IAMClient client(iam::MakeIAMConnection auto response = client.DeleteServiceAccount(name); if (!response.ok throw std::runtime_error(response.message std::cout << "ServiceAccount successfully deleted.
"; }
 C#

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation

using System; using Google.Apis.Auth.OAuth2; using Google.Apis.Iam.v1; public partial class ServiceAccounts { public static void DeleteServiceAccount(string email) { var credential = GoogleCredential.GetApplicationDefault() .CreateScoped(IamService.Scope.CloudPlatform); var service = new IamService(new IamService.Initializer { HttpClientInitializer = credentialstring resource = "projectsserviceAccounts/" + email; service.Projects.ServiceAccounts.Delete(resource).Execute Console.WriteLine("Deleted service account: " + email); } }
 Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation

import ( "context" "fmt" "io" iam "google.golang.org/api/iam/v1" ) // deleteServiceAccount deletes a service account. func deleteServiceAccount(w io.Writer, email string) error { ctx := context.Background() service, err := iam.NewService(ctx) if err != nil { return fmt.Errorf("iam.NewService: %v", err) } _, err = service.Projects.ServiceAccounts.Delete("projectsserviceAccounts/" + email).Do() if err != nil { return fmt.Errorf("Projects.ServiceAccounts.Delete: %v", err) } fmt.Fprintf(w, "Deleted service account: %v", email) return nil }
 Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation

import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport; import com.google.api.client.json.jackson2.JacksonFactory; import com.google.api.services.iam.v1.Iam; import com.google.api.services.iam.v1.IamScopes; import com.google.auth.http.HttpCredentialsAdapter; import com.google.auth.oauth2.GoogleCredentials; import java.io.IOException; import java.security.GeneralSecurityException; import java.util.Collections; public class DeleteServiceAccount { // Deletes a service account. public static void deleteServiceAccount(String projectId, String serviceAccountName) { // String projectId = "my-project-id"; // String serviceAccountName = "my-service-account-name"; Iam service = null; try { service = initService } catch (IOException | GeneralSecurityException e) { System.out.println("Unable to initialize service: 

" + e.toString return; } String serviceAccountEmail = serviceAccountName ++ projectId + ".iam.gserviceaccount.com"; try { service .projects() .serviceAccounts() .delete("projectsserviceAccounts/" + serviceAccountEmail) .execute System.out.println("Deleted service account: " + serviceAccountEmail); } catch (IOException e) { System.out.println("Unable to delete service account: 
" + e.toString } } private static Iam initService() throws GeneralSecurityException, IOException { // Use the Application Default Credentials strategy for authentication. For more info, see: // httpscloud.google.com/docs/authentication/production#finding_credentials_automatically GoogleCredentials credential = GoogleCredentials.getApplicationDefault() .createScoped(Collections.singleton(IamScopes.CLOUD_PLATFORM // Initialize the IAM service, which can be used to send requests to the IAM API. Iam service = new Iam.Builder( GoogleNetHttpTransport.newTrustedTransport JacksonFactory.getDefaultInstance new HttpCredentialsAdapter(credential)) .setApplicationName("service-accounts") .build return service; } }
 Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation

import os from google.oauth2 import service_account import googleapiclient.discovery def delete_service_account(email): Deletes a service account credentials = service_account.Credentials.from_service_account_file( filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS scopeshttpswww.googleapis.com/auth/cloud-platform service = googleapiclient.discovery.build( 'iam', 'v1', credentials=credentials) service.projectsserviceAccountsdelete( name='projectsserviceAccounts/' + email).execute() print('Deleted service account: ' + email)
## Undeleting a service account
In some cases, you can use the
undelete command to undelete a deleted service
account. You can usually undelete a deleted service account if it meets these
criteria:
The service account was deleted less than 30 days ago

After 30 days, IAM permanently removes the service account. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request

There is no existing service account with the same name as the deleted service account

For example, suppose that you accidentally delete the service account
[email protected]. You still need a service account with that name, so you create a new service account with the same name,
[email protected]

The new service account does not inherit the permissions of the deleted service account. In effect, it is completely separate from the deleted service account. However, you cannot undelete the original service account, because the new service account has the same name

To address this issue, delete the new service account, then try to undelete the original service account

If you are not able to undelete the service account, you can create a new service account with the same name; revoke all of the roles from the deleted service account; and grant the same roles to the new service account. For details, see Policies with deleted principals

 Finding a deleted service account's numeric ID
When you undelete a service account, you must provide its numeric ID. The
numeric ID is a 21-digit number, such as
123456789012345678901, that uniquely
identifies the service account. For example, if you delete a service account,
then create a new service account with the same name, the original service
account and the new service account will have different numeric IDs

If you know that a binding in an allow policy includes the deleted service
account, you can get the allow policy, then find the numeric ID
in the allow policy. The numeric ID is appended to the name of the deleted
service account. For example, in this allow policy, the numeric ID for the
deleted service account is
123456789012345678901:
{ "version": 1, "etag": "BwUjMhCsNvY "bindings": [ { "members": [
"deleted:serviceAccount:[email protected]?uid=123456789012345678901 "role": "roles/iam.serviceAccountUser" }, ] }
Numeric IDs are only appended to the names of deleted principals

Alternatively, you can search your audit logs for the
DeleteServiceAccount
operation that deleted the service account:
In the Google Cloud console, go to the
Logs explorerpage

In the query editor, enter the following query, replacing
with the email address of your service account (for example,
SERVICE_ACCOUNT_EMAIL
[email protected]):
resource.type="service_account" resource.labels.email_id="
SERVICE_ACCOUNT_EMAIL" "DeleteServiceAccount"
If the service account was deleted more than an hour ago, click
Last 1 hour, select a longer period of time from the drop-down list, then click Apply

Click
Run query. The Logs Explorer displays the
DeleteServiceAccountoperations that affected service accounts with the name you specified

Find and note the numeric ID of the deleted service account by doing one of the following:
If the search results include only one
DeleteServiceAccountoperation, find the numeric ID in the
Unique IDfield of the Log fieldspane

If the search results show more than one log, do the following:

Find the correct log entry. To find the correct log entry, click theexpander arrow next to a log entry. Review the details of the log entry and determine whether the log entry shows the operation that you want to undo. Repeat this process until you find the correct log entry

In the correct log entry, locate the service account's numeric ID. To locate the numeric ID, expand the log entry's
protoPayloadfield, then find the
resourceNamefield

The numeric ID is everything after
serviceAccountsin the
resourceNamefield

-
-
 Undeleting the service account by numeric ID
After you find the numeric ID for the deleted service account, you can try to undelete the service account

 gcloud CLI
Execute the
gcloud beta iam service-accounts undelete
command to undelete a service account

Command:
gcloud beta iam service-accounts undelete
ACCOUNT_ID
Output:
restoredAccount: email:
SA_NAME@ PROJECT_ID.iam.gserviceaccount.com etag: BwWWE7zpApg= name: projects/ PROJECT_ID/serviceAccounts/ SA_NAME@ PROJECT_ID.iam.gserviceaccount.com oauth2ClientId: '123456789012345678901' projectId: PROJECT_IDuniqueId: ' ACCOUNT_ID'
 REST
The
serviceAccounts.undelete
method restores a deleted service account

Before using any of the request data, make the following replacements:
: Your Google Cloud project ID. Project IDs are alphanumeric strings, like
PROJECT_ID
my-project

: The unique numeric ID of the service account

SA_NUMERIC_ID
HTTP method and URL:
POST httpsiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts/ SA_NUMERIC_ID:undelete
To send your request, expand one of these options:
 curl (Linux, macOS, or Cloud Shell)
Execute the following command:
curl -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json; charset=utf-8" -d "" "httpsiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts/ SA_NUMERIC_ID:undelete"
 PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "httpsiam.googleapis.com/v1/projects/
PROJECT_ID/serviceAccounts/ SA_NUMERIC_ID:undelete" | Select-Object -Expand Content
 API Explorer (browser)
Open the
method reference page

The API Explorer panel opens on the right side of the page

You can interact with this tool to send requests

Complete any required fields and click
**Execute**

If the account can be undeleted, you receive a
200 OK response
code with details about the restored service account, like the following:

{ "restoredAccount": { "name": "projects/my-project/serviceAccounts/[email protected]", "projectId": "my-project", "uniqueId": "123456789012345678901", "email": "[email protected]", "displayName": "My service account", "etag": "BwUp3rVlzes "description": "A service account for running jobs in my project", "oauth2ClientId": "987654321098765432109" } }
## What's next
- Learn how to create and manage service account keys

- Review the process for granting IAM roles to all types of principals, including service accounts

- Explore how you can use role recommendations to downscope permissions for all principals, including service accounts

- Understand how to allow principals to impersonate service accounts

## Try it for yourself
If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.Get started for free
Published date: 11 Nov 2022


          
           什么是虚拟专用服务器？什么是 VPS 托管？
        

          
          GoDaddy | 虚拟专用服务器获取 7 天免费 VPS
        

          
          最佳虚拟机监控工具