Troubleshooting default service accounts

To access Google Cloud resources, Compute Engine virtualmachine (VM) instances useservice accounts. If youaccidentally delete theCompute Engine default service account,applications that run on your VMs might not be able to make calls toGoogle Cloud APIs.

This document explains how to recover the Compute Engine default serviceaccount after it is deleted.

Recover the Compute Engine default service account

When you delete a service account, Identity and Access Management (IAM)permanently removes the service account after 30 days. If you accidentallydelete the Compute Enginedefault service account, Google Cloud cannot recover the service accountafter it is permanently removed and then the VMs will no longer have access toresources in the project. In such cases, if you want to assign aCompute Engine default service account for the VM, create a service accountand set it as the default service account.

To get the permissions that you need to perform this task, ask your administrator to grant you the following IAM roles on your project:

For more information about granting roles, seeManage access to projects, folders, and organizations.

You might also be able to get the required permissions throughcustom roles or otherpredefined roles.

To recover a deleted Compute Engine default service account, do the following:

  1. In the Google Cloud console, go to theLogs Explorer page.

    Go to Logs Explorer

    Use the following query to validate when the Compute Engine default serviceaccount was deleted:

    resource.type="service_account"protoPayload.methodName="google.iam.admin.v1.DeleteServiceAccount""PROJECT_NUMBER-compute@developer.gserviceaccount.com"

    ReplacePROJECT_NUMBER with the project number of yourproject.

    If the default service account was deleted less than 30 days ago:

    Use theundelete command to recover the service account. For moreinformation, seeUndelete a serviceaccount.

    If the default service account was deleted more than 30 days ago:

    1. Create a service account orselect an existing service account to set as the new Compute Enginedefault service account.

  2. If you want VMs to use the newly created default service account,follow thesesteps:

    1. Go to theVM instances page.

      Go to VM instances

    2. Click the VM instance name for which you want to use the service account.

    3. If the VM is running, clickStop to stop the VM. If there is noStop option, clickMore actions >Stop.

    4. ClickEdit.

    5. Scroll down to theService Account section.

    6. From the drop-down list, select the service account to assign to theinstance.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.