Delete and undelete service accounts

This page explains how to delete and undelete service accounts using the Identity and Access Management (IAM) API, the Google Cloud console, and the gcloud command-line tool.

Before you begin

  • Enable the IAM API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

  • Set up authentication.

    Select the tab for how you plan to use the samples on this page:

    Console

    When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

    gcloud

    In the Google Cloud console, activate Cloud Shell.

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

    C#

    To use the .NET samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

      Install the Google Cloud CLI.

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

      If you're using a local shell, then create local authentication credentials for your user account:

      gcloud auth application-default login

      You don't need to do this if you're using Cloud Shell.

      If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

    For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.

    C++

    To use the C++ samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

      Install the Google Cloud CLI.

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

      If you're using a local shell, then create local authentication credentials for your user account:

      gcloud auth application-default login

      You don't need to do this if you're using Cloud Shell.

      If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

    For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.

    Go

    To use the Go samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

      Install the Google Cloud CLI.

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

      If you're using a local shell, then create local authentication credentials for your user account:

      gcloud auth application-default login

      You don't need to do this if you're using Cloud Shell.

      If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

    For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.

    Java

    To use the Java samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

      Install the Google Cloud CLI.

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

      If you're using a local shell, then create local authentication credentials for your user account:

      gcloud auth application-default login

      You don't need to do this if you're using Cloud Shell.

      If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

    For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.

    Python

    To use the Python samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

      Install the Google Cloud CLI.

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

      If you're using a local shell, then create local authentication credentials for your user account:

      gcloud auth application-default login

      You don't need to do this if you're using Cloud Shell.

      If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

    For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.

    REST

    To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

      Install the Google Cloud CLI.

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

    For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

  • Understand IAM service accounts

Required roles

To get the permissions that you need to delete and undelete service accounts, ask your administrator to grant you the following IAM roles on the project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

To learn more about these roles, see Service Accounts roles.

IAM basic roles also contain permissions to manage service accounts. You should not grant basic roles in a production environment, but you can grant them in a development or test environment.

Delete a service account

When you delete a service account, applications will no longer have access to Google Cloud resources through that service account. If you delete the default App Engine and Compute Engine service accounts, then the App Engine apps and Compute Engine VM instances that use those service accounts will no longer have access to resources in the project.

Delete service accounts with caution. Make sure your critical applications are no longer using a service account before deleting it. If you're not sure whether a service account is being used, Google recommends disabling the service account instead of deleting it. Disabled service accounts can be re-enabled if they are still needed. For more information, see Disable unused service accounts before deleting them.

If you want to restore a deleted service account, you can undelete it, if it's been 30 days or less since you deleted the service account. After 30 days, IAM permanently removes the service account. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.

To further reduce the risk of deleting a necessary service account, you can also enable change risk recommendations. Change risk recommendations generate warnings when you try to delete service accounts that Google Cloud has identified as important.

If you delete a service account, then create a new service account with the same name, the new service account is treated as a separate identity; it does not inherit the roles granted to the deleted service account. In contrast, when you delete a service account, then undelete it, the service account's identity does not change, and the service account retains its roles.

When a service account is deleted, its role bindings are not immediately removed; they are automatically purged from the system after a maximum of 60 days. Until that time, the service account appears in role bindings with a deleted: prefix and a ?uid=NUMERIC_ID suffix, where NUMERIC_ID is a unique numeric ID for the service account.

Deleted service accounts do not count towards your service account quota.

Console

  1. In the Google Cloud console, go to the Service accounts page.

  2. Select a project.

  3. Select the service account you want to delete, and then click Delete.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Execute the gcloud iam service-accounts delete command to delete a service account.

    Command:

    gcloud iam service-accounts delete \
        SA_NAME@PROJECT_ID.iam.gserviceaccount.com

    Output:

    Deleted service account SA_NAME@PROJECT_ID.iam.gserviceaccount.com

C++

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

    // Headers needed by the snippet below (the sample as published shows only the lambda).
    #include "google/cloud/iam/admin/v1/iam_client.h"
    #include <iostream>
    #include <stdexcept>
    #include <string>

    namespace iam = ::google::cloud::iam_admin_v1;
    // name: the full resource name of the service account to delete.
    [](std::string const& name) {
      iam::IAMClient client(iam::MakeIAMConnection());
      auto response = client.DeleteServiceAccount(name);
      if (!response.ok()) throw std::runtime_error(response.message());
      std::cout << "ServiceAccount successfully deleted.\n";
    }

C#

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

    using System;
    using Google.Apis.Auth.OAuth2;
    using Google.Apis.Iam.v1;

    public partial class ServiceAccounts
    {
        public static void DeleteServiceAccount(string email)
        {
            // Application Default Credentials, scoped to the cloud-platform scope.
            var credential = GoogleCredential.GetApplicationDefault()
                .CreateScoped(IamService.Scope.CloudPlatform);
            var service = new IamService(new IamService.Initializer
            {
                HttpClientInitializer = credential
            });

            // The "-" wildcard lets the API resolve the project from the email.
            string resource = "projects/-/serviceAccounts/" + email;
            service.Projects.ServiceAccounts.Delete(resource).Execute();
            Console.WriteLine("Deleted service account: " + email);
        }
    }

Go

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

    import (
    	"context"
    	"fmt"
    	"io"

    	iam "google.golang.org/api/iam/v1"
    )

    // deleteServiceAccount deletes a service account.
    func deleteServiceAccount(w io.Writer, email string) error {
    	ctx := context.Background()
    	service, err := iam.NewService(ctx)
    	if err != nil {
    		return fmt.Errorf("iam.NewService: %w", err)
    	}

    	// The "-" wildcard lets the API resolve the project from the email.
    	_, err = service.Projects.ServiceAccounts.Delete("projects/-/serviceAccounts/" + email).Do()
    	if err != nil {
    		return fmt.Errorf("Projects.ServiceAccounts.Delete: %w", err)
    	}
    	fmt.Fprintf(w, "Deleted service account: %v", email)
    	return nil
    }

Java

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

    import com.google.cloud.iam.admin.v1.IAMClient;
    import com.google.iam.admin.v1.DeleteServiceAccountRequest;
    import com.google.iam.admin.v1.ServiceAccountName;
    import java.io.IOException;

    public class DeleteServiceAccount {

      public static void main(String[] args) throws IOException {
        // TODO(developer): Replace the variables before running the sample.
        String projectId = "your-project-id";
        String serviceAccountName = "my-service-account-name";

        deleteServiceAccount(projectId, serviceAccountName);
      }

      // Deletes a service account.
      public static void deleteServiceAccount(String projectId, String serviceAccountName)
          throws IOException {
        // Initialize client that will be used to send requests.
        // This client only needs to be created once, and can be reused for multiple requests.
        try (IAMClient client = IAMClient.create()) {
          // Builds projects/PROJECT_ID/serviceAccounts/NAME@PROJECT_ID.iam.gserviceaccount.com
          String accountName = ServiceAccountName.of(projectId, serviceAccountName).toString();
          String accountEmail =
              String.format("%s@%s.iam.gserviceaccount.com", accountName, projectId);
          DeleteServiceAccountRequest request =
              DeleteServiceAccountRequest.newBuilder().setName(accountEmail).build();
          client.deleteServiceAccount(request);
          System.out.println("Deleted service account: " + serviceAccountName);
        }
      }
    }

Python

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

    from google.cloud import iam_admin_v1
    from google.cloud.iam_admin_v1 import types


    def delete_service_account(project_id: str, account: str) -> None:
        """Deletes a service account.

        project_id: ID or number of the Google Cloud project you want to use.
        account: ID or email which is unique identifier of the service account.
        """

        iam_admin_client = iam_admin_v1.IAMClient()
        request = types.DeleteServiceAccountRequest()
        request.name = f"projects/{project_id}/serviceAccounts/{account}"

        iam_admin_client.delete_service_account(request=request)
        print(f"Deleted a service account: {account}")

REST

The serviceAccounts.delete method deletes a service account.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
  • SA_ID: The ID of your service account. This can either be the service account's email address in the form SA_NAME@PROJECT_ID.iam.gserviceaccount.com, or the service account's unique numeric ID.

HTTP method and URL:

DELETE https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X DELETE \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method DELETE `
-Headers $headers `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID" | Select-Object -Expand Content

APIs Explorer (browser)

Open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click Execute.

If successful, the response body will be empty.

Undelete a service account

In some cases, you can use the undelete command to undelete a deleted service account. You can usually undelete a deleted service account if it meets these criteria:

  • The service account was deleted less than 30 days ago.

    After 30 days, IAM permanently removes the service account. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.

  • There is no existing service account with the same name as the deleted service account.

    For example, suppose that you accidentally delete the service account my-service-account@project-id.iam.gserviceaccount.com. You still need a service account with that name, so you create a new service account with the same name, my-service-account@project-id.iam.gserviceaccount.com.

    The new service account does not inherit the permissions of the deleted service account. In effect, it is completely separate from the deleted service account. However, you cannot undelete the original service account, because the new service account has the same name.

    To address this issue, delete the new service account, then try to undelete the original service account.

If you are not able to undelete the service account, you can create a new service account with the same name; revoke all of the roles from the deleted service account; and grant the same roles to the new service account. For details, see Policies with deleted principals.

Find a deleted service account's numeric ID

When you undelete a service account, you must provide its numeric ID. The numeric ID is a 21-digit number, such as 123456789012345678901, that uniquely identifies the service account. For example, if you delete a service account, then create a new service account with the same name, the original service account and the new service account will have different numeric IDs.

If you know that a binding in an allow policy includes the deleted service account, you can get the allow policy, then find the numeric ID in the allow policy. The numeric ID is appended to the name of the deleted service account. For example, in this allow policy, the numeric ID for the deleted service account is 123456789012345678901:

    {
      "version": 1,
      "etag": "BwUjMhCsNvY=",
      "bindings": [
        {
          "members": [
            "deleted:serviceAccount:my-service-account@project-id.iam.gserviceaccount.com?uid=123456789012345678901"
          ],
          "role": "roles/iam.serviceAccountUser"
        }
      ]
    }

Numeric IDs are only appended to the names of deleted principals.

Alternatively, you can search your audit logs for the DeleteServiceAccount operation that deleted the service account:

  1. In the Google Cloud console, go to the Logs explorer page.

  2. In the query editor, enter the following query, replacing SERVICE_ACCOUNT_EMAIL with the email address of your service account (for example, my-service-account@project-id.iam.gserviceaccount.com):

    resource.type="service_account"
    resource.labels.email_id="SERVICE_ACCOUNT_EMAIL"
    "DeleteServiceAccount"

  3. If the service account was deleted more than an hour ago, click Last 1 hour, select a longer period of time from the drop-down list, then click Apply.

  4. Click Run query. The Logs Explorer displays the DeleteServiceAccount operations that affected service accounts with the name you specified.

  5. Find and note the numeric ID of the deleted service account by doing one of the following:

    • If the search results include only one DeleteServiceAccount operation, find the numeric ID in the Unique ID field of the Log fields pane.

    • If the search results show more than one log, do the following:

      1. Find the correct log entry. To find the correct log entry, click the expander arrow next to a log entry. Review the details of the log entry and determine whether the log entry shows the operation that you want to undo. Repeat this process until you find the correct log entry.

      2. In the correct log entry, locate the service account's numeric ID. To locate the numeric ID, expand the log entry's protoPayload field, then find the resourceName field.

      The numeric ID is everything after serviceAccounts/ in the resourceName field.
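The two lookups described in this section, as an added example that is not part of the original page: the first function walks an allow policy and collects every deleted service account with its numeric ID and the stale roles it still holds, the second reports deleted accounts whose name is already taken by a live account (which blocks undelete), and the third pulls the numeric ID out of a DeleteServiceAccount audit log entry. The policy is modelled on the one shown above; the audit entry is constructed, and its methodName and resourceName layout are assumptions.

```python
import re
from typing import Dict, List, Optional

# Form IAM uses for a deleted service account that still appears in a binding
# (bindings are purged automatically after at most 60 days):
#   deleted:serviceAccount:EMAIL?uid=NUMERIC_ID
DELETED_SA_RE = re.compile(r"^deleted:serviceAccount:(?P<email>[^?]+)\?uid=(?P<uid>\d+)$")


def find_deleted_service_accounts(policy: dict) -> Dict[str, dict]:
    """Map each deleted service account email in an allow policy to its
    numeric ID and the roles its stale bindings still name."""
    found: Dict[str, dict] = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            match = DELETED_SA_RE.match(member)
            if match is None:
                continue
            entry = found.setdefault(match["email"], {"uid": match["uid"], "roles": []})
            entry["roles"].append(binding["role"])
    return found


def undelete_blockers(policy: dict) -> List[str]:
    """Emails that appear both as a deleted principal and as a live
    serviceAccount: member; undelete fails until the new account is removed."""
    live = {
        m[len("serviceAccount:"):]
        for b in policy.get("bindings", [])
        for m in b.get("members", [])
        if m.startswith("serviceAccount:")
    }
    return sorted(e for e in find_deleted_service_accounts(policy) if e in live)


def numeric_id_from_audit_entry(entry: dict) -> Optional[str]:
    """Numeric ID from a DeleteServiceAccount audit log entry: everything after
    'serviceAccounts/' in protoPayload.resourceName. None for other operations."""
    payload = entry.get("protoPayload", {})
    if not payload.get("methodName", "").endswith("DeleteServiceAccount"):
        return None
    _, sep, tail = payload.get("resourceName", "").partition("serviceAccounts/")
    return tail if sep and tail.isdigit() else None


# Constructed sample policy, modelled on the page's example; a second binding and a
# live account with the same name were added to exercise the blocker check.
SA_EMAIL = "my-service-account@project-id.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwUjMhCsNvY=",
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": [f"deleted:serviceAccount:{SA_EMAIL}?uid=123456789012345678901",
                     f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/viewer",
         "members": [f"deleted:serviceAccount:{SA_EMAIL}?uid=123456789012345678901",
                     "user:alice@example.com"]},
    ],
}

# Constructed audit log entry (field layout assumed, not taken from the page).
SAMPLE_AUDIT_ENTRY = {
    "protoPayload": {
        "methodName": "google.iam.admin.v1.DeleteServiceAccount",
        "resourceName": "projects/-/serviceAccounts/123456789012345678901",
    },
    "resource": {"type": "service_account", "labels": {"email_id": SA_EMAIL}},
}

if __name__ == "__main__":
    for email, info in find_deleted_service_accounts(SAMPLE_POLICY).items():
        print(f"{email} uid={info['uid']} stale roles={info['roles']}")
    print("undelete blocked for:", undelete_blockers(SAMPLE_POLICY))
    print("numeric ID from audit log:", numeric_id_from_audit_entry(SAMPLE_AUDIT_ENTRY))
```

Run it against the output of a real get-iam-policy call or an exported log entry to list which roles a restored account would silently regain, which is the check worth doing before you undelete.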

Undelete the service account by numeric ID

After you find the numeric ID for the deleted service account, you can try to undelete the service account.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Execute the gcloud beta iam service-accounts undelete command to undelete a service account.

    Command:

    gcloud beta iam service-accounts undelete ACCOUNT_ID

    Output:

    restoredAccount:
      email: SA_NAME@PROJECT_ID.iam.gserviceaccount.com
      etag: BwWWE7zpApg=
      name: projects/PROJECT_ID/serviceAccounts/SA_NAME@PROJECT_ID.iam.gserviceaccount.com
      oauth2ClientId: '123456789012345678901'
      projectId: PROJECT_ID
      uniqueId: 'ACCOUNT_ID'

REST

The serviceAccounts.undelete method restores a deleted service account.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
  • SA_NUMERIC_ID: The unique numeric ID of the service account.

HTTP method and URL:

POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NUMERIC_ID:undelete

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NUMERIC_ID:undelete"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NUMERIC_ID:undelete" | Select-Object -Expand Content

APIs Explorer (browser)

Open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click Execute.

If the account can be undeleted, you receive a 200 OK response code with details about the restored service account, like the following:

    {
      "restoredAccount": {
        "name": "projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com",
        "projectId": "my-project",
        "uniqueId": "123456789012345678901",
        "email": "my-service-account@my-project.iam.gserviceaccount.com",
        "displayName": "My service account",
        "etag": "BwUp3rVlzes=",
        "description": "A service account for running jobs in my project",
        "oauth2ClientId": "987654321098765432109"
      }
    }


Last updated 2025-12-15 UTC.