Disable and enable service accounts

This page explains how to disable and enable service accounts using the Identity and Access Management (IAM) API, the Google Cloud console, and the gcloud CLI.

Before you begin

  • Enable the IAM API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

  • Set up authentication.

    Select the tab for how you plan to use the samples on this page:

    Console

    When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

    gcloud

    In the Google Cloud console, activate Cloud Shell.

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

    C#

    To use the .NET samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

      Install the Google Cloud CLI.

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

      If you're using a local shell, then create local authentication credentials for your user account:

      gcloud auth application-default login

      You don't need to do this if you're using Cloud Shell.

      If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

    For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.

    C++

    To use the C++ samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

      Install the Google Cloud CLI.

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

      If you're using a local shell, then create local authentication credentials for your user account:

      gcloud auth application-default login

      You don't need to do this if you're using Cloud Shell.

      If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

    For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.

    Go

    To use the Go samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

      Install the Google Cloud CLI.

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

      If you're using a local shell, then create local authentication credentials for your user account:

      gcloud auth application-default login

      You don't need to do this if you're using Cloud Shell.

      If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

    For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.

    Java

    To use the Java samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

      Install the Google Cloud CLI.

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

      If you're using a local shell, then create local authentication credentials for your user account:

      gcloud auth application-default login

      You don't need to do this if you're using Cloud Shell.

      If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

    For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.

    Python

    To use the Python samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

      Install the Google Cloud CLI.

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

      If you're using a local shell, then create local authentication credentials for your user account:

      gcloud auth application-default login

      You don't need to do this if you're using Cloud Shell.

      If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

    For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.

    REST

    To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

      Install the Google Cloud CLI.

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

    For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

  • Understand IAM service accounts

Required roles

To get the permissions that you need to manage service accounts, ask your administrator to grant you the Service Account Admin (roles/iam.serviceAccountAdmin) IAM role on the project. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

To learn more about this role, see Service Accounts roles.

IAM basic roles also contain permissions to manage service accounts. You should not grant basic roles in a production environment, but you can grant them in a development or test environment.

Disable a service account

Similar to deleting a service account, when you disable a service account, applications will no longer have access to Google Cloud resources through that service account. If you disable the default App Engine and Compute Engine service accounts, the instances will no longer have access to resources in the project. If you attempt to disable an already disabled service account, it will have no effect.

Unlike deleting a service account, disabled service accounts can easily be re-enabled as necessary. We recommend disabling a service account before deleting it to make sure no critical applications are using the service account. For more information, see Disable unused service accounts before deleting them.

Console

  1. In the Google Cloud console, go to the Service accounts page.

  2. Select a project.

  3. Click the name of the service account that you want to disable.

  4. Under Service account status, click Disable service account, then click Disable to confirm the change.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Execute the gcloud iam service-accounts disable command to disable a service account.

    Command:

    gcloud iam service-accounts disable SA_NAME@PROJECT_ID.iam.gserviceaccount.com

    Output:

    Disabled service account SA_NAME@PROJECT_ID.iam.gserviceaccount.com

C++

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

namespace iam = ::google::cloud::iam_admin_v1;
[](std::string const& name) {
  iam::IAMClient client(iam::MakeIAMConnection());
  google::iam::admin::v1::DisableServiceAccountRequest request;
  request.set_name(name);
  auto response = client.DisableServiceAccount(request);
  if (!response.ok()) throw std::runtime_error(response.message());
  std::cout << "ServiceAccount successfully disabled.\n";
}

C#

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

using System;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Iam.v1;
using Google.Apis.Iam.v1.Data;

public partial class ServiceAccounts
{
    public static void DisableServiceAccount(string email)
    {
        var credential = GoogleCredential.GetApplicationDefault()
            .CreateScoped(IamService.Scope.CloudPlatform);
        var service = new IamService(new IamService.Initializer
        {
            HttpClientInitializer = credential
        });

        var request = new DisableServiceAccountRequest();

        string resource = "projects/-/serviceAccounts/" + email;
        service.Projects.ServiceAccounts.Disable(request, resource).Execute();
        Console.WriteLine("Disabled service account: " + email);
    }
}

Go

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

import (
	"context"
	"fmt"
	"io"

	iam "google.golang.org/api/iam/v1"
)

// disableServiceAccount disables a service account.
func disableServiceAccount(w io.Writer, email string) error {
	// email:= service-account@your-project.iam.gserviceaccount.com
	ctx := context.Background()
	service, err := iam.NewService(ctx)
	if err != nil {
		return fmt.Errorf("iam.NewService: %w", err)
	}

	request := &iam.DisableServiceAccountRequest{}
	_, err = service.Projects.ServiceAccounts.Disable("projects/-/serviceAccounts/"+email, request).Do()
	if err != nil {
		return fmt.Errorf("Projects.ServiceAccounts.Disable: %w", err)
	}
	fmt.Fprintf(w, "Disabled service account: %v", email)
	return nil
}

Java

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.admin.v1.DisableServiceAccountRequest;
import java.io.IOException;

public class DisableServiceAccount {
  public static void main(String[] args) throws IOException {
    // TODO(Developer): Replace the below variables before running.
    String projectId = "your-project-id";
    String serviceAccountName = "your-service-account-name";

    disableServiceAccount(projectId, serviceAccountName);
  }

  // Disables a service account.
  public static void disableServiceAccount(String projectId, String accountName)
      throws IOException {
    String email = String.format("%s@%s.iam.gserviceaccount.com", accountName, projectId);

    // Initialize client that will be used to send requests.
    // This client only needs to be created once, and can be reused for multiple requests.
    try (IAMClient iamClient = IAMClient.create()) {
      iamClient.disableServiceAccount(
          DisableServiceAccountRequest.newBuilder()
              .setName(String.format("projects/%s/serviceAccounts/%s", projectId, email))
              .build());

      System.out.println("Disabled service account: " + accountName);
    }
  }
}

Python

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

import time

from google.cloud import iam_admin_v1
from google.cloud.iam_admin_v1 import types


def disable_service_account(project_id: str, account: str) -> types.ServiceAccount:
    """Disables a service account.

    project_id: ID or number of the Google Cloud project you want to use.
    account: ID or email which is unique identifier of the service account.
    """

    iam_admin_client = iam_admin_v1.IAMClient()
    request = types.DisableServiceAccountRequest()
    name = f"projects/{project_id}/serviceAccounts/{account}"
    request.name = name

    iam_admin_client.disable_service_account(request=request)
    time.sleep(5)  # waiting to make sure changes applied

    get_request = types.GetServiceAccountRequest()
    get_request.name = name

    service_account = iam_admin_client.get_service_account(request=get_request)
    if service_account.disabled:
        print(f"Disabled service account: {account}")
    return service_account

REST

The serviceAccounts.disable method immediately disables a service account.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
  • SA_ID: The ID of your service account. This can either be the service account's email address in the form SA_NAME@PROJECT_ID.iam.gserviceaccount.com, or the service account's unique numeric ID.

HTTP method and URL:

POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID:disable

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID:disable"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID:disable" | Select-Object -Expand Content

APIs Explorer (browser)

Open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click Execute.

If successful, the response body will be empty.

Enable a service account

After enabling a disabled service account, applications will regain access to Google Cloud resources through that service account.

You can enable a disabled service account whenever you need to. If you attempt to enable an already enabled service account, it will have no effect.

Console

  1. In the Google Cloud console, go to the Service accounts page.

  2. Select a project.

  3. Click the name of the service account that you want to enable.

  4. Under Service account status, click Enable service account, then click Enable to confirm the change.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Execute the gcloud iam service-accounts enable command to enable a service account.

    Command:

    gcloud iam service-accounts enable SA_NAME@PROJECT_ID.iam.gserviceaccount.com

    Output:

    Enabled service account SA_NAME@PROJECT_ID.iam.gserviceaccount.com

C++

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

namespace iam = ::google::cloud::iam_admin_v1;
[](std::string const& name) {
  iam::IAMClient client(iam::MakeIAMConnection());
  google::iam::admin::v1::EnableServiceAccountRequest request;
  request.set_name(name);
  auto response = client.EnableServiceAccount(request);
  if (!response.ok()) throw std::runtime_error(response.message());
  std::cout << "ServiceAccount successfully enabled.\n";
}

C#

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

using System;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Iam.v1;
using Google.Apis.Iam.v1.Data;

public partial class ServiceAccounts
{
    public static void EnableServiceAccount(string email)
    {
        var credential = GoogleCredential.GetApplicationDefault()
            .CreateScoped(IamService.Scope.CloudPlatform);
        var service = new IamService(new IamService.Initializer
        {
            HttpClientInitializer = credential
        });

        var request = new EnableServiceAccountRequest();

        string resource = "projects/-/serviceAccounts/" + email;
        service.Projects.ServiceAccounts.Enable(request, resource).Execute();
        Console.WriteLine("Enabled service account: " + email);
    }
}

Go

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

import (
	"context"
	"fmt"
	"io"

	iam "google.golang.org/api/iam/v1"
)

// enableServiceAccount enables a service account.
func enableServiceAccount(w io.Writer, email string) error {
	// email:= service-account@your-project.iam.gserviceaccount.com
	ctx := context.Background()
	service, err := iam.NewService(ctx)
	if err != nil {
		return fmt.Errorf("iam.NewService: %w", err)
	}

	request := &iam.EnableServiceAccountRequest{}
	_, err = service.Projects.ServiceAccounts.Enable("projects/-/serviceAccounts/"+email, request).Do()
	if err != nil {
		return fmt.Errorf("Projects.ServiceAccounts.Enable: %w", err)
	}
	fmt.Fprintf(w, "Enabled service account: %v", email)
	return nil
}

Java

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.admin.v1.EnableServiceAccountRequest;
import java.io.IOException;

public class EnableServiceAccount {
  public static void main(String[] args) throws IOException {
    // TODO(Developer): Replace the below variables before running.
    String projectId = "your-project-id";
    String serviceAccountName = "your-service-account-name";

    enableServiceAccount(projectId, serviceAccountName);
  }

  // Enables a service account.
  public static void enableServiceAccount(String projectId, String accountName)
      throws IOException {
    String email = String.format("%s@%s.iam.gserviceaccount.com", accountName, projectId);

    // Initialize client that will be used to send requests.
    // This client only needs to be created once, and can be reused for multiple requests.
    try (IAMClient iamClient = IAMClient.create()) {
      iamClient.enableServiceAccount(
          EnableServiceAccountRequest.newBuilder()
              .setName(String.format("projects/%s/serviceAccounts/%s", projectId, email))
              .build());

      System.out.println("Enabled service account: " + email);
    }
  }
}

Python

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

import time

from google.cloud import iam_admin_v1
from google.cloud.iam_admin_v1 import types


def enable_service_account(project_id: str, account: str) -> types.ServiceAccount:
    """Enables a service account.

    project_id: ID or number of the Google Cloud project you want to use.
    account: ID or email which is unique identifier of the service account.
    """

    iam_admin_client = iam_admin_v1.IAMClient()
    request = types.EnableServiceAccountRequest()
    name = f"projects/{project_id}/serviceAccounts/{account}"
    request.name = name

    iam_admin_client.enable_service_account(request=request)
    time.sleep(5)  # waiting to make sure changes applied

    get_request = types.GetServiceAccountRequest()
    get_request.name = name

    service_account = iam_admin_client.get_service_account(request=get_request)
    if not service_account.disabled:
        print(f"Enabled service account: {account}")
    return service_account

REST

The serviceAccounts.enable method enables a previously disabled service account.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: Your Google Cloud project ID. Project IDs are alphanumeric strings, like my-project.
  • SA_ID: The ID of your service account. This can either be the service account's email address in the form SA_NAME@PROJECT_ID.iam.gserviceaccount.com, or the service account's unique numeric ID.

HTTP method and URL:

POST https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID:enable

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID:enable"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_ID:enable" | Select-Object -Expand Content

APIs Explorer (browser)

Open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click Execute.

If successful, the response body will be empty.
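
The REST disable and enable calls above, combined with a read-back of the account state, as an added example (not part of the original page or of Google's samples). It polls until the change is visible instead of using the fixed five-second sleep in the Python samples; `sa_url`, `bearer_transport`, `set_disabled` and `FakeIam` are hypothetical names, and the read-back assumes a GET on the same resource path without the `:disable` or `:enable` suffix, which is what the Python samples' `get_service_account` call does.

```python
import json
import re
import time
import urllib.request

IAM_BASE = "https://iam.googleapis.com/v1"
# "-" is the wildcard project used in the page's C# and Go samples.
_PROJECT_RE = re.compile(r"[a-z0-9.:-]+")
# SA_ID is the account's email address or its unique numeric ID.
_SA_ID_RE = re.compile(r"[A-Za-z0-9._-]+@[a-z0-9.-]+\.gserviceaccount\.com|[0-9]+")


def sa_url(project_id, sa_id, action=""):
    """Build a serviceAccounts URL; action is "", ":disable" or ":enable"."""
    if not _PROJECT_RE.fullmatch(project_id):
        raise ValueError(f"unexpected PROJECT_ID: {project_id!r}")
    if not _SA_ID_RE.fullmatch(sa_id):
        raise ValueError(f"SA_ID must be an email or a numeric ID: {sa_id!r}")
    if action not in ("", ":disable", ":enable"):
        raise ValueError(f"unsupported action: {action!r}")
    return f"{IAM_BASE}/projects/{project_id}/serviceAccounts/{sa_id}{action}"


def bearer_transport(token):
    """Return call(method, url) -> dict that sends requests with a bearer token."""
    def call(method, url):
        req = urllib.request.Request(
            url, data=b"" if method == "POST" else None, method=method,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json; charset=utf-8"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = resp.read()
        return json.loads(body) if body.strip() else {}  # success body may be empty
    return call


def set_disabled(call, project_id, sa_id, disabled, timeout=30.0, interval=1.0,
                 sleep=time.sleep, clock=time.monotonic):
    """Disable or enable the account, then poll until the change is visible."""
    call("POST", sa_url(project_id, sa_id, ":disable" if disabled else ":enable"))
    deadline = clock() + timeout
    while True:
        account = call("GET", sa_url(project_id, sa_id))
        # A false boolean may be left out of the JSON body: missing means enabled.
        if bool(account.get("disabled", False)) == disabled:
            return account
        if clock() >= deadline:
            raise TimeoutError(f"{sa_id} did not reach disabled={disabled}")
        sleep(interval)


class FakeIam:
    """Constructed in-memory stand-in for the API; the first GETs are stale."""
    def __init__(self, disabled=False, stale_reads=2):
        self.disabled, self.visible, self.stale = disabled, disabled, stale_reads
        self.calls = []

    def __call__(self, method, url):
        self.calls.append((method, url))
        if method == "POST":
            self.disabled = url.endswith(":disable")
            return {}
        self.stale -= 1
        if self.stale < 0:
            self.visible = self.disabled  # the change has propagated
        account = {"email": url.rsplit("/", 1)[1]}
        if self.visible:
            account["disabled"] = True
        return account
```

Against the real API, pass `bearer_transport(token)` as `call`, where `token` is the output of `gcloud auth print-access-token`.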

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.