service_accounts
Creates, updates, deletes, gets or lists a service_accounts resource.
Overview
- Name: service_accounts
- Type: Resource
- Id: google.iam.service_accounts
Fields
The following fields are returned by SELECT queries; the get and list methods return the same fields:
Successful response
Name | Datatype | Description |
---|---|---|
name | string | The resource name of the service account. Use one of the following formats: * projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS} * projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID} As an alternative, you can use the - wildcard character instead of the project ID: * projects/-/serviceAccounts/{EMAIL_ADDRESS} * projects/-/serviceAccounts/{UNIQUE_ID} When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account projects/-/serviceAccounts/fake@example.com , which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error. |
description | string | Optional. A user-specified, human-readable description of the service account. The maximum length is 256 UTF-8 bytes. |
disabled | boolean | Output only. Whether the service account is disabled. |
displayName | string | Optional. A user-specified, human-readable name for the service account. The maximum length is 100 UTF-8 bytes. |
email | string | Output only. The email address of the service account. |
etag | string (byte) | Deprecated. Do not use. |
oauth2ClientId | string | Output only. The OAuth 2.0 client ID for the service account. |
projectId | string | Output only. The ID of the project that owns the service account. |
uniqueId | string | Output only. The unique, stable numeric ID for the service account. Each service account retains its unique ID even if you delete the service account. For example, if you delete a service account, then create a new service account with the same name, the new service account has a different unique ID than the deleted service account. |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
get | select | projectsId, serviceAccountsId | | Gets a ServiceAccount. |
list | select | projectsId | pageSize, pageToken | Lists every ServiceAccount that belongs to a specific project. |
create | insert | projectsId | | Creates a ServiceAccount. |
patch | update | projectsId, serviceAccountsId | | Patches a ServiceAccount. |
update | replace | projectsId, serviceAccountsId | | Note: We are in the process of deprecating this method. Use PatchServiceAccount instead. Updates a ServiceAccount. You can update only the display_name field. |
delete | delete | projectsId, serviceAccountsId | | Deletes a ServiceAccount. Warning: After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead. If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account. |
undelete | exec | projectsId, serviceAccountsId | | Restores a deleted ServiceAccount. Important: It is not always possible to restore a deleted service account. Use this method only as a last resort. After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed. |
enable | exec | projectsId, serviceAccountsId | | Enables a ServiceAccount that was disabled by DisableServiceAccount. If the service account is already enabled, then this method has no effect. If the service account was disabled by other means, for example if Google disabled the service account because it was compromised, you cannot use this method to enable the service account. |
disable | exec | projectsId, serviceAccountsId | | Disables a ServiceAccount immediately. If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail. To re-enable the service account, use EnableServiceAccount. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount. |
sign_blob | exec | projectsId, serviceAccountsId | | Signs a blob using the system-managed private key for a ServiceAccount. |
sign_jwt | exec | projectsId, serviceAccountsId | | Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
projectsId | string | The project ID that owns the service account (the {PROJECT_ID} segment of the resource name). |
serviceAccountsId | string | The service account's email address or unique ID (the {EMAIL_ADDRESS} or {UNIQUE_ID} segment of the resource name). |
pageSize | integer (int32) | Maximum number of service accounts to return per page (list only). |
pageToken | string | Token from a previous list response, used to fetch the next page (list only). |
SELECT examples
- get
- list
Gets a ServiceAccount.
SELECT
name,
description,
disabled,
displayName,
email,
etag,
oauth2ClientId,
projectId,
uniqueId
FROM google.iam.service_accounts
WHERE projectsId = '{{ projectsId }}' -- required
AND serviceAccountsId = '{{ serviceAccountsId }}'; -- required
Lists every ServiceAccount that belongs to a specific project.
SELECT
name,
description,
disabled,
displayName,
email,
etag,
oauth2ClientId,
projectId,
uniqueId
FROM google.iam.service_accounts
WHERE projectsId = '{{ projectsId }}' -- required
AND pageSize = '{{ pageSize }}'
AND pageToken = '{{ pageToken }}';
INSERT examples
- create
- Manifest
Creates a ServiceAccount.
INSERT INTO google.iam.service_accounts (
data__accountId,
data__serviceAccount,
projectsId
)
SELECT
'{{ accountId }}',
'{{ serviceAccount }}',
'{{ projectsId }}'
RETURNING
name,
description,
disabled,
displayName,
email,
etag,
oauth2ClientId,
projectId,
uniqueId
;
# Description fields are for documentation purposes
- name: service_accounts
  props:
    - name: projectsId
      value: string
      description: Required parameter for the service_accounts resource.
    - name: accountId
      value: string
      description: >
        Required. The account id that is used to generate the service account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035.
    - name: serviceAccount
      value: object
      description: >
        An IAM service account. A service account is an account for an application or a virtual machine (VM) instance, not a person. You can use a service account to call Google APIs. To learn more, read the [overview of service accounts](https://cloud.google.com/iam/help/service-accounts/overview). When you create a service account, you specify the project ID that owns the service account, as well as a name that must be unique within the project. IAM uses these values to create an email address that identifies the service account.
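An added example, not taken from the StackQL docs or from Google's code: it checks a proposed accountId against the rule the manifest states before the value goes into the INSERT, derives the email IAM will assign from it, and builds the resource name while refusing the projects/- wildcard for the 403-versus-404 reason given under the name field. The iam.gserviceaccount.com suffix is the standard form for project service accounts; the sample values are constructed.

```python
import re

# Rule from the manifest: 6-30 characters matching [a-z]([-a-z0-9]*[a-z0-9]) (RFC 1035 label).
ACCOUNT_ID_RE = re.compile(r"[a-z]([-a-z0-9]*[a-z0-9])")
SA_EMAIL_SUFFIX = ".iam.gserviceaccount.com"  # standard suffix for project service accounts


def validate_account_id(account_id: str) -> list:
    """Return the rule violations for a proposed accountId; an empty list means it is usable."""
    problems = []
    if not 6 <= len(account_id) <= 30:
        problems.append(f"length {len(account_id)} is outside 6-30")
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        problems.append("must start with a letter, use only a-z, 0-9 and '-', and not end with '-'")
    return problems


def service_account_email(project_id: str, account_id: str) -> str:
    """The email IAM derives from the project ID and accountId (refuses an invalid accountId)."""
    problems = validate_account_id(account_id)
    if problems:
        raise ValueError("; ".join(problems))
    return f"{account_id}@{project_id}{SA_EMAIL_SUFFIX}"


def resource_name(project_id: str, sa_id: str, allow_wildcard: bool = False) -> str:
    """Build projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS or UNIQUE_ID}.

    The '-' project wildcard is refused by default: looking up a non-existent account
    through it yields HTTP 403 instead of 404, so a missing account looks like a
    permission failure to whatever consumes the error.
    """
    if project_id == "-" and not allow_wildcard:
        raise ValueError("refusing the projects/- wildcard; pass the real project ID")
    if not project_id or not sa_id:
        raise ValueError("project_id and sa_id must both be non-empty")
    return f"projects/{project_id}/serviceAccounts/{sa_id}"
```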
UPDATE examples
- patch
Patches a ServiceAccount.
UPDATE google.iam.service_accounts
SET
data__serviceAccount = '{{ serviceAccount }}',
data__updateMask = '{{ updateMask }}'
WHERE
projectsId = '{{ projectsId }}' --required
AND serviceAccountsId = '{{ serviceAccountsId }}' --required
RETURNING
name,
description,
disabled,
displayName,
email,
etag,
oauth2ClientId,
projectId,
uniqueId;
REPLACE examples
- update
Note: We are in the process of deprecating this method. Use PatchServiceAccount instead. Updates a ServiceAccount. You can update only the display_name field.
REPLACE google.iam.service_accounts
SET
data__name = '{{ name }}',
data__displayName = '{{ displayName }}',
data__etag = '{{ etag }}',
data__description = '{{ description }}'
WHERE
projectsId = '{{ projectsId }}' --required
AND serviceAccountsId = '{{ serviceAccountsId }}' --required
RETURNING
name,
description,
disabled,
displayName,
email,
etag,
oauth2ClientId,
projectId,
uniqueId;
DELETE examples
- delete
Deletes a ServiceAccount. Warning: After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead. If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account.
DELETE FROM google.iam.service_accounts
WHERE projectsId = '{{ projectsId }}' --required
AND serviceAccountsId = '{{ serviceAccountsId }}'; --required
Lifecycle Methods
- undelete
- enable
- disable
- sign_blob
- sign_jwt
Restores a deleted ServiceAccount. Important: It is not always possible to restore a deleted service account. Use this method only as a last resort. After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed.
EXEC google.iam.service_accounts.undelete
@projectsId='{{ projectsId }}', --required
@serviceAccountsId='{{ serviceAccountsId }}'; --required
Enables a ServiceAccount that was disabled by DisableServiceAccount. If the service account is already enabled, then this method has no effect. If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account.
EXEC google.iam.service_accounts.enable
@projectsId='{{ projectsId }}', --required
@serviceAccountsId='{{ serviceAccountsId }}'; --required
Disables a ServiceAccount immediately. If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail. To re-enable the service account, use EnableServiceAccount. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount.
EXEC google.iam.service_accounts.disable
@projectsId='{{ projectsId }}', --required
@serviceAccountsId='{{ serviceAccountsId }}'; --required
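The disable-then-delete sequence described for the delete and disable methods, as an added Python example that is not part of the StackQL docs or Google's code: for each service account it decides which of the page's statements a decommissioning run may issue next, and it never emits a DELETE for an account that is still enabled or that has been disabled for less than 24 hours. The rows, the disable timestamps and the clock are constructed; this resource does not expose when an account was disabled, so that record is assumed to come from the operator's change ticket or audit log.

```python
from datetime import datetime, timedelta, timezone

# Sequence the page recommends: disable, watch for at least 24 hours, then delete
# (IAM purges a deleted account for good 30 days later, so deletion is the last step).
SOAK_PERIOD = timedelta(hours=24)

# Constructed rows shaped like SELECT email, disabled FROM google.iam.service_accounts.
ROWS = [
    {"email": "old-batch@my-project.iam.gserviceaccount.com", "disabled": True},
    {"email": "ci-deployer@my-project.iam.gserviceaccount.com", "disabled": False},
    {"email": "legacy-sync@my-project.iam.gserviceaccount.com", "disabled": True},
]
# Constructed operator record of when each account was disabled (assumed to come from
# the change ticket or audit log; the resource itself does not return this time).
DISABLED_AT = {
    "old-batch@my-project.iam.gserviceaccount.com": datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc),
    "legacy-sync@my-project.iam.gserviceaccount.com": datetime(2024, 1, 3, 9, 0, tzinfo=timezone.utc),
}
NOW = datetime(2024, 1, 3, 12, 0, tzinfo=timezone.utc)  # constructed clock for the run


def next_step(row: dict, disabled_at, now: datetime) -> str:
    """Decide what a decommission run may do next for one account: disable, hold, wait or delete."""
    if not row["disabled"]:
        return "disable"      # still enabled: revoke access first, never delete straight away
    if disabled_at is None:
        return "hold"         # disabled, but nobody recorded when: the soak clock has not started
    if now - disabled_at < SOAK_PERIOD:
        return "wait"         # still inside the 24-hour watch window
    return "delete"           # disabled for at least 24 hours with no reported breakage


def plan(rows, disabled_at: dict, now: datetime, project_id: str) -> dict:
    """Map each account to the page's StackQL statement for its next step (or hold/wait)."""
    statements = {}
    for row in rows:
        sa = row["email"]
        step = next_step(row, disabled_at.get(sa), now)
        if step == "disable":
            statements[sa] = (f"EXEC google.iam.service_accounts.disable "
                              f"@projectsId='{project_id}', @serviceAccountsId='{sa}';")
        elif step == "delete":
            statements[sa] = (f"DELETE FROM google.iam.service_accounts "
                              f"WHERE projectsId = '{project_id}' AND serviceAccountsId = '{sa}';")
        else:
            statements[sa] = step
    return statements
```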
Signs a blob using the system-managed private key for a ServiceAccount.
EXEC google.iam.service_accounts.sign_blob
@projectsId='{{ projectsId }}', --required
@serviceAccountsId='{{ serviceAccountsId }}' --required
@@json=
'{
"bytesToSign": "{{ bytesToSign }}"
}';
Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount.
EXEC google.iam.service_accounts.sign_jwt
@projectsId='{{ projectsId }}', --required
@serviceAccountsId='{{ serviceAccountsId }}' --required
@@json=
'{
"payload": "{{ payload }}"
}';