
service_accounts

Creates, updates, deletes, gets or lists a service_accounts resource.

Overview

| Name | service_accounts |
|---|---|
| Type | Resource |
| Id | google.iam.service_accounts |

Fields

| Name | Datatype | Description |
|---|---|---|
| name | string | The resource name of the service account. Use one of the following formats: `projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}` or `projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}`. As an alternative, you can use the `-` wildcard character instead of the project ID: `projects/-/serviceAccounts/{EMAIL_ADDRESS}` or `projects/-/serviceAccounts/{UNIQUE_ID}`. When possible, avoid using the `-` wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account `projects/-/serviceAccounts/fake@example.com`, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error. |
| description | string | Optional. A user-specified, human-readable description of the service account. The maximum length is 256 UTF-8 bytes. |
| disabled | boolean | Output only. Whether the service account is disabled. |
| displayName | string | Optional. A user-specified, human-readable name for the service account. The maximum length is 100 UTF-8 bytes. |
| email | string | Output only. The email address of the service account. |
| etag | string | Deprecated. Do not use. |
| oauth2ClientId | string | Output only. The OAuth 2.0 client ID for the service account. |
| projectId | string | Output only. The ID of the project that owns the service account. |
| uniqueId | string | Output only. The unique, stable numeric ID for the service account. Each service account retains its unique ID even if you delete the service account. For example, if you delete a service account, then create a new service account with the same name, the new service account has a different unique ID than the deleted service account. |

Methods

| Name | Accessible by | Required Params | Description |
|---|---|---|---|
| get | SELECT | projectsId, serviceAccountsId | Gets a ServiceAccount. |
| list | SELECT | projectsId | Lists every ServiceAccount that belongs to a specific project. |
| create | INSERT | projectsId | Creates a ServiceAccount. |
| delete | DELETE | projectsId, serviceAccountsId | Deletes a ServiceAccount. Warning: After you delete a service account, you might not be able to undelete it. If you know that you need to re-enable the service account in the future, use DisableServiceAccount instead. If you delete a service account, IAM permanently removes the service account 30 days later. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use DisableServiceAccount to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account. |
| patch | UPDATE | projectsId, serviceAccountsId | Patches a ServiceAccount. |
| update | REPLACE | projectsId, serviceAccountsId | Note: We are in the process of deprecating this method. Use PatchServiceAccount instead. Updates a ServiceAccount. You can update only the display_name field. |
| disable | EXEC | projectsId, serviceAccountsId | Disables a ServiceAccount immediately. If an application uses the service account to authenticate, that application can no longer call Google APIs or access Google Cloud resources. Existing access tokens for the service account are rejected, and requests for new access tokens will fail. To re-enable the service account, use EnableServiceAccount. After you re-enable the service account, its existing access tokens will be accepted, and you can request new access tokens. To help avoid unplanned outages, we recommend that you disable the service account before you delete it. Use this method to disable the service account, then wait at least 24 hours and watch for unintended consequences. If there are no unintended consequences, you can delete the service account with DeleteServiceAccount. |
| enable | EXEC | projectsId, serviceAccountsId | Enables a ServiceAccount that was disabled by DisableServiceAccount. If the service account is already enabled, then this method has no effect. If the service account was disabled by other means—for example, if Google disabled the service account because it was compromised—you cannot use this method to enable the service account. |
| sign_blob | EXEC | projectsId, serviceAccountsId | Note: This method is deprecated. Use the signBlob method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions. Signs a blob using the system-managed private key for a ServiceAccount. |
| sign_jwt | EXEC | projectsId, serviceAccountsId | Note: This method is deprecated. Use the signJwt method in the IAM Service Account Credentials API instead. If you currently use this method, see the migration guide for instructions. Signs a JSON Web Token (JWT) using the system-managed private key for a ServiceAccount. |
| undelete | EXEC | projectsId, serviceAccountsId | Restores a deleted ServiceAccount. Important: It is not always possible to restore a deleted service account. Use this method only as a last resort. After you delete a service account, IAM permanently removes the service account 30 days later. There is no way to restore a deleted service account that has been permanently removed. |

SELECT examples

Lists every ServiceAccount that belongs to a specific project.

```sql
SELECT
  name,
  description,
  disabled,
  displayName,
  email,
  etag,
  oauth2ClientId,
  projectId,
  uniqueId
FROM google.iam.service_accounts
WHERE projectsId = '{{ projectsId }}';
```
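
An added example, not part of the original page or the StackQL provider: rows from the list query, captured at two points in time, are compared on `email` and `uniqueId` to spot a service account that was deleted and created again under the same name, which the `uniqueId` field description says produces a different unique ID. The sample rows are constructed, and the function names and the row shape (dicts keyed by the column names above) are assumptions.

```python
def is_disabled(value):
    """Normalise the disabled column: True or "true" -> True; None/False -> False."""
    return value is True or str(value).lower() == "true"


def diff_inventories(before, after):
    """Compare two snapshots of rows with email, uniqueId and disabled columns.

    Returns a dict of email lists: created, removed, recreated (same email,
    different uniqueId), disabled and enabled.
    """
    old = {row["email"]: row for row in before}
    new = {row["email"]: row for row in after}
    kinds = ("created", "removed", "recreated", "disabled", "enabled")
    report = {kind: [] for kind in kinds}
    for email in sorted(old.keys() | new.keys()):
        o, n = old.get(email), new.get(email)
        if o is None:
            report["created"].append(email)
        elif n is None:
            report["removed"].append(email)
        elif o["uniqueId"] != n["uniqueId"]:
            # Same email, new uniqueId: deleted and created again, so this is
            # a different identity than the one recorded earlier.
            report["recreated"].append(email)
        elif is_disabled(o.get("disabled")) != is_disabled(n.get("disabled")):
            state = "disabled" if is_disabled(n.get("disabled")) else "enabled"
            report[state].append(email)
    return report


# Constructed sample rows (hypothetical project, emails and IDs).
DOMAIN = "@example-project.iam.gserviceaccount.com"
BEFORE = [
    {"email": "ci-deployer" + DOMAIN, "uniqueId": "100000000000000000001", "disabled": None},
    {"email": "batch-export" + DOMAIN, "uniqueId": "100000000000000000002", "disabled": False},
    {"email": "legacy-sync" + DOMAIN, "uniqueId": "100000000000000000003", "disabled": None},
    {"email": "report-bot" + DOMAIN, "uniqueId": "100000000000000000004", "disabled": "true"},
]
AFTER = [
    {"email": "ci-deployer" + DOMAIN, "uniqueId": "100000000000000000009", "disabled": None},
    {"email": "batch-export" + DOMAIN, "uniqueId": "100000000000000000002", "disabled": True},
    {"email": "report-bot" + DOMAIN, "uniqueId": "100000000000000000004", "disabled": None},
    {"email": "new-service" + DOMAIN, "uniqueId": "100000000000000000010", "disabled": None},
]

if __name__ == "__main__":
    for kind, emails in diff_inventories(BEFORE, AFTER).items():
        print(f"{kind}: {emails}")
```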

INSERT example

Use the following StackQL query and manifest file to create a new service_accounts resource.

```sql
/*+ create */
INSERT INTO google.iam.service_accounts (
  projectsId,
  accountId,
  serviceAccount
)
SELECT
  '{{ projectsId }}',
  '{{ accountId }}',
  '{{ serviceAccount }}'
;
```

UPDATE example

Updates a service_accounts resource.

```sql
/*+ update */
UPDATE google.iam.service_accounts
SET
  serviceAccount = '{{ serviceAccount }}',
  updateMask = '{{ updateMask }}'
WHERE
  projectsId = '{{ projectsId }}'
  AND serviceAccountsId = '{{ serviceAccountsId }}';
```

REPLACE example

Replaces all fields in the specified service_accounts resource.

```sql
/*+ update */
REPLACE google.iam.service_accounts
SET
  name = '{{ name }}',
  displayName = '{{ displayName }}',
  etag = '{{ etag }}',
  description = '{{ description }}'
WHERE
  projectsId = '{{ projectsId }}'
  AND serviceAccountsId = '{{ serviceAccountsId }}';
```

DELETE example

Deletes the specified service_accounts resource.

```sql
/*+ delete */
DELETE FROM google.iam.service_accounts
WHERE projectsId = '{{ projectsId }}'
  AND serviceAccountsId = '{{ serviceAccountsId }}';
```