Deleted Compute Engine default service account

I cannot create a virtual machine in GCE. While creating it, an error message is shown; I have attached a screenshot of the error message. I will briefly explain what I have done.

--> I deleted my Compute Engine default service account from my service account list. Later I created a new service account.

--> While creating virtual machines I selected the newly created service account. VM creation failed, but the error says the deleted service account ID is not found under service accounts.

--> While creating VMs it is referring to my deleted service account ID.

Now what do I need to do? Is there any solution to reactivate my Compute Engine default service account? I am completely stuck now; I cannot create new VMs and Kubernetes.

Anumantha Raja asked Apr 28 '16 08:04




4 Answers

To restore your Google Compute default service account, run the following gcloud command within your project:

gcloud services enable compute

In previous versions the command was known to be:

gcloud service-management enable compute.googleapis.com

As stated in this issue: https://issuetracker.google.com/issues/69612457

Overbryd answered Sep 22 '22 17:09


You can now "undelete" service accounts by doing a curl request as below:

curl -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-length: 0" "https://iam.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT_ID:undelete"

SERVICE_ACCOUNT_ID is the ID of the account you want to recover.

You can get a list of service accounts by running:

gcloud logging read "resource.type=service_account" --freshness=10y

Reference: https://cloud.google.com/iam/docs/creating-managing-service-accounts#undeleting_a_service_account

Sherief El-Feky answered Sep 23 '22 17:09


There are two default service accounts and I am not sure which one you are referring to:

  1. Google API service account, in your case called [email protected]. It is a special service account. It is always created but never listed in gcloud or the web console. It is intended to be used by some of the internal Google processes on the user's behalf. GKE may be one of the services that uses this account (I am not sure). It is impossible to delete this account; the only thing you could do is remove it from any roles on the project. By default it is an Editor. You can add it back any time.
  2. Default service account: [email protected]. This is a normal service account, which you may delete.

In the error message you pasted there is a different service account name; is it the new one you created? If this is the case, you might only need to go to the IAM settings in the web console and add your user to the Service Account Actor role. Take a look at this manual page: https://cloud.google.com/compute/docs/access/iam#the_serviceaccountactor_role

Grzenio answered Sep 22 '22 17:09


  1. First you need to find the removed SERVICE_ACCOUNT_ID. Using Logging advanced queries:
resource.type = "service_account"
protoPayload.authorizationInfo.permission = "iam.serviceAccounts.delete"

Example here:

==> the unique_id value is SERVICE_ACCOUNT_ID

  2. Use the API provided by @sherief-el-feky:
curl -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-length: 0" "https://iam.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT_ID:undelete"

  • Logging advanced queries: https://cloud.google.com/logging/docs/view/advanced-queries

NguyenNhatKhang answered Sep 25 '22 17:09
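An added example (not code from any of the answers above) that wires the two steps together offline: it parses a constructed sample of the JSON that `gcloud logging read --format=json` would return, keeps only the entries recording a service-account delete, pulls out the `unique_id` that the undelete call needs, and builds the undelete endpoint, rejecting an email address because that path takes the numeric unique ID rather than the email. The audit-log field layout and all sample values are assumptions.

```python
import json

# Constructed sample of `gcloud logging read ... --format=json` output. The field
# layout (resource.labels.unique_id, protoPayload.authorizationInfo) is assumed
# from Cloud Audit Logs for service accounts; every value here is made up.
SAMPLE_LOG_JSON = json.dumps([
    {   # the delete event we want to recover from
        "resource": {"type": "service_account", "labels": {
            "project_id": "example-project",
            "email_id": "123456789012-compute@developer.gserviceaccount.com",
            "unique_id": "100000000000000000001"}},
        "protoPayload": {
            "methodName": "google.iam.admin.v1.DeleteServiceAccount",
            "authorizationInfo": [{"permission": "iam.serviceAccounts.delete"}]},
    },
    {   # unrelated service-account activity that the filter must skip
        "resource": {"type": "service_account", "labels": {
            "project_id": "example-project",
            "email_id": "other-sa@example-project.iam.gserviceaccount.com",
            "unique_id": "100000000000000000002"}},
        "protoPayload": {
            "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
            "authorizationInfo": [{"permission": "iam.serviceAccountKeys.create"}]},
    },
])


def find_deleted_service_accounts(log_json):
    """Return {email_id: unique_id} for each entry that records a service-account delete."""
    found = {}
    for entry in json.loads(log_json):
        resource = entry.get("resource", {})
        if resource.get("type") != "service_account":
            continue
        auth_info = entry.get("protoPayload", {}).get("authorizationInfo", [])
        if not any(a.get("permission") == "iam.serviceAccounts.delete" for a in auth_info):
            continue
        labels = resource.get("labels", {})
        found[labels.get("email_id")] = labels.get("unique_id")
    return found


def undelete_url(unique_id):
    """Build the IAM undelete endpoint; it takes the numeric unique ID, never the email."""
    if not unique_id.isdigit():
        raise ValueError("expected the numeric unique ID, got %r" % unique_id)
    return "https://iam.googleapis.com/v1/projects/-/serviceAccounts/%s:undelete" % unique_id
```

Undelete only succeeds within 30 days of the deletion; after that the account is gone for good and a new one must be created and granted the roles the old one held.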