Reputation: 175
I have mistakenly deleted the default "app engine service account" for my project - {id}@appspot.gserviceaccount.com. Is there a way to recover it without resetting/recreating my project on Google Cloud Platform?
Upvotes: 14
Views: 14669
Reputation: 1714
Unfortunately, at this time there is no way to recover the default App Engine service account. The solution is, as you say, creating a new project and redeploying your code there.
Should you wish to see this deletion prevented or default service account recreation made possible in the future, I strongly urge you to file a feature request on the App Engine public issue tracker while providing this example as a business case.
UPDATE: As filed by the OP, a feature request now exists on the App Engine public issue tracker as Issue 13085. Please star this issue to receive updates on its progress.
UPDATE 2: As part of the App Engine Admin API, one can now use the apps.repair API to attempt to address issues of default Cloud Storage buckets and App Engine service accounts. I would recommend trying this API before creating a new project and redeploying. I'm leaving this as an addendum and not the primary solution as it's not guaranteed to solve the issue.
UPDATE 3: It is now possible to undelete service accounts. As per the Undeleting a service account documentation, a service account may be restored if:
The service account was deleted less than 30 days ago
and
There is no existing service account with the same name as the deleted service account.
Upvotes: 19
Reputation: 3309
You can undelete service accounts. You will need the service account's unique ID. If you don't have it, you can find it on Google Cloud Logging.
You can find the Logging service here on the side menu:
Then you will need to filter by date and type service account to find the exact moment the service was deleted.
Then you can either
You can run the command line by installing it on your computer (https://cloud.google.com/sdk/docs/install). Or you can run it online using the Active Shell offered by Google Cloud Platform.
The command you want to run is the following.
gcloud beta iam service-accounts undelete 12345678901234567890
Using curl, call the API with the following command.
You will need to change API_KEY, PROJECT_ID and SERVICE_ACCOUNT_UID for real values.
curl -X POST \
-H "Authorization: Bearer API_KEY" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_UID:undelete"
You can get the API_KEY from Google Cloud Command Line:
gcloud auth application-default print-access-token
Again, you can either have gcloud installed on your local machine or you can use it online with the Active Shell.
Upvotes: 3
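The log lookup described in the answer above, as an added example that is not part of the original post: it scans exported audit log entries for the deletion of one service account, returns its unique ID, checks the 30-day restore window, and builds the undelete URL. The sample entries are constructed, the function names are hypothetical, and the field names (`protoPayload.methodName`, `resource.labels.unique_id`, `email_id`, `project_id`) are assumed to follow Cloud Audit Logs entries for the `service_account` resource type.

```python
import json
from datetime import datetime, timedelta, timezone

DELETE_METHOD = "google.iam.admin.v1.DeleteServiceAccount"
UNDELETE_WINDOW = timedelta(days=30)  # restore window quoted in the first answer

# Constructed sample entries (not real logs), shaped like exported audit log JSON.
SAMPLE_LOG = json.dumps([
    {"timestamp": "2024-05-01T10:15:00.123Z",
     "protoPayload": {"methodName": DELETE_METHOD},
     "resource": {"type": "service_account", "labels": {
         "email_id": "example-project@appspot.gserviceaccount.com",
         "project_id": "example-project",
         "unique_id": "111111111111111111111"}}},
    {"timestamp": "2024-05-02T08:00:00Z",
     "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccount"},
     "resource": {"type": "service_account", "labels": {
         "email_id": "other@example-project.iam.gserviceaccount.com",
         "project_id": "example-project",
         "unique_id": "222222222222222222222"}}},
])

def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp, ignoring fractional seconds."""
    core = value.rstrip("Z").split(".")[0]
    return datetime.strptime(core, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def find_deletion(log_json, email, now):
    """Return (unique_id, project_id, restorable) for the latest deletion, or None."""
    hits = [e for e in json.loads(log_json)
            if e.get("protoPayload", {}).get("methodName") == DELETE_METHOD
            and e.get("resource", {}).get("type") == "service_account"
            and e["resource"].get("labels", {}).get("email_id") == email]
    if not hits:
        return None
    latest = max(hits, key=lambda e: parse_ts(e["timestamp"]))
    labels = latest["resource"]["labels"]
    restorable = now - parse_ts(latest["timestamp"]) < UNDELETE_WINDOW
    return labels["unique_id"], labels["project_id"], restorable

def undelete_url(project_id, unique_id):
    """Build the undelete endpoint; it takes the numeric unique ID, not the email."""
    if not unique_id.isdigit():
        raise ValueError("expected the numeric unique ID of the service account")
    return ("https://iam.googleapis.com/v1/projects/" + project_id
            + "/serviceAccounts/" + unique_id + ":undelete")
```

Keeping a record of who deleted the account (the caller recorded in the same audit entry) alongside the unique ID is useful when the deletion was not intentional.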
Reputation: 4750
Your account was deleted less than 30 days ago; you can recover it via Cloud Console.
Go to Cloud Console, open the terminal, and write:
gcloud beta iam service-accounts undelete 100214681451516381413
100214681451516381413 is the deleted account's UID.
If you don't know the deleted account ID, go to IAM and search with your deleted email address; you will find the UID there.
Thanks.
Upvotes: 0
Reputation: 125
If you don't know the default service account UniqueID, there is another solution.
Simply disable the App Engine Admin API and enable the same after some time. This will create a new default service account. Please note that this will delete all the associated resources.
(To enable/disable an API: Menu -> API & Services -> Dashboard -> Enable APIs and Services -> Search for that API -> Enable/Disable)
Upvotes: 1
Reputation: 509
You can now recover the deleted service accounts from https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/undelete
You have to get the UniqueID of the service account from https://console.cloud.google.com/home/activity
Upvotes: 12