Reputation: 4259
Deleting unneeded service accounts from gcloud permission denied to owner
I have a number of unused service accounts in gcloud that I want to remove.
Credentialed Accounts
ACTIVE ACCOUNT
* [email protected]
[email protected]
[email protected]
[email protected]
[email protected]
tf-service@mycompany-terraform-admin-20200422.iam.gserviceaccount.com
However, running
gcloud iam service-accounts delete [email protected]
ERROR: (gcloud.iam.service-accounts.delete) PERMISSION_DENIED: Permission iam.serviceAccounts.delete is required to perform this operation on service account projects/-/serviceAccounts/[email protected].
I am the owner of the account. What more permissions do I need?
Aside: I seem to spend >90% of my time with gcp on permissions instead of actually doing stuff and have not been able to find a clear write-up of this. Anyone knows a good explanation on how to use service-accounts effectively.
Upvotes: 0
Views: 1765
Answers (1)
Reputation: 537
In order to delete a service account, your permissions must be higher than the editor role (roles/editor) or you must be granted the Service Account Admin role (roles/iam.serviceAccountAdmin).
I suggest that you verify the current account that you are using to make sure that the IAM policies set on it respect the minimum that is required for the actions to be completed successfully.
In regards to the use of Service Accounts, I suggest you consider the following docs:
- Understanding Service Accounts; This will give you a detailed, but high level overview of that Service Accounts are, how they work, deletion and recreation of service accounts and best practices.
- Service Account Overview; This is a very general, but well written overview of Service Accounts. It contains an easy to follow and descriptive explination regarding each step that may need to be taken when using service accounts.
- A Hitchhiker’s Guide to GCP Service Account Impersonation in Terraform; Adding this here as I noticed that your service accounts were linked to the use of Terraform and many people use Terraform within their projects.
- Managing Service Accounts; This is a very detailed (and thus, long) post explaining how to better manage Service Accounts.
- IAM FAQs; These FAQs, even though very general, they do cover a good chunk of the issues that are to be had with IAM. As Service Accounts are a subset of IAM, I suggest that this be consulted as needed.
I hope that this is helpful. IAM is very big and can take a bit of time to get just right. Keep in mind that once IAM is set up right, you may not need to look at it again.
Upvotes: 1
Related Questions
- (Terraform, GCP) Error creating service account: googleapi: Error 403: Permission iam.serviceAccounts.create is required to perform this operation on
- gcloud: The user does not have access to service account "default"
- IAM permission denied for service account <service-account-name>@<project-name>.iam.gserviceaccount.com
- GCP - Storage Service Account Access Issue
- How to stop running my terraform commands with a service account
- Cannot change service account user gcloud gcp
- Can't remove Google Cloud project
- How To Grant GCP Organization Level Permissions to Service Account via Command Line
- Terraform google_project_iam_binding deletes GCP compute engine default service account from IAM principals
- GCP project quota issue with service account