How to recover Google App Engine default service account
Google Cloud provides App Engine applications, which are an easy way to build, deploy and scale your applications. With the App Engine, you never have to maintain your servers and it can automatically scale as per the incoming traffic. Once you create an App Engine application, the App Engine default service account is created which […]
July 26, 2021
by Abijith
8 mins Read
Table of Contents
Google Cloud provides App Engine applications, which are an easy way to build, deploy and scale your applications. With the App Engine, you never have to maintain your servers and it can automatically scale as per the incoming traffic. Once you create an App Engine application, the App Engine default service account is created which is responsible for identifying your App Engine application.
But what would happen if you accidentally delete your default service account? It is the tough realization that follows afterward that we require a default service account to deploy our code on the App Engine. But the real question comes: How can we recover our Google App Engine default service account if we accidentally delete them?
Problem
All of the App Engine applications have a default service account in the form of {project_id}@appspot.gserviceaccount.com
. This default service account acts as a security feature so that only authenticated and authorized entities can access the data through Google APIs.
Without the same, you will not be able to deploy your applications through the App Engine project that you have. For example, if you are deploying a Firebase cloud function, after deleting your default service account, you will get the following error:
“HTTP Error: 400,
Default service account‘<project_id>@appspot.gserviceaccount.com’ doesn’t exist.
Please recreate this account (for example by disabling and enabling the Cloud Functions API), or specify a different account.”
This issue recurred with a lot of users who were looking to deploy their applications but accidentally deleted their default service account. At some point, it was regarded as impossible to recover and required the creation of a new project to deploy our applications again.
Until now.
Solution
Google Cloud has added a feature through which we can now restore our default service account and restore them back. According to this new feature, you can now restore your default service account, within 30 days of deletion. If the service account has been deleted for more than 30 days, it cannot be recovered. To continue using the App engine or Cloud functions, you would need to create a new project.
Google Cloud has also added a feature that you won’t be able to restore an account if you create a new App Engine project with the same name as your deleted service account. It is then highly suggested to delete your new App Engine project so that you can restore your previous service account.
To restore a service account, you would need the project ID and the service account’s unique ID, which you wish to restore. The unique ID would be a 21-digit number that can be accessed by going to the IAM console and searching the same with the deleted email address.
To access the service account’s unique ID, follow these steps:
- Open the Logs Explorer and select your GCP project.
- Estimate the approximate time of deletion which could be off by a few months (If you wish to restore an account, it should be within 30 days of deletion).
- Select that time period and pass the below query in the Query section:
appspot.gserviceaccount.com
protoPayload.methodName = "google.iam.admin.v1.DeleteServiceAccount" - After a wait, you will find the deletion of the service account log if the time period is correct.
- Expand the request section to identify the service account ID and the user who initiated the deletion.
You can now open the Google Console open terminal and run the following command:
gcloud beta iam service-accounts undelete {SERVICE_ACCOUNT_UNIQUE_ID}
And your service account would be restored! If you prefer using a REST client over the Google Console, visit the service.Account.undelete
page and click on “Try this API” and enter the following:
projects/{PROJECT_ID}/ServiceAccounts/{SERVICE_ACCOUNT_UNIQUE_ID}
You will be able to access your default service account now!
If you would like to create a cloud function even after 30 days of deletion of your default service account, follow these steps:
- Create a new service account with the Editor permission.
- On your local machine, create a directory for function & place your code in it. For instance, we have a file called
function.go
. - Open your terminal and run:
gcloud functions deploy test-go-func --service-account YOUR_SERVICE_ACCOUNT --entry-point=HelloWorld --runtime=go113 --memory=256MB --region=us-central1 --trigger-http
Conclusion
We always need to carefully manage projects and default service accounts over Google Cloud. If you accidentally delete your default service account, you need to restore the same, by following the above steps, within 30 days of deletion. But what about critical cloud infrastructure and debugging the nits and picks around the same? It is always ideal to follow the Google App Engine best practices to gain maximum benefit for your businesses.