non-existing default cloud run account

Hi,

I believed that it is a good time to develop an app and deploy it into cloud run to learn more about GCP Cloud Run and Cloud Storage, maybe more, and contemporary Python for AI purposes, as I am currently a Go developer.

I have a project that was created in 2016, mostly for Google Maps, whose billing account became similar to Google Maps Transitional Billing. The project name and context was relevant, so I have used that project and polished it, fixed its billing settings, etc.

I have developed an initial version of the project, which is a Django app, committed it to GitHub, and set up a CI pipeline using GitHub Actions. There were issues with the actions, which made me realize that I did not know IAM. After watching some videos and doing some labs teaching about IAM, I understood what to do, granted roles to service accounts and created federated workload mappings. So far, my GitHub Actions CI workflow can push to the Artifact Registry repository, so good.

However, the next step is the Cloud Run deployment. The Github Actions had this error at the gcloud run deploy step.

Permission 'iam.serviceaccounts.actAs' denied on service account .....-compute@developer.gserviceaccount.com (or it may not exist)

I have double-checked everything, and compared with other new projects, and realized that my project did not have a ...-compute@developer.gserviceaccount.com account.

I was able to create another service account and, upon recommendations by an LLM, assigned ‘roles/editor’ to it. But the gcloud run deploy still looks for the non-existing account.

Is it possible to bring back that account? Is the only way to recover from this, to switch to a new project and reconfigure things?

The web UI warns strictly about not deleting the service account (an example is provided below).

But gcloud deletes it as easily as deleting other service accounts. BTW, I don’t remember deleting it, and could not find it in the logs explorer (with my limited experience with the logs explorer).

Delete service account “Default compute service account”
This service account lets Compute Engine access essential Cloud Platform services such as logging and Cloud Storage. Deleting this account will prevent instances that are running as this account from accessing Cloud Platform services.

You cannot undo this action.

If you delete this account, instances in this project will only be able to access Cloud Platform services via custom service accounts.

gcloud UI for the same action in another newly created project (no warnings):

gcloud iam service-accounts delete xxxxx-compute@developer.gserviceaccount.com
You are about to delete service account [xxxxx-compute@developer.gserviceaccount.com]

Do you want to continue (Y/n)?

deleted service account [xxxxx-compute@developer.gserviceaccount.com]

It is also not possible to undelete this account after deleting it. After deleting, it is not possible to retrieve the account number, anyway.

Any suggestions? It is okay to start over, but if a recovery is possible I would like to follow that path.

Hi @mcku,

Welcome to the Google Developer Program forums!

Regarding the missing default Compute Engine service account, unfortunately, once it’s deleted, there’s no way to bring it back, and GCP won’t recreate it automatically. At this point, you’ve got two clear options:

  • Switch to a new project – This is the simplest route. A new GCP project will automatically create the default service accounts, so you can avoid the deployment error and start fresh without any legacy issues.

  • Use a custom service account – If you prefer to keep your current project, you can create a new user-managed service account and configure it as the service identity for your Cloud Run service. The official Configure service identity for services documentation walks you through this setup.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
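
The custom service account option, sketched as an added example that is not part of the original thread or of Google's documentation. The project, region, service, image and account names are constructed placeholders, and it assumes the GitHub Actions workflow impersonates a deployer service account that already holds a role allowing Cloud Run deploys and that the app only needs to read Cloud Storage objects.

```shell
#!/bin/sh
# Constructed placeholder values (assumptions, not taken from the thread).
PROJECT_ID="${PROJECT_ID:-my-project}"
REGION="${REGION:-europe-west1}"
SERVICE="${SERVICE:-django-app}"
IMAGE="${IMAGE:-europe-west1-docker.pkg.dev/my-project/apps/django-app:latest}"
RUNTIME_SA_NAME="${RUNTIME_SA_NAME:-run-django-app}"
# Identity the CI workflow authenticates as (assumed to be a service account).
DEPLOYER_SA="${DEPLOYER_SA:-github-deployer@my-project.iam.gserviceaccount.com}"

# Dry run by default: print each command. Set APPLY=1 to execute it.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

runtime_sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$RUNTIME_SA_NAME" "$PROJECT_ID"
}

# 1. Create the user-managed account the Cloud Run service will run as.
create_runtime_sa() {
  run gcloud iam service-accounts create "$RUNTIME_SA_NAME" --project="$PROJECT_ID"
}

# 2. Give the runtime identity only the role the app needs
#    (read-only object access here, as an assumption), not roles/editor.
grant_runtime_role() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$(runtime_sa_email)" \
    --role="roles/storage.objectViewer"
}

# 3. Let the deployer act as the runtime account. The binding sits on that
#    one account, so iam.serviceAccounts.actAs is not granted project-wide.
grant_act_as() {
  run gcloud iam service-accounts add-iam-policy-binding "$(runtime_sa_email)" \
    --project="$PROJECT_ID" \
    --member="serviceAccount:$DEPLOYER_SA" \
    --role="roles/iam.serviceAccountUser"
}

# 4. Deploy with an explicit identity so the deploy does not fall back to
#    the missing ...-compute@developer.gserviceaccount.com account.
deploy() {
  run gcloud run deploy "$SERVICE" --image="$IMAGE" --region="$REGION" \
    --project="$PROJECT_ID" --service-account="$(runtime_sa_email)"
}

create_runtime_sa && grant_runtime_role && grant_act_as && deploy
```

Steps 1 to 3 are one-time setup run by a project administrator; only step 4 belongs in the CI workflow.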