To revoke an IC/DAM token use the "/oauth2/revoke" endpoint on IC/DAM as follows:
- Use
base64to encodeCLIENT_ID:CLIENT_SECRETasCLIENT. - Call the revoke endpoint.
The following code sample shows how to revoke a token:
export CLIENT=`echo ${CLIENT_ID?}:${CLIENT_SECRET?} | base64 -w 0`
curl -X POST ${URL?}/oauth2/revoke \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-H 'Authorization: basic ${CLIENT?}' \
-d 'token=${TOKEN?}'
For more information see Revoke OAuth2 tokens.
Regular GCP access tokens are not keys, and will expire in 1 hour or less.
For revoking GCP service account keys (used for >1 hour tokens) you must have administrator permissions on the GCP project. You can use the GCP developer console to filter service account keys by account name and delete the keys.
If you don't have administrator permissions on the GCP project, you can contact your IC/DAM administrator to revoke them for you.
To revoke a Remembered Consent without a consent dashboard:
- Login to the IC as an administrator or as the user that has the consent to revoke
- List all remembered consent for the user
- Delete the remembered consent by consent_id
./admin.bash set ic user $email
./admin.bash login ic
./admin.bash print ic user $user_id consent
./admin.bash delete ic user $user_id consent $consent_id
If you accidently deleted a service account and want to undelete it, complete the following steps:
-
Read Undeleting a Service Account to understand the process and limitations.
-
Go to the Stackdriver Log Viewer and create an advanced query. You can modify this example to filter out log entries until you find the
delete service accountoperation for the account you would like to recover. -
Expand the
operation details>resource>labels, and copy theunique_id. -
On the command line, execute the following
gcloudcommand:<set your gcloud project if you haven't already done so> gcloud beta iam service-accounts undelete <unqiue_id>