Configure service accounts
App Engine applications require a service account to access other Google Cloud services and execute tasks.
There are two types of service accounts in App Engine, and any service account in your Cloud project can be assigned to act as either the app-level default or a per-version service account:

- App-level default service account: this service account is used for all of your deployed services when you don't configure a per-version service account. You can assign a service account that you created, or use the auto-created default service account that is created when you initially deploy a service to your Cloud project. For example, the App Engine default service account (`PROJECT_ID@`).
- Per-version service account: a service account configured as the identity for a specific version of your deployed service. When deploying an existing version or a new version, you can specify a service account to act as that version's identity. For example, if a version requires permissions that differ from the app-level default service account, you can assign a service account that is specific to that version.
To view the current app-level default service account, run the `gcloud app describe` command.

To view the service account used by a deployed version:

gcloud:

Run the `gcloud app versions describe` command:

```
gcloud app versions describe VERSION_ID --service=SERVICE_NAME
```

Replace:

- `VERSION_ID` with the ID of the version.
- `SERVICE_NAME` with the name of the service that you created.

Console:

- Go to the App Engine Versions tab in the console.
- Locate the email address of your App Engine version-specific service account. Example: `SERVICE_ACCOUNT_NAME@PROJECT_ID.`
By default, the app-level default service account is the auto-created `PROJECT_ID@` service account. You can assign another service account to act as the app-level default service account using the gcloud CLI, the Google Cloud console, or {{gaeapi_name_short}}.

During the initial App Engine application creation process, you can choose to assign a service account that you created or use the auto-created `PROJECT_ID@` service account to act as the default.
To create your App Engine application and assign an app-level default service account, you can use one of the following:

gcloud:

Run the `gcloud app create` command:

```
gcloud app create --service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.
```

Replace:

- `SERVICE_ACCOUNT_NAME` with the name of the service account that you created.
- `PROJECT_ID` with the ID of the Google Cloud project in which you want to assign the service account.

Console:

- Go to the App Engine page.
- Create a Google Cloud project.
- In the Create App section, select a service account from Identity and API access.
To update the app-level default service account for your application, you can use one of the following to assign a new service account:

Important: Only versions deployed after the update will use the new app-level default service account. All previously deployed versions will not use the new app-level default service account until you re-deploy that version.

gcloud:

Run the `gcloud app update` command:

```
gcloud app update --service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.
```

Replace:

- `SERVICE_ACCOUNT_NAME` with the name of the service account that you created.
- `PROJECT_ID` with the ID of the Google Cloud project in which you want to assign the service account.

Each new version that you deploy hereafter uses the new app-level default service account unless you explicitly assign a version-specific service account.

Console:

- Go to the App Engine Application Settings tab in the console and click Edit Application Settings. [Go to Application Settings](appengine/settings)
- Choose an app-level default service account from Select a Service account and click Save.

You will be redirected to the Application Settings tab, where you can view the email address of your updated app-level default service account. Example: `SERVICE_ACCOUNT_NAME@PROJECT_ID.`

Each new version that you deploy hereafter uses the new app-level default service account unless you explicitly assign a version-specific service account.
You can set a version-specific service account only during the deployment of new versions. Using a version-specific service account lets you grant different privileges to each application version, based on the specific tasks it performs, and avoid granting more privileges than necessary.
You must have an existing service account before deploying your application. Your version-specific service account must be in the same project where you deploy your application.
Note: If a version-specific service account is specified in both the `app.yaml` file and in the gcloud CLI, the gcloud setting takes precedence.

After May 15, 2024, {{ar_name}} hosts images for the gcr.io domain in Google Cloud projects without previous {{registry_name}} usage. If you deploy an existing application in a new project created after this date, the service account might not have the required permissions to deploy the app. To grant the required permissions, see Deploying to App Engine.
gcloud:

Run the `gcloud app deploy` command:

```
gcloud app deploy --service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.
```

Replace:

- `SERVICE_ACCOUNT_NAME` with the name of the service account that you created.
- `PROJECT_ID` with the ID of the Google Cloud project in which you want to assign the service account. Your version-specific service account must be in the same project where you deploy your application.

app.yaml:

In your `app.yaml` file, specify your service account by adding the `service_account` element:

```
service_account: SERVICE_ACCOUNT_NAME@PROJECT_ID.
```

Replace:

- `SERVICE_ACCOUNT_NAME` with the name of the service account that you created.
- `PROJECT_ID` with the ID of the Google Cloud project in which you want to assign the service account. Your version-specific service account must be in the same project where you deploy your application.

appengine-web.xml:

If you use the Java runtimes and include the App Engine legacy bundled services, specify your service account by adding the `<service-account>` element in your `appengine-web.xml` file:

```
<service-account>SERVICE_ACCOUNT_NAME@PROJECT_ID.</service-account>
```

Replace:

- `SERVICE_ACCOUNT_NAME` with the name of the service account that you created.
- `PROJECT_ID` with the ID of the Google Cloud project in which you want to assign the service account. Your version-specific service account must be in the same project where you deploy your application.
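The precedence rule and the same-project requirement above are easy to get wrong in a CI pipeline. The following preflight script is an added example written for this page (not Google's tooling); it assumes account e-mails have the form `SERVICE_ACCOUNT_NAME@PROJECT_ID.<suffix>` as shown on this page (the suffix is left unspecified), that the auto-created default account's local part equals the project ID, and that `app.yaml` may carry a `service_account:` key.

```shell
# Preflight checks before `gcloud app deploy` (added example, not Google's tooling).
# Assumptions: account e-mails look like NAME@PROJECT_ID.<suffix> (suffix not
# specified here), the default account's local part equals the project ID, and
# app.yaml may carry a `service_account:` key.

# Which account a deploy would actually use: the --service-account flag value
# wins over app.yaml (the page: "the gcloud setting takes precedence").
# Usage: effective_sa FLAG_VALUE APP_YAML_PATH   (FLAG_VALUE may be empty)
effective_sa() {
  flag="$1"; yaml="$2"
  if [ -n "$flag" ]; then
    printf '%s\n' "$flag"
  elif [ -f "$yaml" ]; then
    # first `service_account:` line, key and surrounding whitespace stripped
    sed -n 's/^[[:space:]]*service_account:[[:space:]]*//p' "$yaml" | head -n 1
  fi
}

# Classify an account relative to the deploy project:
#   default - the auto-created app-level default (local part == project ID)
#   custom  - a user-created account in the same project
#   foreign - an account in another project (not allowed as a per-version account)
#   invalid - not of the form NAME@PROJECT_ID.<suffix>
sa_kind() {
  email="$1"; project="$2"
  local_part="${email%%@*}"; domain="${email#*@}"
  if [ -z "$local_part" ] || [ "$domain" = "$email" ]; then echo invalid
  elif [ "$local_part" = "$project" ]; then echo default
  elif [ "${domain%%.*}" = "$project" ]; then echo custom
  else echo foreign
  fi
}

# Usage: preflight PROJECT_ID FLAG_VALUE APP_YAML_PATH
# Exit 0 when the deploy may proceed, 1 when the resolved account is unusable.
preflight() {
  sa=$(effective_sa "$2" "$3")
  if [ -z "$sa" ]; then
    echo "no per-version account: the app-level default will be used"; return 0
  fi
  case "$(sa_kind "$sa" "$1")" in
    default|custom) echo "deploying as $sa"; return 0 ;;
    *) echo "refusing: $sa is not a service account in project $1" >&2; return 1 ;;
  esac
}
```

Run `preflight PROJECT_ID "$SERVICE_ACCOUNT_FLAG" app.yaml` as the step before `gcloud app deploy`; a non-zero exit stops the pipeline before a deploy that would fail or run under an unintended identity.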
The default App Engine service account is automatically created when you use App Engine.

Depending on your organization policy configuration, the default service account might automatically be granted the Editor role on your project. We strongly recommend that you disable the automatic role grant by enforcing the `iam.automaticIamGrantsForDefaultServiceAccounts` organization policy constraint. If you created your organization after May 3, 2024, this constraint is enforced by default.

If you disable the automatic role grant, you must decide which roles to grant to the default service accounts, and then grant these roles yourself.

If the default service account already has the Editor role, we recommend that you replace the Editor role with less permissive roles.

To safely modify the service account's roles, use Policy Simulator to see the impact of the change, and then grant and revoke the appropriate roles.

To learn how to grant roles to service accounts and other principals, see Manage access to projects, folders, and organizations.
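To find out whether the default account still carries the broad Editor (or Owner) role, the following audit is an added example written for this page (not Google's tooling). It reads a "role,member" listing such as `gcloud projects get-iam-policy PROJECT_ID --flatten="bindings[].members" --format="csv[no-heading](bindings.role,bindings.members)"` produces, assumes the default account's local part equals the project ID, and only prints the remediation commands (with `ORG_ID` and `LESS_PERMISSIVE_ROLE` as placeholders) rather than running them.

```shell
# Audit of the default App Engine service account (added example, not Google's
# tooling). Input: "role,member" lines on stdin, as gcloud's flattened csv
# output of get-iam-policy would give. Assumption: the default account's local
# part equals the project ID.

# Print each broad role (Editor/Owner) still held by the default account;
# exit 1 if any was found, 0 otherwise.  Usage: audit_default_sa PROJECT_ID
audit_default_sa() {
  awk -F, -v project="$1" '
    $2 ~ /^serviceAccount:/ {
      email = substr($2, length("serviceAccount:") + 1)
      split(email, parts, "@")
      if (parts[1] == project && ($1 == "roles/editor" || $1 == "roles/owner")) {
        print $1; found = 1
      }
    }
    END { exit found ? 1 : 0 }'
}

# Print (do not run) the commands that remediate: enforce the constraint named
# on this page, grant a narrower role, then remove the broad binding. ORG_ID
# and LESS_PERMISSIVE_ROLE are placeholders to fill in after checking the
# change with Policy Simulator.  Usage: remediation_plan PROJECT_ID ROLE EMAIL
remediation_plan() {
  cat <<EOF
gcloud resource-manager org-policies enable-enforce \\
  iam.automaticIamGrantsForDefaultServiceAccounts --organization=ORG_ID
gcloud projects add-iam-policy-binding $1 \\
  --member=serviceAccount:$3 --role=LESS_PERMISSIVE_ROLE
gcloud projects remove-iam-policy-binding $1 \\
  --member=serviceAccount:$3 --role=$2
EOF
}

# Constructed sample bindings (not from the page); the domain suffix is a placeholder.
SAMPLE_BINDINGS='roles/editor,serviceAccount:demo-proj@demo-proj.example
roles/logging.logWriter,serviceAccount:worker@demo-proj.example
roles/owner,user:alice@example.com'

if printf '%s\n' "$SAMPLE_BINDINGS" | audit_default_sa demo-proj >/dev/null; then
  echo "default account holds no broad role"
else
  echo "default account still holds a broad role; suggested plan:"
  remediation_plan demo-proj roles/editor demo-proj@demo-proj.example
fi
```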
For modifying permissions, deleting, and restoring your service accounts, see Creating and managing service accounts.