Controlling Access in the Admin API

The Google App Engine Admin API uses Google Cloud Identity and Access Management (IAM) for access control.

Access control in the Google App Engine Admin API is configured at the project level. Access to Cloud Platform projects and the resources within them can be granted to user accounts, domains, groups, or service accounts. For example:

  • Grant access to all the resources within a project to an individual member or to all the members of a service account.
  • Grant access on a per-role basis rather than for the whole project, so that project members receive only limited capabilities: for example, read-only access to resources, or the ability to deploy new versions but not to configure traffic to those versions.

For a detailed description of IAM and its features, see the Google Cloud Identity and Access Management documentation.

Every Admin API method requires the caller to have the necessary permissions. See the following section for a list of all the permissions and roles that the Admin API IAM supports.

Permissions and roles

This section summarizes the permissions and roles that Admin API IAM supports.

For details about the App Engine roles, see App Engine Access Control.

Required permissions

The following table lists the permissions that the caller must have to call each method:

Method                                   Required permission(s)
apps.get                                 appengine.applications.get on the requested Application resource.
apps.patch                               appengine.applications.update on the requested Application resource.
apps.repair                              appengine.applications.update on the requested Application resource.
apps.services.delete                     appengine.services.delete on the requested Service resource.
apps.services.get                        appengine.services.get on the requested Service resource.
apps.services.list                       appengine.services.list on the requested Application resource.
apps.services.patch                      appengine.services.update on the requested Service resource.
apps.services.versions.create            appengine.versions.create on the requested Service resource.
apps.services.versions.delete            appengine.versions.delete on the requested Version resource.
apps.services.versions.get               appengine.versions.get on the requested Version resource.
apps.services.versions.list              appengine.versions.list on the requested Service resource.
apps.services.versions.patch             appengine.versions.update on the requested Version resource.
apps.services.versions.instances.debug   appengine.instances.enableDebug on the requested Instance resource.
apps.services.versions.instances.delete  appengine.instances.delete on the requested Instance resource.
apps.services.versions.instances.get     appengine.instances.get on the requested Instance resource.
apps.services.versions.instances.list    appengine.instances.list on the requested Version resource.
apps.operations.get                      appengine.operations.get on the requested Operation resource.
apps.operations.list                     appengine.operations.list on the requested Operation resource.

Roles

The following table lists the Google App Engine Admin API IAM roles with a corresponding list of all the permissions included in each role. Note that every permission is applicable to a particular resource type.

App Engine Admin (/roles/appengine.appAdmin)
  Read/Write/Modify access to all application configuration and settings.
  Includes permissions:
    appengine.applications.get
    appengine.applications.update
    appengine.services.delete
    appengine.services.get
    appengine.services.list
    appengine.services.update
    appengine.versions.create
    appengine.versions.delete
    appengine.versions.get
    appengine.versions.list
    appengine.versions.update
    appengine.instances.delete
    appengine.instances.enableDebug
    appengine.instances.get
    appengine.instances.list
    appengine.instances.update
    appengine.operations.cancel
    appengine.operations.delete
    appengine.operations.get
    appengine.operations.list
    resourcemanager.projects.get
    resourcemanager.projects.list

App Engine Deployer (/roles/appengine.deployer)
  Read-only access to all application configuration and settings.
  Write access to service-level and version-level settings. Cannot deploy a new version.
  Includes permissions:
    appengine.applications.get
    appengine.services.create
    appengine.services.get
    appengine.services.list
    appengine.versions.create
    appengine.versions.delete
    appengine.versions.get
    appengine.versions.list
    appengine.instances.get
    appengine.instances.list
    appengine.operations.get
    appengine.operations.list
    resourcemanager.projects.get
    resourcemanager.projects.list

App Engine Service Admin (/roles/appengine.serviceAdmin)
  Read-only access to all application configuration and settings.
  Write access only to create a new version; cannot modify existing versions other than deleting versions that are not receiving traffic. Cannot change the default version.
  Includes permissions:
    appengine.applications.get
    appengine.services.delete
    appengine.services.get
    appengine.services.list
    appengine.services.update
    appengine.versions.delete
    appengine.versions.get
    appengine.versions.list
    appengine.versions.update
    appengine.instances.get
    appengine.instances.list
    appengine.instances.delete
    appengine.operations.get
    appengine.operations.list
    resourcemanager.projects.get
    resourcemanager.projects.list

App Engine Viewer (/roles/appengine.appViewer)
  Read-only access to all application configuration and settings.
  Includes permissions:
    appengine.applications.get
    appengine.services.get
    appengine.services.list
    appengine.versions.get
    appengine.versions.list
    appengine.instances.get
    appengine.instances.list
    appengine.operations.get
    appengine.operations.list
    resourcemanager.projects.get
    resourcemanager.projects.list

App Engine Code Viewer (/roles/appengine.codeViewer)
  Read-only access to all application configuration and settings, and to deployed source code.
  Includes permissions:
    appengine.applications.get
    appengine.services.get
    appengine.services.list
    appengine.versions.get
    appengine.versions.getFileContents
    appengine.versions.list
    appengine.instances.get
    appengine.instances.list
    appengine.operations.get
    appengine.operations.list
    resourcemanager.projects.get
    resourcemanager.projects.list
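The practical question behind the two tables above is which role to grant an account that needs a known set of Admin API methods. The following Python is an added example, not code from the Google documentation or from any Google library: it transcribes the method-to-permission and role-to-permission tables as data and selects the least-privileged App Engine role that covers a set of methods, reporting the extra permissions that role carries. Role ids are written in the roles/... form that IAM uses (the same form as roles/owner in the note that follows); the deploy-pipeline method set in the usage block is a constructed scenario.

```python
"""Least-privilege role selection for the Google App Engine Admin API.

Added example: the two tables below are transcribed from the documentation
page (method -> required permission, role -> included permissions); the
selection logic is illustrative and not part of any Google library.
"""
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

# Admin API method -> IAM permission the caller must hold ("Required permissions").
REQUIRED_PERMISSION: Dict[str, str] = {
    "apps.get": "appengine.applications.get",
    "apps.patch": "appengine.applications.update",
    "apps.repair": "appengine.applications.update",
    "apps.services.delete": "appengine.services.delete",
    "apps.services.get": "appengine.services.get",
    "apps.services.list": "appengine.services.list",
    "apps.services.patch": "appengine.services.update",
    "apps.services.versions.create": "appengine.versions.create",
    "apps.services.versions.delete": "appengine.versions.delete",
    "apps.services.versions.get": "appengine.versions.get",
    "apps.services.versions.list": "appengine.versions.list",
    "apps.services.versions.patch": "appengine.versions.update",
    "apps.services.versions.instances.debug": "appengine.instances.enableDebug",
    "apps.services.versions.instances.delete": "appengine.instances.delete",
    "apps.services.versions.instances.get": "appengine.instances.get",
    "apps.services.versions.instances.list": "appengine.instances.list",
    "apps.operations.get": "appengine.operations.get",
    "apps.operations.list": "appengine.operations.list",
}

_PROJECT = {"resourcemanager.projects.get", "resourcemanager.projects.list"}
_VIEWER: FrozenSet[str] = frozenset({
    "appengine.applications.get", "appengine.services.get", "appengine.services.list",
    "appengine.versions.get", "appengine.versions.list", "appengine.instances.get",
    "appengine.instances.list", "appengine.operations.get", "appengine.operations.list",
} | _PROJECT)

# App Engine IAM role -> permissions it includes ("Roles" table).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "roles/appengine.appAdmin": _VIEWER | {
        "appengine.applications.update", "appengine.services.delete",
        "appengine.services.update", "appengine.versions.create",
        "appengine.versions.delete", "appengine.versions.update",
        "appengine.instances.delete", "appengine.instances.enableDebug",
        "appengine.instances.update", "appengine.operations.cancel",
        "appengine.operations.delete",
    },
    "roles/appengine.deployer": _VIEWER | {
        "appengine.services.create", "appengine.versions.create", "appengine.versions.delete",
    },
    "roles/appengine.serviceAdmin": _VIEWER | {
        "appengine.services.delete", "appengine.services.update", "appengine.versions.delete",
        "appengine.versions.update", "appengine.instances.delete",
    },
    "roles/appengine.appViewer": _VIEWER,
    "roles/appengine.codeViewer": _VIEWER | {"appengine.versions.getFileContents"},
}


def can_call(role: str, method: str) -> bool:
    """True if a principal holding `role` has the permission `method` requires."""
    return REQUIRED_PERMISSION[method] in ROLE_PERMISSIONS[role]


def roles_covering(methods: Iterable[str]) -> List[str]:
    """Every App Engine role whose permissions cover all of the given methods."""
    needed = {REQUIRED_PERMISSION[m] for m in methods}
    return sorted(r for r, perms in ROLE_PERMISSIONS.items() if needed <= perms)


def least_privileged_role(methods: Iterable[str]) -> Optional[str]:
    """The covering role with the fewest permissions; None if no single role covers them.

    Ties are broken by role name so the answer is deterministic.
    """
    candidates = roles_covering(list(methods))
    if not candidates:
        return None
    return min(candidates, key=lambda r: (len(ROLE_PERMISSIONS[r]), r))


def excess_permissions(role: str, methods: Iterable[str]) -> Set[str]:
    """Permissions `role` grants beyond what the methods need: the extra
    capability a reviewer accepts by using a predefined rather than a custom role."""
    needed = {REQUIRED_PERMISSION[m] for m in methods}
    return set(ROLE_PERMISSIONS[role]) - needed


if __name__ == "__main__":
    # Constructed scenario: a deploy pipeline that lists services, uploads a
    # new version and polls the resulting long-running operation.
    ci_methods = ["apps.services.list", "apps.services.versions.create", "apps.operations.get"]
    role = least_privileged_role(ci_methods)
    print("least-privileged role:", role)
    print("permissions it carries that the pipeline does not need:",
          sorted(excess_permissions(role, ci_methods)))
```

Running the block picks roles/appengine.deployer for the pipeline and lists the eleven permissions that role grants beyond the three it needs; asking for a method whose permission only App Engine Admin includes (for example apps.services.versions.instances.debug) returns that role, which is the signal to question whether the account really needs it.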

Note that the roles roles/owner, roles/editor, and roles/viewer include permissions for other Google Cloud Platform services as well. For more information about these primitive roles, see Access Control.

Controlling access via the Cloud Platform Console

You can use the Cloud Platform Console to manage access control for your Cloud Platform projects.

Setting project-wide access controls

To grant members access to a Cloud Platform project and its resources, see Granting, Changing, and Revoking Access to Project Members.

Setting service account access controls

You can create a service account in a Cloud Platform project to grant your app programmatic access to Cloud Platform services. For example, use a service account to allow one Cloud Platform project to send HTTP requests with the Google App Engine Admin API to another Cloud Platform project.
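Before granting a service account (or anyone else) App Engine access, it helps to know who already holds it and through which role. The following Python is an added example, not from the Google documentation or any Google library: it reads a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns, inverts the bindings to a per-member view, and flags the grants a least-privilege review should look at: primitive roles (which, as noted above, also grant access to other Cloud Platform services), a narrower App Engine role held alongside a primitive role (IAM roles are additive, so the narrower role does not limit anything), and domain-wide grants. The policy document, project name and members are constructed placeholders.

```python
"""Inventory of who holds App Engine access in a project IAM policy.

Added example, not from the Google documentation page. SAMPLE_POLICY is a
constructed document in the shape `gcloud projects get-iam-policy PROJECT_ID
--format=json` returns: a list of bindings, each a role and its members.
"""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

APP_ENGINE_PREFIX = "roles/appengine."
# Primitive roles also grant permissions on services other than App Engine.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample: project id, members and etag are placeholders.
SAMPLE_POLICY = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:deploy-bot@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/appengine.deployer",
     "members": ["serviceAccount:deploy-bot@example-project.iam.gserviceaccount.com",
                 "group:release-eng@example.com"]},
    {"role": "roles/appengine.appViewer",
     "members": ["domain:example.com"]}
  ],
  "etag": "PLACEHOLDER_ETAG",
  "version": 1
}
"""

Finding = Tuple[str, str, str]  # (member, finding code, detail)


def roles_by_member(policy_json: str) -> Dict[str, Set[str]]:
    """Invert the policy's bindings (role -> members) into member -> roles."""
    policy = json.loads(policy_json)
    result: Dict[str, Set[str]] = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            result[member].add(binding["role"])
    return dict(result)


def audit(policy_json: str) -> List[Finding]:
    """Flag grants that a least-privilege review should examine.

    IAM roles are additive: a narrower App Engine role held alongside a
    primitive role does not restrict what the primitive role already grants.
    """
    findings: List[Finding] = []
    for member, roles in sorted(roles_by_member(policy_json).items()):
        primitive = sorted(roles & PRIMITIVE_ROLES)
        app_engine = sorted(r for r in roles if r.startswith(APP_ENGINE_PREFIX))
        if primitive:
            findings.append((member, "PRIMITIVE_ROLE",
                             f"holds {primitive}, which also grants access to other Cloud Platform services"))
            if app_engine:
                findings.append((member, "NARROW_ROLE_NOT_LIMITING",
                                 f"{app_engine} does not restrict what {primitive} already grants"))
        if member.startswith("domain:") and (primitive or app_engine):
            findings.append((member, "DOMAIN_WIDE_GRANT",
                             f"every account in the domain receives {app_engine or primitive}"))
    return findings


def members_with_app_engine_access(policy_json: str) -> Set[str]:
    """Members that can reach the Admin API through an App Engine or primitive role."""
    return {m for m, roles in roles_by_member(policy_json).items()
            if roles & PRIMITIVE_ROLES or any(r.startswith(APP_ENGINE_PREFIX) for r in roles)}


if __name__ == "__main__":
    for member, code, detail in audit(SAMPLE_POLICY):
        print(f"{code:26} {member}: {detail}")
```

On the sample policy the audit reports the owner and editor grants, notes that the deploy account's App Engine Deployer role is not limiting anything while it also holds roles/editor, and flags the domain-wide viewer grant; the group holding only roles/appengine.deployer produces no finding.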

To create service accounts and grant access, see the following IAM topics:
