The App Engine Admin API uses Identity and Access Management (IAM) for access control.
Access control in App Engine Admin API can be configured at the project level. Access to Google Cloud projects and the resources within them can be granted to user accounts, domains, groups, or service accounts. For example:
- Grant access to all the resources within a project to an individual user or service account.
- Grant partial access to resources within the project. For example, read-only access to resources, or the ability to deploy new versions but not to configure traffic to those versions.
For a detailed description of IAM and its features, see the IAM documentation.
Every Admin API method requires the caller to have the necessary permissions. See the following section for a list of all the permissions and roles that the Admin API supports.
Permissions and roles
This section summarizes the permissions and roles that the Admin API supports.
For details about the App Engine roles, see App Engine Access Control.
Required permissions
The following table lists the permissions that the caller must have to call each method:
Method | Required permission(s) |
---|---|
apps.create | appengine.applications.create on the requested Application resource. |
apps.get | appengine.applications.get on the requested Application resource. |
apps.patch | appengine.applications.update on the requested Application resource. |
apps.repair | appengine.applications.update on the requested Application resource. |
apps.authorizedCertificates.create | appengine.applications.update on the requested Application resource. |
apps.authorizedCertificates.delete | appengine.applications.update on the requested Application resource. |
apps.authorizedCertificates.get | appengine.applications.get on the requested Application resource. |
apps.authorizedCertificates.list | appengine.applications.get on the requested Application resource. |
apps.authorizedCertificates.patch | appengine.applications.update on the requested Application resource. |
apps.authorizedDomains.list | appengine.applications.get on the requested Application resource. |
apps.domainMappings.create | appengine.applications.update on the requested Application resource. |
apps.domainMappings.delete | appengine.applications.update on the requested Application resource. |
apps.domainMappings.get | appengine.applications.get on the requested Application resource. |
apps.domainMappings.list | appengine.applications.get on the requested Application resource. |
apps.domainMappings.patch | appengine.applications.update on the requested Application resource. |
apps.locations.get | appengine.applications.get on the requested Application resource. |
apps.locations.list | appengine.applications.get on the requested Application resource. |
apps.operations.get | appengine.applications.get on the requested Application resource. |
apps.operations.list | appengine.applications.get on the requested Application resource. |
apps.services.delete | appengine.services.delete on the requested Service resource. |
apps.services.get | appengine.services.get on the requested Service resource. |
apps.services.list | appengine.services.list on the requested Application resource. |
apps.services.patch | appengine.services.update on the requested Service resource. |
apps.services.versions.create | appengine.versions.create on the requested Service resource. |
apps.services.versions.delete | appengine.versions.delete on the requested Version resource. |
apps.services.versions.get | appengine.versions.get on the requested Version resource. |
apps.services.versions.list | appengine.versions.list on the requested Service resource. |
apps.services.versions.patch | appengine.versions.update on the requested Version resource. |
apps.services.versions.instances.debug | appengine.instances.enableDebug on the requested Instance resource. |
apps.services.versions.instances.delete | appengine.instances.delete on the requested Instance resource. |
apps.services.versions.instances.get | appengine.instances.get on the requested Instance resource. |
apps.services.versions.instances.list | appengine.instances.list on the requested Version resource. |
Roles
The following table lists the App Engine Admin API IAM roles with a corresponding list of all the permissions included in each role. Note that every permission is applicable to a particular resource type.
Role | Description | Includes permissions |
---|---|---|
App Engine Admin | Read/Write/Modify access to all application configuration and settings. | appengine.applications.disable, appengine.applications.get, appengine.applications.update, appengine.instances.delete, appengine.instances.enableDebug, appengine.instances.get, appengine.instances.list, appengine.instances.update, appengine.operations.cancel, appengine.operations.delete, appengine.operations.get, appengine.operations.list, appengine.runtimes.actAsAdmin, appengine.services.delete, appengine.services.get, appengine.services.list, appengine.services.update, appengine.versions.create, appengine.versions.delete, appengine.versions.get, appengine.versions.list, appengine.versions.update, resourcemanager.projects.get, resourcemanager.projects.list |
App Engine Deployer | Read-only access to all application configuration and settings. Write access only to create a new version; cannot modify existing versions other than deleting versions that are not receiving traffic. Cannot configure traffic to a version. | appengine.applications.get, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.operations.list, appengine.services.create, appengine.services.get, appengine.services.list, appengine.versions.create, appengine.versions.delete, appengine.versions.get, appengine.versions.list, resourcemanager.projects.get, resourcemanager.projects.list |
App Engine Service Admin | Read-only access to all application configuration and settings. Write access to service-level and version-level settings, including traffic configuration. Cannot deploy versions of apps. | appengine.applications.get, appengine.instances.delete, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.operations.list, appengine.services.delete, appengine.services.get, appengine.services.list, appengine.services.update, appengine.versions.delete, appengine.versions.get, appengine.versions.list, appengine.versions.update, resourcemanager.projects.get, resourcemanager.projects.list |
App Engine Viewer | Read-only access to all application configuration and settings. | appengine.applications.get, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.operations.list, appengine.services.get, appengine.services.list, appengine.versions.get, appengine.versions.list, resourcemanager.projects.get, resourcemanager.projects.list |
App Engine Code Viewer | Read-only access to all application configuration and settings, and to deployed source code. | appengine.applications.get, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.operations.list, appengine.services.get, appengine.services.list, appengine.versions.get, appengine.versions.getFileContents, appengine.versions.list, resourcemanager.projects.get, resourcemanager.projects.list |
Note that the basic roles roles/owner, roles/editor, and roles/viewer include permissions for other Google Cloud services as well. For more information about these basic roles, see Access Control.
Permissions not available for custom roles
If you want to configure access beyond the predefined IAM roles, you can create a custom role. However, the following permissions are not available for custom roles:
- appengine.applications.disable
- appengine.applications.list
- appengine.instances.update
- appengine.operations.cancel
- appengine.operations.delete
- appengine.services.create
None of the Admin API methods listed above requires any of these permissions, so omitting them from a custom role does not block any Admin API call.
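The two tables above answer "which permission does this method need?" and "which permissions does this role carry?", but the question a reviewer actually asks is "which Admin API methods can this principal call, and is that more than they need?". The following script, an added example that is not part of the Google Cloud documentation, encodes both tables and evaluates a project IAM policy of the shape returned by `gcloud projects get-iam-policy PROJECT --format=json`. It also checks a proposed custom role against the list of permissions that custom roles cannot contain. Assumptions: the role IDs (roles/appengine.appAdmin, roles/appengine.deployer, roles/appengine.serviceAdmin, roles/appengine.appViewer, roles/appengine.codeViewer) are the standard IDs of the roles the table names by title, and SAMPLE_POLICY is constructed with fictitious principals.

```python
# Added example (not from the Google Cloud docs): "who can call which App Engine
# Admin API method?" for a policy as returned by `gcloud projects get-iam-policy`.

# Required permission for each Admin API method (Required permissions table).
_PERM_TO_METHODS = {
    "applications.create": ["apps.create"],
    "applications.get": ["apps.get", "apps.authorizedCertificates.get",
        "apps.authorizedCertificates.list", "apps.authorizedDomains.list",
        "apps.domainMappings.get", "apps.domainMappings.list", "apps.locations.get",
        "apps.locations.list", "apps.operations.get", "apps.operations.list"],
    "applications.update": ["apps.patch", "apps.repair",
        "apps.authorizedCertificates.create", "apps.authorizedCertificates.delete",
        "apps.authorizedCertificates.patch", "apps.domainMappings.create",
        "apps.domainMappings.delete", "apps.domainMappings.patch"],
    "services.delete": ["apps.services.delete"], "services.get": ["apps.services.get"],
    "services.list": ["apps.services.list"], "services.update": ["apps.services.patch"],
    "versions.create": ["apps.services.versions.create"],
    "versions.delete": ["apps.services.versions.delete"],
    "versions.get": ["apps.services.versions.get"],
    "versions.list": ["apps.services.versions.list"],
    "versions.update": ["apps.services.versions.patch"],
    "instances.enableDebug": ["apps.services.versions.instances.debug"],
    "instances.delete": ["apps.services.versions.instances.delete"],
    "instances.get": ["apps.services.versions.instances.get"],
    "instances.list": ["apps.services.versions.instances.list"],
}
METHOD_PERMISSION = {m: "appengine." + p for p, ms in _PERM_TO_METHODS.items() for m in ms}

# appengine.* permissions of each predefined role (Roles table), keyed by the role's
# standard ID. resourcemanager.projects.* is omitted: no Admin API method needs it.
_VIEWER = {"applications.get", "instances.get", "instances.list", "operations.get",
           "operations.list", "services.get", "services.list", "versions.get",
           "versions.list"}
_ROLE_TO_PERMS = {
    "roles/appengine.appViewer": _VIEWER,
    "roles/appengine.codeViewer": _VIEWER | {"versions.getFileContents"},
    "roles/appengine.deployer": _VIEWER | {"services.create", "versions.create",
                                           "versions.delete"},
    "roles/appengine.serviceAdmin": _VIEWER | {"instances.delete", "services.delete",
        "services.update", "versions.delete", "versions.update"},
    "roles/appengine.appAdmin": _VIEWER | {"applications.disable",
        "applications.update", "instances.delete", "instances.enableDebug",
        "instances.update", "operations.cancel", "operations.delete",
        "runtimes.actAsAdmin", "services.delete", "services.update",
        "versions.create", "versions.delete", "versions.update"},
}
ROLE_PERMISSIONS = {r: {"appengine." + p for p in ps} for r, ps in _ROLE_TO_PERMS.items()}

# Permissions IAM does not accept in a custom role (list above).
NOT_IN_CUSTOM_ROLES = frozenset("appengine." + p for p in (
    "applications.disable", "applications.list", "instances.update",
    "operations.cancel", "operations.delete", "services.create"))


def callable_methods(permissions):
    """Admin API methods whose required permission is in `permissions`."""
    return sorted(m for m, p in METHOD_PERMISSION.items() if p in permissions)


def audit(policy):
    """Map each principal to the Admin API methods its predefined roles allow.

    Roles outside ROLE_PERMISSIONS (basic roles such as roles/owner, custom roles)
    and bindings carrying an IAM condition are listed under "unmodeled" instead of
    being expanded: basic roles also grant Admin API access, and conditional access
    depends on request attributes a static check cannot see. Follow those up.
    """
    perms, unmodeled = {}, {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding["members"]:
            perms.setdefault(member, set())
            unmodeled.setdefault(member, [])
            if "condition" in binding:
                unmodeled[member].append(role + " (conditional)")
            elif role in ROLE_PERMISSIONS:
                perms[member] |= ROLE_PERMISSIONS[role]
            else:
                unmodeled[member].append(role)
    return {m: {"methods": callable_methods(perms[m]),
                "unmodeled": sorted(unmodeled[m])} for m in perms}


def custom_role_violations(permissions):
    """Permissions in a proposed custom role that IAM will reject."""
    return sorted(set(permissions) & NOT_IN_CUSTOM_ROLES)


# Constructed sample policy; project and principals are fictitious.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/appengine.deployer",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/appengine.serviceAdmin", "members": ["group:sre@example.com"]},
    {"role": "roles/appengine.appViewer",
     "members": ["group:sre@example.com", "user:alice@example.com"]},
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
]}

if __name__ == "__main__":
    for member, entry in audit(SAMPLE_POLICY).items():
        print(member, "unmodeled:", entry["unmodeled"])
        print("  can call:", ", ".join(entry["methods"]))
    print("custom role rejects:", custom_role_violations(
        ["appengine.versions.create", "appengine.services.create"]))
```

Two things the output makes visible that the tables alone do not. First, apps.create needs appengine.applications.create, which none of the predefined App Engine roles carries, so creating an application falls back to a basic role such as roles/owner; the audit flags basic roles as unmodeled rather than silently treating them as harmless. Second, the Deployer's restriction to deleting only versions that are not receiving traffic is a service-side rule, not a separate permission: the audit reports apps.services.versions.delete as callable for a Deployer because appengine.versions.delete is in the role, and it cannot tell which versions that applies to.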
Controlling access via the Google Cloud console
You can use the Google Cloud console to manage access control for your Google Cloud projects.
Setting project-wide access controls
To grant principals access to a Google Cloud project and its resources, see Granting, Changing, and Revoking Access.
Setting service account access controls
You can create a service account in a Google Cloud project to grant your app programmatic access to Google Cloud services. For example, use a service account to allow one Google Cloud project to send HTTP requests with the App Engine Admin API to another Google Cloud project.
To create service accounts and grant access, see the following IAM topics: