The Google App Engine Admin API uses Google Cloud Identity and Access Management (IAM) for access control.
Access control for the Google App Engine Admin API is configured at the project level. Access to GCP projects and the resources within them can be granted to user accounts, domains, groups, or service accounts. For example:
- Grant access to all the resources within a project to an individual member or to all the members of a service account.
- Grant access on a per-role basis, rather than for the whole project so that project members are provided limited capabilities. For example, read-only access to resources, or ability to deploy new versions, but not configure traffic to those versions.
For a detailed description of IAM and its features, see the Google Cloud Identity and Access Management documentation.
Every Admin API method requires the caller to have the necessary permissions. See the following section for a list of all the permissions and roles that the Admin API IAM supports.
Permissions and roles
This section summarizes the permissions and roles that Admin API IAM supports.
For details about the App Engine roles, see App Engine Access Control.
Required permissions
The following table lists the permissions that the caller must have to call each method:
Method | Required Permission(s) |
---|---|
apps.create | appengine.applications.create on the requested Application resource. Requires Owner role permissions on the GCP project. |
apps.get | appengine.applications.get on the requested Application resource. |
apps.patch | appengine.applications.update on the requested Application resource. |
apps.repair | appengine.applications.update on the requested Application resource. |
apps.authorizedCertificates.create | appengine.applications.update on the requested Application resource. |
apps.authorizedCertificates.delete | appengine.applications.update on the requested Application resource. |
apps.authorizedCertificates.get | appengine.applications.get on the requested Application resource. |
apps.authorizedCertificates.list | appengine.applications.get on the requested Application resource. |
apps.authorizedCertificates.patch | appengine.applications.update on the requested Application resource. |
apps.authorizedDomains.list | appengine.applications.get on the requested Application resource. |
apps.domainMappings.create | appengine.applications.update on the requested Application resource. |
apps.domainMappings.delete | appengine.applications.update on the requested Application resource. |
apps.domainMappings.get | appengine.applications.get on the requested Application resource. |
apps.domainMappings.list | appengine.applications.get on the requested Application resource. |
apps.domainMappings.patch | appengine.applications.update on the requested Application resource. |
apps.locations.get | appengine.applications.get on the requested Application resource. |
apps.locations.list | appengine.applications.get on the requested Application resource. |
apps.operations.get | appengine.applications.get on the requested Application resource. |
apps.operations.list | appengine.applications.get on the requested Application resource. |
apps.services.delete | appengine.services.delete on the requested Service resource. |
apps.services.get | appengine.services.get on the requested Service resource. |
apps.services.list | appengine.services.list on the requested Application resource. |
apps.services.patch | appengine.services.update on the requested Service resource. |
apps.services.versions.create | appengine.versions.create on the requested Service resource. |
apps.services.versions.delete | appengine.versions.delete on the requested Version resource. |
apps.services.versions.get | appengine.versions.get on the requested Version resource. |
apps.services.versions.list | appengine.versions.list on the requested Service resource. |
apps.services.versions.patch | appengine.versions.update on the requested Version resource. |
apps.services.versions.instances.debug | appengine.instances.enableDebug on the requested Instance resource. |
apps.services.versions.instances.delete | appengine.instances.delete on the requested Instance resource. |
apps.services.versions.instances.get | appengine.instances.get on the requested Instance resource. |
apps.services.versions.instances.list | appengine.instances.list on the requested Version resource. |
Roles
The following table lists the Google App Engine Admin API IAM roles with a corresponding list of all the permissions included in each role. Note that every permission is applicable to a particular resource type.
Role | Description | Includes permissions |
---|---|---|
App Engine Admin | Read/Write/Modify access to all application configuration and settings. | appengine.applications.disable, appengine.applications.get, appengine.applications.update, appengine.instances.delete, appengine.instances.enableDebug, appengine.instances.get, appengine.instances.list, appengine.instances.update, appengine.operations.cancel, appengine.operations.delete, appengine.operations.get, appengine.operations.list, appengine.runtimes.actAsAdmin, appengine.services.delete, appengine.services.get, appengine.services.list, appengine.services.update, appengine.versions.create, appengine.versions.delete, appengine.versions.get, appengine.versions.list, appengine.versions.update, resourcemanager.projects.get, resourcemanager.projects.list |
App Engine Deployer | Read-only access to all application configuration and settings. Write access only to create a new version; cannot modify existing versions other than deleting versions that are not receiving traffic. Cannot configure traffic to a version. | appengine.applications.get, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.operations.list, appengine.services.create, appengine.services.get, appengine.services.list, appengine.versions.create, appengine.versions.delete, appengine.versions.get, appengine.versions.list, resourcemanager.projects.get, resourcemanager.projects.list |
App Engine Service Admin | Read-only access to all application configuration and settings. Write access to service-level and version-level settings, including traffic configuration. Cannot deploy versions of apps. | appengine.applications.get, appengine.instances.delete, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.operations.list, appengine.services.delete, appengine.services.get, appengine.services.list, appengine.services.update, appengine.versions.delete, appengine.versions.get, appengine.versions.list, appengine.versions.update, resourcemanager.projects.get, resourcemanager.projects.list |
App Engine Viewer | Read-only access to all application configuration and settings. | appengine.applications.get, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.operations.list, appengine.services.get, appengine.services.list, appengine.versions.get, appengine.versions.list, resourcemanager.projects.get, resourcemanager.projects.list |
App Engine Code Viewer | Read-only access to all application configuration and settings, and to deployed source code. | appengine.applications.get, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.operations.list, appengine.services.get, appengine.services.list, appengine.versions.get, appengine.versions.getFileContents, appengine.versions.list, resourcemanager.projects.get, resourcemanager.projects.list |
Note that the roles roles/owner, roles/editor, and roles/viewer include permissions for other Google Cloud Platform services as well. For more information about these primitive roles, see Access Control.
Permissions not available for custom roles
If you want to configure access beyond the predefined IAM roles, you can create a custom role. However, the following permissions are not available for custom roles:
- appengine.applications.disable
- appengine.applications.list
- appengine.instances.update
- appengine.operations.cancel
- appengine.operations.delete
- appengine.services.create
These permissions are not needed for any operations.
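The three preceding sections (the required permission for each method, the contents of each predefined role, and the permissions that cannot be placed in a custom role) together answer a least-privilege question: given the Admin API methods a caller actually needs, which predefined role is the smallest one that covers them, and how much extra authority does that role carry? The following Python script is an added example, not Google's code; the method-to-permission map, the role contents and the custom-role exclusions are transcribed from the tables above, and the role keys are the display names used on this page (the assumed sample method lists at the bottom are constructed for illustration).

```python
"""Least-privilege role selection for the App Engine Admin API.

Added example (not Google's code). All permission and role data below is
transcribed from the tables on this page.
"""

# Required permission per Admin API method (from the "Required permissions" table).
REQUIRED_PERMISSION = {
    "apps.create": "appengine.applications.create",  # page: also needs the project Owner role
    "apps.get": "appengine.applications.get",
    "apps.patch": "appengine.applications.update",
    "apps.repair": "appengine.applications.update",
    "apps.authorizedCertificates.create": "appengine.applications.update",
    "apps.authorizedCertificates.delete": "appengine.applications.update",
    "apps.authorizedCertificates.get": "appengine.applications.get",
    "apps.authorizedCertificates.list": "appengine.applications.get",
    "apps.authorizedCertificates.patch": "appengine.applications.update",
    "apps.authorizedDomains.list": "appengine.applications.get",
    "apps.domainMappings.create": "appengine.applications.update",
    "apps.domainMappings.delete": "appengine.applications.update",
    "apps.domainMappings.get": "appengine.applications.get",
    "apps.domainMappings.list": "appengine.applications.get",
    "apps.domainMappings.patch": "appengine.applications.update",
    "apps.locations.get": "appengine.applications.get",
    "apps.locations.list": "appengine.applications.get",
    "apps.operations.get": "appengine.applications.get",
    "apps.operations.list": "appengine.applications.get",
    "apps.services.delete": "appengine.services.delete",
    "apps.services.get": "appengine.services.get",
    "apps.services.list": "appengine.services.list",
    "apps.services.patch": "appengine.services.update",
    "apps.services.versions.create": "appengine.versions.create",
    "apps.services.versions.delete": "appengine.versions.delete",
    "apps.services.versions.get": "appengine.versions.get",
    "apps.services.versions.list": "appengine.versions.list",
    "apps.services.versions.patch": "appengine.versions.update",
    "apps.services.versions.instances.debug": "appengine.instances.enableDebug",
    "apps.services.versions.instances.delete": "appengine.instances.delete",
    "apps.services.versions.instances.get": "appengine.instances.get",
    "apps.services.versions.instances.list": "appengine.instances.list",
}

# Read-only permissions that every predefined role on the page shares.
_VIEW = {
    "appengine.applications.get", "appengine.instances.get", "appengine.instances.list",
    "appengine.operations.get", "appengine.operations.list", "appengine.services.get",
    "appengine.services.list", "appengine.versions.get", "appengine.versions.list",
    "resourcemanager.projects.get", "resourcemanager.projects.list",
}

# Predefined roles (from the "Roles" table), keyed by the display name the page uses.
ROLE_PERMISSIONS = {
    "App Engine Viewer": set(_VIEW),
    "App Engine Code Viewer": _VIEW | {"appengine.versions.getFileContents"},
    "App Engine Deployer": _VIEW | {
        "appengine.services.create", "appengine.versions.create", "appengine.versions.delete"},
    "App Engine Service Admin": _VIEW | {
        "appengine.instances.delete", "appengine.services.delete", "appengine.services.update",
        "appengine.versions.delete", "appengine.versions.update"},
    "App Engine Admin": _VIEW | {
        "appengine.applications.disable", "appengine.applications.update",
        "appengine.instances.delete", "appengine.instances.enableDebug",
        "appengine.instances.update", "appengine.operations.cancel",
        "appengine.operations.delete", "appengine.runtimes.actAsAdmin",
        "appengine.services.delete", "appengine.services.update",
        "appengine.versions.create", "appengine.versions.delete", "appengine.versions.update"},
}

# From "Permissions not available for custom roles".
NOT_AVAILABLE_FOR_CUSTOM_ROLES = {
    "appengine.applications.disable", "appengine.applications.list",
    "appengine.instances.update", "appengine.operations.cancel",
    "appengine.operations.delete", "appengine.services.create",
}


def permissions_for(methods):
    """Union of the permissions a caller needs to invoke the given methods."""
    unknown = sorted(set(methods) - set(REQUIRED_PERMISSION))
    if unknown:
        raise KeyError(f"unknown Admin API method(s): {unknown}")
    return {REQUIRED_PERMISSION[m] for m in methods}


def roles_covering(needed):
    """Predefined roles whose permission set is a superset of `needed`."""
    return sorted(role for role, perms in ROLE_PERMISSIONS.items() if needed <= perms)


def least_privilege_role(methods):
    """Smallest predefined role covering every method, or None when no role does.

    apps.create is the notable gap: it needs appengine.applications.create, which
    no App Engine role grants (the page says it requires the project Owner role).
    """
    candidates = roles_covering(permissions_for(methods))
    if not candidates:
        return None
    return min(candidates, key=lambda r: (len(ROLE_PERMISSIONS[r]), r))


def excess_permissions(methods, role):
    """Permissions the role grants beyond what the methods need, i.e. the
    over-privilege accepted by binding a predefined role instead of a custom one."""
    return sorted(ROLE_PERMISSIONS[role] - permissions_for(methods))


def custom_role_blockers(permissions):
    """Members of `permissions` that cannot be placed in a custom role."""
    return sorted(set(permissions) & NOT_AVAILABLE_FOR_CUSTOM_ROLES)


# Constructed sample: a CI pipeline that only deploys versions and polls operations.
CI_DEPLOY_METHODS = ["apps.services.versions.create", "apps.operations.get"]
```

Running `least_privilege_role(CI_DEPLOY_METHODS)` returns "App Engine Deployer", and `excess_permissions(CI_DEPLOY_METHODS, "App Engine Deployer")` lists the twelve permissions that role grants which the pipeline never exercises; a single `apps.services.patch` call (traffic configuration) pushes the answer to "App Engine Service Admin", and `apps.create` returns None because no predefined App Engine role carries appengine.applications.create. `custom_role_blockers(ROLE_PERMISSIONS["App Engine Deployer"])` shows why a custom role cannot simply clone Deployer: appengine.services.create is excluded, although, as the page notes, no Admin API method actually requires it.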
Controlling access via the GCP Console
You can use the GCP Console to manage access control for your GCP projects.
Setting project-wide access controls
To grant members access to a GCP project and its resources, see Granting, Changing, and Revoking Access to Project Members.
Setting service account access controls
You can create a service account in a GCP project to grant your app programmatic access to GCP services. For example, use a service account to allow one GCP project to send HTTP requests with the Google App Engine Admin API to another GCP project.
To create service accounts and grant access, see the following IAM topics: