Controlling Access in the Admin API

The App Engine Admin API uses Identity and Access Management (IAM) for access control.

Access control for the App Engine Admin API is configured at the project level. Access to Google Cloud projects and the resources within them can be granted to user accounts, domains, groups, or service accounts. For example:

  • Grant access to all the resources within a project to an individual user or service account.
  • Grant partial access to resources within the project. For example, read-only access to resources, or the ability to deploy new versions but not to configure traffic to those versions.

For a detailed description of IAM and its features, see the IAM documentation.

Every Admin API method requires the caller to have the necessary permissions. See the following section for a list of all the permissions and roles that the Admin API supports.

Permissions and roles

This section summarizes the permissions and roles that the Admin API supports.

For details about the App Engine roles, see App Engine Access Control.

Required permissions

The following table lists the permissions that the caller must have to call each method:

apps.create: appengine.applications.create on the requested Application resource.
apps.get: appengine.applications.get on the requested Application resource.
apps.patch: appengine.applications.update on the requested Application resource.
apps.repair: appengine.applications.update on the requested Application resource.
apps.authorizedCertificates.create: appengine.applications.update on the requested Application resource.
apps.authorizedCertificates.delete: appengine.applications.update on the requested Application resource.
apps.authorizedCertificates.get: appengine.applications.get on the requested Application resource.
apps.authorizedCertificates.list: appengine.applications.get on the requested Application resource.
apps.authorizedCertificates.patch: appengine.applications.update on the requested Application resource.
apps.authorizedDomains.list: appengine.applications.get on the requested Application resource.
apps.domainMappings.create: appengine.applications.update on the requested Application resource.
apps.domainMappings.delete: appengine.applications.update on the requested Application resource.
apps.domainMappings.get: appengine.applications.get on the requested Application resource.
apps.domainMappings.list: appengine.applications.get on the requested Application resource.
apps.domainMappings.patch: appengine.applications.update on the requested Application resource.
apps.locations.get: appengine.applications.get on the requested Application resource.
apps.locations.list: appengine.applications.get on the requested Application resource.
apps.operations.get: appengine.applications.get on the requested Application resource.
apps.operations.list: appengine.applications.get on the requested Application resource.
apps.services.delete: appengine.services.delete on the requested Service resource.
apps.services.get: appengine.services.get on the requested Service resource.
apps.services.list: appengine.services.list on the requested Application resource.
apps.services.patch: appengine.services.update on the requested Service resource.
apps.services.versions.create: appengine.versions.create on the requested Service resource.
apps.services.versions.delete: appengine.versions.delete on the requested Version resource.
apps.services.versions.get: appengine.versions.get on the requested Version resource.
apps.services.versions.list: appengine.versions.list on the requested Service resource.
apps.services.versions.patch: appengine.versions.update on the requested Version resource.
apps.services.versions.instances.debug: appengine.instances.enableDebug on the requested Instance resource.
apps.services.versions.instances.delete: appengine.instances.delete on the requested Instance resource.
apps.services.versions.instances.get: appengine.instances.get on the requested Instance resource.
apps.services.versions.instances.list: appengine.instances.list on the requested Version resource.

Roles

The following table lists the App Engine Admin API IAM roles with a corresponding list of all the permissions included in each role. Note that every permission is applicable to a particular resource type.

App Engine Admin (roles/appengine.appAdmin)
Read/Write/Modify access to all application configuration and settings.
  • appengine.applications.disable
  • appengine.applications.get
  • appengine.applications.update
  • appengine.instances.delete
  • appengine.instances.enableDebug
  • appengine.instances.get
  • appengine.instances.list
  • appengine.instances.update
  • appengine.operations.cancel
  • appengine.operations.delete
  • appengine.operations.get
  • appengine.operations.list
  • appengine.runtimes.actAsAdmin
  • appengine.services.delete
  • appengine.services.get
  • appengine.services.list
  • appengine.services.update
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Deployer (roles/appengine.deployer)
Read-only access to all application configuration and settings.
Write access only to create a new version; cannot modify existing versions other than deleting versions that are not receiving traffic. Cannot configure traffic to a version.
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.get
  • appengine.operations.list
  • appengine.services.create
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Service Admin (roles/appengine.serviceAdmin)
Read-only access to all application configuration and settings.
Write access to service-level and version-level settings, including traffic configuration. Cannot deploy versions of apps.
  • appengine.applications.get
  • appengine.instances.delete
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.get
  • appengine.operations.list
  • appengine.services.delete
  • appengine.services.get
  • appengine.services.list
  • appengine.services.update
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Viewer (roles/appengine.appViewer)
Read-only access to all application configuration and settings.
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.get
  • appengine.operations.list
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

App Engine Code Viewer (roles/appengine.codeViewer)
Read-only access to all application configuration and settings, and to deployed source code.
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.get
  • appengine.operations.list
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.getFileContents
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Note that the basic roles roles/owner, roles/editor, and roles/viewer also include permissions for other Google Cloud services. For more information about these basic roles, see Access Control.
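The two tables above are easiest to reason about as data. The following Python is an added example (not Google's code or any Admin API tooling): it encodes a subset of the method table and every App Engine role from the roles table, then answers two review questions offline: which write methods a holder of a given predefined role can call, and which predefined role is the least-privileged one that still covers a planned set of calls. Factoring each role as the Viewer set plus write permissions is an observation about the table above, not an official definition.

```python
# Method -> required permission, a subset of the "Required permissions" table above.
METHOD_PERMISSION = {
    "apps.create": "appengine.applications.create",
    "apps.patch": "appengine.applications.update",
    "apps.services.patch": "appengine.services.update",
    "apps.services.versions.create": "appengine.versions.create",
    "apps.services.versions.patch": "appengine.versions.update",
}
# Role -> permissions from the "Roles" table: each role is the Viewer set plus writes.
_VIEWER = {
    "appengine.applications.get", "appengine.instances.get",
    "appengine.instances.list", "appengine.operations.get",
    "appengine.operations.list", "appengine.services.get",
    "appengine.services.list", "appengine.versions.get",
    "appengine.versions.list", "resourcemanager.projects.get",
    "resourcemanager.projects.list",
}
ROLE_PERMISSIONS = {
    "roles/appengine.appViewer": _VIEWER,
    "roles/appengine.codeViewer": _VIEWER | {"appengine.versions.getFileContents"},
    "roles/appengine.deployer": _VIEWER | {
        "appengine.services.create", "appengine.versions.create",
        "appengine.versions.delete",
    },
    "roles/appengine.serviceAdmin": _VIEWER | {
        "appengine.instances.delete", "appengine.services.delete",
        "appengine.services.update", "appengine.versions.delete",
        "appengine.versions.update",
    },
    "roles/appengine.appAdmin": _VIEWER | {
        "appengine.applications.disable", "appengine.applications.update",
        "appengine.instances.delete", "appengine.instances.enableDebug",
        "appengine.instances.update", "appengine.operations.cancel",
        "appengine.operations.delete", "appengine.runtimes.actAsAdmin",
        "appengine.services.delete", "appengine.services.update",
        "appengine.versions.create", "appengine.versions.delete",
        "appengine.versions.update",
    },
}

def callable_methods(role):
    """Methods in METHOD_PERMISSION that a holder of `role` may call."""
    return sorted(m for m, p in METHOD_PERMISSION.items() if p in ROLE_PERMISSIONS[role])

def least_privilege_role(methods):
    """Predefined role with the fewest permissions covering `methods`, or None."""
    needed = {METHOD_PERMISSION[m] for m in methods}
    fits = [r for r, perms in ROLE_PERMISSIONS.items() if needed <= perms]
    return min(fits, key=lambda r: len(ROLE_PERMISSIONS[r]), default=None)
```

Running it confirms the role descriptions: a Deployer can call apps.services.versions.create but not apps.services.versions.patch (traffic configuration), and a pipeline that needs both is pushed up to App Engine Admin. It also shows that no predefined App Engine role in the table carries appengine.applications.create, so least_privilege_role(["apps.create"]) returns None and that permission must come from some other grant.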

Permissions not available for custom roles

If you want to configure access beyond the predefined IAM roles, you can create a custom role. However, the following permissions are not available for custom roles:

  • appengine.applications.disable
  • appengine.applications.list
  • appengine.instances.update
  • appengine.operations.cancel
  • appengine.operations.delete
  • appengine.services.create

These permissions are not needed for any operations.

Controlling access via the Google Cloud console

You can use the Google Cloud console to manage access control for your Google Cloud projects.

Setting project-wide access controls

To grant principals access to a Google Cloud project and its resources, see Granting, Changing, and Revoking Access.

Setting service account access controls

You can create a service account in a Google Cloud project to grant your app programmatic access to Google Cloud services. For example, use a service account to allow one Google Cloud project to send HTTP requests with the App Engine Admin API to another Google Cloud project.

To create service accounts and grant access, see the following IAM topics: