The App Engine Flexible Environment Service Account

In addition to the App Engine default service account, the App Engine flexible environment includes a Google-managed service account named App Engine flexible environment service account. The App Engine flexible environment service account enables your GCP project to interact with the resources of your app separately from other GCP services.

Google automatically creates this account either when:

  • The Google App Engine Flexible Environment API is manually enabled in the GCP Console:

    Go to the API Library page

  • The first app is deployed to the App Engine flexible environment using App Engine tooling, for example: gcloud app deploy

The App Engine flexible environment service account is not listed on the Service Accounts page of the GCP Console and has the following restrictions:

  • Do not modify the permissions of the App Engine flexible environment service account.
  • Avoid using the related App Engine Flexible Environment Service Agent role with any user account. You cannot rely on the role because it can change without notice.

Verifying the App Engine flexible environment service account

To verify that the App Engine flexible environment service account exists in your GCP project, you must view the Permissions page in the GCP Console:

  1. Open the GCP Console:

    Go to the Permissions page

  2. In the Members list, locate the ID of the App Engine flexible environment service account.

    The App Engine flexible environment service account uses the member ID:
    service-[YOUR_PROJECT_NUMBER]@gae-api-prod.google.com.iam.gserviceaccount.com

  3. The App Engine flexible environment service account should have the App Engine Flexible Environment Service Agent role.

Service Agent role

The App Engine flexible environment service account has the App Engine Flexible Environment Service Agent role that includes a set of permissions needed by the App Engine to manage your flexible environment apps. For example, this role includes permissions to perform the following tasks:

  • Deploying a new version.
  • Stopping or deleting existing versions.
  • Automatic weekly restarts and system updates.

The App Engine Flexible Environment Service Agent role should be reserved for only the App Engine flexible environment service account. You should not use or assign this IAM role to any user account because the permissions change without any notice.

Troubleshooting

If you accidentally delete the App Engine flexible environment service account, recreate it by re-enabling the Google App Engine flexible environment API.

Оцените, насколько информация на этой странице была вам полезна:

Оставить отзыв о...

Текущей странице
Custom runtimes for the App Engine flexible environment