You can set access control using roles at the GCP project level. Assign a role to a GCP project member or service account to determine the level of access to your Google Cloud Platform project and its resources.
You can use primitive roles when you are working on smaller projects that have less complex needs. For more fine-tuned access controls, use Identity and Access Management (IAM) roles, which include the App Engine predefined roles. To learn more about IAM, see the IAM documentation.
For information on how to assign roles, see Granting Project Access.
For fine-grained details about which permissions are granted to the predefined IAM roles, down to the method call level, see Roles in the Admin API docs.
For App Engine applications, a GCP project member's role also controls the permissible actions of the command-line tools that are used to deploy and manage applications.
|Role||GCP Console permissions||Tools permissions|
||All viewer and editor privileges, plus the ability to view deployed source code, invite users, change user roles, and delete an application.||Create App Engine applications, deploy application code, update all configurations|
||View application information and edit application settings.||Deploy application code, update indexes/queues/crons|
||View application information.||Request logs|
Predefined App Engine roles
The predefined roles for App Engine provide you with finer grained options for access control. Each role is listed with its targeted user, in the following table. Use the comparison table to view all role capabilities.
|App Engine Admin||Read/Write/Modify access to all application configuration and settings.||
|App Engine Service Admin||
|App Engine Deployer||
See the deployments section below for more information about the required roles.
|App Engine Viewer||Read-only access to all application configuration and settings.||
|App Engine Code Viewer||Read-only access to all application configuration, settings, and deployed source code.||
Predefined roles comparison matrix
The following table provides a complete comparison of the capabilities of each predefined App Engine role.
|Capability||App Engine Admin||App Engine Service Admin||App Engine Deployer||App Engine Viewer||App Engine Code Viewer|
|List all services, versions and instances||Yes||Yes||Yes||Yes||Yes|
|View all application, service, version, and instance settings||Yes||Yes||Yes||Yes||Yes|
|View runtime metrics such as resource usage, load information, and error information||Yes||Yes||Yes||Yes||Yes|
|View app source code||No||No||No||No||Yes|
|Deploy a new version of an app||Yes||No||Yes||No||No|
|Split or migrate traffic||Yes||Yes||No||No||No|
|Start and stop a version||Yes||Yes||No||No||No|
|Delete a version||Yes||Yes||Yes||No||No|
|Delete an entire service||Yes||Yes||No||No||No|
|Shut down an instance||Yes||No||No||No||No|
|Disable and re-enable the App Engine application||Yes||No||No||No||No|
|Access handlers that have a login:admin restriction||Yes||No||No||No||No|
|Update dispatch rules||Yes||No||No||No||No|
|Update DoS settings||Yes||No||No||No||No|
|Update default cookie expiration||Yes||No||No||No||No|
|Update Email API Authorized Senders||Yes||No||No||No||No|
For details about the specific IAM permissions that are granted by each role, see the Roles section of the Admin API.
Deployments with predefined roles
The App Engine Deployer role is the recommended role for the user account that is responsible for only deploying a new version of an app. The App Engine Admin role is an alternative that includes additional administrative privileges, including the ability to deploy versions.
With either role, a user account is granted adequate permission to use the
Admin API to deploy apps. To grant
permission to use the
gcloud commands or other App Engine
tooling, you must also give the user account the Storage
Admin role and Cloud Container Builder Editor
For details about how to grant the required permissions, see Deploying using IAM Roles.
Separation of deployment and traffic routing duties
Many organizations prefer to separate the task of deploying an application version from the task of ramping up traffic to the newly created version, and to have these tasks done by different job functions. The App Engine Deployer and App Engine Service Admin roles provide this separation:
App Engine Deployer role - User accounts are limited to deploying new versions and deleting old versions that are not serving traffic. The user account with the App Engine Deployer role won’t be able to configure traffic to any version nor change application-level settings such as dispatch rules or authentication domain.
App Engine Service Admin role - User accounts cannot deploy a new version of an app nor change application-level settings. However, those accounts have privileges to change the properties of existing services and versions, including changing which versions can serve traffic. The App Engine Service Admin role is ideal for an Operations/IT department that handles ramping up traffic to newly deployed versions.
Permissions the predefined roles do NOT grant
None of the predefined roles listed above grant access to the following:
- Create App Engine applications.
- View and download application logs.
- View Monitoring charts in the GCP Console.
- Enable and Disable billing.
- Set up a daily Spending Limit (formerly known as Budget) for App Engine and view dollar amount spent.
- SSH into a VM instance running in the App Engine flexible environment.
- View and edit custom domains and uploaded SSL certificates.
- Run security scans in Cloud Security Scanner.
- Access configuration or data stored in Datastore, Task Queues, Memcache, Cloud Search or any other Cloud Platform storage product.
Currently, only the primitive roles have privileges to access these features. In the future more fine-grained roles might be available.
Service account for App Engine
After you create an App Engine application, the App Engine default service account is created and used as the identity of the App Engine service. The App Engine default service account is associated with your GCP project and executes tasks on behalf of your apps running in App Engine.
By default, the App Engine default service account has the Editor role in the project. This means that any user account with sufficient permissions to deploy changes to the GCP project can also run code with read/write access to all resources within that project.
You can change the permissions for your service accounts in the Permissions page of the GCP Console. For example, you can downgrade the permissions used by the App Engine default service account by changing its role from Editor to whichever role(s) that best represent the access needs for your App Engine application.
To change the permissions for your service accounts:
Open the GCP Console:
In the Members list, locate the ID of the App Engine default service account.
The App Engine default service account uses the member ID:
You can then use the dropdown menu to modify the roles assigned to the service account.
To rename or create keys for your service accounts, including the App Engine app default service account, use the Service Accounts page in the GCP Console to view and edit your service accounts:
To run Cloud SDK commands using a service account, including any of the GCP SDK development tools, you must first enable the Google App Engine Admin API in your Google Cloud Platform project. Use the API Library in the GCP Console to manage all of the APIs and Services in your GCP project:
Service account for the flexible environment
In the App Engine flexible environment, there is also a Google-managed service account that executes flexible environment specific tasks on behalf of your apps. For more information about this service account, see Service Account for the App Engine Flexible Environment.