The App Engine flexible environment service agent

In addition to the App Engine default service account, the App Engine flexible environment includes a Google-managed service account named the App Engine flexible environment service agent. The service agent enables your Cloud project to interact with the resources of your app separately from other Google Cloud services.

Google automatically creates this account when you deploy a project's first app to the App Engine flexible environment using App Engine tooling, such as the gcloud app deploy command.

The service agent is not listed on the Service Accounts page of the Cloud Console and has the following restrictions:

Verifying the App Engine flexible environment service agent

To verify that the service agent exists in your Cloud project, perform the following steps:

  1. Open the Cloud Console:

    Go to the Permissions page

  2. In the upper-right corner of the Permissions page, select the Include Google-provided role grants checkbox.

  3. In the Principals list, locate the ID of the App Engine flexible environment service agent, which uses the ID
    service-PROJECT_NUMBER@gae-api-prod.google.com.iam.gserviceaccount.com.

  4. Verify that the service agent has been granted the App Engine Flexible Environment Service Agent role.

Service Agent role

The service agent has the App Engine Flexible Environment Service Agent role. The role includes a set of permissions needed by the Go flexible environment to manage your flexible environment apps. For example, this role includes permissions to perform the following tasks:

  • Deploying a new version.
  • Stopping or deleting existing versions.
  • Automatic weekly restarts and system updates.

The App Engine Flexible Environment Service Agent role is reserved for the service agent. Do not grant this IAM role to any other account, because the permissions that the role includes can change without notice.
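The verification steps and the reserved-role rule above can also be checked against an exported IAM policy. The following Python script is an added example, not part of the original documentation: it assumes the policy was exported as JSON (for example with gcloud projects get-iam-policy PROJECT_ID --format=json) and that the role's ID is roles/appengineflex.serviceAgent. The function names, project number, and sample policy are constructed for illustration.

```python
import json

# Assumption: role ID for "App Engine Flexible Environment Service Agent".
FLEX_AGENT_ROLE = "roles/appengineflex.serviceAgent"


def flex_agent_member(project_number):
    """Build the IAM member string from the ID format shown on this page."""
    return ("serviceAccount:service-%s@gae-api-prod.google.com"
            ".iam.gserviceaccount.com" % project_number)


def audit_flex_agent(policy, project_number):
    """Return (agent_has_role, other_members_holding_role) for a policy dict."""
    expected = flex_agent_member(project_number).lower()
    agent_has_role = False
    others = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != FLEX_AGENT_ROLE:
            continue
        for member in binding.get("members", []):
            # A deleted account is listed with a "deleted:" prefix and a uid
            # suffix, so it does not match and is reported under "others".
            if member.lower() == expected:
                agent_has_role = True
            else:
                others.append(member)
    return agent_has_role, sorted(others)


# Constructed sample policy (not real project data).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/appengineflex.serviceAgent",
     "members": [
       "serviceAccount:service-123456789012@gae-api-prod.google.com.iam.gserviceaccount.com",
       "user:dev@example.com"]},
    {"role": "roles/viewer", "members": ["group:ops@example.com"]}
  ]
}
""")

if __name__ == "__main__":
    ok, extra = audit_flex_agent(SAMPLE_POLICY, "123456789012")
    print("service agent holds role:", ok)
    print("other principals holding the reserved role:", extra)
```

A result of False for the first value means the service agent binding is missing and needs to be restored; any entry in the second value is a principal that holds the reserved role and should have it removed.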

Restoring a deleted service agent

If you accidentally delete the App Engine flexible environment service agent, restore it by performing the following steps:

  1. Open the Cloud Console:

    Go to the Permissions page

  2. Click Add.

  3. Enter the service agent ID using the format
    service-PROJECT_NUMBER@gae-api-prod.google.com.iam.gserviceaccount.com.

  4. Select the App Engine Flexible Environment Service Agent role.

  5. Click Save.