Grant and control access to your Google Cloud Platform project and its resources by assigning roles. You can assign roles to project members and to service accounts.
A service account represents a Google Cloud service identity, such as an App Engine app, and can be used to access other services. To learn more about service accounts, see the OAuth 2.0 documentation.
For more information on the different types of App Engine roles, see Access Control.
Choosing the right access control
Assign roles to project members and service accounts to determine access to your Google Cloud Platform project. You can use Identity and Access Management (IAM) roles for more fine-tuned access controls. To learn more about IAM, see the IAM documentation.
In general, the primitive roles of Owner, Editor, and Viewer are simpler to use, but the predefined roles have more fine-grained options for access. If you are just experimenting with App Engine, the simplest approach to access control is to grant the Editor role to all people involved with the project, following the instructions below on Setting permissions. Keep in mind that only an Owner can add other people to the project.
When your project is ready for more complex roles:
Identify all the different job functions that need access to the project.
Set up a Google Group for each of these job functions.
Add members as desired to each Google Group.
Follow the instructions below on setting permissions to add each Google Group as a member of the project and set roles on each group.
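The group-per-job-function pattern above maps directly onto project IAM bindings. The following is an added example (not Google's code or anything from this page) that takes the policy document `gcloud projects get-iam-policy PROJECT_ID --format=json` returns, adds one group per job function to the role that function needs, and leaves every existing member and the policy `etag` untouched so the result can be handed back to `set-iam-policy` without clobbering concurrent edits. The group addresses, the sample policy and the mapping of the page's display names to role IDs (`roles/appengine.deployer`, `roles/appengine.appAdmin`, `roles/viewer`) are assumptions for the example.

```python
"""Merge job-function Google Groups into a project IAM policy (added example).

Operates on the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json`
returns and produces what `gcloud projects set-iam-policy` expects back.
All addresses, the sample policy and the role-id mapping are constructed/assumed.
"""
import copy
import json

# Job function -> (Google Group as an IAM member string, IAM role id).
# Role ids are the assumed IAM names for the display names used on the page.
JOB_FUNCTIONS = {
    "app-deployers": ("group:app-deployers@example.com", "roles/appengine.deployer"),
    "app-admins": ("group:app-admins@example.com", "roles/appengine.appAdmin"),
    "auditors": ("group:auditors@example.com", "roles/viewer"),
}

# Constructed sample of an existing policy. The etag is what set-iam-policy
# uses to detect a concurrent change, so it must be carried over unchanged.
EXISTING_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/appengine.deployer",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwWq0example=",
    "version": 1,
}


def add_group_bindings(policy, job_functions):
    """Return a new policy with each group added to its role; existing members are kept.

    Adding the same groups twice is a no-op, so the function is safe to re-run.
    """
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    by_role = {b["role"]: b for b in bindings}
    for group, role in job_functions.values():
        binding = by_role.get(role)
        if binding is None:
            binding = {"role": role, "members": []}
            bindings.append(binding)
            by_role[role] = binding
        if group not in binding["members"]:
            binding["members"].append(group)
    return new_policy


def members_with_role(policy, role):
    """Sorted members bound directly to `role` at the project level."""
    for binding in policy.get("bindings", []):
        if binding["role"] == role:
            return sorted(binding["members"])
    return []


if __name__ == "__main__":
    # Pipe this output to `gcloud projects set-iam-policy PROJECT_ID policy.json`.
    print(json.dumps(add_group_bindings(EXISTING_POLICY, JOB_FUNCTIONS), indent=2))
```

Because the merge is additive, nobody loses access by running it; removing a member from a job function is done in the Google Group, which is the whole point of binding groups rather than individuals.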
To add a project member and set permissions:
In the Google Cloud Platform Console, visit the IAM & Admin Permissions page for your project.
Click Add member to add new members to the project and set their roles using the dropdown menu. You can add an individual user's email or, if you use Google Groups to manage group roles, a Google Group email (
Assign a role.
To see descriptions and a comparison matrix of all the App Engine roles, and to read about limitations, go to Access Control.
There are other roles in the dropdown menu that apply to other Google Cloud Platform products. For more information on these roles, see Predefined roles.
Deploying using IAM roles
You can grant the ability to deploy a version of an app to the services in your GCP project by assigning the appropriate IAM roles to an account. When you assign IAM roles to an account, that account is granted the ability to deploy new versions of apps, including deploying and overwriting existing versions that are currently serving traffic.
The App Engine Deployer role is the recommended role for an account that is responsible for deploying apps. The App Engine Admin role can also deploy apps but allows additional privileges. Depending on which configuration files must be deployed, you might also need to grant additional roles to an account as explained in the following steps.
To grant an account the ability to deploy to App Engine:
In the Google Cloud Platform Console, visit the IAM & Admin permissions page for your project.
Click Add member to add the account to the project and then select all of the roles for that account by using the dropdown menu:
- Required roles to allow an account to deploy to App Engine:
  - Give the account one of the following roles:
    - Use the App Engine > App Engine Deployer role to allow the account to deploy a version of an app.
    - To also allow the dispatch.yaml files to be deployed with an app, use the App Engine > App Engine Admin role instead.
  - You must also give the account all of the following roles:
    - Storage > Storage Admin
    - Other > Deployment Manager Editor
    - Container Builder > Cloud Container Builder Editor. If you don't see this role, you must first enable the Container Builder API: go to the APIs Library page.
- Optional. Give the account the following roles to grant permission for uploading additional configuration:
  - Datastore > Datastore Index Admin role: Permissions for
  - Cloud Scheduler > Cloud Scheduler Admin role: Permissions
  - Cloud Tasks > Cloud Tasks Queue Admin role: Permissions for
  - To allow an account to deploy changes to the default networking configuration, you must give the account a role with adequate permissions, such as the Compute Engine > Compute Network Admin role.
The account can now deploy apps to the target GCP project in App Engine. For more information about how to deploy apps, see Deploying your application.
Troubleshooting IAM-related deployment failures
If you configured permissions as instructed above but accounts remain unable to deploy apps, use the following steps to ensure that your GCP project is configured properly.
By default, when you create a new GCP project and enable it for the App Engine flexible environment, that project gets created with all of the permissions and APIs that are required for deploying apps. However, it is possible for one or more of those permissions or APIs to be removed through the project settings. These instructions show you what to check for if you experience a deployment failure.
Verify that the following exist or have been enabled in your GCP project:
The App Engine application has been created and billing is enabled.
The following APIs are enabled in the GCP Console:
In the IAM & admin page of the GCP Console, ensure that the Google APIs service account that is used by Google Cloud Container Builder, [PROJECT_NUMBER]@cloudbuild.gserviceaccount.com, has the Editor permissions. The service account must have permissions to write to the staging.[PROJECT_ID].appspot.com bucket to stage files for Cloud Container Builder. By default, this service account has the Editor role on the project, so you should only need to make changes here if you changed this service account's role:
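Both the required deploy-role set from the section above and the Cloud Container Builder service-account check here can be verified from one policy export instead of clicking through the console. The following is an added example (not Google's code or anything from this page) that reads the JSON from `gcloud projects get-iam-policy PROJECT_ID --format=json`, reports which of the required roles a deploying member still lacks, and confirms the `[PROJECT_NUMBER]@cloudbuild.gserviceaccount.com` account holds Editor. The sample policy, project number and member names are constructed, and the mapping of the page's display names to role IDs (`roles/appengine.deployer`, `roles/appengine.appAdmin`, `roles/storage.admin`, `roles/deploymentmanager.editor`, `roles/cloudbuild.builds.editor`, `roles/editor`) is an assumption of the example.

```python
"""Check a project IAM policy for App Engine deploy prerequisites (added example).

Input is the JSON from `gcloud projects get-iam-policy PROJECT_ID --format=json`.
The sample policy, project number and members are constructed; role ids are the
assumed IAM names for the display names used on the page.
"""
import json
import sys

# Either of these satisfies the "one of the following roles" requirement.
DEPLOY_ROLE_ALTERNATIVES = {"roles/appengine.deployer", "roles/appengine.appAdmin"}
# All of these are required in addition.
DEPLOY_ROLES_REQUIRED = {
    "roles/storage.admin",
    "roles/deploymentmanager.editor",
    "roles/cloudbuild.builds.editor",
}
ALTERNATIVE_LABEL = "roles/appengine.deployer (or roles/appengine.appAdmin)"

# Constructed sample: the deployer group is missing the Container Builder role.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/appengine.deployer", "members": ["group:app-deployers@example.com"]},
        {"role": "roles/storage.admin", "members": ["group:app-deployers@example.com"]},
        {"role": "roles/deploymentmanager.editor",
         "members": ["group:app-deployers@example.com"]},
    ],
    "etag": "BwWq0example=",
}


def roles_of(policy, member):
    """Roles bound directly to `member` at the project level.

    Group membership is not expanded: if a user deploys through a group,
    check the group member string, not the user.
    """
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def missing_deploy_roles(policy, member):
    """Return the set of roles `member` still needs; an empty set means it can deploy."""
    have = roles_of(policy, member)
    missing = DEPLOY_ROLES_REQUIRED - have
    if not (have & DEPLOY_ROLE_ALTERNATIVES):
        missing.add(ALTERNATIVE_LABEL)
    return missing


def cloudbuild_sa_has_editor(policy, project_number):
    """True if the Container Builder service account still holds the Editor role."""
    sa = f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"
    return "roles/editor" in roles_of(policy, sa)


if __name__ == "__main__":
    # Usage: python check_deploy_iam.py POLICY.json PROJECT_NUMBER MEMBER
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    number = sys.argv[2] if len(sys.argv) > 2 else "123456789012"
    member = sys.argv[3] if len(sys.argv) > 3 else "group:app-deployers@example.com"
    print("missing for", member, ":", sorted(missing_deploy_roles(policy, member)) or "none")
    print("cloudbuild SA has Editor:", cloudbuild_sa_has_editor(policy, number))
```

Two limits worth knowing: the check only sees project-level bindings, so a role granted on the staging bucket itself or inherited from a folder or organization will not show up, and it does not expand Google Group membership, which is why the member string to test is the group rather than an individual user.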