Service Account for the App Engine Flexible Environment

The App Engine flexible environment includes a Google-managed service account, the App Engine flexible environment service account, that executes flexible environment specific tasks on behalf of your apps.

The App Engine flexible environment service account is associated with your GCP project and allows your project to interact with the resources of your app separately from other GCP services.

The App Engine flexible environment service account is automatically created in a GCP project either when:

  • The Google App Engine Flexible Environment API is manually enabled in the GCP Console:

    Go to the API Library page

  • The first app is deployed to the App Engine flexible environment using App Engine tooling, for example: gcloud app deploy

Unlike the App Engine default service account, the App Engine flexible environment service account is not listed on the Service Accounts page of the GCP Console and has the following restrictions:

  • Do not modify the permissions of the App Engine flexible environment service account.
  • Avoid using the related App Engine Flexible Environment Service Agent role with any user account. You cannot rely on the role because it can change without notice.

Verifying the App Engine flexible environment service account

To verify can that the App Engine flexible environment service account exists in your GCP project, view the Permissions page in the GCP Console:

  1. Open the GCP Console:

    Go to the Permissions page

  2. In the Members list, locate the ID of the App Engine flexible environment service account.

    The App Engine flexible environment service account uses the member ID:
    service-[YOUR_PROJECT_ID]@gae-api-prod.google.com.iam.gserviceaccount.com

  3. The App Engine flexible environment service account should have the App Engine Flexible Environment Service Agent role.

Service Agent role

The App Engine flexible environment service account has the App Engine Flexible Environment Service Agent role that includes a set of permissions needed by the App Engine to manage your flexible environment apps. For example, this role includes permissions to perform the following tasks:

  • Deploying a new version.
  • Stopping or deleting existing versions.
  • Automatic weekly restarts and system updates.

The App Engine Flexible Environment Service Agent role should be reserved for only the App Engine flexible environment service account. You should not use or assign this IAM role to any user account because the permissions change without any notice.

Troubleshooting

If you accidentally delete the App Engine flexible environment service account, recreate it by re-enabling the Google App Engine flexible environment API.

Send feedback about...

App Engine flexible environment for Node.js docs