After you create an App Engine application, the App Engine default service account is created and used as the identity of your App Engine app. The App Engine default service account is associated with your Cloud project and executes tasks on behalf of your apps running in App Engine.
By default, the App Engine default service account has the Editor role in the project. This means that any user account with sufficient permissions to deploy changes to the Cloud project can also run code with read/write access to all resources within that project.
Service account for the flexible environment
In the App Engine flexible environment, there is also a Google-managed service account, known as a service agent, that executes flexible environment specific tasks on behalf of your apps. For more information about this service agent, see Service agent for the App Engine flexible environment.
Viewing the App Engine default service account
To view your service accounts:
1. In the Google Cloud console, go to the Service accounts page.
2. Select your project.
3. In the list, locate the email address of the App Engine default service account:
Modifying the default service account
By default, the App Engine default service account is granted the Editor role on the project. If you use an organization policy constraint to prevent the Editor role from being granted automatically, you must grant roles to the App Engine default service account. The roles that you grant to the default service account need to enable the app to access the resources it requires.
To learn how to grant roles to service accounts and other principals, see Manage access to service accounts.
Changing service account permissions
You can use the Google Cloud console to grant roles to or remove roles from the default service account. For example, you can downgrade the permissions used by the App Engine default service account by changing its role from Editor to the role or roles that best represent the access needs of your App Engine app.
To modify roles for the App Engine default service account:
1. In the Google Cloud console, go to the IAM page.
2. Select your project.
3. Locate the App Engine default service account in the Principals list. The App Engine default service account appears in the list if roles have been automatically or manually granted to the service account.
4. Select the edit button to modify the roles assigned to the service account.
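A scripted form of the role change above, as an added example that is not part of the original documentation: it takes a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`, reports whether the App Engine default service account holds Owner or Editor, and builds a policy that grants narrower roles instead. The account email format, the sample policy and the replacement roles are assumptions chosen for illustration.

```python
import copy

# Assumption: the default service account is PROJECT_ID@appspot.gserviceaccount.com.
GAE_SA_SUFFIX = "@appspot.gserviceaccount.com"
BROAD_ROLES = {"roles/owner", "roles/editor"}
# Constructed sample in the JSON shape of a project IAM policy.
SA = "serviceAccount:example-project@appspot.gserviceaccount.com"
SAMPLE_POLICY = {
    "etag": "CONSTRUCTED",
    "bindings": [
        {"role": "roles/editor", "members": [SA, "user:dev@example.com"]},
        {"role": "roles/datastore.user", "members": ["user:dev@example.com"]},
    ],
}

def is_gae_default_sa(member):
    return member.startswith("serviceAccount:") and member.endswith(GAE_SA_SUFFIX)

def find_broad_grants(policy):
    """Return sorted (member, role) pairs where the default SA holds Owner or Editor."""
    return sorted(
        (m, b["role"])
        for b in policy.get("bindings", [])
        if b["role"] in BROAD_ROLES
        for m in b.get("members", [])
        if is_gae_default_sa(m)
    )

def downgrade(policy, replacement_roles):
    """Return a copy where the default SA holds replacement_roles instead of broad roles."""
    new = copy.deepcopy(policy)
    targets = {m for m, _ in find_broad_grants(policy)}
    if not targets:
        return new
    kept = []
    for b in new["bindings"]:
        if b["role"] in BROAD_ROLES:
            b["members"] = [m for m in b.get("members", []) if m not in targets]
        if b.get("members"):
            kept.append(b)  # drop bindings left with no members
    for role in replacement_roles:
        # Reuse an unconditional binding for this role if the policy already has one.
        binding = next((b for b in kept if b["role"] == role and "condition" not in b), None)
        if binding is None:
            binding = {"role": role, "members": []}
            kept.append(binding)
        binding["members"] = sorted(set(binding["members"]) | targets)
    new["bindings"] = kept
    return new
```

Other principals that hold Editor keep it; only the App Engine default service account is moved, and the input policy is left unmodified so the two versions can be compared before anything is applied.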
Using the default service account
Your App Engine app uses the credentials of the App Engine service account by default. For more information, see Granting your app access to Cloud services.
Restoring a deleted default service account
If you delete your App Engine default service account, your App Engine application might break and lose access to other Google Cloud services, such as Datastore.
You can restore App Engine default service accounts that have been deleted within the last 30 days by following the steps in undeleting a service account.