Granting Project Access

Grant and control access to your Google Cloud Platform project and its resources by assigning roles. You can assign roles to project members and to service accounts.

A service account represents a Google Cloud service identity, such as an App Engine app, and can be used to access other services. To learn more about service accounts, see the OAuth 2.0 documentation.

For more information on the different types of App Engine roles, see Access Control.

Choosing the right access control

Assign roles to project members and service accounts to determine access to your Google Cloud Platform project. You can use Identity and Access Management (IAM) roles for more fine-tuned access controls. To learn more about IAM, see the IAM documentation.

In general, the primitive roles of Owner, Editor, and Viewer are simpler to use, but the predefined roles have more fine-grained options for access. If you are just experimenting with App Engine, the simplest approach to access control is to grant the Editor role to all people involved with the project, following the instructions below on Setting permissions. Keep in mind that only an Owner can add other people to the project.

When your project is ready for more complex roles:

  1. Identify all the different job functions that need access to the project.

  2. Set up a Google Group for each of these job functions.

  3. Add members as desired to each Google Group.

  4. Follow the instructions below on Setting permissions to add each Google Group as a member of the project and set roles on each group.

Setting permissions

To add a project member and set permissions:

  1. In the Google Cloud Platform Console, visit the IAM & Admin Permissions page for your project.

    Go to the IAM & Admin Permissions page

  2. Click Add member to add new members to the project and set their roles using the dropdown menu. You can add an individual user email or, if you use Google Groups to manage group roles, you can supply a Google Group email (

    Add a Group

  3. Assign a role.

To see descriptions and a comparison matrix of all the App Engine roles, and to read about limitations, go to Access Control.

There are other roles in the dropdown menu that apply to other Google Cloud Platform products. For more information on these roles, see Predefined roles.

Deploying using IAM roles

The App Engine Deployer role is the recommended role to grant to the account responsible for deploying a new version of a service, although you could also deploy with the App Engine Admin role. Note that other roles may be required to deploy, depending on which configuration files you are deploying; this is detailed in the deployment instructions below.

To grant a user the ability to deploy to App Engine:

  1. In the Google Cloud Platform Console, visit the IAM & Admin Permissions page for your project.

    IAM & Admin Permissions page

  2. Click Add member to add the user to the project and set roles for the user via the dropdown menu:

    1. Give the user the App Engine > App Engine Deployer role, unless the deployment uploads dos.yaml or dispatch.yaml, in which case give the user the App Engine Admin role instead.
    2. If the deployment uploads index.yaml, give the user the Datastore > Datastore Index Admin role.
    3. If the deployment uploads cron.yaml, give the user the Cloud Scheduler > Cloud Scheduler Admin role.
    4. If the deployment uploads queue.yaml, give the user the Cloud Tasks > Cloud Tasks Queue Admin role.
    5. Give the user the Storage > Storage Admin role.
    6. Give the user the Container Builder > Cloud Container Builder Editor role. If you don’t see this role, enable the Container Builder API first.
    7. Give the user the Other > Deployment Manager Editor role.
    8. If your deployment involves changes to the default networking configuration, give the user a role that allows changing networking configuration, such as the Compute Engine > Compute Network Admin role.
  3. The user can now deploy the project to App Engine. For information on deploying apps to App Engine, see Deploying your application.
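
The role selection in step 2 can be checked against an existing IAM policy before a deployment is attempted. The following is an added example, not part of the original documentation: it derives the role set from the configuration files being uploaded and reports which roles a member is missing, which are not needed for deployment, and which are primitive roles. The role IDs are this example's mapping of the display names above, and the policy is assumed to be in the JSON shape returned by `gcloud projects get-iam-policy --format=json`; the sample policy and member names are constructed.

```python
import json

# Role IDs are this example's mapping of the console display names listed
# above; confirm them against your project's role list before relying on them.
BASE_ROLES = {"roles/storage.admin", "roles/cloudbuild.builds.editor",
              "roles/deploymentmanager.editor"}
FILE_ROLES = {
    "index.yaml": "roles/datastore.indexAdmin",
    "cron.yaml": "roles/cloudscheduler.admin",
    "queue.yaml": "roles/cloudtasks.queueAdmin",
}
ADMIN_ONLY_FILES = {"dos.yaml", "dispatch.yaml"}
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def required_roles(uploaded_files, changes_network=False):
    """Return the roles the deployment steps call for, given the files uploaded."""
    files = set(uploaded_files)
    roles = set(BASE_ROLES)
    # dos.yaml or dispatch.yaml: App Engine Admin replaces App Engine Deployer.
    if files & ADMIN_ONLY_FILES:
        roles.add("roles/appengine.appAdmin")
    else:
        roles.add("roles/appengine.deployer")
    roles.update(role for name, role in FILE_ROLES.items() if name in files)
    if changes_network:
        roles.add("roles/compute.networkAdmin")
    return roles


def audit_member(policy, member, uploaded_files, changes_network=False):
    """Compare a member's bindings in an IAM policy with the required roles."""
    granted = {b["role"] for b in policy.get("bindings", [])
               if member in b.get("members", [])}
    needed = required_roles(uploaded_files, changes_network)
    return {
        "missing": sorted(needed - granted),
        "unneeded": sorted(granted - needed - PRIMITIVE_ROLES),
        "primitive": sorted(granted & PRIMITIVE_ROLES),
    }


# Constructed sample policy (not from a real project).
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/appengine.deployer", "members": ["user:deployer@example.com"]},
  {"role": "roles/storage.admin", "members": ["user:deployer@example.com"]},
  {"role": "roles/editor", "members": ["user:deployer@example.com", "group:devs@example.com"]},
  {"role": "roles/datastore.indexAdmin", "members": ["user:deployer@example.com"]}
]}""")
print(audit_member(SAMPLE_POLICY, "user:deployer@example.com", ["app.yaml", "cron.yaml"]))
```

Roles reported as "primitive" are listed separately because they apply project-wide rather than to the deployment task.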

By default, when you create a new project and enable it for App Engine flexible environment, the project has enabled all of the permissions and APIs required for successful deployment. However, it is possible for project settings to be edited to remove one or more of the permissions/APIs required for successful deployment. These instructions show you what to check for if you experience a deployment failure.

If you experience a deployment failure:

  1. Make sure billing is enabled on the project.

  2. Make sure the Google App Engine Flexible Environment API is enabled.

  3. Visit the IAM & Admin page in the console and, in the list of service accounts, locate the Google APIs service account used by Container Builder: it is named <project_number> Make sure it has Editor permissions: this service account must be able to write to the staging.<project_id> bucket to stage files for Container Builder. By default, this service account has the Editor role on the project, so you should only need to make changes here if you changed this service account’s role.
