Grant and control access to your Google Cloud Platform project and its resources by assigning roles. You can assign roles to project members and to service accounts.
A service account represents a Google Cloud service identity, such as an App Engine app, and can be used to access other services. To learn more about service accounts, see the OAuth 2.0 documentation.
For more information on the different types of App Engine roles, see Access Control.
Choosing the right access control
Assign roles to project members and service accounts to determine access to your Google Cloud Platform project. You can use Identity and Access Management (IAM) roles for more fine-tuned access controls. To learn more about IAM, see the IAM documentation.
In general, the primitive roles of Owner, Editor, and Viewer are simpler to use, but the curated roles have more fine-grained options for access. If you are just experimenting with App Engine, the simplest approach to access control is to grant the Editor role to all people involved with the project, following the instructions below on Setting permissions. Keep in mind that only an Owner can add other people to the project.
When your project is ready for more complex roles:
Identify all the different job functions that need access to the project.
Set up a Google Group for each of these job functions.
Add members as desired to each Google Group.
Follow the instructions below on Setting permissions to add each Google Group as a member of the project and set roles on each group.
To add a project member and set permissions:
In the Google Cloud Platform Console, visit the IAM & Admin Permissions page for your project.
Click Add member to add new members to the project and set their roles using the dropdown menu. You can add an individual user email or, if you use Google Groups to manage group roles, you can supply a Google Group email (
Assign a role.
To see descriptions and a comparison matrix of all the App Engine roles, and to read about limitations, go to Access Control.
There are other roles in the dropdown menu that apply to other Google Cloud Platform products. For more information on these roles, see Curated roles.
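When a project moves from the Editor-for-everyone setup to per-job-function Google Groups, it helps to list which existing bindings still need to change. The following is an added example, not part of the original page or Google's own tooling: it reads a project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports individual-user grants and Editor/Viewer grants. The sample policy, the `my-project` project ID, the e-mail addresses and the `audit_policy` helper are constructed for illustration.

```python
import json

# Primitive roles that a curated role could replace. Owner is left out
# (a choice made for this example) because only an Owner can add people.
REPLACEABLE_PRIMITIVES = {"roles/editor", "roles/viewer"}

# Constructed sample policy; all members and the project ID are made up.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": [
        "user:bob@example.com",
        "group:developers@example.com",
        "serviceAccount:my-project@appspot.gserviceaccount.com"]},
    {"role": "roles/appengine.deployer", "members": [
        "group:release@example.com",
        "user:carol@example.com"]}
  ],
  "version": 1
}
""")


def audit_policy(policy):
    """Return sorted (member, role, issues) tuples for bindings to review."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            kind = member.partition(":")[0]  # user, group, serviceAccount, ...
            issues = []
            if kind == "user":
                # Granted to a person directly instead of through a Google Group.
                issues.append("individual-grant")
            if role in REPLACEABLE_PRIMITIVES:
                # Broad primitive role; a curated role may be a closer fit.
                issues.append("primitive-role")
            if issues:
                findings.append((member, role, issues))
    return sorted(findings)


if __name__ == "__main__":
    for member, role, issues in audit_policy(SAMPLE_POLICY):
        print(f"{member:55} {role:26} {', '.join(issues)}")
```

Bindings that grant a curated role to a group, such as the deployer group in the sample, produce no finding.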
Adding service accounts
By default, all App Engine projects have a service account. You can add another service account and create keys in the Service Accounts page in the Cloud Platform Console.
You can edit the roles of service accounts in the IAM Permissions page.
For more information on the public/private key for service accounts, see the Cloud Platform Console help page on Service accounts.