Note: Java 8 has reached end of support on January 31, 2024. Your existing Java 8 applications will continue to run and receive traffic. However, App Engine might block re-deployment of applications that use runtimes after their end of support date. We recommend that you migrate to the latest supported version of Java.

Using user-managed service accounts

App Engine apps require a service account in order to access other Google Cloud services and execute tasks. By default, the App Engine default service account is used as the identity of your App Engine app. You may also specify a different user-managed service account to be used as the identity for a specific version of your App Engine app. This allows you to grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.

This guide covers how to specify a different user-managed service account when deploying a new version. If you don't need to create a distinct service account when deploying a specific version of your app, you can continue to use the default service account by not specifying a service account.

Creating a user-managed service account

To create a user-managed service account, see these instructions. When defining the Identity and Access Management (IAM) roles to grant your service account, you can refer to Roles that Grant Access to App Engine.

If you need to review IAM concepts before creating your service account, see IAM concepts overview and service accounts guides.

Specifying a service account when deploying your app

gcloud

Run the gcloud app deploy command and specify your service account:

gcloud app deploy --service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com

appengine-web.xml

In your appengine-web.xml file, specify your service account by adding the <service-account> element:

<service-account>SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com</service-account>

Next steps

Follow best practices for working with service accounts.