Notice: Over the next few months, we're reorganizing the App Engine documentation site to make it easier to find content and better align with the rest of Google Cloud products. The same content will be available, but the navigation will now match the rest of the Cloud products.

Python 2 is no longer supported by the community. We recommend that you migrate Python 2 apps to Python 3.

The App Engine standard environment service agent

Stay organized with collections Save and categorize content based on your preferences.

In addition to the App Engine default service account, the App Engine standard environment includes a Google-managed service account named App Engine standard environment service agent. The service agent enables your Cloud project to interact with the resources of your app separately from other Google Cloud services.

Google automatically creates this account when you deploy a project's first app to the App Engine standard environment using App Engine tooling, such as the gcloud app deploy command.

The service agent is not listed on the Service Accounts page of the Google Cloud console and has the following restrictions:

Verifying the App Engine standard environment service agent

To verify that the service agent exists in your Cloud project, perform the following steps:

  1. Open the Google Cloud console:

    Go to the Permissions page

  2. In the upper-right corner of the Permissions page, select the Include Google-provided role grants checkbox.

  3. In the Principals list, locate the ID of the App Engine standard environment service agent, which uses the ID
    service-PROJECT_NUMBER@gcp-gae-service.iam.gserviceaccount.com.

  4. Verify that the service agent has been granted the App Engine standard environment Service Agent role.

Service Agent role

The service agent has the App Engine standard environment Service Agent role. The role includes a set of permissions needed by Python 2 standard environment to manage your standard environment apps. For example, this role includes permissions to perform the following tasks:

  • Get an access token for App Engine instances to access other Google Cloud resources, such as a Cloud Storage bucket.
  • Use the Blobstore API from App Engine legacy bundled services.

The App Engine standard environment Service Agent role is reserved for the service agent. Do not grant this IAM role to any other account, because the permissions that the role includes can change without notice.

Restoring a deleted service agent

If you accidentally delete the App Engine standard environment service agent, restore it by performing the following steps:

  1. Open the Google Cloud console:

    Go to the Permissions page

  2. Click Add.

  3. Enter the service agent ID using the format
    service-PROJECT_NUMBER@gcp-gae-service.iam.gserviceaccount.com.

  4. Select the App Engine standard environment Service Agent role.

  5. Click Save.