Go 1.14 is now generally available.

Roles that Grant Access to App Engine

Roles determine which services and actions are available to a user account or service account. The following types of roles grant access to App Engine:

  • Basic roles which apply to all services and resources in a project, including but not limited App Engine. For example, an account with the Editor role can change App Engine settings as well as Cloud Storage settings.

  • Predefined App Engine roles, which provide granular access to App Engine. Each service in your Cloud project provides its own predefined roles. For example, an account that only has the App Engine Deployer role can deploy App Engine apps but cannot view or create objects in Cloud Storage. Such an account would also need a specific Cloud Storage predefined role to create or view objects in Cloud Storage.

  • Custom roles, which provide granular access according to a list of permissions you specify.

You can use basic roles when you are working on smaller projects that have less complex needs. For more fine-tuned access controls, use predefined roles.

Basic roles

Basic roles apply to all services and resources in a project. For example, an account in the Editor role can change App Engine settings as well as Cloud Storage settings.

Role Cloud Console permissions Tools permissions
Owner Required to create App Engine applications. All viewer and editor privileges, plus the ability to view deployed source code, invite users, change user roles, and delete an application. Required to create App Engine applications. Can also deploy application code and update all configurations.
Editor View application information and edit application settings. Deploy application code, update indexes/queues/crons.
Viewer View application information. Request logs

Predefined App Engine roles

Role Title Description Permissions Lowest resource
roles/appengine.appAdmin App Engine Admin

Read/Write/Modify access to all application configuration and settings.

To deploy new versions, you must also grant the Service Account User (roles/iam.serviceAccountUser) role.

To use the gcloud tool to deploy, you must add the Storage Admin (roles/compute.storageAdmin) and Cloud Build Editor (roles/cloudbuild.builds.editor) roles.

  • appengine.applications.get
  • appengine.applications.update
  • appengine.instances.*
  • appengine.operations.*
  • appengine.runtimes.*
  • appengine.services.*
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/appengine.appCreator App Engine Creator Ability to create the App Engine resource for the project.
  • appengine.applications.create
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/appengine.appViewer App Engine Viewer Read-only access to all application configuration and settings.
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/appengine.codeViewer App Engine Code Viewer Read-only access to all application configuration, settings, and deployed source code.
  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.getFileContents
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/appengine.deployer App Engine Deployer

Read-only access to all application configuration and settings.

To deploy new versions, you must also grant the Service Account User (roles/iam.serviceAccountUser) role.

To use the gcloud tool to deploy, you must add the Storage Admin (roles/compute.storageAdmin) and Cloud Build Editor (roles/cloudbuild.builds.editor) roles.

Cannot modify existing versions other than deleting versions that are not receiving traffic.

  • appengine.applications.get
  • appengine.instances.get
  • appengine.instances.list
  • appengine.operations.*
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.create
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project
roles/appengine.serviceAdmin App Engine Service Admin

Read-only access to all application configuration and settings.

Write access to module-level and version-level settings. Cannot deploy a new version.

  • appengine.applications.get
  • appengine.instances.*
  • appengine.operations.*
  • appengine.services.*
  • appengine.versions.delete
  • appengine.versions.get
  • appengine.versions.list
  • appengine.versions.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
Project

The predefined roles for App Engine provide you with finer grained options for access control.

These roles only provide access to App Engine. If your project includes other services, such as Cloud Storage or Cloud SQL, you will need to assign additional roles to enable access to the other services.

Comparison of App Engine predefined roles

The following table provides a complete comparison of the capabilities of each predefined App Engine role.

Capability App Engine Admin App Engine Service Admin App Engine Deployer App Engine Viewer App Engine Code Viewer
List all services, versions and instances Yes Yes Yes Yes Yes
View all application, service, version, and instance settings Yes Yes Yes Yes Yes
View runtime metrics such as resource usage, load information, and error information Yes Yes Yes Yes Yes
View app source code No No No No Yes
Deploy a new version of an app Yes No Yes, if you also grant the Service Account User role No No
Split or migrate traffic Yes Yes No No No
Start and stop a version Yes Yes No No No
Delete a version Yes Yes Yes No No
Delete an entire service Yes Yes No No No
Use SSH to connect to a VM instance in the flexible environment Yes No No No No
Shut down an instance Yes No No No No
Disable and re-enable the App Engine application Yes No No No No
Access handlers that have a login:admin restriction (first generation runtimes only) Yes No No No No
Update dispatch rules Yes No No No No
Update DoS settings Yes No No No No
Update cron schedules No No No No No
Update default cookie expiration Yes No No No No
Update referrers Yes No No No No
Update Email API Authorized Senders Yes No No No No

For details about the specific IAM permissions that are granted by each role, see the Roles section of the Admin API.

For an account that is responsible only for deploying new versions of an app, we recommend that you grant the following roles:

  • App Engine Deployer role (roles/appengine.deployer)
  • Service Account User role (roles/iam.serviceAccountUser)
    The Service Account User role enables the account to impersonate the default App Engine service account during the deployment process.
  • If the account uses gcloud commands to deploy, add these roles as well:

    • Storage Admin (roles/compute.storageAdmin)
    • Cloud Build Editor (roles/cloudbuild.builds.editor)

The App Engine Admin role can also deploy versions, but it includes additional administrative privileges. To deploy versions you also need the Service Account User role, and to deploy using gcloud commands you need the the Storage Admin role and Cloud Build editor role as well.

For details about how to grant the required permissions, see Creating a user account.

Separation of deployment and traffic routing duties

Many organizations prefer to separate the task of deploying an application version from the task of ramping up traffic to the newly created version, and to have these tasks done by different job functions. The App Engine Deployer and App Engine Service Admin roles provide this separation:

  • App Engine Deployer plus Service Account User roles - Accounts are limited to deploying new versions and deleting old versions that are not serving traffic. The account with these roles won't be able to configure traffic to any version nor change application-level settings such as dispatch rules or authentication domain.

  • App Engine Service Admin role - Accounts cannot deploy a new version of an app nor change application-level settings. However, those accounts have privileges to change the properties of existing services and versions, including changing which versions can serve traffic. The App Engine Service Admin role is ideal for an Operations/IT department that handles ramping up traffic to newly deployed versions.

Limitations of the predefined roles

None of the App Engine predefined roles grant access to the following:

  • Create App Engine applications.
  • View and download application logs.
  • View Monitoring charts in the Cloud Console.
  • Enable and Disable billing.
  • Run security scans in Cloud Security Scanner.
  • Access configuration or data stored in Datastore, Task Queues, Memcache, Cloud Search or any other Cloud Platform storage product.