After you create an App Engine application, the App Engine default service account is created and used as the identity of the App Engine service. The App Engine default service account is associated with your GCP project and executes tasks on behalf of your apps running in App Engine.
By default, the App Engine default service account has the Editor role in the project. This means that any user account with sufficient permissions to deploy changes to the GCP project can also run code with read/write access to all resources within that project.
You can change the permissions for your service accounts in GCP Console. For example, you can downgrade the permissions used by the App Engine default service account by changing its role from Editor to whichever role(s) best represent the access needs of your App Engine application.
To change the permissions for your service accounts:
1. Open the GCP Console:
2. In the Members list, locate the ID of the App Engine default service account.
   The App Engine default service account uses the member ID:
3. You can then use the dropdown menu to modify the roles assigned to the service account.
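The same downgrade can be checked and prepared against an exported IAM policy before it is applied. This is an added example, not part of the original documentation; it assumes the JSON layout printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, the member ID form `PROJECT_ID@appspot.gserviceaccount.com`, and a constructed project `example-project` whose app needs only `roles/datastore.user`.

```python
import copy

BROAD_ROLES = {"roles/owner", "roles/editor"}  # basic roles with project-wide write access

def default_sa_member(project_id):
    # Assumed member ID form of the App Engine default service account.
    return f"serviceAccount:{project_id}@appspot.gserviceaccount.com"

def broad_roles_held(policy, project_id):
    """Return the broad roles currently bound to the default service account."""
    member = default_sa_member(project_id)
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if b["role"] in BROAD_ROLES and member in b.get("members", []))

def downgrade(policy, project_id, replacement_roles):
    """Return a copy of policy with the account's broad roles swapped out."""
    member = default_sa_member(project_id)
    new_policy = copy.deepcopy(policy)  # input untouched; etag carried over
    bindings = []
    for b in new_policy.get("bindings", []):
        if b["role"] in BROAD_ROLES:
            b["members"] = [m for m in b.get("members", []) if m != member]
        if b.get("members"):  # drop bindings left without members
            bindings.append(b)
    for role in replacement_roles:
        target = next((b for b in bindings
                       if b["role"] == role and "condition" not in b), None)
        if target is None:
            target = {"role": role, "members": []}
            bindings.append(target)
        if member not in target["members"]:
            target["members"].append(member)
    new_policy["bindings"] = bindings
    return new_policy

# Constructed sample policy; not taken from a real project.
SAMPLE_POLICY = {
    "etag": "CONSTRUCTED_ETAG",
    "bindings": [
        {"role": "roles/editor", "members": [
            "serviceAccount:example-project@appspot.gserviceaccount.com",
            "user:dev@example.com"]},
    ],
}

if __name__ == "__main__":
    fixed = downgrade(SAMPLE_POLICY, "example-project", ["roles/datastore.user"])
    print("broad roles before:", broad_roles_held(SAMPLE_POLICY, "example-project"))
    print("broad roles after: ", broad_roles_held(fixed, "example-project"))
```

The returned policy keeps the exported `etag`, so writing it back with `gcloud projects set-iam-policy PROJECT_ID policy.json` fails instead of overwriting a policy that changed in the meantime.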
Using the default service account
Your App Engine app uses the credentials of the App Engine service account by default. For more information, see Granting your app access to Cloud services.
If you delete your App Engine default service account, your App Engine application might break and lose access to other GCP services, such as Cloud Datastore.
You can restore a deleted App Engine default service account using the gcloud beta app repair command:

# Set your gcloud project
gcloud config set project <project-id>

# Restore your default service account
gcloud beta app repair