Roles that Grant Access to App Engine

Roles determine which services and actions are available to a user account or service account. The following types of roles grant access to App Engine:

Primitive roles which apply to all services and resources in a project, including but not limited App Engine. For example, an account with the Editor role can change App Engine settings as well as Cloud Storage settings.
App Engine predefined roles, which provide granular access to App Engine. Each service in your Google Cloud project provides its own predefined roles. For example, an account that only has the App Engine Deployer role can deploy App Engine apps but cannot view or create objects in Cloud Storage. Such an account would also need a specific Cloud Storage predefined role to create or view objects in Cloud Storage.
Custom roles, which provide granular access according to a list of permissions you specify.

You can use primitive roles when you are working on smaller projects that have less complex needs. For more fine-tuned access controls, use predefined roles.

Primitive roles

Primitive roles and apply to all services and resources in a project. For example, an account in the Editor role can change App Engine settings as well as Cloud Storage settings.

Role	Cloud Console permissions	Tools permissions
`Owner`	Required to create App Engine applications. All viewer and editor privileges, plus the ability to view deployed source code, invite users, change user roles, and delete an application. Has admin privileges to all resources in the project.	Required to create App Engine applications. Deploy application code and update all configurations.
`Editor`	View application information and edit application settings. Has admin privileges to all resources in the project.	Deploy application code, update indexes/queues/crons.
`Viewer`	View application information. Has admin privileges to all resources in the project.	Request logs

Predefined App Engine roles

The predefined roles for App Engine provide you with finer grained options for access control.

These roles only provide access to App Engine. If your project includes other services, such as Cloud Storage or Cloud SQL, you will need to assign additional predefined roles to enable access to the other services.

The following table lists each App Engine role with its targeted user. Use the comparison table to view all role capabilities.

Role	Capabilities	Target User
App Engine Admin	Read/Write/Modify access to all application configuration and settings.	Application owner/administrator On-call engineer Sys Admin
App Engine Service Admin	Read-only access to all application configuration and settings. Write access to service-level and version-level settings, including traffic configuration. Cannot deploy versions of apps, see separation of duties below for details.	Release engineer DevOps On-call engineer Sys Admin
App Engine Deployer	Read-only access to all application configuration and settings. Write access only to deploy and create a new version. Delete old versions that are not serving traffic. Cannot modify an existing version, nor change traffic configuration. Note: The App Engine Deployer role alone grants adequate permission to deploy using the Admin API. To use other App Engine tooling, like `gcloud` commands, you must also have the Storage Admin role. See the deployments section below for more information about the required roles.	Deployment account Release engineer
App Engine Viewer	Read-only access to all application configuration and settings.	User needing visibility into application, but not to modify it. Audit job checking App Engine configuration for policy compliance.
App Engine Code Viewer	Read-only access to all application configuration, settings, and deployed source code.	User needing visibility into application and its source code, but not to modify it. DevOps user needing to diagnose production issues.

Comparison of App Engine predefined roles

The following table provides a complete comparison of the capabilities of each predefined App Engine role.

Capability	App Engine Admin	App Engine Service Admin	App Engine Deployer	App Engine Viewer	App Engine Code Viewer
List all services, versions and instances	Yes	Yes	Yes	Yes	Yes
View all application, service, version, and instance settings	Yes	Yes	Yes	Yes	Yes
View runtime metrics such as resource usage, load information, and error information	Yes	Yes	Yes	Yes	Yes
View app source code	No	No	No	No	Yes
Deploy a new version of an app	Yes	No	Yes	No	No
Split or migrate traffic	Yes	Yes	No	No	No
Start and stop a version	Yes	Yes	No	No	No
Delete a version	Yes	Yes	Yes	No	No
Delete an entire service	Yes	Yes	No	No	No
Use SSH to connect to a VM instance in the flexible environment	Yes	No	No	No	No
Shut down an instance	Yes	No	No	No	No
Disable and re-enable the App Engine application	Yes	No	No	No	No
Access handlers that have a login:admin restriction	Yes	No	No	No	No
Update dispatch rules	Yes	No	No	No	No
Update DoS settings	Yes	No	No	No	No
Update cron schedules	No	No	No	No	No
Update default cookie expiration	Yes	No	No	No	No
Update referrers	Yes	No	No	No	No
Update Email API Authorized Senders	Yes	No	No	No	No

For details about the specific IAM permissions that are granted by each role, see the Roles section of the Admin API.

Recommended role for application deployment

The predefined App Engine Deployer role is the recommended role for an account that is responsible for only deploying a new version of an app. The App Engine Admin role is an alternative that includes additional administrative privileges, including the ability to deploy versions.

With either role, an account is granted adequate permission to use the Admin API to deploy apps. To grant permission to use the gcloud commands or other App Engine tooling, you must also give the account the Storage Admin role.

For details about how to grant the required permissions, see Deploying using IAM Roles.

Separation of deployment and traffic routing duties

Many organizations prefer to separate the task of deploying an application version from the task of ramping up traffic to the newly created version, and to have these tasks done by different job functions. The App Engine Deployer and App Engine Service Admin roles provide this separation:

App Engine Deployer role - Accounts are limited to deploying new versions and deleting old versions that are not serving traffic. The account with the App Engine Deployer role won't be able to configure traffic to any version nor change application-level settings such as dispatch rules or authentication domain.
App Engine Service Admin role - Accounts cannot deploy a new version of an app nor change application-level settings. However, those accounts have privileges to change the properties of existing services and versions, including changing which versions can serve traffic. The App Engine Service Admin role is ideal for an Operations/IT department that handles ramping up traffic to newly deployed versions.

Limitations of the predefined roles

None of the predefined roles listed above grant access to the following:

Create App Engine applications.
View and download application logs.
View Monitoring charts in the Cloud Console.
Enable and Disable billing.
Set up a daily Spending Limit (formerly known as Budget) for App Engine and view dollar amount spent.
Run security scans in Cloud Security Scanner.
Access configuration or data stored in Datastore, Task Queues, Memcache, Cloud Search or any other Cloud Platform storage product.

このページは役立ちましたか？評価をお願いいたします。

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

最終更新日: 12月 4, 2019