Read/Write/Modify access to all application configuration and settings.
To deploy new versions, a principal must have the
Service Account User
(roles/iam.serviceAccountUser) role on the assigned App Engine
service account, and the Cloud Build Editor
(roles/cloudbuild.builds.editor), and Cloud Storage Object Admin
(roles/storage.objectAdmin) roles on the project.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.applications.listRuntimes
appengine.applications.update
appengine.instances.*
appengine.instances.delete
appengine.instances.enableDebug
appengine.instances.get
appengine.instances.list
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
appengine.operations.*
appengine.operations.get
appengine.operations.list
appengine.runtimes.actAsAdmin
appengine.services.*
appengine.services.delete
appengine.services.get
appengine.services.list
appengine.services.update
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.projectsettings.get
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.uploadArtifacts
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Creator
(roles/appengine.appCreator)
Ability to create the App Engine resource for the project.
Lowest-level resources where you can grant this role:
Project
appengine.applications.create
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Viewer
(roles/appengine.appViewer)
Read-only access to all application configuration and settings.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
artifactregistry.projectsettings.get
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Code Viewer
(roles/appengine.codeViewer)
Read-only access to all application configuration, settings, and deployed
source code.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.getFileContents
appengine.versions.list
artifactregistry.projectsettings.get
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Managed VM Debug Access
(roles/appengine.debugger)
Ability to read or manage v2 instances.
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.*
appengine.instances.delete
appengine.instances.enableDebug
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Deployer
(roles/appengine.deployer)
Read-only access to all application configuration and settings.
To deploy new versions, you must also have the
Service Account User
(roles/iam.serviceAccountUser) role on the assigned App Engine
service account, and the Cloud
Build Editor (roles/cloudbuild.builds.editor), and Cloud Storage Object Admin
(roles/storage.objectAdmin) roles on the project.
Cannot modify existing versions other than deleting versions that are not receiving traffic.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
artifactregistry.projectsettings.get
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.uploadArtifacts
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Memcache Data Admin
(roles/appengine.memcacheDataAdmin)
Can get, set, delete, and flush App Engine Memcache items.
appengine.applications.get
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Service Admin
(roles/appengine.serviceAdmin)
Read-only access to all application configuration and settings.
Write access to module-level and version-level settings. Cannot deploy a new version.
Lowest-level resources where you can grant this role:
[[["わかりやすい","easyToUnderstand","thumb-up"],["問題の解決に役立った","solvedMyProblem","thumb-up"],["その他","otherUp","thumb-up"]],[["わかりにくい","hardToUnderstand","thumb-down"],["情報またはサンプルコードが不正確","incorrectInformationOrSampleCode","thumb-down"],["必要な情報 / サンプルがない","missingTheInformationSamplesINeed","thumb-down"],["翻訳に関する問題","translationIssue","thumb-down"],["その他","otherDown","thumb-down"]],["最終更新日 2025-03-06 UTC。"],[[["Roles define the access levels for user and service accounts in App Engine, including basic, predefined, and custom options."],["Basic roles provide broad access across all project services, while predefined App Engine roles offer granular access specifically within App Engine."],["Predefined roles, such as App Engine Deployer, Admin, and Viewer, grant varying levels of permissions, from deploying apps to read-only access."],["For deploying new versions, the recommended setup includes the App Engine Deployer role, and Service Account User role, along with additional roles if using the gcloud commands, in order to impersonate the default App Engine service account during deployment."],["Separation of deployment and traffic management can be achieved using App Engine Deployer roles for deployments and App Engine Service Admin roles for controlling traffic and existing service settings."]]],[]]
