App Engine includes a service agent named App Engine standard environment Service Agent. This service agent enables your services to act on your behalf when accessing other Google Cloud resources. It is essential to keep the service agent unmodified.
Note that the service agent is not listed on the Service Accounts page in the Google Cloud console and is unrelated to the App Engine default service account.
The service agent for your Google Cloud project is automatically created after you deploy your first service, for example, after you run the gcloud app deploy command for the first time to deploy an app in the standard environment.
The service agent uses the predefined IAM role App Engine standard environment Service Agent, which includes a set of permissions needed by App Engine to manage your apps. This role is granted to the service agent automatically when the service agent is created.
For example, the permissions allow your Google Cloud project to use the Blobstore API, or to obtain an access token that your App Engine instances use to access other Google Cloud resources, such as a Cloud Storage bucket.
Important restrictions:
- Do not revoke the roles that are granted to the service agent.
- Do not grant the related App Engine standard environment Service Agent role to any other account. Note that the permissions in this role can change without notice.
Verify the service agent
To verify that the service agent has its required role in your Google Cloud project, perform the following steps:
1. In the Google Cloud console, go to the Permissions page.
2. In the upper-right corner of the Permissions page, select the Include Google-provided role grants checkbox.
3. In the Principals list, locate the service agent with the following ID:
   service-PROJECT_NUMBER@gcp-gae-service.iam.gserviceaccount.com
4. Verify that the service agent has been granted the App Engine standard environment Service Agent role.
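The same check can be run against an exported IAM policy. The script below is an added example, not part of the original page: it audits both restrictions listed above (the service agent holds the role, and no other principal does). It assumes the role ID is roles/appengine.serviceAgent (the page gives only the display name) and uses a constructed sample policy with a made-up project number and user.

```python
import json

# Role ID for the "App Engine standard environment Service Agent" role.
# Assumption: the page shows only the display name; confirm the ID in your project.
AGENT_ROLE = "roles/appengine.serviceAgent"


def agent_member(project_number):
    """Build the IAM member string from the service agent ID format on the page."""
    return ("serviceAccount:service-%s@gcp-gae-service.iam.gserviceaccount.com"
            % project_number)


def audit_agent_role(policy, project_number):
    """Report whether the agent holds the role and which other principals do."""
    agent = agent_member(project_number)
    holders = set()
    # The same role can appear in more than one binding, so merge all of them.
    for binding in policy.get("bindings", []):
        if binding.get("role") == AGENT_ROLE:
            holders.update(binding.get("members", []))
    return {
        "agent_has_role": agent in holders,
        "other_holders": sorted(holders - {agent}),
    }


# Constructed sample, in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/appengine.serviceAgent",
   "members": [
     "serviceAccount:service-123456789012@gcp-gae-service.iam.gserviceaccount.com",
     "user:dev@example.com"]},
  {"role": "roles/editor",
   "members": ["serviceAccount:sample-project@appspot.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    result = audit_agent_role(SAMPLE_POLICY, "123456789012")
    print("service agent has role:", result["agent_has_role"])
    for member in result["other_holders"]:
        print("role also granted to (should be removed):", member)
```

To audit a real project, replace SAMPLE_POLICY with the parsed output of the gcloud command named in the comment and pass your own project number.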
Restore required role for the service agent
If you accidentally remove the required App Engine standard environment Service Agent role binding for the service agent from your Google Cloud project, restore it by performing the following steps:
1. In the Google Cloud console, go to the Permissions page.
2. Click Add.
3. Enter the service agent ID in the following format:
   service-PROJECT_NUMBER@gcp-gae-service.iam.gserviceaccount.com
4. Select the App Engine standard environment Service Agent role.
5. Click Save.