Google-managed service agent

App Engine includes a service agent named App Engine standard environment Service Agent . This service agent enables your services to act on your behalf when accessing other Google Cloud resources. It is essential to keep the service agent unmodified.

Note that the service agent is not listed on the Service Accounts page in the Google Cloud console and is unrelated to the App Engine default service account.

The service agent for your Google Cloud project is automatically created after you deploy your first service—for example, after you run the gcloud app deploy command for the first time to deploy an app in the standard environment.

The service agent uses the predefined IAM role App Engine standard environment Service Agent, which includes a set of permissions needed by App Engine to manage your apps. This role is granted to the service agent automatically when the service agent is created.

For example, the permissions allow your Google Cloud project to use the Blobstore API, or to obtain an access token that your App Engine instances use to access other Google Cloud resources, such as a Cloud Storage bucket.

Important restrictions:

Verify the service agent

To verify that the service agent has its required role in your Google Cloud project, perform the following steps:

  1. In the Google Cloud console, go to the Permissions page.

    Go to Permissions

  2. In the upper-right corner of the Permissions page, select the Include Google-provided role grants checkbox.

  3. In the Principals list, locate the service agent with the following ID:
    service-PROJECT_NUMBER@gcp-gae-service.iam.gserviceaccount.com.

  4. Verify that the service agent has been granted the App Engine standard environment Service Agent role.

Restore required role for the service agent

If you accidentally remove the required App Engine standard environment Service Agent role binding for the service agent from your Google Cloud project, restore it by performing the following steps:

  1. In the Google Cloud console, go to the Permissions page.

    Go to Permissions

  2. Click Add.

  3. Enter the service agent ID in the following format:
    service-PROJECT_NUMBER@gcp-gae-service.iam.gserviceaccount.com.

  4. Select the App Engine standard environment Service Agent role.

  5. Click Save.