Stay organized with collections
Save and categorize content based on your preferences.
App Engine includes a
service agent named
App Engine standard environment Service Agent
. This service agent enables your services to act on your behalf
when accessing other Google Cloud resources. It is essential to keep the
service agent unmodified.
Note that the service agent is not listed on the Service Accounts page in
the Google Cloud console and is unrelated to the
App Engine default service account.
The service agent for your Google Cloud project is automatically created after you
deploy your first service—for example, after you run the gcloud app
deploy command for the first time to deploy an app in the standard
environment.
The service agent uses the predefined IAM role
App Engine standard environment Service
Agent,
which includes a set of permissions needed by App Engine to manage your
apps. This role is granted to the service agent automatically when the service
agent is created.
For example, the permissions allow your Google Cloud project
to use the Blobstore API, or
to obtain an access token that your App Engine instances use to access
other Google Cloud resources, such as a Cloud Storage bucket.
Important restrictions:
Do not revoke the roles that are granted to the service agent.
In the upper-right corner of the Permissions page, select the
Include Google-provided role grants checkbox.
In the Principals list, locate the service
agent with the following ID: service-PROJECT_NUMBER@gcp-gae-service.iam.gserviceaccount.com.
Verify that the service agent has been
granted the
App Engine standard environment Service Agent role.
Restore required role for the service agent
If you accidentally remove the required
App Engine standard environment Service Agent role
binding for the service agent from your Google Cloud project, restore it by performing the
following steps:
In the Google Cloud console, go to the Permissions page.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eApp Engine utilizes a service agent, distinct from the default service account, to enable your services to access other Google Cloud resources on your behalf.\u003c/p\u003e\n"],["\u003cp\u003eIt is crucial that the service agent's default role and permissions remain untouched, as modifications or removal can cause deployment failures.\u003c/p\u003e\n"],["\u003cp\u003eThe service agent is automatically created upon your initial deployment to the App Engine standard environment, using the "App Engine standard environment Service Agent" role.\u003c/p\u003e\n"],["\u003cp\u003eYou can verify the service agent's role in the Google Cloud console's Permissions page by searching for the service agent's unique ID and ensuring it has the proper role.\u003c/p\u003e\n"],["\u003cp\u003eIf the service agent's role is accidentally removed, it can be restored by manually re-adding it on the Permissions page in the Google Cloud console.\u003c/p\u003e\n"]]],[],null,["# Google-managed service agent\n\n\u003cbr /\u003e\n\n\u003cbr /\u003e\n\n\nApp Engine includes a\n[service agent](/iam/docs/service-account-types#service-agents) named\n\n*App Engine standard environment Service Agent*\n. This service agent enables your services to act on your behalf\nwhen accessing other Google Cloud resources. It is essential to keep the\nservice agent unmodified.\n| **Warning:** If you remove the default role binding or modify the permissions granted to the service agent on your Google Cloud project, any deployment to your app in the App Engine standard environment might fail.\n\nNote that the service agent is not listed on the **Service Accounts** page in\nthe Google Cloud console and is unrelated to the\n[App Engine default service account](/appengine/docs/standard/default-service-account).\n\nThe service agent for your Google Cloud project is automatically created after you\ndeploy your first service---for example, after you run the `gcloud app\ndeploy` command for the first time to deploy an app in the standard\nenvironment.\n\nThe service agent uses the predefined IAM role\n[App Engine standard environment Service\nAgent](/iam/docs/understanding-roles#appengine.serviceAgent),\nwhich includes a set of permissions needed by App Engine to manage your\napps. This role is granted to the service agent automatically when the service\nagent is created.\n\nFor example, the permissions allow your Google Cloud project\nto use the Blobstore API, or\nto obtain an access token that your App Engine instances use to access\nother Google Cloud resources, such as a Cloud Storage bucket.\n\n**Important restrictions**:\n\n- Do not revoke the roles that are granted to the service agent.\n- Do not grant the related [App Engine standard environment Service Agent role](/iam/docs/understanding-roles#appengine.serviceAgent) to any other account. Note that the permissions in this role can change without notice.\n\nVerify the service agent\n------------------------\n\nTo verify that the service agent has its required role in your\nGoogle Cloud project, perform the following steps:\n\n1. In the Google Cloud console, go to the **Permissions** page.\n\n [Go to Permissions](https://console.cloud.google.com/iam-admin/iam)\n2. In the upper-right corner of the **Permissions** page, select the\n **Include Google-provided role grants** checkbox.\n\n3. In the **Principals** list, locate the service\n agent with the following ID: \n\n\n `service-`\u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e`@gcp-gae-service.iam.gserviceaccount.com`.\n\n4. Verify that the service agent has been\n granted the\n **App Engine standard environment Service Agent** role.\n\nRestore required role for the service agent\n-------------------------------------------\n\nIf you accidentally remove the required\n**App Engine standard environment Service Agent** role\n\nbinding for the service agent from your Google Cloud project, restore it by performing the\nfollowing steps:\n\n1. In the Google Cloud console, go to the **Permissions** page.\n\n [Go to Permissions](https://console.cloud.google.com/iam-admin/iam)\n2. Click **Add**.\n\n3. Enter the service agent ID in the following format: \n\n\n `service-`\u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e`@gcp-gae-service.iam.gserviceaccount.com`.\n\n4. Select the **App Engine standard environment Service Agent** role.\n\n5. Click **Save**."]]
