Notice: Over the next few months, we're reorganizing the App Engine documentation site to make it easier to find content and better align with the rest of Google Cloud products. The same content will be available, but the navigation will now match the rest of the Cloud products. If you have feedback or questions as you navigate the site, click Send Feedback.

Google-managed service agent

App Engine includes a Google-managed service account named App Engine standard environment Service Agent . This service agent enables your services to act on your behalf when accessing other Google Cloud resources and should not be modified or deleted from your Google Cloud project.

Note that the Google-managed service agent is not listed on the Service Accounts page in the Google Cloud console and is unrelated to the App Engine default service account.

The Google-managed service agent is automatically created in your Google Cloud project when you deploy your first service. For example, when you run the gcloud app deploy command for the first time to deploy an app in the standard environment.

The Google-managed service agent uses the predefined IAM role of App Engine standard environment Service Agent, which includes a set of permissions needed by App Engine to manage your apps.

For example, the permissions allow your Google Cloud project to use the Blobstore API, or to obtain an access token that your App Engine instances use to access other Google Cloud resources, such as a Cloud Storage bucket.

Important restrictions:

Verify the service agent

To verify that the service agent exists in your Google Cloud project, perform the following steps:

  1. In the Google Cloud console, go to the Permissions page.

    Go to Permissions

  2. In the upper-right corner of the Permissions page, select the Include Google-provided role grants checkbox.

  3. In the Principals list, locate the service agent with the following ID:
    service-PROJECT_NUMBER@gcp-gae-service.iam.gserviceaccount.com.

  4. Verify that the service agent has been granted the App Engine standard environment Service Agent role.

Restore a deleted service agent

If you accidentally delete the App Engine standard environment Service Agent , restore it by performing the following steps:

  1. In the Google Cloud console, go to the Permissions page.

    Go to Permissions

  2. Click Add.

  3. Enter the service agent ID in the following format:
    service-PROJECT_NUMBER@gcp-gae-service.iam.gserviceaccount.com.

  4. Select the App Engine standard environment Service Agent role.

  5. Click Save.