Stay organized with collections Save and categorize content based on your preferences.
Access control determines who has permission to access services and resources in a Google Cloud project. In App Engine, there are a few separate use cases for setting up access control:
Granting team members access to your Google Cloud project so they can set up services and deploy apps.
Granting your app access to Google Cloud services, such as Cloud Storage. All Cloud services require authentication and authorization for every API call, including calls from your App Engine app.
Granting your users access to resources in a Google Cloud project. While this use case isn't common, there may be cases in which your app needs to request access to a Cloud resource on behalf of a user. For example, your app may need to access data that belongs to your users.
This page provides an overview of setting up access control in each use case.
For background information on how Google Cloud Platform handles access control, see the overview of Identity and Access Management (IAM).
Granting access to team membersTo give a developer access to your Google Cloud project, create one or both of the following:
A user account, which is associated with a Google account and is intended to represent a specific individual on your project.
A user account can be used to authenticate from the following tools:
A service account, which is intended to represent an application or a process instead of a person. Use service accounts in your automated build, test, and deployment processes, especially if multiple developers can run these processes.
A service account can be used to authenticate from the following tools:
Open the IAM page in the Google Cloud console.
Click Select a project, choose a project, and click Open.
Click Add.
Enter an email address.
Select roles that grant access to App Engine features.
If the user also needs access to other Cloud services, select roles that grant access to other Cloud services.
Click Save.
The user can now sign into Google Cloud console as well as authorize the gcloud CLI.
You can also create user accounts from gcloud, the REST API, or client libraries.
Creating a service accountOpen the Service Accounts page in the Google Cloud console.
Select your project and click Open.
Click Create Service Account.
Enter a service account name. This should be a user-friendly name for display.
Click Create.
Select roles that grant access to App Engine features.
If the service account also needs access to other Cloud services, select roles that grant access to other Cloud services.
Click Continue.
Optionally, specify user accounts who can manage the service account. You can also specify user accounts who can use the service account to indirectly access all the resources to which the service account has access.
Click Save.
A list of existing service accounts appears.
Optionally, if you need to use your service account outside of Google Cloud, follow the instructions to create a service account key.
Every call to a Cloud service needs to be authenticated and authorized, including calls from an App Engine app to other Cloud services such as Cloud Storage.
By default, calls from your App Engine app to services in the same project are authorized. Here's how the default flow works:
To initiate calls to a Cloud service, your app creates a client object, which contains the credentials and other data your app needs to interact with the service. If you don't specify credentials in the client's constructor, the client looks for credentials in the app's environment.
Here's an example of creating a client for Cloud Storage:
Go Java Node.js PHP Python RubyThis service account is created by Google when you create an App Engine app and is given full permissions to manage and use all Cloud services in a Google Cloud project.
You can override this default flow by doing any of the following:
Set the GOOGLE_APPLICATION_CREDENTIALS environment variable. If this variable is set, Cloud services use the credentials specified by the variable instead of the default service account.
Specify credentials when you instantiate the Client object for a Cloud service. For example, if your app is calling a Cloud service in a different project, you may need to pass credentials manually.
If you set the GOOGLE_APPLICATION_CREDENTIALS environment variable or pass credentials in your code, we recommend that you store your credentials in one of the following ways:
To learn about the advantages of each approach, see Choosing a secret management solution.
Granting users access to Cloud resourcesIf you want your app to read user data from another Google service, you'll need to set up OAuth 2.0 for Web Server Applications. For example, if you want to pull a user's data from Google Drive and bring it into your app, use OAuth 2.0 for Web Server Applications to share specific data while keeping other data, such as usernames and passwords, private.
If you have a Google Workspace (formerly G Suite) domain, an administrator of the domain can authorize an application to access user data on behalf of users in the Google Workspace domain. For example, an application that uses the Google Calendar API to add events to the calendars of all users in a Google Workspace domain would use a service account to access the Google Calendar API on behalf of users.
Authorizing a service account to access data on behalf of users in a domain is sometimes referred to as "delegating domain-wide authority" to a service account. This still uses OAuth 2.0, and requires a Google Workspace domain administrator to authorize domain-wide authority to the service account.
Specifying a service accountApp Engine lets you use two types of service accounts:
The App Engine default service account is the default identity for all versions of your App Engine app if a user-managed service account isn't specified.
Depending on your organization policy configuration, the default service account might automatically be granted the Editor role on your project. We strongly recommend that you disable the automatic role grant by enforcing the iam.automaticIamGrantsForDefaultServiceAccounts organization policy constraint. If you created your organization after May 3, 2024, this constraint is enforced by default.
If you disable the automatic role grant, you must decide which roles to grant to the default service accounts, and then grant these roles yourself.
If the default service account already has the Editor role, we recommend that you replace the Editor role with less permissive roles.To safely modify the service account's roles, use Policy Simulator to see the impact of the change, and then grant and revoke the appropriate roles.
The user-managed service account is a service account you create in Identity and Access Management (IAM). You can specify a user-managed service account for a version, and it will be used when accessing other App Engine services and executing tasks for that version.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-07 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["Access control in Google Cloud, including App Engine, involves managing permissions for team members, the app itself, and end-users to access services and resources."],["Team members can gain access to a Google Cloud project through user accounts, intended for individuals, or service accounts, designed for applications or processes."],["App Engine apps require authentication and authorization to access other Google Cloud services, typically utilizing a default service account with project-wide permissions unless alternative credentials are provided."],["End-users can be granted access to specific Cloud resources via OAuth 2.0, allowing the app to access user data securely, or through domain-wide delegation for Google Workspace domains."],["App Engine apps use either the default service account, provided automatically, or a user-managed service account, created manually, for identity when interacting with other App Engine services and tasks."]]],[]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4