Stay organized with collections Save and categorize content based on your preferences.
App Engine apps require a service account in order to access other Google Cloud services and execute tasks. By default, the App Engine default service account is used as the identity of your App Engine app. You may also specify a different user-managed service account to be used as the identity for a specific version of your App Engine app. This allows you to grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.
This guide covers how to specify a different user-managed service account when deploying a new version. If you don't need to create a distinct service account when deploying a specific version of your app, you can continue to use the default service account by not specifying a service account.
Creating a user-managed service accountTo create a user-managed service account, see these instructions. When defining the Identity and Access Management (IAM) roles to grant your service account, you can refer to Roles that Grant Access to App Engine.
If you need to review IAM concepts before creating your service account, see IAM concepts overview and service accounts guides.
Warning: Do not remove the existing App Engine standard environment service agent in your project. The service agent delegates the user-managed service account as the identity for your app. If you remove the service agent, you will see IAM permission errors.After you create your user-managed service account, you can update the app-level default service account for your application by using one of the following methods:
Important: Only versions deployed after the update will use the new app-level default service account. All previously deployed versions will not use the new app-level default service account until you re-deploy that version. gcloudRun the gcloud app update command.
gcloud app update --service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
Replace:
SERVICE_ACCOUNT_NAME with the name of the service account that you created.PROJECT_ID with ID of the Google Cloud project in which you want to assign the service account.Each new version that you deploy after this update uses the new app-level default service account unless you explicitly assign a version-specific service account.
ConsoleGo to the App Engine Application Settings tab in the console and click Edit Application Settings.
Choose an app-level default service account from Select a Service account and click Save.
You will be redirected to the Application Settings tab where you can view the email address of your updated app-level default service account. Example: SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com.
Each new version that you deploy after this update uses the new app-level default service account unless you explicitly assign a version-specific service account.
app.yaml file and in the gcloud CLI, the gcloud setting is used. gcloud
Run the gcloud app deploy command and specify your service account:
gcloud app deploy --service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
In your appengine-web.xml file, specify your service account by adding the <service-account> element:
<service-account>SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com</service-account>
Follow best practices for working with service accounts.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-07 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["App Engine apps use a service account to access other Google Cloud services, with the App Engine default service account being the default identity."],["You can use a user-managed service account instead of the default for a specific version of your App Engine app, allowing for tailored privileges."],["User-managed service accounts can be specified when deploying a new version of your app via the `gcloud app deploy` command or within the `appengine-web.xml` file."],["It is important not to remove the App Engine standard environment service agent in your project, as it delegates the user-managed service account as the identity for your app."],["When specifying a user-managed service account, if it's set in both the `app.yaml` file and through the `gcloud` CLI, the `gcloud` setting will be prioritized."]]],[]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4