In addition to the App Engine default service account, the App Engine standard environment includes an App Engine standard environment service agent. The service agent enables your Google Cloud project to interact with the resources of your app separately from other Google Cloud services.
Google automatically creates this account when you deploy a project's first app to the App Engine standard environment using App Engine tooling, such as the gcloud app deploy command.
The service agent is not listed on the Service Accounts page of the Google Cloud console and has the following restrictions:
- Do not revoke the roles that are granted to the service agent.
- Do not grant the related App Engine standard environment service agent role to any other account because the permissions that the role includes can change without notice.
Verifying the App Engine standard environment service agent
To verify that the service agent exists in your Google Cloud project, perform the following steps:
Open the Google Cloud console:
In the upper-right corner of the Permissions page, select the Include Google-provided role grants checkbox.
In the Principals list, locate the ID of the App Engine standard environment service agent, which uses the ID service-PROJECT_NUMBER@gcp-gae-service.iam.gserviceaccount.com.
Verify that the service agent has been granted the App Engine standard environment Service Agent role.
Service Agent role
The service agent has the App Engine standard environment Service Agent role. The role includes a set of permissions needed by App Engine to manage your standard environment apps. For example, this role includes permissions to perform the following tasks:
- Get an access token for App Engine instances to access other Google Cloud resources, such as a Cloud Storage bucket.
- Use the Blobstore API from App Engine legacy bundled services.
The App Engine standard environment Service Agent role is reserved for the service agent. Do not grant this IAM role to any other account, because the permissions that the role includes can change without notice.
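The verification steps and the role restriction above can also be checked against a project IAM policy exported as JSON, for example with gcloud projects get-iam-policy PROJECT_ID --format=json. The following is an added example, not Google's code. The role ID roles/appengine.serviceAgent is an assumption (the page gives only the role's display name), and the sample policy, project number and principals are constructed.

```python
import json

# Assumption: ID of the "App Engine standard environment Service Agent" role;
# the page names the role but does not give its ID.
SERVICE_AGENT_ROLE = "roles/appengine.serviceAgent"

# Constructed sample policy (project number and principals are made up).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/appengine.serviceAgent",
   "members": [
     "serviceAccount:service-123456789012@gcp-gae-service.iam.gserviceaccount.com",
     "user:dev@example.com"]},
  {"role": "roles/editor",
   "members": ["serviceAccount:example-project@appspot.gserviceaccount.com"]}
]}
""")


def service_agent_member(project_number):
    """IAM member string built from the ID format given on the page."""
    return ("serviceAccount:service-%s@gcp-gae-service.iam.gserviceaccount.com"
            % project_number)


def audit_service_agent(policy, project_number, role=SERVICE_AGENT_ROLE):
    """Check a project IAM policy against the page's two restrictions."""
    agent = service_agent_member(project_number)
    holders = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            holders.update(binding.get("members", []))
    # IAM lists a deleted account as "deleted:<member>?uid=<id>".
    deleted = {m for m in holders if m.startswith("deleted:" + agent + "?")}
    return {
        "agent_has_role": agent in holders,         # role was not revoked
        "agent_deleted": bool(deleted),             # needs the restore steps
        "other_holders": sorted(holders - {agent} - deleted),  # should be empty
    }


if __name__ == "__main__":
    print(audit_service_agent(SAMPLE_POLICY, "123456789012"))
```

A non-empty other_holders list means the reserved role has been granted to another principal, which the page advises against.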
Restoring a deleted service agent
If you accidentally delete the App Engine standard environment service agent, restore it by performing the following steps:
Open the Google Cloud console:
Click Add.
Enter the service agent ID using the format service-PROJECT_NUMBER@gcp-gae-service.iam.gserviceaccount.com.
Select the App Engine standard environment Service Agent role.
Click Save.