- Building Google Cloud Platform Solutions
- Ted Hunter Steven Porter Legorie Rajan PS
- 2025-04-04 14:47:41
App Engine service accounts
For applications running on App Engine, Google provides the App Engine app default service account, named <PROJECT_ID>@appspot.gserviceaccount.com. This account is created on a per-project basis and lives alongside your other service accounts. App Engine services use this service account by default when interacting with other Google Cloud services, such as Cloud Storage and Datastore, in the form of application default credentials. As we covered in Chapter 3, APIs, CLIs, IAM, and Billing, application default credentials provide a standardized method for authenticating services running in different environments, including local development machines and App Engine.
Do not delete the App Engine default service account. Though this service account is exposed to users like any other service account, it behaves somewhat differently from user-generated service accounts. App Engine depends on the existence and proper configuration of this service account to function correctly. Google protects this service account by requiring the user to explicitly consent that App Engine will stop functioning before it can be deleted.
By default, the App Engine default service account has the project editor role. This allows App Engine services to interact with any other project resource and Google Cloud service. Teams may choose to restrict App Engine application permissions to a subset of actions by replacing the project editor role with only the permissions that are needed. Be aware that, at the time of writing, deploying services to the flexible environment still requires the App Engine default service account to hold the project editor role, so teams that deploy to the flexible environment cannot yet remove it.
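The following Python is an added example, not code from the book: it audits a project IAM policy (in the JSON shape that `gcloud projects get-iam-policy --format=json` returns; the policy below is constructed for this example) for the App Engine default service account holding the editor role, and computes a replacement policy that swaps editor for narrower roles, keeping editor when the project deploys to the flexible environment. The function names and the choice of replacement roles are assumptions for illustration.

```python
import json

# Constructed sample policy in the gcloud get-iam-policy JSON shape (values are made up).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:my-project@appspot.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]}
  ],
  "etag": "BwXyz",
  "version": 1
}
""")


def appengine_sa_member(project_id):
    """IAM member string of the App Engine default service account."""
    return f"serviceAccount:{project_id}@appspot.gserviceaccount.com"


def roles_of(policy, member):
    """All roles the policy grants directly to `member` (audit helper)."""
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))


def restrict_appengine_sa(policy, project_id, needed_roles, uses_flexible_env=False):
    """Return (new_policy, notes) with roles/editor removed from the App Engine default
    service account and `needed_roles` granted instead. The original policy is not
    mutated and the etag is preserved so the caller can pass it to set-iam-policy.
    When flexible-environment deployments are in use, editor is kept, as the book notes
    those deployments currently require it."""
    member = appengine_sa_member(project_id)
    if uses_flexible_env:
        return policy, ["kept roles/editor: flexible environment deploys still require it"]
    new_bindings = []
    for b in policy.get("bindings", []):
        members = [m for m in b.get("members", [])
                   if not (b["role"] == "roles/editor" and m == member)]
        if members:  # drop bindings left with no members
            new_bindings.append({"role": b["role"], "members": members})
    for role in needed_roles:
        for b in new_bindings:
            if b["role"] == role:
                if member not in b["members"]:
                    b["members"].append(member)
                break
        else:
            new_bindings.append({"role": role, "members": [member]})
    new_policy = dict(policy, bindings=new_bindings)
    return new_policy, [f"removed roles/editor from {member}", f"granted {', '.join(needed_roles)}"]
```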