Python 2.7 has reached end of support
and will bedeprecatedon January 31, 2026. After deprecation, you won't be able to deploy Python 2.7
applications, even if your organization previously used an organization policy to
re-enable deployments of legacy runtimes. Your existing Python
2.7 applications will continue to run and receive traffic after theirdeprecation date. We recommend that
youmigrate to the latest supported version of Python.
Stay organized with collectionsSave and categorize content based on your preferences.
After you create an App Engine application, theApp Engine default service accountis created and used as the identity of your
App Engine app. The App Engine default service account is
associated with your Google Cloud project and executes tasks on behalf of your
apps running in App Engine.
Viewing the App Engine default service account
To view your service accounts:
In the Google Cloud console, go to theService accountspage.
If you disable the automatic role grant, you must decide which roles to grant to the default
service accounts, and thengrant these
rolesyourself.
If the default service account already has the Editor role, we recommend that you replace the
Editor role with less permissive roles.To safely modify the service account's roles, usePolicy Simulatorto see the impact of
the change, and thengrant and revoke the
appropriate roles.
Changing service account permissions
You can use the Google Cloud console to grant or remove roles from the
default service account. For example, you can
downgrade the permissions used by the App Engine default service account
by changing its role from Editor to whichever role(s) that best represent the
access needs for your App Engine app.
To modify roles for the App Engine default service account:
Locate the App Engine default service account in the
Principals list. The App Engine default service account appears in
the list if roles have been automatically or manually granted to the
service account.
Select the edit button to modify the roles assigned to the service account.
If you delete your App Engine default service account, your
App Engine application might break and lose access to other
Google Cloud services, such as Datastore.
You can restore App Engine default service accounts that have been deleted
within the last 30 days by following the steps inundeleting a service account.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThe App Engine default service account is automatically created when you create an App Engine application and is used as the identity for your app.\u003c/p\u003e\n"],["\u003cp\u003eYou can view the App Engine default service account's email address in the Google Cloud console's Service Accounts page, which follows the format \u003ccode\u003eYOUR_PROJECT_ID@appspot.gserviceaccount.com\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eIt's highly recommended to disable the automatic grant of the Editor role to the default service account, which can be done by enforcing the \u003ccode\u003eiam.automaticIamGrantsForDefaultServiceAccounts\u003c/code\u003e organization policy constraint, and instead manually grant necessary roles.\u003c/p\u003e\n"],["\u003cp\u003eDeleting the App Engine default service account will cause your App Engine application to break and lose access to other Google Cloud services, but it can be restored if deleted within the last 30 days.\u003c/p\u003e\n"],["\u003cp\u003eYou can modify the roles assigned to the App Engine default service account, such as downgrading from Editor to more specific roles, via the IAM page in the Google Cloud console.\u003c/p\u003e\n"]]],[],null,["# Using the Default App Engine Service Account\n\nAfter you create an App Engine application, the\n*[App Engine default service account](/iam/docs/service-account-types#default)*\nis created and used as the identity of your\nApp Engine app. The App Engine default service account is\nassociated with your Google Cloud project and executes tasks on behalf of your\napps running in App Engine.\n\nViewing the App Engine default service account\n----------------------------------------------\n\nTo view your service accounts:\n\n1. In the Google Cloud console, go to the **Service accounts** page.\n\n [Go to Service accounts](https://console.cloud.google.com/iam-admin/serviceaccounts)\n2. Select your project.\n\n3. In the list, locate the email address of the App Engine default service account: \n\n\n \u003cvar translate=\"no\"\u003eYOUR_PROJECT_ID\u003c/var\u003e`@appspot.gserviceaccount.com`\n\nModifying the default service account\n-------------------------------------\n\n\nDepending on your organization policy configuration, the default service account might\nautomatically be granted the [Editor role](/iam/docs/roles-overview#basic) on your\nproject. We strongly recommend that you disable the automatic role grant by [enforcing the `iam.automaticIamGrantsForDefaultServiceAccounts` organization policy\nconstraint](/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_default_grants). If you created your organization after May 3, 2024, this\nconstraint is enforced by default.\n\n\nIf you disable the automatic role grant, you must decide which roles to grant to the default\nservice accounts, and then [grant these\nroles](/iam/docs/granting-changing-revoking-access) yourself.\n\n\nIf the default service account already has the Editor role, we recommend that you replace the\nEditor role with less permissive roles.To safely modify the service account's roles, use [Policy Simulator](/policy-intelligence/docs/simulate-iam-policies) to see the impact of\nthe change, and then [grant and revoke the\nappropriate roles](/iam/docs/granting-changing-revoking-access).\n\n\u003cbr /\u003e\n\n| **Warning:** Deleting the App Engine default service account breaks any current and future App Engine applications in your Google Cloud project. For example, your application will lose access to other Google Cloud services such as Datastore. If needed, you can [restore a deleted default\n| service account](#repair-service-account).\n\n### Changing service account permissions\n\nYou can use the Google Cloud console to grant or remove roles from the\ndefault service account. For example, you can\ndowngrade the permissions used by the App Engine default service account\nby changing its role from Editor to whichever role(s) that best represent the\naccess needs for your App Engine app.\n\nTo modify roles for the App Engine default service account:\n\n1. In the Google Cloud console, go to the **IAM** page.\n\n [Go to IAM](https://console.cloud.google.com/iam-admin/iam)\n2. Select your project.\n\n3. Locate the App Engine default service account in the\n Principals list. The App Engine default service account appears in\n the list if roles have been automatically or manually granted to the\n service account.\n\n4. Select the edit button to modify the roles assigned to the service account.\n\n| **Note:** You cannot remove application access to its task queues and cron jobs.\n\nUsing the default service account\n---------------------------------\n\nYour App Engine app uses the credentials of the App Engine\nservice account by default. For more information, see [Granting your app access\nto Cloud services](/appengine/docs/legacy/standard/python/access-control\n\n#apps).\n\nRestoring a deleted default service account\n-------------------------------------------\n\nIf you delete your App Engine default service account, your\nApp Engine application might break and lose access to other\nGoogle Cloud services, such as Datastore.\n\nYou can restore App Engine default service accounts that have been deleted\nwithin the last 30 days by following the steps in\n[undeleting a service account](/iam/docs/service-accounts-delete-undelete#undeleting).\n\nMore information about service accounts\n---------------------------------------\n\n- [Default service accounts](/iam/docs/service-account-types#default)\n\n- [Managing service accounts](/iam/docs/creating-managing-service-accounts)"]]
