App Engine roles and permissions

This page lists the IAM roles and permissions for App Engine. To search through all roles and permissions, see the role and permission index .

App Engine roles

Role

Permissions

App Engine Admin

( roles/ appengine.appAdmin )

Read/Write/Modify access to all application configuration and settings.

To deploy new versions, a principal must have the Service Account User ( roles/iam.serviceAccountUser ) role on the assigned App Engine service account , and the Cloud Build Editor ( roles/cloudbuild.builds.editor ), and Cloud Storage Object Admin ( roles/storage.objectAdmin ) roles on the project.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

appengine. applications. listRuntimes

appengine.applications.update

appengine.instances.*

appengine.instances.delete
appengine. instances. enableDebug
appengine.instances.get
appengine.instances.list

appengine.memcache.addKey

appengine.memcache.flush

appengine.memcache.get

appengine.memcache.update

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.runtimes.actAsAdmin

appengine.services.*

appengine.services.delete
appengine.services.get
appengine.services.list
appengine.services.update

appengine.versions.create

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

artifactregistry. projectsettings. get

artifactregistry. repositories. deleteArtifacts

artifactregistry. repositories. downloadArtifacts

artifactregistry. repositories. uploadArtifacts

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Creator

( roles/ appengine.appCreator )

Ability to create the App Engine resource for the project.

Lowest-level resources where you can grant this role:

Project

appengine.applications.create

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Viewer

( roles/ appengine.appViewer )

Read-only access to all application configuration and settings.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

appengine. applications. listRuntimes

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.services.get

appengine.services.list

appengine.versions.get

appengine.versions.list

artifactregistry. projectsettings. get

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Code Viewer

( roles/ appengine.codeViewer )

Read-only access to all application configuration, settings, and deployed source code.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

appengine. applications. listRuntimes

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.services.get

appengine.services.list

appengine.versions.get

appengine. versions. getFileContents

appengine.versions.list

artifactregistry. projectsettings. get

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Managed VM Debug Access

( roles/ appengine.debugger )

Ability to read or manage v2 instances.

appengine.applications.get

appengine. applications. listRuntimes

appengine.instances.*

appengine.instances.delete
appengine. instances. enableDebug
appengine.instances.get
appengine.instances.list

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.services.get

appengine.services.list

appengine.versions.get

appengine.versions.list

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Deployer

( roles/ appengine.deployer )

Read-only access to all application configuration and settings.

To deploy new versions, you must also have the Service Account User ( roles/iam.serviceAccountUser ) role on the assigned App Engine service account , and the Cloud Build Editor ( roles/cloudbuild.builds.editor ), and Cloud Storage Object Admin ( roles/storage.objectAdmin ) roles on the project.

Cannot modify existing versions other than deleting versions that are not receiving traffic.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

appengine. applications. listRuntimes

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.services.get

appengine.services.list

appengine.versions.create

appengine.versions.delete

appengine.versions.get

appengine.versions.list

artifactregistry. projectsettings. get

artifactregistry. repositories. deleteArtifacts

artifactregistry. repositories. downloadArtifacts

artifactregistry. repositories. uploadArtifacts

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Memcache Data Admin

( roles/ appengine.memcacheDataAdmin )

Can get, set, delete, and flush App Engine Memcache items.

appengine.applications.get

appengine.memcache.addKey

appengine.memcache.flush

appengine.memcache.get

appengine.memcache.update

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Service Admin

( roles/ appengine.serviceAdmin )

Read-only access to all application configuration and settings.

Write access to module-level and version-level settings. Cannot deploy a new version.

Lowest-level resources where you can grant this role:

Project

appengine.applications.get

appengine. applications. listRuntimes

appengine.instances.delete

appengine.instances.get

appengine.instances.list

appengine.operations.*

appengine.operations.get
appengine.operations.list

appengine.services.*

appengine.services.delete
appengine.services.get
appengine.services.list
appengine.services.update

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

artifactregistry. projectsettings. get

resourcemanager.projects.get

resourcemanager.projects.list

App Engine Standard Environment Service Agent

( roles/ appengine.serviceAgent )

Give App Engine Standard Envirnoment service account access to managed resources. Includes access to service accounts.

appengine.versions.delete

appengine.versions.get

appengine.versions.list

appengine.versions.update

artifactregistry. aptartifacts. create

artifactregistry. dockerimages.*

artifactregistry. dockerimages. get
artifactregistry. dockerimages. list

artifactregistry. files. download

artifactregistry.files.get

artifactregistry.files.list

artifactregistry. kfpartifacts. create

artifactregistry.locations.*

artifactregistry.locations.get
artifactregistry. locations. list

artifactregistry. mavenartifacts.*

artifactregistry. mavenartifacts. get
artifactregistry. mavenartifacts. list

artifactregistry.npmpackages.*

artifactregistry. npmpackages. get
artifactregistry. npmpackages. list

artifactregistry.packages.get

artifactregistry.packages.list

artifactregistry. projectsettings. get

artifactregistry. pythonpackages.*

artifactregistry. pythonpackages. get
artifactregistry. pythonpackages. list

artifactregistry. repositories. create

artifactregistry. repositories. downloadArtifacts

artifactregistry. repositories. get

artifactregistry. repositories. list

artifactregistry. repositories. listEffectiveTags

artifactregistry. repositories. listTagBindings

artifactregistry. repositories. readViaVirtualRepository

artifactregistry. repositories. uploadArtifacts

artifactregistry.tags.create

artifactregistry.tags.get

artifactregistry.tags.list

artifactregistry.tags.update

artifactregistry.versions.get

artifactregistry.versions.list

artifactregistry. yumartifacts. create

compute.addresses.create

compute. addresses. createInternal

compute.addresses.delete

compute. addresses. deleteInternal

compute.addresses.get

compute.addresses.list

compute.globalOperations.get

compute.networks.get

compute.regionOperations.get

compute.subnetworks.get

compute.subnetworks.use

compute.zoneOperations.get

datastore.databases.get

datastore.entities.create

datastore.entities.delete

datastore.entities.get

datastore.entities.list

datastore.entities.update

datastore.indexes.list

datastore.namespaces.*

datastore.namespaces.get
datastore.namespaces.list

datastore.statistics.*

datastore.statistics.get
datastore.statistics.list

iam. serviceAccounts. getAccessToken

iam. serviceAccounts. getOpenIdToken

iam.serviceAccounts.signBlob

serviceusage.consumerpolicy.*

serviceusage. consumerpolicy. analyze
serviceusage. consumerpolicy. get
serviceusage. consumerpolicy. update

serviceusage. effectivepolicy. get

serviceusage.groups.*

serviceusage.groups.list
serviceusage. groups. listExpandedMembers
serviceusage. groups. listMembers

serviceusage.services.enable

serviceusage.services.get

serviceusage.values.test

storage.buckets.create

storage.buckets.get

App Engine permissions

Permission

Included in roles

`appengine.applications.create`

Owner ( roles/ owner )

App Engine Creator ( roles/ appengine.appCreator )

Service agent roles

Firebase Service Management Service Agent ( roles/ firebase.managementServiceAgent )

`appengine.applications.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Viewer ( roles/ appengine.appViewer )

App Engine Code Viewer ( roles/ appengine.codeViewer )

App Engine Managed VM Debug Access ( roles/ appengine.debugger )

App Engine Deployer ( roles/ appengine.deployer )

App Engine Memcache Data Admin ( roles/ appengine.memcacheDataAdmin )

App Engine Service Admin ( roles/ appengine.serviceAdmin )

Cloud Scheduler Admin ( roles/ cloudscheduler.admin )

Cloud Scheduler Job Runner ( roles/ cloudscheduler.jobRunner )

Cloud Scheduler Viewer ( roles/ cloudscheduler.viewer )

Web Security Scanner Editor ( roles/ cloudsecurityscanner.editor )

Cloud Datastore Import Export Admin ( roles/ datastore.importExportAdmin )

Cloud Datastore Index Admin ( roles/ datastore.indexAdmin )

Cloud Datastore Owner ( roles/ datastore.owner )

Cloud Datastore User ( roles/ datastore.user )

Cloud Datastore Viewer ( roles/ datastore.viewer )

Firebase Admin ( roles/ firebase.admin )

Firebase Develop Admin ( roles/ firebase.developAdmin )

Firebase Admin SDK Administrator Service Agent ( roles/ firebase.sdkAdminServiceAgent )

Firebase Extensions API Service Agent ( roles/ firebasemods.serviceAgent )

Data Scientist ( roles/ iam.dataScientist )

Databases Admin ( roles/ iam.databasesAdmin )

Support User ( roles/ iam.supportUser )

Security Center Admin ( roles/ securitycenter.admin )

Security Center Admin Editor ( roles/ securitycenter.adminEditor )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )
Datapipelines Service Agent ( roles/ datapipelines.serviceAgent )
DLP API Service Agent ( roles/ dlp.serviceAgent )
Firebase Service Management Service Agent ( roles/ firebase.managementServiceAgent )
Cloud Web Security Scanner Service Agent ( roles/ websecurityscanner.serviceAgent )
Cloud Deployment Manager Service Agent ( roles/ clouddeploymentmanager.serviceAgent )

`appengine. applications. listRuntimes`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Viewer ( roles/ appengine.appViewer )

App Engine Code Viewer ( roles/ appengine.codeViewer )

App Engine Managed VM Debug Access ( roles/ appengine.debugger )

App Engine Deployer ( roles/ appengine.deployer )

App Engine Service Admin ( roles/ appengine.serviceAdmin )

Support User ( roles/ iam.supportUser )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )

`appengine.applications.update`

Owner ( roles/ owner )

Editor ( roles/ editor )

App Engine Admin ( roles/ appengine.appAdmin )

Service agent roles

Firebase Service Management Service Agent ( roles/ firebase.managementServiceAgent )
Cloud Composer API Service Agent ( roles/ composer.serviceAgent )

`appengine.instances.delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Managed VM Debug Access ( roles/ appengine.debugger )

App Engine Service Admin ( roles/ appengine.serviceAdmin )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )

`appengine. instances. enableDebug`

Owner ( roles/ owner )

Editor ( roles/ editor )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Managed VM Debug Access ( roles/ appengine.debugger )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )

`appengine.instances.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Viewer ( roles/ appengine.appViewer )

App Engine Code Viewer ( roles/ appengine.codeViewer )

App Engine Managed VM Debug Access ( roles/ appengine.debugger )

App Engine Deployer ( roles/ appengine.deployer )

App Engine Service Admin ( roles/ appengine.serviceAdmin )

Support User ( roles/ iam.supportUser )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )

`appengine.instances.list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Viewer ( roles/ appengine.appViewer )

App Engine Code Viewer ( roles/ appengine.codeViewer )

App Engine Managed VM Debug Access ( roles/ appengine.debugger )

App Engine Deployer ( roles/ appengine.deployer )

App Engine Service Admin ( roles/ appengine.serviceAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )

`appengine.memcache.addKey`

Owner ( roles/ owner )

Editor ( roles/ editor )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Memcache Data Admin ( roles/ appengine.memcacheDataAdmin )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )

`appengine.memcache.flush`

Owner ( roles/ owner )

Editor ( roles/ editor )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Memcache Data Admin ( roles/ appengine.memcacheDataAdmin )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )

`appengine.memcache.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Memcache Data Admin ( roles/ appengine.memcacheDataAdmin )

Support User ( roles/ iam.supportUser )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )

`appengine.memcache.getKey`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Support User ( roles/ iam.supportUser )

`appengine.memcache.list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

`appengine.memcache.update`

Owner ( roles/ owner )

Editor ( roles/ editor )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Memcache Data Admin ( roles/ appengine.memcacheDataAdmin )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )

`appengine.operations.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Viewer ( roles/ appengine.appViewer )

App Engine Code Viewer ( roles/ appengine.codeViewer )

App Engine Managed VM Debug Access ( roles/ appengine.debugger )

App Engine Deployer ( roles/ appengine.deployer )

App Engine Service Admin ( roles/ appengine.serviceAdmin )

Support User ( roles/ iam.supportUser )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )
Firebase Service Management Service Agent ( roles/ firebase.managementServiceAgent )
Cloud Deployment Manager Service Agent ( roles/ clouddeploymentmanager.serviceAgent )

`appengine.operations.list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Viewer ( roles/ appengine.appViewer )

App Engine Code Viewer ( roles/ appengine.codeViewer )

App Engine Managed VM Debug Access ( roles/ appengine.debugger )

App Engine Deployer ( roles/ appengine.deployer )

App Engine Service Admin ( roles/ appengine.serviceAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )

`appengine.runtimes.actAsAdmin`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

App Engine Admin ( roles/ appengine.appAdmin )

Support User ( roles/ iam.supportUser )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )

`appengine.services.delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Service Admin ( roles/ appengine.serviceAdmin )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )

`appengine.services.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Viewer ( roles/ appengine.appViewer )

App Engine Code Viewer ( roles/ appengine.codeViewer )

App Engine Managed VM Debug Access ( roles/ appengine.debugger )

App Engine Deployer ( roles/ appengine.deployer )

App Engine Service Admin ( roles/ appengine.serviceAdmin )

Support User ( roles/ iam.supportUser )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )

`appengine.services.list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Viewer ( roles/ appengine.appViewer )

App Engine Code Viewer ( roles/ appengine.codeViewer )

App Engine Managed VM Debug Access ( roles/ appengine.debugger )

App Engine Deployer ( roles/ appengine.deployer )

App Engine Service Admin ( roles/ appengine.serviceAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

Service agent roles

Firebase Service Management Service Agent ( roles/ firebase.managementServiceAgent )
Cloud Composer API Service Agent ( roles/ composer.serviceAgent )

`appengine.services.update`

Owner ( roles/ owner )

Editor ( roles/ editor )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Service Admin ( roles/ appengine.serviceAdmin )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )
Cloud Deployment Manager Service Agent ( roles/ clouddeploymentmanager.serviceAgent )

`appengine.versions.create`

Owner ( roles/ owner )

Editor ( roles/ editor )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Deployer ( roles/ appengine.deployer )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )
Cloud Deployment Manager Service Agent ( roles/ clouddeploymentmanager.serviceAgent )

`appengine.versions.delete`

Owner ( roles/ owner )

Editor ( roles/ editor )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Deployer ( roles/ appengine.deployer )

App Engine Service Admin ( roles/ appengine.serviceAdmin )

Service agent roles

Cloud Deployment Manager Service Agent ( roles/ clouddeploymentmanager.serviceAgent )
Cloud Composer API Service Agent ( roles/ composer.serviceAgent )
App Engine Standard Environment Service Agent ( roles/ appengine.serviceAgent )

`appengine.versions.get`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Viewer ( roles/ appengine.appViewer )

App Engine Code Viewer ( roles/ appengine.codeViewer )

App Engine Managed VM Debug Access ( roles/ appengine.debugger )

App Engine Deployer ( roles/ appengine.deployer )

App Engine Service Admin ( roles/ appengine.serviceAdmin )

Support User ( roles/ iam.supportUser )

Service agent roles

Cloud Deployment Manager Service Agent ( roles/ clouddeploymentmanager.serviceAgent )
Cloud Composer API Service Agent ( roles/ composer.serviceAgent )
App Engine Standard Environment Service Agent ( roles/ appengine.serviceAgent )

`appengine. versions. getFileContents`

Owner ( roles/ owner )

App Engine Code Viewer ( roles/ appengine.codeViewer )

`appengine.versions.list`

Owner ( roles/ owner )

Editor ( roles/ editor )

Viewer ( roles/ viewer )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Viewer ( roles/ appengine.appViewer )

App Engine Code Viewer ( roles/ appengine.codeViewer )

App Engine Managed VM Debug Access ( roles/ appengine.debugger )

App Engine Deployer ( roles/ appengine.deployer )

App Engine Service Admin ( roles/ appengine.serviceAdmin )

Security Admin ( roles/ iam.securityAdmin )

Security Auditor ( roles/ iam.securityAuditor )

Security Reviewer ( roles/ iam.securityReviewer )

Support User ( roles/ iam.supportUser )

Service agent roles

Cloud Deployment Manager Service Agent ( roles/ clouddeploymentmanager.serviceAgent )
Cloud Composer API Service Agent ( roles/ composer.serviceAgent )
App Engine Standard Environment Service Agent ( roles/ appengine.serviceAgent )

`appengine.versions.update`

Owner ( roles/ owner )

Editor ( roles/ editor )

App Engine Admin ( roles/ appengine.appAdmin )

App Engine Service Admin ( roles/ appengine.serviceAdmin )

Service agent roles

Cloud Composer API Service Agent ( roles/ composer.serviceAgent )
App Engine Standard Environment Service Agent ( roles/ appengine.serviceAgent )