Console
    Contact Us Start free

    App Engine roles and permissions

    This page lists the IAM roles and permissions for App Engine. To search through all roles and permissions, see the role and permission index .

    App Engine roles

    Role
    Permissions

    ( roles/ appengine.appAdmin )

    Read/Write/Modify access to all application configuration and settings.

    To deploy new versions, a principal must have the Service Account User ( roles/iam.serviceAccountUser ) role on the assigned App Engine service account , and the Cloud Build Editor ( roles/cloudbuild.builds.editor ), and Cloud Storage Object Admin ( roles/storage.objectAdmin ) roles on the project.

    Lowest-level resources where you can grant this role:

    • Project

    appengine.applications.get

    appengine. applications. listRuntimes

    appengine.applications.update

    appengine.instances.*

    • appengine.instances.delete
    • appengine. instances. enableDebug
    • appengine.instances.get
    • appengine.instances.list

    appengine.memcache.addKey

    appengine.memcache.flush

    appengine.memcache.get

    appengine.memcache.update

    appengine.operations.*

    • appengine.operations.get
    • appengine.operations.list

    appengine.runtimes.actAsAdmin

    appengine.services.*

    • appengine.services.delete
    • appengine.services.get
    • appengine.services.list
    • appengine.services.update

    appengine.versions.create

    appengine.versions.delete

    appengine.versions.get

    appengine.versions.list

    appengine.versions.update

    artifactregistry. projectsettings. get

    artifactregistry. repositories. deleteArtifacts

    artifactregistry. repositories. downloadArtifacts

    artifactregistry. repositories. uploadArtifacts

    resourcemanager.projects.get

    resourcemanager.projects.list

    ( roles/ appengine.appCreator )

    Ability to create the App Engine resource for the project.

    Lowest-level resources where you can grant this role:

    • Project

    appengine.applications.create

    resourcemanager.projects.get

    resourcemanager.projects.list

    ( roles/ appengine.appViewer )

    Read-only access to all application configuration and settings.

    Lowest-level resources where you can grant this role:

    • Project

    appengine.applications.get

    appengine. applications. listRuntimes

    appengine.instances.get

    appengine.instances.list

    appengine.operations.*

    • appengine.operations.get
    • appengine.operations.list

    appengine.services.get

    appengine.services.list

    appengine.versions.get

    appengine.versions.list

    artifactregistry. projectsettings. get

    resourcemanager.projects.get

    resourcemanager.projects.list

    ( roles/ appengine.codeViewer )

    Read-only access to all application configuration, settings, and deployed source code.

    Lowest-level resources where you can grant this role:

    • Project

    appengine.applications.get

    appengine. applications. listRuntimes

    appengine.instances.get

    appengine.instances.list

    appengine.operations.*

    • appengine.operations.get
    • appengine.operations.list

    appengine.services.get

    appengine.services.list

    appengine.versions.get

    appengine. versions. getFileContents

    appengine.versions.list

    artifactregistry. projectsettings. get

    resourcemanager.projects.get

    resourcemanager.projects.list

    ( roles/ appengine.debugger )

    Ability to read or manage v2 instances.

    appengine.applications.get

    appengine. applications. listRuntimes

    appengine.instances.*

    • appengine.instances.delete
    • appengine. instances. enableDebug
    • appengine.instances.get
    • appengine.instances.list

    appengine.operations.*

    • appengine.operations.get
    • appengine.operations.list

    appengine.services.get

    appengine.services.list

    appengine.versions.get

    appengine.versions.list

    resourcemanager.projects.get

    resourcemanager.projects.list

    ( roles/ appengine.deployer )

    Read-only access to all application configuration and settings.

    To deploy new versions, you must also have the Service Account User ( roles/iam.serviceAccountUser ) role on the assigned App Engine service account , and the Cloud Build Editor ( roles/cloudbuild.builds.editor ), and Cloud Storage Object Admin ( roles/storage.objectAdmin ) roles on the project.

    Cannot modify existing versions other than deleting versions that are not receiving traffic.

    Lowest-level resources where you can grant this role:

    • Project

    appengine.applications.get

    appengine. applications. listRuntimes

    appengine.instances.get

    appengine.instances.list

    appengine.operations.*

    • appengine.operations.get
    • appengine.operations.list

    appengine.services.get

    appengine.services.list

    appengine.versions.create

    appengine.versions.delete

    appengine.versions.get

    appengine.versions.list

    artifactregistry. projectsettings. get

    artifactregistry. repositories. deleteArtifacts

    artifactregistry. repositories. downloadArtifacts

    artifactregistry. repositories. uploadArtifacts

    resourcemanager.projects.get

    resourcemanager.projects.list

    ( roles/ appengine.memcacheDataAdmin )

    Can get, set, delete, and flush App Engine Memcache items.

    appengine.applications.get

    appengine.memcache.addKey

    appengine.memcache.flush

    appengine.memcache.get

    appengine.memcache.update

    resourcemanager.projects.get

    resourcemanager.projects.list

    ( roles/ appengine.serviceAdmin )

    Read-only access to all application configuration and settings.

    Write access to module-level and version-level settings. Cannot deploy a new version.

    Lowest-level resources where you can grant this role:

    • Project

    appengine.applications.get

    appengine. applications. listRuntimes

    appengine.instances.delete

    appengine.instances.get

    appengine.instances.list

    appengine.operations.*

    • appengine.operations.get
    • appengine.operations.list

    appengine.services.*

    • appengine.services.delete
    • appengine.services.get
    • appengine.services.list
    • appengine.services.update

    appengine.versions.delete

    appengine.versions.get

    appengine.versions.list

    appengine.versions.update

    artifactregistry. projectsettings. get

    resourcemanager.projects.get

    resourcemanager.projects.list

    ( roles/ appengine.serviceAgent )

    Give App Engine Standard Envirnoment service account access to managed resources. Includes access to service accounts.

    appengine.versions.delete

    appengine.versions.get

    appengine.versions.list

    appengine.versions.update

    artifactregistry. aptartifacts. create

    artifactregistry. dockerimages.*

    • artifactregistry. dockerimages. get
    • artifactregistry. dockerimages. list

    artifactregistry. files. download

    artifactregistry.files.get

    artifactregistry.files.list

    artifactregistry. kfpartifacts. create

    artifactregistry.locations.*

    • artifactregistry.locations.get
    • artifactregistry. locations. list

    artifactregistry. mavenartifacts.*

    • artifactregistry. mavenartifacts. get
    • artifactregistry. mavenartifacts. list

    artifactregistry.npmpackages.*

    • artifactregistry. npmpackages. get
    • artifactregistry. npmpackages. list

    artifactregistry.packages.get

    artifactregistry.packages.list

    artifactregistry. projectsettings. get

    artifactregistry. pythonpackages.*

    • artifactregistry. pythonpackages. get
    • artifactregistry. pythonpackages. list

    artifactregistry. repositories. create

    artifactregistry. repositories. downloadArtifacts

    artifactregistry. repositories. get

    artifactregistry. repositories. list

    artifactregistry. repositories. listEffectiveTags

    artifactregistry. repositories. listTagBindings

    artifactregistry. repositories. readViaVirtualRepository

    artifactregistry. repositories. uploadArtifacts

    artifactregistry.tags.create

    artifactregistry.tags.get

    artifactregistry.tags.list

    artifactregistry.tags.update

    artifactregistry.versions.get

    artifactregistry.versions.list

    artifactregistry. yumartifacts. create

    datastore.databases.get

    datastore.entities.create

    datastore.entities.delete

    datastore.entities.get

    datastore.entities.list

    datastore.entities.update

    datastore.indexes.list

    datastore.namespaces.*

    • datastore.namespaces.get
    • datastore.namespaces.list

    datastore.statistics.*

    • datastore.statistics.get
    • datastore.statistics.list

    iam. serviceAccounts. getAccessToken

    iam. serviceAccounts. getOpenIdToken

    iam.serviceAccounts.signBlob

    serviceusage.services.enable

    serviceusage.services.get

    storage.buckets.create

    storage.buckets.get

    App Engine permissions

    Permission
    Included in roles

    Owner ( roles/ owner )

    App Engine Creator ( roles/ appengine.appCreator )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    Viewer ( roles/ viewer )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Viewer ( roles/ appengine.appViewer )

    App Engine Code Viewer ( roles/ appengine.codeViewer )

    App Engine Managed VM Debug Access ( roles/ appengine.debugger )

    App Engine Deployer ( roles/ appengine.deployer )

    App Engine Memcache Data Admin ( roles/ appengine.memcacheDataAdmin )

    App Engine Service Admin ( roles/ appengine.serviceAdmin )

    Cloud Scheduler Admin ( roles/ cloudscheduler.admin )

    Cloud Scheduler Job Runner ( roles/ cloudscheduler.jobRunner )

    Cloud Scheduler Viewer ( roles/ cloudscheduler.viewer )

    Web Security Scanner Editor ( roles/ cloudsecurityscanner.editor )

    Cloud Datastore Import Export Admin ( roles/ datastore.importExportAdmin )

    Cloud Datastore Index Admin ( roles/ datastore.indexAdmin )

    Cloud Datastore Owner ( roles/ datastore.owner )

    Cloud Datastore User ( roles/ datastore.user )

    Cloud Datastore Viewer ( roles/ datastore.viewer )

    Firebase Admin ( roles/ firebase.admin )

    Firebase Develop Admin ( roles/ firebase.developAdmin )

    Firebase Admin SDK Administrator Service Agent ( roles/ firebase.sdkAdminServiceAgent )

    Firebase Extensions API Service Agent ( roles/ firebasemods.serviceAgent )

    Data Scientist ( roles/ iam.dataScientist )

    Databases Admin ( roles/ iam.databasesAdmin )

    Support User ( roles/ iam.supportUser )

    Security Center Admin ( roles/ securitycenter.admin )

    Security Center Admin Editor ( roles/ securitycenter.adminEditor )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    Viewer ( roles/ viewer )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Viewer ( roles/ appengine.appViewer )

    App Engine Code Viewer ( roles/ appengine.codeViewer )

    App Engine Managed VM Debug Access ( roles/ appengine.debugger )

    App Engine Deployer ( roles/ appengine.deployer )

    App Engine Service Admin ( roles/ appengine.serviceAdmin )

    Support User ( roles/ iam.supportUser )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    App Engine Admin ( roles/ appengine.appAdmin )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Managed VM Debug Access ( roles/ appengine.debugger )

    App Engine Service Admin ( roles/ appengine.serviceAdmin )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Managed VM Debug Access ( roles/ appengine.debugger )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    Viewer ( roles/ viewer )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Viewer ( roles/ appengine.appViewer )

    App Engine Code Viewer ( roles/ appengine.codeViewer )

    App Engine Managed VM Debug Access ( roles/ appengine.debugger )

    App Engine Deployer ( roles/ appengine.deployer )

    App Engine Service Admin ( roles/ appengine.serviceAdmin )

    Support User ( roles/ iam.supportUser )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    Viewer ( roles/ viewer )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Viewer ( roles/ appengine.appViewer )

    App Engine Code Viewer ( roles/ appengine.codeViewer )

    App Engine Managed VM Debug Access ( roles/ appengine.debugger )

    App Engine Deployer ( roles/ appengine.deployer )

    App Engine Service Admin ( roles/ appengine.serviceAdmin )

    Security Admin ( roles/ iam.securityAdmin )

    Security Auditor ( roles/ iam.securityAuditor )

    Security Reviewer ( roles/ iam.securityReviewer )

    Support User ( roles/ iam.supportUser )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Memcache Data Admin ( roles/ appengine.memcacheDataAdmin )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Memcache Data Admin ( roles/ appengine.memcacheDataAdmin )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    Viewer ( roles/ viewer )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Memcache Data Admin ( roles/ appengine.memcacheDataAdmin )

    Support User ( roles/ iam.supportUser )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    Viewer ( roles/ viewer )

    Support User ( roles/ iam.supportUser )

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    Viewer ( roles/ viewer )

    Security Admin ( roles/ iam.securityAdmin )

    Security Auditor ( roles/ iam.securityAuditor )

    Security Reviewer ( roles/ iam.securityReviewer )

    Support User ( roles/ iam.supportUser )

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Memcache Data Admin ( roles/ appengine.memcacheDataAdmin )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    Viewer ( roles/ viewer )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Viewer ( roles/ appengine.appViewer )

    App Engine Code Viewer ( roles/ appengine.codeViewer )

    App Engine Managed VM Debug Access ( roles/ appengine.debugger )

    App Engine Deployer ( roles/ appengine.deployer )

    App Engine Service Admin ( roles/ appengine.serviceAdmin )

    Support User ( roles/ iam.supportUser )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    Viewer ( roles/ viewer )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Viewer ( roles/ appengine.appViewer )

    App Engine Code Viewer ( roles/ appengine.codeViewer )

    App Engine Managed VM Debug Access ( roles/ appengine.debugger )

    App Engine Deployer ( roles/ appengine.deployer )

    App Engine Service Admin ( roles/ appengine.serviceAdmin )

    Security Admin ( roles/ iam.securityAdmin )

    Security Auditor ( roles/ iam.securityAuditor )

    Security Reviewer ( roles/ iam.securityReviewer )

    Support User ( roles/ iam.supportUser )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    Viewer ( roles/ viewer )

    App Engine Admin ( roles/ appengine.appAdmin )

    Support User ( roles/ iam.supportUser )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Service Admin ( roles/ appengine.serviceAdmin )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    Viewer ( roles/ viewer )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Viewer ( roles/ appengine.appViewer )

    App Engine Code Viewer ( roles/ appengine.codeViewer )

    App Engine Managed VM Debug Access ( roles/ appengine.debugger )

    App Engine Deployer ( roles/ appengine.deployer )

    App Engine Service Admin ( roles/ appengine.serviceAdmin )

    Support User ( roles/ iam.supportUser )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    Viewer ( roles/ viewer )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Viewer ( roles/ appengine.appViewer )

    App Engine Code Viewer ( roles/ appengine.codeViewer )

    App Engine Managed VM Debug Access ( roles/ appengine.debugger )

    App Engine Deployer ( roles/ appengine.deployer )

    App Engine Service Admin ( roles/ appengine.serviceAdmin )

    Security Admin ( roles/ iam.securityAdmin )

    Security Auditor ( roles/ iam.securityAuditor )

    Security Reviewer ( roles/ iam.securityReviewer )

    Support User ( roles/ iam.supportUser )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Service Admin ( roles/ appengine.serviceAdmin )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Deployer ( roles/ appengine.deployer )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Deployer ( roles/ appengine.deployer )

    App Engine Service Admin ( roles/ appengine.serviceAdmin )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    Viewer ( roles/ viewer )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Viewer ( roles/ appengine.appViewer )

    App Engine Code Viewer ( roles/ appengine.codeViewer )

    App Engine Managed VM Debug Access ( roles/ appengine.debugger )

    App Engine Deployer ( roles/ appengine.deployer )

    App Engine Service Admin ( roles/ appengine.serviceAdmin )

    Support User ( roles/ iam.supportUser )

    Service agent roles

    Owner ( roles/ owner )

    App Engine Code Viewer ( roles/ appengine.codeViewer )

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    Viewer ( roles/ viewer )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Viewer ( roles/ appengine.appViewer )

    App Engine Code Viewer ( roles/ appengine.codeViewer )

    App Engine Managed VM Debug Access ( roles/ appengine.debugger )

    App Engine Deployer ( roles/ appengine.deployer )

    App Engine Service Admin ( roles/ appengine.serviceAdmin )

    Security Admin ( roles/ iam.securityAdmin )

    Security Auditor ( roles/ iam.securityAuditor )

    Security Reviewer ( roles/ iam.securityReviewer )

    Support User ( roles/ iam.supportUser )

    Service agent roles

    Owner ( roles/ owner )

    Editor ( roles/ editor )

    App Engine Admin ( roles/ appengine.appAdmin )

    App Engine Service Admin ( roles/ appengine.serviceAdmin )

    Service agent roles

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: