App Engine roles and permissions
App Engine Admin
(roles/)
Read/Write/Modify access to all application configuration and settings.
To deploy new versions, a principal must have the Service Account User (roles/iam.serviceAccountUser) role on the assigned App Engine service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.
Lowest-level resources where you can grant this role:
- Project
appengine.applications.get
appengine.
appengine.applications.update
appengine.instances.*
appengine.instances.delete
appengine.instances.enableDebug
appengine.instances.get
appengine.instances.list
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
appengine.operations.*
appengine.operations.get
appengine.operations.list
appengine.runtimes.actAsAdmin
appengine.services.*
appengine.services.delete
appengine.services.get
appengine.services.list
appengine.services.update
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
recommender.locations.*
recommender.locations.get
recommender.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Creator
(roles/)
Ability to create the App Engine resource for the project.
Lowest-level resources where you can grant this role:
- Project
appengine.applications.create
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Viewer
(roles/)
Read-only access to all application configuration and settings.
Lowest-level resources where you can grant this role:
- Project
appengine.applications.get
appengine.
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
artifactregistry.
recommender.locations.*
recommender.locations.get
recommender.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Code Viewer
(roles/)
Read-only access to all application configuration, settings, and deployed source code.
Lowest-level resources where you can grant this role:
- Project
appengine.applications.get
appengine.
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.
appengine.versions.list
artifactregistry.
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Managed VM Debug Access
(roles/)
Ability to read or manage v2 instances.
appengine.applications.get
appengine.
appengine.instances.*
appengine.instances.delete
appengine.instances.enableDebug
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Deployer
(roles/)
Read-only access to all application configuration and settings.
To deploy new versions, you must also have the Service Account User (roles/iam.serviceAccountUser) role on the assigned App Engine service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.
Cannot modify existing versions other than deleting versions that are not receiving traffic.
Lowest-level resources where you can grant this role:
- Project
appengine.applications.get
appengine.
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
recommender.locations.*
recommender.locations.get
recommender.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Memcache Data Admin
(roles/)
Can get, set, delete, and flush App Engine Memcache items.
appengine.applications.get
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Service Admin
(roles/)
Read-only access to all application configuration and settings.
Write access to module-level and version-level settings. Cannot deploy a new version.
Lowest-level resources where you can grant this role:
- Project
appengine.applications.get
appengine.
appengine.instances.delete
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.operations.get
appengine.operations.list
appengine.services.*
appengine.services.delete
appengine.services.get
appengine.services.list
appengine.services.update
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.
recommender.locations.*
recommender.locations.get
recommender.locations.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Standard Environment Service Agent
(roles/)
Give App Engine Standard Environment service account access to managed resources. Includes access to service accounts.
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.
artifactregistry.
artifactregistry.dockerimages.get
artifactregistry.dockerimages.list
artifactregistry.
artifactregistry.files.get
artifactregistry.files.list
artifactregistry.
artifactregistry.locations.*
artifactregistry.locations.get
artifactregistry.locations.list
artifactregistry.
artifactregistry.mavenartifacts.get
artifactregistry.mavenartifacts.list
artifactregistry.npmpackages.*
artifactregistry.npmpackages.get
artifactregistry.npmpackages.list
artifactregistry.packages.get
artifactregistry.packages.list
artifactregistry.
artifactregistry.
artifactregistry.pythonpackages.get
artifactregistry.pythonpackages.list
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.
artifactregistry.tags.create
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.tags.update
artifactregistry.versions.get
artifactregistry.versions.list
artifactregistry.
compute.addresses.create
compute.
compute.addresses.delete
compute.
compute.addresses.get
compute.addresses.list
compute.globalOperations.get
compute.networks.get
compute.regionOperations.get
compute.subnetworks.get
compute.subnetworks.use
compute.zoneOperations.get
datastore.databases.get
datastore.entities.create
datastore.entities.delete
datastore.entities.get
datastore.entities.list
datastore.entities.update
datastore.indexes.list
datastore.namespaces.*
datastore.namespaces.get
datastore.namespaces.list
datastore.statistics.*
datastore.statistics.get
datastore.statistics.list
iam.
iam.
iam.serviceAccounts.signBlob
serviceusage.consumerpolicy.*
serviceusage.consumerpolicy.analyze
serviceusage.consumerpolicy.get
serviceusage.consumerpolicy.update
serviceusage.
serviceusage.groups.*
serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers
serviceusage.services.enable
serviceusage.services.get
serviceusage.values.test
storage.buckets.create
storage.buckets.get