Go 1.11 has reached end of support
and will be deprecated
on January 31, 2026. After deprecation, you won't be able to deploy Go 1.11
applications, even if your organization previously used an organization policy to
re-enable deployments of legacy runtimes. Your existing Go
1.11 applications will continue to run and receive traffic after their
deprecation date. We
recommend that you migrate to the latest supported version of Go.
Stay organized with collections
Save and categorize content based on your preferences.
App Engine apps require a service account in order to access other Google Cloud
services and execute tasks. By default, the
App Engine default service account
is used as the identity of your App Engine app. You may also specify a
different user-managed service
account to be used as the
identity for a specific version of your App Engine app. This allows you
to grant different privileges to each version, based on the specific tasks it
performs, and avoid granting more privileges than necessary.
This guide covers how to specify a different user-managed service account when
deploying a new version. If you don't need to create a distinct service account
when deploying a specific version of your app, you can continue to use the
default service account by not specifying a service account.
After you create your user-managed service account, you can update the
app-level default service account for your application by using one of the
following methods:
SERVICE_ACCOUNT_NAME with the name of the service account that you created.
PROJECT_ID with ID of the Google Cloud project in which you want to assign the
service account.
Each new version that you deploy after this update uses the new app-level default service
account unless you explicitly assign a version-specific service account.
Console
Go to the App Engine Application Settings tab in the console and click
Edit Application Settings.
Choose an app-level default service account from Select a Service account
and click Save.
You will be redirected to the Application Settings tab where you can view the email
address of your updated app-level default service account. Example:
SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com.
Each new version that you deploy after this update uses the new app-level default service
account unless you explicitly assign a version-specific service account.
Specifying a service account when deploying your app
gcloud
Run the gcloud app deploy command and specify your service account:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eApp Engine apps use a service account to access other Google Cloud services, with the option to use the default or a user-managed service account.\u003c/p\u003e\n"],["\u003cp\u003eUser-managed service accounts allow for granting specific privileges to each App Engine app version, enhancing security by limiting unnecessary permissions.\u003c/p\u003e\n"],["\u003cp\u003eTo deploy a new version with a specific service account, you can use the \u003ccode\u003egcloud app deploy\u003c/code\u003e command with the \u003ccode\u003e--service-account\u003c/code\u003e flag, or set the \u003ccode\u003eservice_account\u003c/code\u003e element in your \u003ccode\u003eapp.yaml\u003c/code\u003e file.\u003c/p\u003e\n"],["\u003cp\u003eCreating a user-managed service account requires defining the appropriate Identity and Access Management (IAM) roles for the account, and you should avoid removing the App Engine service agent.\u003c/p\u003e\n"],["\u003cp\u003eIf both methods of service account specification are defined, the \u003ccode\u003egcloud\u003c/code\u003e setting takes precedence over \u003ccode\u003eapp.yaml\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,[]]