Last updated (UTC): 2025-08-21.

# Using user-managed service accounts

App Engine apps require a service account in order to access other Google Cloud services and execute tasks. By default, the [App Engine default service account](/appengine/docs/legacy/standard/go111/service-account) is used as the identity of your App Engine app. You may also specify a different [user-managed service account](/iam/docs/service-account-types#user-created) to be used as the identity for a specific version of your App Engine app. This lets you grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.

This guide covers how to specify a different user-managed service account when deploying a new version. If you don't need a distinct service account for a specific version of your app, you can continue to use the default service account by not specifying a service account.

Creating a user-managed service account
---------------------------------------

To create a user-managed service account, see [these instructions](/appengine/docs/legacy/standard/go111/access-control#service_account). When defining the Identity and Access Management (IAM) roles to grant your service account, you can refer to [Roles that Grant Access to App Engine](/appengine/docs/legacy/standard/go111/roles).

If you need to review IAM concepts before creating your service account, see the [IAM concepts overview](/iam/docs/overview) and [service accounts](/iam/docs/service-accounts) guides.

> **Warning:** Do not remove the existing App Engine standard environment service agent in your project. The [service agent](/iam/docs/service-agents) delegates the user-managed service account as the identity for your app. If you remove the service agent, you will see IAM permission errors.

After you create your user-managed service account, you can update the app-level default service account for your application by using one of the following methods:

**Important:** Only versions deployed after the update use the new app-level default service account. Previously deployed versions keep their existing identity until you redeploy them.

### gcloud

Run the `gcloud app update` command:

    gcloud app update --service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com

Replace:

- `SERVICE_ACCOUNT_NAME` with the name of the service account that you created.
- `PROJECT_ID` with the ID of the Google Cloud project in which you want to assign the service account.

Each new version that you deploy after this update uses the new app-level default service account unless you explicitly assign a version-specific service account.

### Console

1. Go to the App Engine **Application Settings** tab in the console and click **Edit Application Settings**.

   [Go to Application Settings](https://console.cloud.google.com/appengine/settings)
2. Choose an app-level default service account from **Select a Service account** and click **Save**.

   You will be redirected to the **Application Settings** tab, where you can view the email address of your updated app-level default service account. Example: `SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com`.

   Each new version that you deploy after this update uses the new app-level default service account unless you explicitly assign a version-specific service account.

Specifying a service account when deploying your app
----------------------------------------------------

**Note:** If a user-managed service account is specified in both the `app.yaml` file and in the gcloud CLI, the `gcloud` setting is used.

### gcloud

Run the `gcloud app deploy` command and specify your service account:

    gcloud app deploy --service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com

### app.yaml

In your [`app.yaml`](/appengine/docs/legacy/standard/go111/config/appref) file, specify your service account by adding the [`service_account`](/appengine/docs/legacy/standard/go111/config/appref#service-account) element:

    service_account: SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com

Next steps
----------

Follow [best practices for working with service accounts](/iam/docs/best-practices-service-accounts).
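The precedence rules described above (the `--service-account` flag overrides the `service_account` element in `app.yaml`, which in turn overrides the app-level default, with the App Engine default service account as the fallback) can be checked before a deploy with a small pre-deploy linter. This is an added example, not code from the page or from Google Cloud; the sample `app.yaml`, the project ID and the account names are constructed, and the `PROJECT_ID@appspot.gserviceaccount.com` form of the default account is the standard App Engine default identity, not something the page states.

```python
import re

# Constructed sample app.yaml fragment (not from the page).
APP_YAML = """\
runtime: go111
service_account: deploy-sa@my-project.iam.gserviceaccount.com
"""

# Rough shape checks: user-managed accounts live under
# <name>@<project>.iam.gserviceaccount.com; the App Engine default
# account is <project>@appspot.gserviceaccount.com (standard form, assumed here).
USER_MANAGED = re.compile(r"^[a-z][a-z0-9-]{5,29}@([a-z][a-z0-9-]{5,29})\.iam\.gserviceaccount\.com$")
APPSPOT_DEFAULT = re.compile(r"^([a-z][a-z0-9-]{5,29})@appspot\.gserviceaccount\.com$")


def service_account_from_yaml(text):
    """Return the value of the top-level service_account element, or None.

    A line-based parse is enough for this one scalar key and avoids a YAML dependency.
    """
    for line in text.splitlines():
        m = re.match(r"^service_account\s*:\s*(\S+)\s*$", line)
        if m:
            return m.group(1).strip("'\"")
    return None


def check_account(email, project_id):
    """Reject malformed values and accounts that belong to a different project."""
    m = USER_MANAGED.match(email) or APPSPOT_DEFAULT.match(email)
    if not m:
        raise ValueError(f"not a service account email: {email!r}")
    if m.group(1) != project_id:
        raise ValueError(f"{email} does not belong to project {project_id}")
    return email


def resolve_identity(project_id, gcloud_flag=None, app_yaml=None, app_level_default=None):
    """Return the identity a new version would run as, applying the page's precedence:
    --service-account flag, then app.yaml service_account, then the app-level default,
    then the App Engine default service account."""
    from_yaml = service_account_from_yaml(app_yaml) if app_yaml else None
    for candidate in (gcloud_flag, from_yaml, app_level_default):
        if candidate:
            return check_account(candidate, project_id)
    return f"{project_id}@appspot.gserviceaccount.com"


if __name__ == "__main__":
    print(resolve_identity("my-project", app_yaml=APP_YAML))
```

Running the linter in CI before `gcloud app deploy` makes it visible when a version would silently fall back to the broadly privileged default account.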