Java 8 has reached end of support
and will be deprecated
on January 31, 2026. After deprecation, you won't be able to deploy Java 8
applications, even if your organization previously used an organization policy to
re-enable deployments of legacy runtimes. Your existing Java
8 applications will continue to run and receive traffic after their
deprecation date. We recommend that
you migrate to the latest supported version of Java.
Stay organized with collections
Save and categorize content based on your preferences.
Roles determine which services and actions are available to a user account or
service account. The following types of roles grant access to App Engine:
Basic roles which apply to all services and resources in a
project, including but not limited App Engine. For example, an account
with the Editor role can change App Engine settings as well as Cloud
Storage settings.
Predefined App Engine roles, which provide
granular access to App Engine. Each service in your
Google Cloud project provides its own predefined roles. For example, an
account that only has the App Engine Deployer role
can deploy App Engine apps but cannot view or create objects
in Cloud Storage. Such an account would also need a specific Cloud Storage
predefined role
to create or view objects in Cloud Storage.
Custom roles,
which provide granular access according to a list of permissions you specify.
You can use basic roles when you are working on smaller projects that have
less complex needs. For more fine-tuned access controls, use predefined roles.
Basic roles
Basic roles apply to all services and resources in a project. For example, an
account in the Editor role can change App Engine settings as well as
Cloud Storage settings.
Role
Google Cloud console permissions
Tools permissions
Owner
Required to create App Engine applications. All viewer and editor
privileges, plus the ability to view deployed
source code, invite users, change user roles, and delete an application.
Required to create App Engine applications. Can also deploy
application code and update all configurations.
Editor
View application information and edit application settings.
Read/Write/Modify access to all application configuration and settings.
To deploy new versions, a principal must have the
Service Account User
(roles/iam.serviceAccountUser) role on the assigned App Engine
service account, and the Cloud Build Editor
(roles/cloudbuild.builds.editor), and Cloud Storage Object Admin
(roles/storage.objectAdmin) roles on the project.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.applications.listRuntimes
appengine.applications.update
appengine.instances.*
appengine.instances.delete
appengine.instances.enableDebug
appengine.instances.get
appengine.instances.list
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
appengine.operations.*
appengine.operations.get
appengine.operations.list
appengine.runtimes.actAsAdmin
appengine.services.*
appengine.services.delete
appengine.services.get
appengine.services.list
appengine.services.update
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.projectsettings.get
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.uploadArtifacts
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Creator
(roles/appengine.appCreator)
Ability to create the App Engine resource for the project.
Lowest-level resources where you can grant this role:
Project
appengine.applications.create
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Viewer
(roles/appengine.appViewer)
Read-only access to all application configuration and settings.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
artifactregistry.projectsettings.get
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Code Viewer
(roles/appengine.codeViewer)
Read-only access to all application configuration, settings, and deployed
source code.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.getFileContents
appengine.versions.list
artifactregistry.projectsettings.get
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Managed VM Debug Access
(roles/appengine.debugger)
Ability to read or manage v2 instances.
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.*
appengine.instances.delete
appengine.instances.enableDebug
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Deployer
(roles/appengine.deployer)
Read-only access to all application configuration and settings.
To deploy new versions, you must also have the
Service Account User
(roles/iam.serviceAccountUser) role on the assigned App Engine
service account, and the Cloud
Build Editor (roles/cloudbuild.builds.editor), and Cloud Storage Object Admin
(roles/storage.objectAdmin) roles on the project.
Cannot modify existing versions other than deleting versions that are not receiving traffic.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
artifactregistry.projectsettings.get
artifactregistry.repositories.deleteArtifacts
artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.uploadArtifacts
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Memcache Data Admin
(roles/appengine.memcacheDataAdmin)
Can get, set, delete, and flush App Engine Memcache items.
appengine.applications.get
appengine.memcache.addKey
appengine.memcache.flush
appengine.memcache.get
appengine.memcache.update
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Service Admin
(roles/appengine.serviceAdmin)
Read-only access to all application configuration and settings.
Write access to module-level and version-level settings. Cannot deploy a new version.
Lowest-level resources where you can grant this role:
Project
appengine.applications.get
appengine.applications.listRuntimes
appengine.instances.delete
appengine.instances.get
appengine.instances.list
appengine.operations.*
appengine.operations.get
appengine.operations.list
appengine.services.*
appengine.services.delete
appengine.services.get
appengine.services.list
appengine.services.update
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
artifactregistry.projectsettings.get
resourcemanager.projects.get
resourcemanager.projects.list
App Engine Standard Environment Service Agent
(roles/appengine.serviceAgent)
Give App Engine Standard Envirnoment service account access to managed resources. Includes access to service accounts.
The predefined roles for App Engine provide you with finer grained
options for access control.
These roles only provide access to App Engine. If your project includes
other services, such as Cloud Storage or Cloud SQL, you will need to assign
additional roles to enable access to the other services.
Comparison of App Engine predefined roles
The following table provides a complete comparison of the capabilities of each
predefined App Engine role.
Capability
App Engine Admin
App Engine Service Admin
App Engine Deployer
App Engine Viewer
App Engine Code Viewer
List all services, versions and instances
Yes
Yes
Yes
Yes
Yes
View all application, service, version, and instance settings
Yes
Yes
Yes
Yes
Yes
View runtime metrics such as resource usage, load information, and error information
Yes
Yes
Yes
Yes
Yes
View app source code
No
No
No
No
Yes
Deploy a new version of an app
Yes, if you also grant the Service Account User role
No
Yes, if you also grant the Service Account User role
Separation of deployment and traffic routing duties
Many organizations prefer to separate the task of deploying an application
version from the task of ramping up traffic to the newly created version, and to
have these tasks done by different job functions. The App Engine Deployer and
App Engine Service Admin roles provide this separation:
App Engine Deployer plus Service Account User roles - Accounts are limited to
deploying new versions and deleting old versions that are not serving traffic.
The account with these roles won't be able to configure traffic to any version
nor change application-level settings such as dispatch rules or authentication
domain.
App Engine Service Admin role - Accounts cannot deploy a new version of
an app nor change application-level settings. However, those accounts have
privileges to change the properties of existing services and versions,
including changing which versions can serve traffic. The App Engine Service
Admin role is ideal for an Operations/IT department that handles ramping up
traffic to newly deployed versions.
Limitations of the predefined roles
None of the App Engine predefined roles grant access to the following:
View and download application logs.
View Monitoring charts in the Google Cloud console.
Enable and Disable billing.
Run security scans in Cloud Security Scanner.
Access configuration or data stored in Datastore, Task Queues, Cloud
Search or any other Cloud Platform storage product.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eRoles in App Engine determine the services and actions a user or service account can access, with options including basic roles, predefined App Engine roles, and custom roles for varying levels of access.\u003c/p\u003e\n"],["\u003cp\u003eBasic roles like Owner, Editor, and Viewer apply broadly across a project, whereas predefined App Engine roles offer granular control specifically for App Engine, and custom roles are tailored to specific permission lists.\u003c/p\u003e\n"],["\u003cp\u003eThe App Engine Admin role provides comprehensive read, write, and modify access, but deploying new versions requires additional roles such as Service Account User, Cloud Build Editor, and Cloud Storage Object Admin.\u003c/p\u003e\n"],["\u003cp\u003eThe App Engine Deployer role allows for the deployment of new versions but requires additional roles like Service Account User, Cloud Build Editor, and Storage Object Admin when using \u003ccode\u003egcloud\u003c/code\u003e or other tooling; it also cannot modify or split traffic, serving as a role for deployment-focused accounts.\u003c/p\u003e\n"],["\u003cp\u003eFor organizations that separate deployment and traffic management, the App Engine Deployer role handles deployments, and the App Engine Service Admin role manages traffic routing and version properties, providing a clear division of responsibilities.\u003c/p\u003e\n"]]],[],null,["# Roles that Grant Access to App Engine\n\nRoles determine which services and actions are available to a user account or\nservice account. The following types of roles grant access to App Engine:\n\n- [Basic roles](#basic_roles) which apply to all services and resources in a\n project, including but not limited App Engine. For example, an account\n with the Editor role can change App Engine settings as well as Cloud\n Storage settings.\n\n- [Predefined App Engine roles](#predefined_roles), which provide\n granular access to App Engine. Each service in your\n Google Cloud project provides its own predefined roles. For example, an\n account that only has the App Engine Deployer role\n can deploy App Engine apps but cannot view or create objects\n in Cloud Storage. Such an account would also need a specific [Cloud Storage\n predefined role](/iam/docs/understanding-roles#cloud-storage-roles)\n to create or view objects in Cloud Storage.\n\n- [Custom roles](/iam/docs/understanding-custom-roles),\n which provide granular access according to a list of permissions you specify.\n\nYou can use basic roles when you are working on smaller projects that have\nless complex needs. For more fine-tuned access controls, use predefined roles.\n\nBasic roles\n-----------\n\nBasic roles apply to all services and resources in a project. For example, an\naccount in the Editor role can change App Engine settings as well as\nCloud Storage settings.\n\nPredefined App Engine roles\n---------------------------\n\nThe predefined roles for App Engine provide you with finer grained\noptions for access control.\n\n*These roles only provide access to App Engine.* If your project includes\nother services, such as Cloud Storage or Cloud SQL, you will need to assign\n[additional roles](/iam/docs/understanding-roles#predefined_roles) to enable access to the other services.\n\n### Comparison of App Engine predefined roles\n\nThe following table provides a complete comparison of the capabilities of each\npredefined App Engine role.\n\n| **Note:** The predefined roles are enforced in the [Google Cloud console](https://console.cloud.google.com/iam-admin/iam), the [Admin API](/appengine/docs/admin-api/access-control), and other tooling that requires access, including the [deployment commands](/appengine/docs/legacy/standard/java/tools/uploadinganapp).\n\nFor details about the specific IAM permissions that are granted by each role,\nsee the [Roles](/appengine/docs/admin-api/access-control#roles) section of the\nAdmin API.\n\nRecommended role for application deployment\n-------------------------------------------\n\nFor an account that is responsible *only* for deploying new versions of an app,\nwe recommend that you grant the following roles:\n\n- App Engine Deployer role (`roles/appengine.deployer`)\n- Service Account User role (`roles/iam.serviceAccountUser`)\n\n The [Service Account User role](/iam/docs/service-account-permissions#user-role)\n enables the account to impersonate the default App Engine service account\n during the deployment process.\n-\n If the account uses `gcloud` commands or other App Engine\n [tooling](/appengine/docs/legacy/standard/java/tools/uploadinganapp) to deploy, add these roles as well:\n\n - Storage Object Admin (`roles/storage.objectAdmin`)\n - Cloud Build Editor (`roles/cloudbuild.builds.editor`)\n\n| **Note:** If you have granted an account the App Engine Admin role, you don't need to grant it the App Engine Deployer role, because the Admin role holds the same relevant permissions as the Deployer role, along with additional administrative privileges. We recommend using the App Engine Deployer role for accounts that are responsible only for deploying new versions.\n\nFor details about how to grant the required permissions, see\n[Creating a user account](/appengine/docs/legacy/standard/java/access-control#user_account).\n\n### Separation of deployment and traffic routing duties\n\nMany organizations prefer to separate the task of deploying an application\nversion from the task of ramping up traffic to the newly created version, and to\nhave these tasks done by different job functions. The App Engine Deployer and\nApp Engine Service Admin roles provide this separation:\n\n- App Engine Deployer plus Service Account User roles - Accounts are limited to deploying new versions and deleting old versions that are not serving traffic. The account with these roles won't be able to configure traffic to any version nor change application-level settings such as dispatch rules or authentication domain.\n- App Engine Service Admin role - Accounts cannot deploy a new version of an app nor change application-level settings. However, those accounts have privileges to change the properties of existing services and versions, including changing which versions can serve traffic. The App Engine Service Admin role is ideal for an Operations/IT department that handles ramping up traffic to newly deployed versions.\n\n\n| **Note** : Accounts with the App Engine Deployer role can overwrite a version that is serving traffic by deploying a new version with the same name (using the `--version` flag).\n\n\u003cbr /\u003e\n\n### Limitations of the predefined roles\n\nNone of the App Engine predefined roles grant access to the following:\n\n- View and download application logs.\n- View Monitoring charts in the Google Cloud console.\n- Enable and Disable billing.\n- Run security scans in Cloud Security Scanner.\n- Access configuration or data stored in Datastore, Task Queues, Cloud Search or any other Cloud Platform storage product."]]