Java 8 has reached end of support
and will be deprecated
on January 31, 2026. After deprecation, you won't be able to deploy Java 8
applications, even if your organization previously used an organization policy to
re-enable deployments of legacy runtimes. Your existing Java
8 applications will continue to run and receive traffic after their
deprecation date. We recommend that
you migrate to the latest supported version of Java.
Stay organized with collections
Save and categorize content based on your preferences.
After you create an App Engine application, the
App Engine default service account
is created and used as the identity of your
App Engine app. The App Engine default service account is
associated with your Google Cloud project and executes tasks on behalf of your
apps running in App Engine.
Viewing the App Engine default service account
To view your service accounts:
In the Google Cloud console, go to the Service accounts page.
If you disable the automatic role grant, you must decide which roles to grant to the default
service accounts, and then grant these
roles yourself.
If the default service account already has the Editor role, we recommend that you replace the
Editor role with less permissive roles.To safely modify the service account's roles, use Policy Simulator to see the impact of
the change, and then grant and revoke the
appropriate roles.
Changing service account permissions
You can use the Google Cloud console to grant or remove roles from the
default service account. For example, you can
downgrade the permissions used by the App Engine default service account
by changing its role from Editor to whichever role(s) that best represent the
access needs for your App Engine app.
To modify roles for the App Engine default service account:
Locate the App Engine default service account in the
Principals list. The App Engine default service account appears in
the list if roles have been automatically or manually granted to the
service account.
Select the edit button to modify the roles assigned to the service account.
If you delete your App Engine default service account, your
App Engine application might break and lose access to other
Google Cloud services, such as Datastore.
You can restore App Engine default service accounts that have been deleted
within the last 30 days by following the steps in
undeleting a service account.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eThe App Engine default service account is automatically created when an App Engine application is created, acting as the identity for the app and executing tasks.\u003c/p\u003e\n"],["\u003cp\u003eThe default service account may be granted the Editor role automatically, however, it is recommended to disable this automatic grant and manually assign less permissive roles if needed.\u003c/p\u003e\n"],["\u003cp\u003eYou can modify the roles assigned to the App Engine default service account via the Google Cloud console's IAM page to adjust its permissions, downgrading it if necessary.\u003c/p\u003e\n"],["\u003cp\u003eDeleting the App Engine default service account can cause the application to malfunction and lose access to other Google Cloud services, so care should be taken when managing it.\u003c/p\u003e\n"],["\u003cp\u003eIf accidentally deleted, the App Engine default service account can be restored within 30 days by following the standard service account undeletion process.\u003c/p\u003e\n"]]],[],null,["# Using the Default App Engine Service Account\n\nAfter you create an App Engine application, the\n*[App Engine default service account](/iam/docs/service-account-types#default)*\nis created and used as the identity of your\nApp Engine app. The App Engine default service account is\nassociated with your Google Cloud project and executes tasks on behalf of your\napps running in App Engine.\n\nViewing the App Engine default service account\n----------------------------------------------\n\nTo view your service accounts:\n\n1. In the Google Cloud console, go to the **Service accounts** page.\n\n [Go to Service accounts](https://console.cloud.google.com/iam-admin/serviceaccounts)\n2. Select your project.\n\n3. In the list, locate the email address of the App Engine default service account: \n\n\n \u003cvar translate=\"no\"\u003eYOUR_PROJECT_ID\u003c/var\u003e`@appspot.gserviceaccount.com`\n\nModifying the default service account\n-------------------------------------\n\n\nDepending on your organization policy configuration, the default service account might\nautomatically be granted the [Editor role](/iam/docs/roles-overview#basic) on your\nproject. We strongly recommend that you disable the automatic role grant by [enforcing the `iam.automaticIamGrantsForDefaultServiceAccounts` organization policy\nconstraint](/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_default_grants). If you created your organization after May 3, 2024, this\nconstraint is enforced by default.\n\n\nIf you disable the automatic role grant, you must decide which roles to grant to the default\nservice accounts, and then [grant these\nroles](/iam/docs/granting-changing-revoking-access) yourself.\n\n\nIf the default service account already has the Editor role, we recommend that you replace the\nEditor role with less permissive roles.To safely modify the service account's roles, use [Policy Simulator](/policy-intelligence/docs/simulate-iam-policies) to see the impact of\nthe change, and then [grant and revoke the\nappropriate roles](/iam/docs/granting-changing-revoking-access).\n\n\u003cbr /\u003e\n\n| **Warning:** Deleting the App Engine default service account breaks any current and future App Engine applications in your Google Cloud project. For example, your application will lose access to other Google Cloud services such as Datastore. If needed, you can [restore a deleted default\n| service account](#repair-service-account).\n\n### Changing service account permissions\n\nYou can use the Google Cloud console to grant or remove roles from the\ndefault service account. For example, you can\ndowngrade the permissions used by the App Engine default service account\nby changing its role from Editor to whichever role(s) that best represent the\naccess needs for your App Engine app.\n\nTo modify roles for the App Engine default service account:\n\n1. In the Google Cloud console, go to the **IAM** page.\n\n [Go to IAM](https://console.cloud.google.com/iam-admin/iam)\n2. Select your project.\n\n3. Locate the App Engine default service account in the\n Principals list. The App Engine default service account appears in\n the list if roles have been automatically or manually granted to the\n service account.\n\n4. Select the edit button to modify the roles assigned to the service account.\n\n| **Note:** You cannot remove application access to its task queues and cron jobs.\n\nUsing the default service account\n---------------------------------\n\nYour App Engine app uses the credentials of the App Engine\nservice account by default. For more information, see [Granting your app access\nto Cloud services](/appengine/docs/legacy/standard/java/access-control\n\n#apps).\n\nRestoring a deleted default service account\n-------------------------------------------\n\nIf you delete your App Engine default service account, your\nApp Engine application might break and lose access to other\nGoogle Cloud services, such as Datastore.\n\nYou can restore App Engine default service accounts that have been deleted\nwithin the last 30 days by following the steps in\n[undeleting a service account](/iam/docs/service-accounts-delete-undelete#undeleting).\n\nMore information about service accounts\n---------------------------------------\n\n- [Default service accounts](/iam/docs/service-account-types#default)\n\n- [Managing service accounts](/iam/docs/creating-managing-service-accounts)"]]
