Java 8 has reached end of support and will be deprecated on January 31, 2026. After deprecation, you won't be able to deploy Java 8 applications, even if your organization previously used an organization policy to re-enable deployments of legacy runtimes. Your existing Java 8 applications will continue to run and receive traffic after their deprecation date. We recommend that you migrate to the latest supported version of Java.

Using the Default App Engine Service Account

After you create an App Engine application, the App Engine default service account is created and used as the identity of your App Engine app. The App Engine default service account is associated with your Google Cloud project and executes tasks on behalf of your apps running in App Engine.

Viewing the App Engine default service account

To view your service accounts:

In the Google Cloud console, go to the Service accounts page.

Go to Service accounts
Select your project.
In the list, locate the email address of the App Engine default service account:

YOUR_PROJECT_ID@appspot.gserviceaccount.com

Modifying the default service account

Depending on your organization policy configuration, the default service account might automatically be granted the Editor role on your project. We strongly recommend that you disable the automatic role grant by enforcing the iam.automaticIamGrantsForDefaultServiceAccounts organization policy constraint. If you created your organization after May 3, 2024, this constraint is enforced by default.

If you disable the automatic role grant, you must decide which roles to grant to the default service accounts, and then grant these roles yourself.

If the default service account already has the Editor role, we recommend that you replace the Editor role with less permissive roles.To safely modify the service account's roles, use Policy Simulator to see the impact of the change, and then grant and revoke the appropriate roles.

Changing service account permissions

You can use the Google Cloud console to grant or remove roles from the default service account. For example, you can downgrade the permissions used by the App Engine default service account by changing its role from Editor to whichever role(s) that best represent the access needs for your App Engine app.

To modify roles for the App Engine default service account:

In the Google Cloud console, go to the IAM page.

Go to IAM
Select your project.
Locate the App Engine default service account in the Principals list. The App Engine default service account appears in the list if roles have been automatically or manually granted to the service account.
Select the edit button to modify the roles assigned to the service account.

Using the default service account

Your App Engine app uses the credentials of the App Engine service account by default. For more information, see Granting your app access to Cloud services.

Restoring a deleted default service account

If you delete your App Engine default service account, your App Engine application might break and lose access to other Google Cloud services, such as Datastore.

You can restore App Engine default service accounts that have been deleted within the last 30 days by following the steps in undeleting a service account.