
I would like to set separate permissions for different applications that run on GCP AppEngine.

I think that the way to do this is by using specialized service accounts for each application.

As far as I understand, all applications run with the AppEngine default service account project@appspot.gserviceaccount.com

Is there a way to explicitly set a service account for an application which is running on AppEngine in GCP? Then I would be able to create separate service accounts with fine access restrictions.

Haplo

3 Answers


tldr; you can do gcloud beta app deploy --service-account=<your_service_account> app.yaml

AppEngine apps' identities are no longer restricted to the AppEngine default service account. You can now deploy each AppEngine app with a custom service account by following https://cloud.google.com/appengine/docs/standard/python/user-managed-service-accounts#app.yaml.

This works for both AppEngine Standard and Flexible.

Yifan Guo
  • Just a note that you may have to update your gcloud version first. See [the install docs](https://cloud.google.com/appengine/docs/standard/python3/setting-up-environment). For me, this required `gcloud components update` and then using the *beta* flag: `gcloud beta app deploy [app.yaml]`. Either the `--service-account` switch or a `service_account` param in the yaml worked with the *beta*. – modulus0 Jan 26 '22 at 04:55
  • even forcing a custom service account in gcloud beta command above, still the error 500:AppEngine service account cannot be generated for s~project – Gustavo Castanheira May 17 '22 at 15:32
  • user-managed service account for AppEngine is now generally available. – SANN3 May 19 '22 at 06:45

I am assuming you mean App Engine Standard. You only have one App Engine Standard per project.

You can have multiple services under App Engine.

You will need to create a service account and then load the service account inside your code. You can then change the default service account to have the minimum permissions required to function. Make sure you research what you are doing before changing permissions. You can break App Engine by being too restrictive.

However, that brings up security issues on how you manage and distribute the service account keys.

If you mean App Engine Flexible, Google does not even show the Flexible service account in the console, as Google does not want you to modify it.

John Hanley
  • App Engine flexible also uses the same default service account for the app. The other hidden service account it _also_ uses is used behind the scenes for orchestration. See https://cloud.google.com/appengine/docs/flexible/java/access-control#service_account_for_app_engine. – jon_wu Aug 11 '19 at 18:05
  • @jon_wu - Why did you post this comment to my answer? Your link has good information but does not apply to or improve upon my answer. Your comment probably should be moved to the question that was asked. – John Hanley Aug 11 '19 at 18:42
  • 1
    Your answer makes it sound like the default service account does not apply to App Engine flexible and instead uses a different hidden one. It would be helpful to clarify the answer to describe both service accounts per my comment above. – jon_wu Aug 11 '19 at 20:30
  • @jon_wu - Please create a new question. – John Hanley Aug 11 '19 at 21:41
  • This answer is outdated, AppEngine now supports user-managed service accounts. – SANN3 May 19 '22 at 06:44

You have to just add the following code in your app.yaml file

```yaml
service_account: {SERVICE_ACCOUNT_YOU_WANT_TO_USE_TO_ACCESS_APP_ENGINE}
```
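The two accepted routes on this page (the `service_account` key in `app.yaml`, or `--service-account` on `gcloud beta app deploy`) only give you per-service least privilege if every service actually declares its own non-default identity. The following is an added example, not code from the question or any answer: a small pre-deploy check a CI pipeline could run over each service's `app.yaml` to flag a missing `service_account`, a fallback to the `PROJECT_ID@appspot.gserviceaccount.com` default, or an account from another project, and to build the deploy command line from the page. The project id, service names and sample `app.yaml` contents are constructed; the length rules in the email regex are this example's assumptions about Google's naming limits, not something the page states.

```python
import re
from typing import List, Optional

# Suffix of the App Engine default service account (from the question).
DEFAULT_SA_SUFFIX = "@appspot.gserviceaccount.com"

# Assumed shape of a user-managed service account email:
# <name>@<project-id>.iam.gserviceaccount.com, names and project ids
# of 6-30 lowercase chars starting with a letter (assumption for this check).
SA_EMAIL_RE = re.compile(
    r"^[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{5,29}\.iam\.gserviceaccount\.com$"
)


def service_account_from_app_yaml(text: str) -> Optional[str]:
    """Return the top-level `service_account:` value from app.yaml text.

    A deliberately tiny line parser so the check has no YAML dependency:
    only an unindented `service_account:` key counts, and `#` comments
    are ignored.
    """
    for line in text.splitlines():
        if line.startswith((" ", "\t")):
            continue  # nested key, not the top-level setting
        stripped = line.split("#", 1)[0].strip()
        m = re.match(r"^service_account:\s*['\"]?([^'\"\s]+)['\"]?$", stripped)
        if m:
            return m.group(1)
    return None


def check_app_yaml(text: str, project_id: str) -> List[str]:
    """Return policy findings for one service's app.yaml (empty = OK)."""
    findings: List[str] = []
    sa = service_account_from_app_yaml(text)
    if sa is None:
        findings.append(
            "no service_account set; the deploy would run as the "
            "App Engine default service account"
        )
        return findings
    if sa == f"{project_id}{DEFAULT_SA_SUFFIX}":
        findings.append(
            f"service_account is the project default ({sa}); "
            "use a dedicated account with only the roles this service needs"
        )
    elif not SA_EMAIL_RE.match(sa):
        findings.append(f"service_account {sa!r} is not a valid "
                        "user-managed service account email")
    elif not sa.endswith(f"@{project_id}.iam.gserviceaccount.com"):
        # Policy choice of this example: keep identities inside the project.
        findings.append(f"service_account {sa} belongs to another project")
    return findings


def deploy_command(app_yaml_path: str, service_account: str) -> List[str]:
    """Build the deploy argv shown in the accepted answer."""
    return ["gcloud", "beta", "app", "deploy",
            f"--service-account={service_account}", app_yaml_path]


# Constructed sample app.yaml files (not from the page).
DEDICATED_APP_YAML = """\
runtime: python39
service: orders-api
# dedicated identity for this service
service_account: orders-api@my-project-123.iam.gserviceaccount.com
handlers:
- url: /.*
  script: auto
"""

DEFAULT_APP_YAML = """\
runtime: python39
service: reports
service_account: my-project-123@appspot.gserviceaccount.com
"""

MISSING_APP_YAML = """\
runtime: python39
service: legacy
"""

if __name__ == "__main__":
    for name, text in [("orders-api", DEDICATED_APP_YAML),
                       ("reports", DEFAULT_APP_YAML),
                       ("legacy", MISSING_APP_YAML)]:
        problems = check_app_yaml(text, "my-project-123")
        print(name, "OK" if not problems else problems)
```

Run it before `gcloud beta app deploy` for each service directory; a non-empty finding list is the signal to create a dedicated service account (with the minimum roles John Hanley's answer recommends) and put its email into `service_account:` rather than inheriting the project default.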