The Google App Engine Admin API uses Google Cloud Identity and Access Management (IAM) for access control.
Access control in Google App Engine Admin API can be configured at the project level. Access to Cloud Platform projects and the resources within them can be granted to user accounts, domains, groups, or service accounts. For example:
- Grant access to all the resources within a project to an individual member or to all the members of a service account.
- Grant access on a per-role basis, rather than for the whole project, so that project members receive only limited capabilities: for example, read-only access to resources, or the ability to deploy new versions but not to configure traffic to those versions.
For a detailed description of IAM and its features, see the Google Cloud Identity and Access Management documentation.
Every Admin API method requires the caller to have the necessary permissions. See the following section for a list of all the permissions and roles that the Admin API IAM supports.
Permissions and roles
This section summarizes the permissions and roles that Admin API IAM supports.
For details about the App Engine roles, see App Engine Access Control.
Required permissions
The following table lists the permissions that the caller must have to call each method:
| Method | Required Permission(s) |
|---|---|
| apps.get | appengine.applications.get on the requested Application resource. |
| apps.patch | appengine.applications.update on the requested Application resource. |
| apps.repair | appengine.applications.update on the requested Application resource. |
| apps.services.delete | appengine.services.delete on the requested Service resource. |
| apps.services.get | appengine.services.get on the requested Service resource. |
| apps.services.list | appengine.services.list on the requested Application resource. |
| apps.services.patch | appengine.services.update on the requested Service resource. |
| apps.services.versions.create | appengine.versions.create on the requested Service resource. |
| apps.services.versions.delete | appengine.versions.delete on the requested Version resource. |
| apps.services.versions.get | appengine.versions.get on the requested Version resource. |
| apps.services.versions.list | appengine.versions.list on the requested Service resource. |
| apps.services.versions.patch | appengine.versions.update on the requested Version resource. |
| apps.services.versions.instances.debug | appengine.instances.enableDebug on the requested Instance resource. |
| apps.services.versions.instances.delete | appengine.instances.delete on the requested Instance resource. |
| apps.services.versions.instances.get | appengine.instances.get on the requested Instance resource. |
| apps.services.versions.instances.list | appengine.instances.list on the requested Version resource. |
| apps.operations.get | appengine.operations.get on the requested Operation resource. |
| apps.operations.list | appengine.operations.list on the requested Operation resource. |
Roles
The following table lists the Google App Engine Admin API IAM roles with a corresponding list of all the permissions included in each role. Note that every permission is applicable to a particular resource type.
| Role | Includes permissions |
|---|---|
| App Engine Admin: Read/Write/Modify access to all application configuration and settings. | appengine.applications.get, appengine.applications.update, appengine.services.delete, appengine.services.get, appengine.services.list, appengine.services.update, appengine.versions.create, appengine.versions.delete, appengine.versions.get, appengine.versions.list, appengine.versions.update, appengine.instances.delete, appengine.instances.enableDebug, appengine.instances.get, appengine.instances.list, appengine.instances.update, appengine.operations.cancel, appengine.operations.delete, appengine.operations.get, appengine.operations.list, resourcemanager.projects.get, resourcemanager.projects.list |
| App Engine Deployer: Read-only access to all application configuration and settings. Write access to service-level and version-level settings. Cannot deploy a new version. | appengine.applications.get, appengine.services.create, appengine.services.get, appengine.services.list, appengine.versions.create, appengine.versions.delete, appengine.versions.get, appengine.versions.list, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.operations.list, resourcemanager.projects.get, resourcemanager.projects.list |
| App Engine Service Admin: Read-only access to all application configuration and settings. Write access only to create a new version; cannot modify existing versions other than deleting versions that are not receiving traffic. Cannot change the default version. | appengine.applications.get, appengine.services.delete, appengine.services.get, appengine.services.list, appengine.services.update, appengine.versions.delete, appengine.versions.get, appengine.versions.list, appengine.versions.update, appengine.instances.get, appengine.instances.list, appengine.instances.delete, appengine.operations.get, appengine.operations.list, resourcemanager.projects.get, resourcemanager.projects.list |
| App Engine Viewer: Read-only access to all application configuration and settings. | appengine.applications.get, appengine.services.get, appengine.services.list, appengine.versions.get, appengine.versions.list, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.operations.list, resourcemanager.projects.get, resourcemanager.projects.list |
| App Engine Code Viewer: Read-only access to all application configuration and settings, and to deployed source code. | appengine.applications.get, appengine.services.get, appengine.services.list, appengine.versions.get, appengine.versions.getFileContents, appengine.versions.list, appengine.instances.get, appengine.instances.list, appengine.operations.get, appengine.operations.list, resourcemanager.projects.get, resourcemanager.projects.list |
Note that the roles roles/owner, roles/editor, and roles/viewer include permissions for other Google Cloud Platform services as well. For more information about these primitive roles, see Access Control.
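As an added illustration (not code from this page or from Google), the following Python script encodes the two tables above and uses them for two defender-side checks: which predefined role is the least-privileged one whose permissions cover a given set of Admin API methods, and which members of a project IAM policy hold App Engine write capabilities or one of the primitive roles just mentioned. The role ids (roles/appengine.appAdmin, roles/appengine.deployer, roles/appengine.serviceAdmin, roles/appengine.appViewer, roles/appengine.codeViewer), the list of permissions treated as sensitive, and the sample policy are assumptions, not taken from this page; the resourcemanager.projects.* permissions are left out of the model.

```python
"""Least-privilege helpers built from the two IAM tables on this page.
Role/permission data are transcribed from the page. The predefined role ids
(roles/appengine.appAdmin etc.) and the sample policy are assumptions, not
taken from the page; resourcemanager.projects.* permissions are left out."""


def _perms(names: str) -> set:
    """Expand whitespace-separated short names into appengine.* permissions."""
    return {"appengine." + n for n in names.split()}


# Role -> permissions, per the Roles table (role ids assumed, see above).
ROLE_PERMISSIONS = {
    "roles/appengine.appAdmin": _perms(
        "applications.get applications.update services.delete services.get "
        "services.list services.update versions.create versions.delete "
        "versions.get versions.list versions.update instances.delete "
        "instances.enableDebug instances.get instances.list instances.update "
        "operations.cancel operations.delete operations.get operations.list"),
    "roles/appengine.deployer": _perms(
        "applications.get services.create services.get services.list "
        "versions.create versions.delete versions.get versions.list "
        "instances.get instances.list operations.get operations.list"),
    "roles/appengine.serviceAdmin": _perms(
        "applications.get services.delete services.get services.list "
        "services.update versions.delete versions.get versions.list "
        "versions.update instances.get instances.list instances.delete "
        "operations.get operations.list"),
    "roles/appengine.appViewer": _perms(
        "applications.get services.get services.list versions.get "
        "versions.list instances.get instances.list operations.get operations.list"),
    "roles/appengine.codeViewer": _perms(
        "applications.get services.get services.list versions.get "
        "versions.getFileContents versions.list instances.get instances.list "
        "operations.get operations.list"),
}

# Method -> the one permission the Required permissions table lists for it.
_METHOD_TABLE = """
apps.get applications.get
apps.patch applications.update
apps.repair applications.update
apps.services.delete services.delete
apps.services.get services.get
apps.services.list services.list
apps.services.patch services.update
apps.services.versions.create versions.create
apps.services.versions.delete versions.delete
apps.services.versions.get versions.get
apps.services.versions.list versions.list
apps.services.versions.patch versions.update
apps.services.versions.instances.debug instances.enableDebug
apps.services.versions.instances.delete instances.delete
apps.services.versions.instances.get instances.get
apps.services.versions.instances.list instances.list
apps.operations.get operations.get
apps.operations.list operations.list
"""
METHOD_PERMISSION = {m: "appengine." + p for m, p in
                     (line.split() for line in _METHOD_TABLE.split("\n") if line)}


def roles_allowing(methods) -> list:
    """Roles whose permissions cover every method, least privileged (fewest permissions) first.
    Raises KeyError for a method that is not in the Required permissions table."""
    needed = {METHOD_PERMISSION[m] for m in methods}
    fitting = [r for r, perms in ROLE_PERMISSIONS.items() if needed <= perms]
    return sorted(fitting, key=lambda r: len(ROLE_PERMISSIONS[r]))


PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
SENSITIVE = {  # App Engine write permissions worth a second look in a policy review
    "appengine.versions.create": "deploy new versions",
    "appengine.services.update": "change service settings and traffic",
    "appengine.applications.update": "change application settings",
}


def audit_policy(policy: dict) -> dict:
    """Member -> findings: sensitive write capabilities granted by predefined App Engine
    roles, plus any primitive role (which also reaches other services). Quiet members are omitted."""
    findings = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            notes = findings.setdefault(member, [])
            if role in PRIMITIVE_ROLES:
                notes.append(f"{role}: primitive role, reaches beyond App Engine")
                continue
            for perm, capability in SENSITIVE.items():
                if perm in ROLE_PERMISSIONS.get(role, set()):
                    notes.append(f"{role}: can {capability} ({perm})")
    return {m: n for m, n in findings.items() if n}


# Constructed sample, shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/appengine.appViewer", "members": ["user:auditor@example.com"]},
    {"role": "roles/appengine.deployer",
     "members": ["serviceAccount:ci-deploy@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor", "members": ["user:dev@example.com"]},
]}
```

For a real project, load the JSON produced by `gcloud projects get-iam-policy PROJECT --format=json` with `json.load` and pass it to `audit_policy`; `roles_allowing` is useful before granting a role to a CI service account, since it ranks roles by how many permissions they carry rather than by their names. Custom roles are not in the model, so they produce no findings and should be reviewed separately.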
Controlling access via the Cloud Platform Console
You can use the Cloud Platform Console to manage access control for your Cloud Platform projects.
Setting project-wide access controls
To grant members access to a Cloud Platform project and its resources, see Granting, Changing, and Revoking Access to Project Members.
Setting service account access controls
You can create a service account in a Cloud Platform project to grant your app programmatic access to Cloud Platform services. For example, use a service account to allow one Cloud Platform project to send HTTP requests with the Google App Engine Admin API to another Cloud Platform project.
To create service accounts and grant access, see the following IAM topics: