Grant and control access to your Google Cloud Platform project and its resources by assigning roles. You can assign roles to project members and to service accounts.
A service account represents a Google Cloud service identity, such as App Engine, and can be used to access other services.
Choosing the right access control
Assign roles to project members and service accounts to define the degree of access to your GCP project. You can use Identity and Access Management (IAM) roles for more fine-tuned access controls. For details about the various App Engine roles, see Access Control.
In general, the primitive roles of Owner, Editor, and Viewer are simpler to use, but the predefined roles have more fine-grained options for access. If you are just experimenting with App Engine, the simplest approach to access control is to grant the Editor role to all people involved with the project, following the instructions below on Setting permissions. Keep in mind that only an Owner can create App Engine applications in the project and add other people to the project.
When your project is ready for more complex roles:
Identify all the different job functions that need access to the project.
Set up a Google Group for each of these job functions.
Add members as desired to each Google Group.
Follow the instructions below on Setting permissions to add each Google Group as a member of the project and set roles on each group.
Setting permissions
To add a project member and set permissions:
In the Google Cloud Platform Console, visit the IAM & Admin Permissions page for your project.
Click Add member to add new members to the project and set their roles using the dropdown menu. You can add an individual user email or, if you use Google Groups to manage group roles, supply a Google Group email (example-google-group@googlegroups.com).
Assign a role.
- For more generalized control, use a primitive role: Owner, Editor, Viewer
- For more fine-tuned control, use an App Engine predefined role: App Engine Admin, App Engine Service Admin, App Engine Deployer, App Engine Viewer.
To see descriptions and a comparison matrix of all the App Engine roles, and to read about limitations, go to Access Control.
There are other roles in the dropdown menu that apply to other Google Cloud Platform products. For more information on these roles, see Predefined roles.
Deploying using IAM roles
You can grant the ability to deploy new versions of apps to your GCP project by assigning the appropriate IAM roles to a user account.
The App Engine Deployer role is the recommended role for a user account that is responsible for only deploying apps. The App Engine Admin role can also deploy apps but allows additional privileges. Depending on which configuration files must be deployed, you might also need to grant additional roles to an account as explained in the steps below.
Configuring traffic
By default, a user account with the App Engine Deployer role is not allowed to migrate or split traffic to any version of an app. However, if a deployment targets an existing version that is currently serving traffic, the updated version of that app will retain the original traffic settings of the overwritten version.
For example, if version 20201155example is currently serving traffic in your app, when you run the gcloud app deploy --version 20201155example command, the updated version will overwrite the existing version and then begin serving traffic.
If a user account should be responsible for configuring traffic, consider using either the App Engine Admin or App Engine Service Admin role.
Before you begin
Before any user account can deploy apps using an IAM role:
- The owner of the GCP project must first create the App Engine application.
To grant a user account the ability to deploy to App Engine:
In the Google Cloud Platform Console, visit the IAM & Admin permissions page for your project:
Click Add member to add the user account to the project and then select all of the roles for that account by using the dropdown menu:
- Required roles to allow an account to deploy to App Engine:
  - Set one of the following roles:
    - Use the App Engine > App Engine Deployer role to allow the account to deploy a version of an app.
    - To also allow the dos.yaml or dispatch.yaml files to be deployed with an app, use the App Engine > App Engine Admin role instead.
  - To allow use of App Engine tooling to deploy apps, you must also give the user account the Storage > Storage Admin role so that the tooling has permission to upload to Cloud Storage.
- Optional. Give the user account the following roles to grant permission for uploading additional configuration files:
  - Datastore > Datastore Index Admin role: Permissions for uploading index.yaml files.
  - Cloud Scheduler > Cloud Scheduler Admin role: Permissions for uploading cron.yaml files.
  - Cloud Tasks > Cloud Tasks Queue Admin role: Permissions for uploading queue.yaml files.
The user account can now deploy apps to the App Engine application in the associated GCP project. For details about how to deploy apps, see Deploying your app.
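The role list above can be checked against an exported project policy. The following is an added example, not part of the original documentation: it reports which deploy roles a member is missing and which bound roles exceed what a deploy-only account needs. The role IDs are the IAM identifiers for the display names on this page; the member names and the sample policy are constructed.

```python
import json

# IAM role IDs for the display names used on this page (IDs are not on the page).
DEPLOYER = "roles/appengine.deployer"
APP_ADMIN = "roles/appengine.appAdmin"
STORAGE_ADMIN = "roles/storage.admin"
PRIMITIVE = {"roles/owner", "roles/editor", "roles/viewer"}
CONFIG_ROLES = {
    "index.yaml": "roles/datastore.indexAdmin",
    "cron.yaml": "roles/cloudscheduler.admin",
    "queue.yaml": "roles/cloudtasks.queueAdmin",
}
NEEDS_APP_ADMIN = {"dos.yaml", "dispatch.yaml"}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/editor", "members": ["user:ci-deployer@example.com"]},
  {"role": "roles/appengine.deployer", "members": ["user:ci-deployer@example.com",
      "group:example-google-group@googlegroups.com"]},
  {"role": "roles/appengine.serviceAdmin", "members": ["user:ci-deployer@example.com"]},
  {"role": "roles/storage.admin", "members": ["user:ci-deployer@example.com"]}
]}""")


def required_roles(config_files):
    """Smallest role set from the steps above for the given config files."""
    files = set(config_files)
    roles = {APP_ADMIN if files & NEEDS_APP_ADMIN else DEPLOYER, STORAGE_ADMIN}
    return roles | {CONFIG_ROLES[f] for f in files if f in CONFIG_ROLES}


def audit(policy, member, config_files):
    """Compare the roles bound directly to `member` with what deployment needs.

    Group membership is not expanded; pass the group itself as `member`.
    """
    need = required_roles(config_files)
    have = {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}
    # App Engine Admin can also deploy, so it covers a Deployer requirement.
    missing = {r for r in need - have if not (r == DEPLOYER and APP_ADMIN in have)}
    return {
        "missing": sorted(missing),
        "primitive": sorted(have & PRIMITIVE),  # broader than a deploy-only account needs
        "unneeded": sorted(have - need - PRIMITIVE),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, "user:ci-deployer@example.com", ["cron.yaml"]))
```
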
Troubleshooting IAM-related deployment failures
If you configured permissions as instructed above but accounts remain unable to deploy apps, you should verify that the App Engine application has been created.


