Using the Default App Engine Service Account
After you create an App Engine application, the App Engine default service account is created and used as the identity of your App Engine app. The App Engine default service account is associated with your Google Cloud project and executes tasks on behalf of your apps running in App Engine.
Viewing the App Engine default service account
To view your service accounts:
In the Google Cloud console, go to the Service accounts page.
Select your project.
In the list, locate the email address of the App Engine default service account:
YOUR_PROJECT_ID@appspot.gserviceaccount.com
Modifying the default service account
Depending on your organization policy configuration, the default service account might automatically be granted the Editor role on your project. We strongly recommend that you disable the automatic role grant by enforcing the iam.automaticIamGrantsForDefaultServiceAccounts organization policy constraint. If you created your organization after May 3, 2024, this constraint is enforced by default.
If you disable the automatic role grant, you must decide which roles to grant to the default service accounts, and then grant these roles yourself.
If the default service account already has the Editor role, we recommend that you replace the Editor role with less permissive roles. To safely modify the service account's roles, use Policy Simulator to see the impact of the change, and then grant and revoke the appropriate roles.
Warning: Deleting the App Engine default service account breaks any current and future App Engine applications in your Google Cloud project. For example, your application will lose access to other Google Cloud services such as Datastore. If needed, you can restore a deleted default service account.
Changing service account permissions
You can use the Google Cloud console to grant or remove roles from the default service account. For example, you can downgrade the permissions used by the App Engine default service account by changing its role from Editor to whichever role or roles best represent the access needs of your App Engine app.
To modify roles for the App Engine default service account:
In the Google Cloud console, go to the IAM page.
Select your project.
Locate the App Engine default service account in the Principals list. The App Engine default service account appears in the list if roles have been automatically or manually granted to the service account.
Select the edit button to modify the roles assigned to the service account.
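An added example, not part of the original page and not Google's code: a Python check over a project's IAM policy JSON that reports whether the App Engine default service account still holds Editor (generalized here to any basic role) and whether bindings still reference a deleted copy of the account. The sample policy, the project IDs and the function name audit_default_sa are constructed for illustration, and the account email is assumed to follow the form shown above.

```python
import json

# Basic roles are project-wide; the page recommends replacing Editor.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:example-project@appspot.gserviceaccount.com",
                 "user:dev@example.com"]},
    {"role": "roles/datastore.user",
     "members": ["serviceAccount:example-project@appspot.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["deleted:serviceAccount:old-project@appspot.gserviceaccount.com?uid=123"]}
  ]
}
""")


def audit_default_sa(policy, project_id):
    """Return the roles bound to the App Engine default service account."""
    email = f"{project_id}@appspot.gserviceaccount.com"
    active = f"serviceAccount:{email}"
    # IAM rewrites members of a deleted account to this prefixed form.
    deleted_prefix = f"deleted:serviceAccount:{email}?uid="
    findings = {"basic_roles": [], "other_roles": [], "deleted_bindings": []}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member == active:
                key = "basic_roles" if role in BASIC_ROLES else "other_roles"
                findings[key].append(role)
            elif member.startswith(deleted_prefix):
                findings["deleted_bindings"].append(role)
    for roles in findings.values():
        roles.sort()
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_default_sa(SAMPLE_POLICY, "example-project"), indent=2))
```

A non-empty basic_roles list marks an account that should be moved to narrower roles; entries in deleted_bindings point at a deleted default service account whose bindings remain in the policy.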
Using the default service account
Your App Engine app uses the credentials of the App Engine service account by default. For more information, see Granting your app access to Cloud services.
Restoring a deleted default service account
If you delete your App Engine default service account, your App Engine application might break and lose access to other Google Cloud services, such as Datastore.
You can restore App Engine default service accounts that have been deleted within the last 30 days by following the steps in undeleting a service account.
Last updated 2025-12-15 UTC.