Python 2.7 has reached end of support and will be deprecated on January 31, 2026. After deprecation, you won't be able to deploy Python 2.7 applications, even if your organization previously used an organization policy to re-enable deployments of legacy runtimes. Your existing Python 2.7 applications will continue to run and receive traffic after their deprecation date. We recommend that you migrate to the latest supported version of Python.

Using user-managed service accounts

App Engine apps require a service account in order to access other Google Cloud services and execute tasks. By default, the App Engine default service account is used as the identity of your App Engine app. You may also specify a different user-managed service account to be used as the identity for a specific version of your App Engine app. This allows you to grant different privileges to each version, based on the specific tasks it performs, and avoid granting more privileges than necessary.

This guide covers how to specify a different user-managed service account when deploying a new version. If you don't need to create a distinct service account when deploying a specific version of your app, you can continue to use the default service account by not specifying a service account.

Creating a user-managed service account

To create a user-managed service account, see these instructions. When defining the Identity and Access Management (IAM) roles to grant your service account, you can refer to Roles that Grant Access to App Engine.

If you need to review IAM concepts before creating your service account, see IAM concepts overview and service accounts guides.

Warning: Do not remove the existing App Engine standard environment service agent in your project. The service agent delegates the user-managed service account as the identity for your app. If you remove the service agent, you will see IAM permission errors.

After you create your user-managed service account, you can update the app-level default service account for your application by using one of the following methods:

Important: Only versions deployed after the update will use the new app-level default service account. All previously deployed versions will not use the new app-level default service account until you re-deploy that version.

gcloud

Run the gcloud app update command.

gcloud app update --service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com

Replace:

  • SERVICE_ACCOUNT_NAME with the name of the service account that you created.
  • PROJECT_ID with the ID of the Google Cloud project in which you want to assign the service account.

Each new version that you deploy after this update uses the new app-level default service account unless you explicitly assign a version-specific service account.

Console

  1. Go to the App Engine Application Settings tab in the console and click Edit Application Settings.

    Go to Application Settings

  2. Choose an app-level default service account from Select a Service account and click Save.

    You will be redirected to the Application Settings tab where you can view the email address of your updated app-level default service account. Example: SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com.

    Each new version that you deploy after this update uses the new app-level default service account unless you explicitly assign a version-specific service account.
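
An added example (not part of the original page and not Google's code): because only versions deployed after the update use the new app-level default service account, this Python code classifies a version inventory by the identity each version runs as and lists the versions that still need a redeploy. The inventory record shape, project ID and account names are constructed for illustration and are not gcloud's output schema; the default account email form PROJECT_ID@appspot.gserviceaccount.com is assumed for a project that is not domain-scoped.

```python
import json

# Constructed sample inventory (simplified shape, not gcloud's output schema).
SAMPLE_INVENTORY = json.loads("""
[
  {"service": "default", "version": "v1", "service_account": "example-project@appspot.gserviceaccount.com"},
  {"service": "default", "version": "v2", "service_account": "app-runtime@example-project.iam.gserviceaccount.com"},
  {"service": "worker", "version": "v7", "service_account": "queue-reader@example-project.iam.gserviceaccount.com"},
  {"service": "worker", "version": "v6", "service_account": ""}
]
""")


def default_service_account(project_id):
    """App Engine default service account email (assumes a non-domain-scoped project)."""
    return f"{project_id}@appspot.gserviceaccount.com"


def classify_versions(inventory, project_id, app_level_account):
    """Label each deployed version by the identity it runs as."""
    legacy = default_service_account(project_id).lower()
    wanted = app_level_account.strip().lower()
    report = []
    for item in inventory:
        account = (item.get("service_account") or "").strip().lower()
        if not account:
            status = "unknown"            # identity not recorded; check manually
        elif account == wanted:
            status = "app-level"          # uses the updated app-level default
        elif account == legacy:
            status = "redeploy"           # still on the App Engine default account
        else:
            status = "version-specific"   # explicitly assigned at deploy time
        report.append((item["service"], item["version"], status))
    return report


def needs_redeploy(inventory, project_id, app_level_account):
    """Versions still running as the App Engine default service account."""
    return [(service, version) for service, version, status in
            classify_versions(inventory, project_id, app_level_account)
            if status == "redeploy"]


if __name__ == "__main__":
    for row in classify_versions(SAMPLE_INVENTORY, "example-project",
                                 "app-runtime@example-project.iam.gserviceaccount.com"):
        print(*row)
```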

Specifying a service account when deploying your app

Note: If a user-managed service account is specified in both the app.yaml file and in the gcloud CLI, the gcloud setting is used.

Next steps

Follow best practices for working with service accounts.

Last updated 2025-12-15 UTC.