Python 2.7 has reached end of supportand will bedeprecatedon January 31, 2026. After deprecation, you won't be able to deploy Python 2.7applications, even if your organization previously used an organization policy tore-enable deployments of legacy runtimes. Your existing Python2.7 applications will continue to run and receive traffic after theirdeprecation date. We recommend thatyoumigrate to the latest supported version of Python.

The App Engine standard environment service agent

In addition to theApp Engine default serviceaccount, theApp Engine standard environment includes aApp Engine standard environment service agent. The service agentenables your Google Cloud project to interact with the resources of your appseparately from other Google Cloud services.

Google automatically creates this account when you deploy a project's first appto the App Engine standard environment using App Engine tooling,such as thegcloud app deploy command.

The service agent is not listed on the ServiceAccounts page of the Google Cloud console and has the following restrictions:

Warning: Removing the service agent removesthe binding for the service agent from your Google Cloud project. If youremove the binding or change the permissions for the service agent,any deployment to your app in the standard environment might fail.

Verifying the App Engine standard environment service agent

To verify that the service agent existsin your Google Cloud project, perform the following steps:

  1. Open the Google Cloud console:

    Go to the Permissionspage

  2. In the upper-right corner of thePermissions page, select theInclude Google-provided role grants checkbox.

  3. In thePrincipals list, locate the ID of the App Engine standard environment serviceagent, which uses the ID
    service-PROJECT_NUMBER@gcp-gae-service.iam.gserviceaccount.com.

  4. Verify that the service agent has beengranted theApp Engine standard environment Service Agent role.

Service Agent role

The service agent has theApp Engine standard environment Service Agent role.The role includes a set of permissions needed by Python 2 standard environment to manage your standard environment apps. For example,this role includes permissions to perform the following tasks:

  • Get an access token for App Engine instances to access other Google Cloud resources, such as a Cloud Storage bucket.
  • Use theBlobstore API from App Engine legacy bundled services.

The App Engine standard environment Service Agent role is reserved for theservice agent. Do not grant thisIAM role to any other account, because thepermissions that the role includes can change without notice.

Restoring a deleted service agent

If you accidentally delete the App Engine standard environment service agent,restore it by performing the following steps:

  1. Open the Google Cloud console:

    Go to the Permissionspage

  2. ClickAdd.

  3. Enter the service agent ID using the format
    service-PROJECT_NUMBER@gcp-gae-service.iam.gserviceaccount.com.

  4. Select theApp Engine standard environment Service Agent role.

  5. ClickSave.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.