
How can I change the Service Account that my GCP GAE Flex Service is running as?

I'm wondering if I can configure a GAE Flexible "service" to use a specific service account ID instead of the default service account ID, which all services run as.

Why? I want to isolate each service's permissions, but also simplify the service code by allowing it to still use the Application Default credentials method of calling Google APIs.

Is there an app.yaml configuration/environment variable where I can control this?

I didn't see the answer here https://cloud.google.com/appengine/docs/flexible/java/migrating or https://cloud.google.com/appengine/docs/flexible/java/authorizing-apps

I also found this https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#using which tells me how to do what I want at the compute engine level, but I don't see how to apply it at the GAE Flex managed level.

If this is not possible, what is the next best alternative?

successhawk asked Nov 21 '16 22:11




1 Answer

This isn't possible at the moment. The best way to go forward with this would be to open a feature request here.

siamsot answered Sep 28 '22 10:09