If I create custom service account with limited permissions, can I set this new service account to be the Application Default Credential?
By default, inside App Engine there is an environment variable GOOGLE_APPLICATION_CREDENTIALS that is set to the ADC, which is the default service account's credentials. Can I modify this?
I am aware that I can set this environment variable to point to my custom service account credentials file locally, but I do not see a clear way to do this in App Engine.
ADC is not a credential. ADC is a method of finding credentials.
Google Cloud Application Default Credentials
App Engine Standard uses one default service account per project. All App Engine Standard services in a project use the same service account. You can modify the default service account but you cannot change the default service account to use a different service account (as you can with Compute Engine).
If you decide to create a new service account for usage within your application, do not store the service account in your application. This means forget about GOOGLE_APPLICATION_CREDENTIALS. Instead, store the service account in Google Secret Manager (better) or Google Cloud Storage (OK with the right permissions). Load the service account JSON data during application startup.
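The startup pattern the answer describes, as an added example that is not code from the answer or from Google: fetch the key JSON from Secret Manager, validate that it really is a service-account key, and build credentials from it in memory so the key never sits in a file or in GOOGLE_APPLICATION_CREDENTIALS. The project id, the secret name `limited-sa-key`, and the sample key payload are assumptions; the Google client calls are the real `google-cloud-secret-manager` and `google-auth` APIs, imported lazily so the validation logic can be exercised offline.

```python
"""Load a custom service-account key from Secret Manager at App Engine startup.

Added example. Assumptions (not from the original answer): the key JSON was
stored as one secret payload, the secret is named "limited-sa-key", and the
default App Engine service account has roles/secretmanager.secretAccessor on it.
"""
import json
import os
from typing import Callable

# Fields every Google service-account key file carries. Anything lacking them
# is rejected so a mis-named or truncated secret cannot be used by accident.
REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email", "token_uri")


def fetch_secret_payload(project_id: str, secret_id: str, version: str = "latest") -> bytes:
    """Read one secret version from Google Secret Manager (network call)."""
    # Imported here so parse_service_account_key() is testable without the SDK.
    from google.cloud import secretmanager

    client = secretmanager.SecretManagerServiceClient()
    name = f"projects/{project_id}/secrets/{secret_id}/versions/{version}"
    return client.access_secret_version(request={"name": name}).payload.data


def parse_service_account_key(payload: bytes) -> dict:
    """Decode and validate a service-account key JSON blob.

    Raises ValueError instead of returning a partial dict, so a misconfigured
    secret fails at startup rather than on the first API call. The error text
    never echoes the payload, so a key cannot leak into logs this way.
    """
    try:
        info = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("secret payload is not UTF-8 JSON") from exc
    if not isinstance(info, dict):
        raise ValueError("secret payload is not a JSON object")
    missing = [field for field in REQUIRED_FIELDS if field not in info]
    if missing:
        raise ValueError(f"service account key is missing fields: {missing}")
    if info["type"] != "service_account":
        raise ValueError(f"expected a service_account key, got type={info['type']!r}")
    return info


def load_credentials(fetch: Callable[[], bytes],
                     scopes=("https://www.googleapis.com/auth/cloud-platform",)):
    """Build google-auth credentials from a fetched key; nothing is written to disk."""
    from google.oauth2 import service_account  # lazy import, same reason as above

    info = parse_service_account_key(fetch())
    return service_account.Credentials.from_service_account_info(info, scopes=list(scopes))


# Constructed sample payload with placeholder values (not a real key); the
# private key body is deliberately not a valid PEM.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "limited-sa@example-project.iam.gserviceaccount.com",
    "client_id": "0",
    "token_uri": "https://oauth2.googleapis.com/token",
}).encode("utf-8")


if __name__ == "__main__":
    # On App Engine: fetch once at startup, build the credentials object once,
    # and pass it to every Google client the app constructs.
    creds = load_credentials(lambda: fetch_secret_payload(
        os.environ["GOOGLE_CLOUD_PROJECT"], "limited-sa-key"))
    print("loaded credentials for", creds.service_account_email)
```

Because the key is only ever held in memory, rotating it is a matter of adding a new secret version and redeploying; nothing in the application image or its environment variables has to change.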
Just a follow-up question: when I do "gcloud app deploy", this will set the default service account regardless of how I'm authenticated to gcloud, correct? In other words, if I "gcloud auth login" as any service account, this service account will not be used inside App Engine?
@Arximede Your app deploy will not change the App Engine service account. The credentials that you use to publish an application do not affect the credentials the application uses. Your credentials are separate from Google App Engine credentials.