google-app-engine google-cloud-platform

Custom service account for AppEngine


I would like to set separate permissions for different applications that run on GCP AppEngine.

I think that the way to do this is by using specialized service accounts for each application.

As far as I understand, all applications run with the AppEngine default service account [email protected]

Is there a way to explicitly set a service account for an application which is running on AppEngine in GCP? Then I would be able to create separate service accounts with fine access restrictions.


Solution

  • I am assuming you mean App Engine Standard. You only have one App Engine Standard per project.

    You can have multiple services under App Engine.

    You will need to create a service account and then load the service account inside your code. You can then change the default service account to have the minimum permissions required to function. Make sure you research what you are doing before changing permissions. You can break App Engine by being too restrictive.

    However, that brings up security issues on how you manage and distribute the service account keys.

    If you mean App Engine Flexible, Google does not even show the Flexible service account in the console as Google does not want you to modify it.
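The "load the service account inside your code" step from the answer above, sketched as an added example that is not part of the original answer: each App Engine service picks its own key file and refuses to use one that is the default App Engine account or belongs to another project. Assumptions: the `keys/<service>.json` layout and the function names are hypothetical, and `load_credentials` needs the `google-auth` package.

```python
import json
import os

KEY_DIR = "keys"  # assumed layout: keys/<service>.json deployed with each service
DEFAULT_SA_SUFFIX = "@appspot.gserviceaccount.com"  # App Engine default account


def key_path_for_service(environ=os.environ, key_dir=KEY_DIR):
    """Pick the key file for the running service (GAE_SERVICE is set by the runtime)."""
    service = environ.get("GAE_SERVICE", "default")
    # Service names are letters, digits and hyphens; reject anything path-like.
    if not service.replace("-", "").isalnum():
        raise ValueError(f"unexpected service name {service!r}")
    return os.path.join(key_dir, f"{service}.json")


def validate_key_file(path, expected_project=None):
    """Return the key's client_email, or raise ValueError if it should not be used."""
    with open(path) as fh:
        info = json.load(fh)
    if info.get("type") != "service_account":
        raise ValueError(f"{path}: not a service account key")
    email = info.get("client_email", "")
    if not email or email.endswith(DEFAULT_SA_SUFFIX):
        raise ValueError(f"{path}: expected a dedicated account, got {email!r}")
    if expected_project and info.get("project_id") != expected_project:
        raise ValueError(f"{path}: key belongs to another project")
    return email


def load_credentials(environ=os.environ, key_dir=KEY_DIR):
    """Build credentials for the current service from its own key file."""
    from google.oauth2 import service_account  # provided by the google-auth package

    path = key_path_for_service(environ, key_dir)
    validate_key_file(path, environ.get("GOOGLE_CLOUD_PROJECT"))
    return service_account.Credentials.from_service_account_file(
        path, scopes=["https://www.googleapis.com/auth/cloud-platform"]
    )
```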