1) This might be too vague of a question to answer correctly, but if you are looking to migrate from the Standard to the Flexible environment, I recommend reviewing this article on the differences between the two environments and the adjustments to make:
https://cloud.google.com/appengine/docs/flexible/go/migrating
2) Regarding your security guidelines details with a custom service account, I'm not too sure about the question here, if there is one. You can set the permissions on the custom service account as needed.
The Flexible environment does include an additional service account in order to be able to execute Flexible environment specific tasks on behalf of your application. The default service accounts (both) are automatically created for you when deploying the first application and used by the application to authenticate access to resources within the same project. You are unable to modify the permissions on the App Engine *Flexible* default service account, as stated here:
https://cloud.google.com/appengine/docs/flexible/python/service-account
Here is another article with more details regarding service accounts, mainly the App Engine default service account, where you can downgrade its access by modifying its permissions:
https://cloud.google.com/appengine/docs/flexible/python/access-control#using_service_accounts
3) You are able to give a Project A service account access to Project B by adding the service account that needs to be authenticated to Project B. Here is an example of the steps to do so:
https://stackoverflow.com/questions/35479025/cross-project-management-using-service-account
In Project B, you are able to give that service account the permissions you want it to have in Project B. You can use the default service account or a newly created one depending on your use case. You can do all this from the Google Cloud Console.
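Added example, not part of the original answer: once a Project A service account has been added to Project B, this sketch audits Project B's IAM policy for bindings held by accounts from other projects and marks the ones that hold a basic role (Owner, Editor, Viewer) instead of a scoped one. The project IDs, members and the function names `owning_project` and `audit_cross_project` are assumptions made for illustration, and the policy JSON is constructed sample data.

```python
import json

# Constructed sample in the shape printed by
#   gcloud projects get-iam-policy project-b --format=json
# Project IDs and members are placeholders, not values from this thread.
SAMPLE_POLICY_B = json.loads("""
{"bindings": [
  {"role": "roles/editor",
   "members": ["serviceAccount:project-a@appspot.gserviceaccount.com",
               "serviceAccount:project-b@appspot.gserviceaccount.com"]},
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:worker@project-a.iam.gserviceaccount.com",
               "user:admin@example.com"]}
]}
""")

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}  # project-wide roles
IAM_SUFFIX = ".iam.gserviceaccount.com"

def owning_project(member):
    """Return the project ID encoded in a service account member, else None."""
    kind, _, email = member.partition(":")
    if kind != "serviceAccount" or "@" not in email:
        return None
    local, domain = email.split("@", 1)
    if domain == "appspot.gserviceaccount.com":  # App Engine default account
        return local
    if domain.endswith(IAM_SUFFIX):              # user-managed account
        return domain[:-len(IAM_SUFFIX)]
    return None                                  # other formats: not derivable

def audit_cross_project(policy, this_project):
    """List bindings in this_project's policy held by other projects' accounts."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            owner = owning_project(member)
            if owner and owner != this_project:
                findings.append({"member": member, "from_project": owner,
                                 "role": binding["role"],
                                 "basic_role": binding["role"] in BASIC_ROLES})
    return findings

if __name__ == "__main__":
    for f in audit_cross_project(SAMPLE_POLICY_B, "project-b"):
        flag = "REVIEW: basic role" if f["basic_role"] else "ok: scoped role"
        print(f"{f['from_project']}: {f['member']} -> {f['role']} [{flag}]")
```

Google-managed service agents live in Google-owned projects, so they show up in the output as external accounts too and can be filtered out once recognised.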