Hi, we are using Bitbucket Pipelines for our CI/CD engine, and it works 
great with Google App Engine. However, there appears to be one significant 
security flaw with GCP. 

We need to permission a service account to deploy our application and the 
only permission that appears to work is Project Owner. The keys are 
secured, but if, somehow, someone were to gain access to this service 
account, they could delete our entire project, which also includes our 
database and a few other mission critical resources. 

It would be much safer if we could deploy our application with granular 
permissions like GAE Deployer and GCS Admin, which we have tried to use 
unsuccessfully. We also tried to create a custom App Engine role, which 
granted all permissions, but the permissions still failed us. Does anyone 
have any suggestions?


You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-appengine+unsubscr...@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.
  • [google-appengine] GA... Mike Hardy

Reply via email to