That's right, the App Engine Flexible environment service account's permissions can't be modified [1]. There's currently a feature request [2] with a similar question, and it has multiple suggestions made by other customers facing the same issue. We recommend following the feature request once in a while for updates as this exact method isn't supported yet.
[1] https://cloud.google.com/appengine/docs/flexible/python/service-account
[2] https://issuetracker.google.com/35894490

On Tuesday, August 21, 2018 at 1:57:05 PM UTC-4, Eric Hauser wrote:
>
> The standard method of storing a secret in GCS encrypted via KMS generally
> works fine. However, the Service Account documentation for App Engine Flex
> states (
> https://cloud.google.com/appengine/docs/flexible/python/service-account):
>
> "Do not modify the permissions of the App Engine flexible environment
> service account."
>
> What's the recommended way to give a Flex container the ability to decrypt
> a secret if you can't grant permissions to a KMS key?
>
