gae/ERR/2025_001
Product: App Engine
Rule class: GAE application deployment may fail if the default service account has been deleted
Description
The App Engine default service account (@appspot.gserviceaccount.com) is used by default for GAE application deployments when a user-defined service account is not declared.
If it was recently deleted, recover the service account; otherwise, use a user-defined service account.
Sample logging query to find deleted GAE default service account:
protoPayload.methodName="google.iam.admin.v1.DeleteServiceAccount"
resource.labels.email_id="[PROJECT_ID]@appspot.gserviceaccount.com"
resource.type="service_account"
Remediation
If the App Engine default service account was recently deleted (within 30 days), follow the steps at https://cloud.google.com/iam/docs/service-accounts-delete-undelete#undeleting to recover it.
Otherwise, use a user-defined service account: https://cloud.google.com/appengine/docs/legacy/standard/python/user-managed-service-accounts
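The following is an added example, not part of the rule's own code: it applies the three conditions of the logging query above to exported audit log entries and picks between the two remediation paths based on the 30-day window. The project ID, unique IDs, sample entries and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

UNDELETE_WINDOW = timedelta(days=30)  # recovery window stated in the remediation
DELETE_METHOD = "google.iam.admin.v1.DeleteServiceAccount"

# Constructed sample entries (not real data), shaped like exported audit logs.
SAMPLE_ENTRIES = json.loads("""[
 {"timestamp": "2025-01-10T08:15:00.123456789Z",
  "protoPayload": {"methodName": "google.iam.admin.v1.DeleteServiceAccount"},
  "resource": {"type": "service_account", "labels": {
    "email_id": "example-project@appspot.gserviceaccount.com",
    "unique_id": "100000000000000000001"}}},
 {"timestamp": "2025-01-12T09:00:00Z",
  "protoPayload": {"methodName": "google.iam.admin.v1.DeleteServiceAccount"},
  "resource": {"type": "service_account", "labels": {
    "email_id": "ci-bot@example-project.iam.gserviceaccount.com",
    "unique_id": "100000000000000000002"}}}
]""")

def entry_time(entry):
    """Parse the entry's UTC timestamp, ignoring fractional seconds."""
    stamp = datetime.strptime(entry["timestamp"][:19], "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc)

def default_sa_deletions(entries, project_id):
    """Keep entries matching the same three conditions as the logging query."""
    email = f"{project_id}@appspot.gserviceaccount.com"
    hits = []
    for e in entries:
        resource = e.get("resource", {})
        if (e.get("protoPayload", {}).get("methodName") == DELETE_METHOD
                and resource.get("type") == "service_account"
                and resource.get("labels", {}).get("email_id") == email):
            hits.append(e)
    return hits

def remediation(entries, project_id, now):
    """Return (action, unique_id) based on the most recent matching deletion."""
    hits = default_sa_deletions(entries, project_id)
    if not hits:
        return ("no-deletion-found", None)
    latest = max(hits, key=entry_time)
    # The numeric unique ID is what the undelete procedure needs as input.
    unique_id = latest["resource"]["labels"].get("unique_id")
    if now - entry_time(latest) <= UNDELETE_WINDOW:
        return ("undelete", unique_id)
    return ("use-user-defined-service-account", unique_id)
```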