diff --git a/mmv1/products/appengine/api.yaml b/mmv1/products/appengine/api.yaml
index bcae708c9d30..58b9aa31eefc 100644
--- a/mmv1/products/appengine/api.yaml
+++ b/mmv1/products/appengine/api.yaml
@@ -898,6 +898,11 @@ objects:
       name: 'runtimeMainExecutablePath'
       description: |
         The path or name of the app's main executable.
+    - !ruby/object:Api::Type::String
+      name: 'serviceAccount'
+      description: |
+        The identity that the deployed version will run as. Admin API will use the App Engine Appspot service account as
+        default if this field is neither provided in app.yaml file nor through CLI flag.
     - !ruby/object:Api::Type::NestedObject
       name: 'apiConfig'
       description: |
diff --git a/mmv1/products/appengine/terraform.yaml b/mmv1/products/appengine/terraform.yaml
index 9037e98fe757..c03d89fb1226 100644
--- a/mmv1/products/appengine/terraform.yaml
+++ b/mmv1/products/appengine/terraform.yaml
@@ -146,6 +146,7 @@ overrides: !ruby/object:Overrides::ResourceOverrides
       vars:
         bucket_name: "appengine-static-content"
         project: "appeng-flex"
+        account_id: "my-account"
       test_env_vars:
         org_id: :ORG_ID
         billing_account: :BILLING_ACCT
diff --git a/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb b/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
index 58408825a71f..876e70921536 100644
--- a/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
+++ b/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
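Review bot: The new `serviceAccount` description explains the default but not the precondition for setting the field: the principal running the deploy must be allowed to act as the chosen account (I believe this is `iam.serviceAccounts.actAs`, usually granted via roles/iam.serviceAccountUser on that account — worth confirming against the App Engine docs), and a deploy without it is rejected, which is the usual surprise when moving off the default identity. The sentence about `app.yaml` and a CLI flag also does not apply to a Terraform-managed field and will read oddly in generated provider docs. I would reword the block to something like: `The identity that the deployed version runs as. If unset, the App Engine default service account is used. The deploying principal must have permission to act as the specified service account.`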
@@ -17,10 +17,28 @@ resource "google_project_service" "service" {
   disable_dependent_services = false
 }
 
+resource "google_service_account" "custom_service_account" {
+  project      = google_project_service.service.project
+  account_id   = "<%= ctx[:vars]['account_id'] %>"
+  display_name = "Custom Service Account"
+}
+
 resource "google_project_iam_member" "gae_api" {
   project = google_project_service.service.project
   role    = "roles/compute.networkUser"
-  member  = "serviceAccount:service-${google_project.my_project.number}@gae-api-prod.google.com.iam.gserviceaccount.com"
+  member  = "serviceAccount:${google_service_account.custom_service_account.email}"
+}
+
+resource "google_project_iam_member" "logs_writer" {
+  project = google_project_service.service.project
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.custom_service_account.email}"
+}
+
+resource "google_project_iam_member" "storage_viewer" {
+  project = google_project_service.service.project
+  role    = "roles/storage.objectViewer"
+  member  = "serviceAccount:${google_service_account.custom_service_account.email}"
 }
 
 resource "google_app_engine_flexible_app_version" "<%= ctx[:primary_resource_id] %>" {
@@ -71,6 +89,7 @@ resource "google_app_engine_flexible_app_version" "<%= ctx[:primary_resource_id]
   }
 
   noop_on_destroy = true
+  service_account = google_service_account.custom_service_account.email
 }
 
 resource "google_storage_bucket" "bucket" {
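Review bot: The rewritten `gae_api` binding swaps the principal, not just the role: `roles/compute.networkUser` previously went to the `service-…@gae-api-prod.google.com.iam.gserviceaccount.com` service agent and now goes to the custom runtime identity, and the agent is left with nothing. Those are different principals — the agent is the one that provisions Flex VMs, the custom account is what the code runs as — so if the old binding was load-bearing (typically a shared-VPC host network) deployments can now fail, and if it was not, the runtime identity is carrying a network role it does not need. I would keep the two apart: restore the agent binding under a name like `gae_service_agent_network_user` with `member = "serviceAccount:service-${google_project.my_project.number}@gae-api-prod.google.com.iam.gserviceaccount.com"` as the removed line had, and drop networkUser from `custom_service_account` unless the Flex runtime actually requires it, which should be checked against the App Engine docs. Separately, `roles/storage.objectViewer` at project scope lets the version read every bucket in the project rather than only `google_storage_bucket.bucket` below; if project scope is needed (for example to pull the container image from the registry bucket) a one-line comment saying so would stop readers from tightening it and breaking deploys, and if not, a bucket-level `google_storage_bucket_iam_member` is the least-privilege form.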
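Review bot: The new `service_account` line creates a data dependency only on `google_service_account.custom_service_account`, not on the `google_project_iam_member` bindings that give that account `logging.logWriter` and `storage.objectViewer`, so Terraform may create the version before those grants exist and IAM propagation is not instant — the first deploy can fail or start without log/artifact access. Unless a `depends_on` already exists elsewhere in the resource body (its start is outside this hunk), I would add `depends_on = [google_project_iam_member.logs_writer, google_project_iam_member.storage_viewer]` next to `service_account` so the example applies reliably. A short comment on the line, e.g. `# runtime identity; the deploying principal must be able to act as this account`, would also save readers from the most common failure when copying the example.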