Gcp · How-To · Beginner · 4 min read

How to Use Service Account with Cloud Run in GCP

To use a service account with Cloud Run, assign the service account to your Cloud Run service during deployment or update. This lets your service securely access other Google Cloud resources with the permissions granted to that account.

Syntax

When deploying or updating a Cloud Run service, use the --service-account flag to specify the service account email. This tells Cloud Run to run your service with that account's identity and permissions.

Example command parts:

  • gcloud run deploy SERVICE_NAME: Deploy or update your Cloud Run service.
  • --image IMAGE_URL: Specify the container image to run.
  • --service-account SERVICE_ACCOUNT_EMAIL: Assign the service account.
```bash
gcloud run deploy SERVICE_NAME \
  --image IMAGE_URL \
  --service-account SERVICE_ACCOUNT_EMAIL
```

Example

This example deploys a Cloud Run service named my-service using a container image and assigns the service account my-service-account@my-project.iam.gserviceaccount.com. This service account must exist and have the needed permissions.

```bash
gcloud run deploy my-service \
  --image gcr.io/my-project/my-image:latest \
  --service-account my-service-account@my-project.iam.gserviceaccount.com \
  --region us-central1 \
  --platform managed
```

Output

```
Deploying service [my-service] in project [my-project] region [us-central1]
Done.
Service URL: https://my-service-abcdefg-uc.a.run.app
```

Common Pitfalls

Common mistakes when using service accounts with Cloud Run include:

  • Not creating the service account before assigning it.
  • Assigning a service account without the required permissions for the resources your service needs.
  • Forgetting to redeploy the service after changing the service account.
  • Using the default Compute Engine service account unintentionally (it is the fallback whenever --service-account is omitted), which is often granted the broad project-level Editor role.

Always verify the service account exists and has the minimum permissions your service requires.

```bash
# Wrong: deploying without specifying a service account (uses the default)
gcloud run deploy my-service \
  --image gcr.io/my-project/my-image:latest

# Right: specify the service account explicitly
gcloud run deploy my-service \
  --image gcr.io/my-project/my-image:latest \
  --service-account my-service-account@my-project.iam.gserviceaccount.com
```

Quick Reference

| Command | Description |
| --- | --- |
| gcloud run deploy SERVICE_NAME --service-account SERVICE_ACCOUNT_EMAIL | Deploy a Cloud Run service with the specified service account |
| gcloud iam service-accounts create NAME | Create a new service account |
| gcloud projects add-iam-policy-binding PROJECT_ID --member=serviceAccount:SERVICE_ACCOUNT_EMAIL --role=ROLE | Grant a role to the service account |
| gcloud run services describe SERVICE_NAME | Check which service account is currently assigned to the Cloud Run service |
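The deploy procedure and the Common Pitfalls list above (account must exist, never fall back to the default Compute Engine account, confirm the assignment after redeploying) combined into one wrapper script. This is an added example, not code from the original article: it reuses the article's placeholder names (my-service, my-project, my-service-account@my-project.iam.gserviceaccount.com), assumes gcloud is installed and authenticated, and the rejection of any PROJECT_NUMBER-compute@developer.gserviceaccount.com address is this script's own convention for spotting the default account.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): refuse to deploy with the
# default Compute Engine service account, check that the chosen account exists,
# deploy with --service-account, then read the assignment back from the service.
# Set DRY_RUN=1 to print the gcloud commands instead of running them.
set -eu

# Print or run a gcloud command depending on DRY_RUN.
run_gcloud() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'gcloud %s\n' "$*"
  else
    gcloud "$@"
  fi
}

# Succeeds only for a user-managed service account that belongs to PROJECT.
# The default Compute Engine account (PROJECT_NUMBER-compute@developer.gserviceaccount.com)
# and accounts from other projects are rejected (this script's own rule).
is_dedicated_sa() {
  local email="$1" project="$2"
  case "$email" in
    *-compute@developer.gserviceaccount.com) return 1 ;;
    ?*@"$project".iam.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# deploy_with_sa SERVICE IMAGE SA_EMAIL PROJECT REGION
deploy_with_sa() {
  local service="$1" image="$2" sa="$3" project="$4" region="$5" actual

  if ! is_dedicated_sa "$sa" "$project"; then
    echo "refusing to deploy $service: '$sa' is not a dedicated service account in $project" >&2
    return 1
  fi

  # Pitfall 1: the account must exist before it can be assigned.
  if ! run_gcloud iam service-accounts describe "$sa" --project "$project" >/dev/null; then
    echo "service account $sa not found; create it with: gcloud iam service-accounts create NAME --project $project" >&2
    return 1
  fi

  # Always pass --service-account so the project default is never used.
  run_gcloud run deploy "$service" \
    --image "$image" \
    --service-account "$sa" \
    --region "$region" \
    --project "$project"

  # Pitfall 3: read the assignment back from the deployed revision template.
  actual="$(run_gcloud run services describe "$service" --region "$region" --project "$project" \
    --format='value(spec.template.spec.serviceAccountName)')"
  if [ "${DRY_RUN:-0}" != "1" ] && [ "$actual" != "$sa" ]; then
    echo "verification failed: $service runs as '$actual', expected '$sa'" >&2
    return 1
  fi
  echo "$service deployed with service account $sa"
}

# Demo with the article's placeholder names; only runs under DRY_RUN=1 so the
# script never contacts Google Cloud unless you call deploy_with_sa yourself.
if [ "${DRY_RUN:-0}" = "1" ]; then
  deploy_with_sa my-service gcr.io/my-project/my-image:latest \
    my-service-account@my-project.iam.gserviceaccount.com my-project us-central1
fi
```

Run it as DRY_RUN=1 bash deploy_with_sa.sh to see the exact commands it would issue; without DRY_RUN the demo is skipped and deploy_with_sa is meant to be called from your own deployment script. The post-deploy check reads spec.template.spec.serviceAccountName, the field in the gcloud run services describe output that names the account the current revision template runs as.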

Key Takeaways

  • Assign a service account to Cloud Run using the --service-account flag during deployment.
  • Ensure the service account exists and has the correct permissions before use.
  • Avoid using default service accounts with broad permissions for security.
  • Redeploy your Cloud Run service after changing the service account.
  • Use IAM roles to grant only the permissions your service needs.