Service accounts

This page describes how to assign a user-created service account instead of using the default service account and permissions that are created automatically for Cloud Run services. For more information about the default service account Cloud Run uses, see Runtime service account.

Setting and updating service identity

Google recommends that you give each of your services a dedicated identity by assigning it a user-created service account instead of using a default service account. The default runtime service account is the Compute Engine default service account, which is granted the broad Editor role on the project; any code running in the service, including an attacker who gains code execution in it, inherits every permission of that identity. User-created service accounts allow you to control access by granting a minimal set of permissions using Identity and Access Management, so a compromised service can reach only the resources it actually needs. You can only use service accounts in the same project as the Cloud Run (fully managed) service.

Permissions required for user-created service accounts

In order to deploy a service with a user-created service account, the user deploying the service must have the iam.serviceAccounts.actAs permission on that service account.

When a user creates a service account, that user is automatically granted this permission. Otherwise, a user with the correct permissions must grant the user deploying the service the iam.serviceAccounts.actAs permission. The permission is included in the role roles/iam.serviceAccountUser; grant that role on the individual service account rather than on the whole project, because a project-wide grant lets the deployer act as every service account in the project, including more privileged ones. To learn how to grant permissions, see Granting, changing, and revoking access to resources.

Deploying a new service with a user-created service account

If you don't already have a user-created service account you want to use, learn how to create and manage service accounts.

You can set the service account using the Cloud Console or the gcloud command line when you create a new service or deploy a new revision. Set the service account to the email address of the service account that represents the new identity:

Console

  1. Go to Cloud Run

  2. Click Create Service if you are configuring a new service you are deploying to. If you are configuring an existing service, click on the service, then click Edit and Deploy New Revision.

  3. Under Advanced Settings, click Container.


  4. Click the Service account dropdown and select the desired service account.

  5. Click Create or Deploy.

gcloud

You can update an existing service to have a new runtime service account by using the following command:

gcloud run services update SERVICE --service-account SERVICE_ACCOUNT

Replace:

  • SERVICE with the name of your service.
  • SERVICE_ACCOUNT with the service account associated with the new identity: this value is the email address for the service account, for example, example@myproject.iam.gserviceaccount.com.

You can also set a service account during deployment using the command:

gcloud run deploy --image IMAGE_URL --service-account SERVICE_ACCOUNT

Replace:

  • IMAGE_URL with a reference to the container image, for example, gcr.io/myproject/my-image:latest.
  • SERVICE_ACCOUNT with the service account associated with the new identity: this value is the email address for the service account, for example, example@myproject.iam.gserviceaccount.com.

YAML

You can download and view existing service configuration using the gcloud run services describe --format export command, which yields cleaned results in YAML format. You can then modify the fields described below and upload the modified YAML using the gcloud beta run services replace command. Make sure you only modify fields as documented.

  1. To view and download the configuration:

    gcloud run services describe SERVICE --format export > service.yaml
  2. Update the serviceAccountName: attribute:

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: SERVICE
    spec:
      template:
        spec:
          serviceAccountName: SERVICE_ACCOUNT

    Replace

    • SERVICE with the name of your Cloud Run service.
    • SERVICE_ACCOUNT with the service account associated with the new identity: this value is the email address for the service account, for example, example@myproject.iam.gserviceaccount.com.
  3. Replace the service with its new configuration using the following command:

    gcloud beta run services replace service.yaml
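The following script is an added example that is not part of the Cloud Run documentation. It ties the steps above together on the gcloud command line: it creates a dedicated runtime service account, grants it a single narrow role, grants the deploying user iam.serviceAccounts.actAs on that one account via roles/iam.serviceAccountUser, deploys the service with --service-account, and reads back spec.template.spec.serviceAccountName to confirm the revision runs as the new identity. The project, region, service, image, deployer and the assumption that the service only needs roles/secretmanager.secretAccessor are hypothetical placeholders; the is_project_sa check rejects the default Compute Engine account and accounts from other projects before any command is run. GCLOUD can be pointed at a wrapper for a dry run.

```shell
#!/bin/sh
# Added example: deploy a Cloud Run service under a dedicated, least-privilege
# service account. Not taken from the Cloud Run docs. All values passed to
# setup_and_deploy are hypothetical.
GCLOUD="${GCLOUD:-gcloud}"   # override with a wrapper function for a dry run

# Compose the e-mail of a service account from its short name and project ID.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Return 0 only if EMAIL is a user-created service account that lives in
# PROJECT. This rejects the default Compute Engine account
# (PROJECT_NUMBER-compute@developer.gserviceaccount.com), which carries the
# Editor role, and accounts from other projects, which Cloud Run cannot use.
is_project_sa() {
  email="$1"; project="$2"
  case "$email" in
    *@"$project".iam.gserviceaccount.com) ;;
    *) return 1 ;;
  esac
  name="${email%%@*}"
  # Service account names are 6-30 characters: lowercase letters, digits and
  # hyphens, starting with a letter.
  printf '%s' "$name" | grep -Eq '^[a-z][a-z0-9-]{5,29}$'
}

# Steps of the procedure on this page, in order:
#   1. create the service account
#   2. grant it only the role the service needs (assumed: read secrets)
#   3. grant the deployer actAs on this account only (roles/iam.serviceAccountUser)
#   4. deploy with --service-account and verify the runtime identity
setup_and_deploy() {
  project="$1"; sa_name="$2"; deployer="$3"; service="$4"; image="$5"; region="$6"
  email="$(sa_email "$sa_name" "$project")"
  is_project_sa "$email" "$project" || { echo "refusing to use $email" >&2; return 1; }

  $GCLOUD iam service-accounts create "$sa_name" --project "$project" \
    --display-name "Runtime identity for $service"

  # Least privilege: one narrow role on the project, not Editor.
  $GCLOUD projects add-iam-policy-binding "$project" \
    --member "serviceAccount:$email" --role roles/secretmanager.secretAccessor

  # actAs scoped to the single service account, never project-wide.
  $GCLOUD iam service-accounts add-iam-policy-binding "$email" --project "$project" \
    --member "user:$deployer" --role roles/iam.serviceAccountUser

  $GCLOUD run deploy "$service" --image "$image" --service-account "$email" \
    --project "$project" --region "$region" --platform managed

  # Read back the identity the deployed revision actually runs as.
  $GCLOUD run services describe "$service" --project "$project" --region "$region" \
    --platform managed --format 'value(spec.template.spec.serviceAccountName)'
}
```

To run it for real, source the file and call setup_and_deploy with your own project, service account name, deployer e-mail, service name, image and region; the final describe call should print the same e-mail that was passed to --service-account. If it prints the PROJECT_NUMBER-compute@developer.gserviceaccount.com account instead, the revision is still running with the default identity.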