Service accounts on Cloud Run (fully managed)

This page describes how to assign a specific service account to your Cloud Run (fully managed) service.

Setting and updating service identity

It is recommended that you give each of your services a dedicated identity and restrict what it is able to access by granting it a minimal set of permissions using IAM. You can do this by assigning a named service account that has the correct IAM role(s). You can only use service accounts in the same project as the Cloud Run (fully managed) service.

Permissions required to use non-default identities

In order to deploy a service with a non-default service account, the deployer must have the iam.serviceAccounts.actAs permission on the service account being deployed.

If a user creates a service account, that user is automatically granted this permission; otherwise, a user with the correct permissions must grant the deployer this permission on the service account in order for the user to deploy.

Deploying a new service with a non-default identity

Before you deploy a service with a new identity, make sure that the service account you want to use is already created. If not, learn how to create and manage service accounts.

You can set the service account using the Cloud Console or the gcloud command line when you create a new service or deploy a new revision:


  1. Go to Cloud Run

  2. Click CREATE SERVICE if you are configuring a new service you are deploying to. If you are configuring an existing service, click on the service, then click EDIT & DEPLOY NEW REVISION.



  4. Click the Service account dropdown and select the desired service account.

  5. Click Create or Deploy.


You can update an existing service to have a new runtime service account by using the following command:

gcloud run services update SERVICE --service-account SERVICE_ACCOUNT_EMAIL


Replace:

  • SERVICE with the name of your service.
  • SERVICE_ACCOUNT_EMAIL with the service account email associated with the new identity.

You can also set a service account during deployment using the command:

gcloud run deploy --image gcr.io/PROJECT-ID/IMAGE --service-account SERVICE_ACCOUNT_EMAIL

Replace:

  • PROJECT-ID with your project name.
  • IMAGE with the container image you are deploying.
  • SERVICE_ACCOUNT_EMAIL with the service account associated with the new identity.
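
To check an existing project against the recommendation that each service has a dedicated identity, the following added example (not part of the original documentation) audits service listings for services that run as the default identity or share a service account. It assumes input shaped like the JSON from `gcloud run services list --format=json`, that an unset `serviceAccountName` means the default Compute Engine service account, and uses constructed service names and emails.

```python
import json
from collections import defaultdict

# Constructed sample, shaped like `gcloud run services list --format=json`
# output (Knative-style Service objects). Names and emails are made up.
SAMPLE_JSON = """
[
 {"metadata": {"name": "checkout"},
  "spec": {"template": {"spec": {"serviceAccountName": "checkout-run@example-proj.iam.gserviceaccount.com"}}}},
 {"metadata": {"name": "reports"},
  "spec": {"template": {"spec": {"serviceAccountName": "123456789012-compute@developer.gserviceaccount.com"}}}},
 {"metadata": {"name": "legacy-api"},
  "spec": {"template": {"spec": {}}}},
 {"metadata": {"name": "orders"},
  "spec": {"template": {"spec": {"serviceAccountName": "shared-run@example-proj.iam.gserviceaccount.com"}}}},
 {"metadata": {"name": "billing"},
  "spec": {"template": {"spec": {"serviceAccountName": "shared-run@example-proj.iam.gserviceaccount.com"}}}}
]
"""

# Email suffix of the Compute Engine default service account.
DEFAULT_SUFFIX = "-compute@developer.gserviceaccount.com"

def runtime_identity(service):
    """Return the revision template's service account email, or '' if unset."""
    spec = service.get("spec", {}).get("template", {}).get("spec", {})
    return spec.get("serviceAccountName", "")

def audit(services):
    """Return sorted (service, finding) pairs for non-dedicated identities."""
    findings, users = [], defaultdict(list)
    for svc in services:
        name, sa = svc["metadata"]["name"], runtime_identity(svc)
        if not sa or sa.endswith(DEFAULT_SUFFIX):
            # Assumption: an unset field means the default identity is in use.
            findings.append((name, "default-identity"))
        else:
            users[sa].append(name)
    for sa, names in users.items():
        if len(names) > 1:  # one account serving several services
            findings += [(n, "shared-identity:" + sa) for n in names]
    return sorted(findings)

def remediation(service):
    """The page's update command, with the account left as a placeholder."""
    return f"gcloud run services update {service} --service-account SERVICE_ACCOUNT_EMAIL"

if __name__ == "__main__":
    for name, finding in audit(json.loads(SAMPLE_JSON)):
        print(f"{name}: {finding}\n  fix: {remediation(name)}")
```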