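Set build service account (source deploy)
During source deployments, Cloud Run leverages Cloud Build when building and deploying your Cloud Run service.
This page shows how to set a user-specified service account for Cloud Build to use when executing builds of the service on your behalf.
This guide is relevant for platform developers who are deploying Cloud Run services or functions using the Google Cloud CLI and need to customize the build service account used by Cloud Build. The build service account gcloud CLI flag is supported for source deployments (--source), and not supported for container image deployments (--image).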
Before you begin
Enable the Cloud Build API:
gcloud services enable cloudbuild.googleapis.com
Create a service account, or have an existing service account, to use as the Cloud Build service account.
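Required roles
You or your administrator must grant the deployer account and the Cloud Build service account the following IAM roles.
Click to view required roles for the deployer account
To get the permissions that you need to build and deploy from source, ask your administrator to grant you the following IAM roles: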
- [Cloud Run Source Developer](/iam/docs/understanding-roles#run.sourceDeveloper) (`roles/run.sourceDeveloper`) on your project
- [Service Usage Consumer](/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer) (`roles/serviceusage.serviceUsageConsumer`) on your project
- [Service Account User](/iam/docs/understanding-roles#iam.serviceAccountUser) (`roles/iam.serviceAccountUser`) on the Cloud Run service identity

#### Click to view required roles for the Cloud Build service account

To allow the Cloud Build service account to perform the build when deploying a function, ask your administrator to grant the [Cloud Run Builder](/iam/docs/understanding-roles#run.builder) (`roles/run.builder`) role to the Cloud Build service account on the project.

**Note:** If you need to use a service account from a different project, you or your administrator must grant additional access to the service account. See [Cross-project set up](/build/docs/securing-builds/configure-user-specified-service-accounts#cross-project_set_up) for more details.

For a list of IAM roles and permissions that are associated with Cloud Run, see [Cloud Run IAM roles](/run/docs/reference/iam/roles) and [Cloud Run IAM permissions](/run/docs/reference/iam/permissions). If your Cloud Run service interfaces with Google Cloud APIs, such as Cloud Client Libraries, see the [service identity configuration guide](/run/docs/configuring/services/service-identity). For more information about granting roles, see [deployment permissions](/run/docs/reference/iam/roles#additional-configuration) and [manage access](/iam/docs/granting-changing-revoking-access).

Specify a Cloud Build service account
-------------------------------------

By default, if a Cloud Build service account isn't specified when deploying a [service](/run/docs/deploying-source-code) or [function](/run/docs/deploy-functions#gcloud_1) from source, Cloud Build uses the [default Cloud Build service account](/build/docs/cloud-build-service-account).

As a best practice for following the principle of least privilege to improve the security posture of your service, we recommend that you specify your own service account to run your builds when deploying a service from source.

### gcloud

To specify the Cloud Build service account when deploying a service from source code, use the `--build-service-account` flag:

```bash
gcloud run deploy SERVICE \
  --source . \
  --build-service-account projects/PROJECT_ID/serviceAccounts/BUILD_SERVICE_ACCOUNT
```

Replace:

- SERVICE with the name of your Cloud Run service.
- PROJECT_ID with the project ID where the build service account is created.
- BUILD_SERVICE_ACCOUNT with a user-specified service account.

If you are deploying a function, add the `--function` flag with the function entry point from your source code.

Last updated: 2025-09-04 (UTC)
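The steps on this page chained into one script, as an added example that is not part of the original documentation: it creates a dedicated build service account, grants it only `roles/run.builder`, grants the deployer the listed roles, and deploys from source with `--build-service-account`. The project, service, account and member names are placeholder assumptions, and the script only prints the gcloud commands unless `DRY_RUN=0` is set.

```shell
#!/usr/bin/env bash
# Added example; every value below is a placeholder (assumption), not from the page.
PROJECT_ID="${PROJECT_ID:-example-project}"
SERVICE="${SERVICE:-example-service}"
BUILD_SA_NAME="${BUILD_SA_NAME:-run-build-sa}"
DEPLOYER="${DEPLOYER:-user:deployer@example.com}"
RUNTIME_SA="${RUNTIME_SA:-runtime-sa@example-project.iam.gserviceaccount.com}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the gcloud commands

# Email of a user-managed service account: NAME@PROJECT.iam.gserviceaccount.com
build_sa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

# Full resource name in the format the page passes to --build-service-account.
build_sa_resource() {
  case "$2" in
    *@*.gserviceaccount.com) ;;
    *) echo "not a service account email: $2" >&2; return 1 ;;
  esac
  printf 'projects/%s/serviceAccounts/%s' "$1" "$2"
}

# Print the command; execute it only when DRY_RUN=0.
run() { printf '+ %s\n' "$*"; [ "$DRY_RUN" = "1" ] || "$@"; }

setup_and_deploy() {
  local email resource
  email="$(build_sa_email "$BUILD_SA_NAME" "$PROJECT_ID")"
  resource="$(build_sa_resource "$PROJECT_ID" "$email")" || return 1
  run gcloud services enable cloudbuild.googleapis.com --project "$PROJECT_ID"
  run gcloud iam service-accounts create "$BUILD_SA_NAME" --project "$PROJECT_ID"
  # Least privilege: the build account gets only the Cloud Run Builder role.
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:$email" --role roles/run.builder
  # Deployer roles on the project, as listed on the page.
  for role in roles/run.sourceDeveloper roles/serviceusage.serviceUsageConsumer; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member "$DEPLOYER" --role "$role"
  done
  # Service Account User is granted on the Cloud Run service identity only.
  run gcloud iam service-accounts add-iam-policy-binding "$RUNTIME_SA" \
    --member "$DEPLOYER" --role roles/iam.serviceAccountUser --project "$PROJECT_ID"
  run gcloud run deploy "$SERVICE" --source . --project "$PROJECT_ID" \
    --build-service-account "$resource"
}

setup_and_deploy
```

Review the printed commands first, then rerun with `DRY_RUN=0` from the source directory once the placeholder values are replaced.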