Optimizing service accounts with Recommender

This topic shows how to use Recommender to optimize service accounts for a Cloud Run service so the service account has the minimal set of required permissions. Recommender is a service that automatically provides recommendations and insights for using resources on Google Cloud, based on heuristic methods, machine learning, and current resource usage. Each recommendation includes a link you can click to put the recommendation into effect for your service.

Recommender automatically provides recommendations for a service once it has been deployed and a period of time, typically one day, has elapsed. After this period, recommendations for the service are displayed with the service in the Cloud Run service list in the Google Cloud Console and in the Recommendation Hub.

Recommendations are also available through the following:

Viewing and accepting available recommendations for Cloud Run

To view and accept a recommendation in the Cloud Run user interface:

  1. Go to Cloud Run

  2. Locate services in the list that have something in the Recommendations column.

  3. In the Recommendations column, click the Security icon for your service to display the recommendation insight for that service.

  4. Read the insight about your service and the recommendation. If you accept the recommendation, click Create Service Account. This opens the user interface for creating a new dedicated service account with the optimal set of permissions, where you can also grant IAM roles. To determine which roles to assign, you must audit the dependencies of your Cloud Run service to ensure the new dedicated service account has the required access for all of these dependencies.
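The command-line counterpart of step 4, as an added example that is not part of the original page: it prints, without running them, the gcloud commands that create a dedicated service account, grant only the roles found in the dependency audit, and switch the service to that account. The project, service, region, account name and roles are constructed placeholders, and rejecting basic roles is this example's own policy.

```shell
#!/usr/bin/env bash
# Added example. PROJECT, SERVICE, REGION, SA_NAME and the roles are placeholders.

# Succeeds when the email is a Compute Engine default service account
# (PROJECT_NUMBER-compute@developer.gserviceaccount.com), the identity a
# Cloud Run service uses when no dedicated account was set at deploy time.
is_default_compute_sa() {
  case "$1" in
    *[!0-9]*-compute@developer.gserviceaccount.com) return 1 ;;
    [0-9]*-compute@developer.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads the identity a deployed service runs as (needs gcloud and credentials).
current_sa() {
  gcloud run services describe "$1" --region="$2" --project="$3" \
    --format='value(spec.template.spec.serviceAccountName)'
}

# Prints, without running them, the commands that create a dedicated account,
# grant it the roles found in the dependency audit, and switch the service to it.
# usage: plan_dedicated_sa PROJECT SERVICE REGION SA_NAME ROLE...
plan_dedicated_sa() {
  project=$1; service=$2; region=$3; sa_name=$4; shift 4
  email="${sa_name}@${project}.iam.gserviceaccount.com"
  for role in "$@"; do
    case "$role" in
      roles/owner|roles/editor)  # example policy: basic roles defeat the purpose
        echo "refusing basic role: ${role}" >&2; return 1 ;;
    esac
  done
  echo "gcloud iam service-accounts create ${sa_name} --project=${project}"
  for role in "$@"; do
    echo "gcloud projects add-iam-policy-binding ${project}" \
      "--member=serviceAccount:${email} --role=${role}"
  done
  echo "gcloud run services update ${service} --region=${region}" \
    "--project=${project} --service-account=${email}"
}

# Constructed sample run: an audit that found Cloud SQL and Secret Manager use.
plan_dedicated_sa example-project orders-api us-central1 orders-api-run \
  roles/cloudsql.client roles/secretmanager.secretAccessor
```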

Viewing recommendations in Recommendation Hub

You can also view recommendations in the Recommendation Hub. For more information, refer to the Recommendation Hub Getting started documentation.