Service identity

Runtime service account

During its execution, a Cloud Run revision uses a service account as its identity. For instance, when making requests to Google Cloud Platform services using the Google Cloud Client Libraries, Cloud Run revisions can automatically obtain and use tokens to authorize to the services this identity has permissions to use.

By default, Cloud Run revisions use the Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com). You can change this identity.

Per-service identity

If you have multiple services all accessing different resources, you'll likely want to give each service its own identity. This can be done by deploying the service with a named service account that has the correct role. The service account being deployed must have been created in the same project as the service it is attached to.

Permissions required to use non-default identities

In order to deploy a service with a non-default service account, the deployer must have the iam.serviceAccounts.actAs permission on the service account being deployed.

If a user creates a service account, that user is automatically granted this permission; otherwise, a user with the correct permissions must grant the deployer this permission on the service account in order for the user to deploy.

Deploying a new service with a non-default identity

Before you deploy a service with a new identity, make sure that the service account you want to use is already created. If not, learn how to create and manage service accounts.

Console UI

  1. Go to the Google Cloud Platform Console.

  2. Configure the service however you would like.

  3. Click SHOW OPTIONAL SETTINGS.

  4. Click the Service account dropdown and select the desired service account.

  5. Click Create.

GCloud

When deploying a service using gcloud beta run deploy, add the --service-account flag. For example:

gcloud beta run deploy ... --service-account SERVICE_ACCOUNT_EMAIL

where PROJECT_ID (among the omitted flags) is your project name, and SERVICE_ACCOUNT_EMAIL is the email address of the service account that provides the new identity.

Updating the identity of an existing service

You can also update an existing service to use a new runtime service account.

Console UI

  1. Go to the Google Cloud Platform Console.

  2. Click the name of the desired service to go to its detail page.

  3. Click the EDIT pencil at the top of the detail page to edit the service.

  4. Click SHOW OPTIONAL SETTINGS.

  5. Click the Service account dropdown and select the desired service account.

  6. Click Save.

GCloud

When redeploying the service using gcloud beta run deploy, add the --service-account flag:

gcloud beta run deploy ... --service-account SERVICE_ACCOUNT_EMAIL

where PROJECT_ID (among the omitted flags) is your project name, and SERVICE_ACCOUNT_EMAIL is the email address of the service account that provides the new identity.

Fetching identity and access tokens

You can use the Compute Metadata Server to fetch identity tokens and access tokens.

Identity tokens

You use identity tokens when calling other Cloud Run services or any other service that can validate an identity token.

You can use the Compute Metadata Server to fetch identity tokens with a specific audience as follows:

curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]" \
  -H "Metadata-Flavor: Google"

Where AUDIENCE is the JWT audience (the aud claim) requested, for example: the URL of a service you're invoking, such as https://service.domain.com, or the OAuth Client ID of an IAP-protected resource, such as 1234567890.apps.googleusercontent.com.

Access tokens

You use access tokens when calling Google APIs.

By default, access tokens have the cloud-platform scope, which allows access to all Google Cloud Platform APIs, assuming IAM also allows access. In order to access other Google or Google Cloud APIs, you will need to fetch an access token with the appropriate scope.

You can use the Compute Metadata Server to fetch access tokens.

If you need an access token with a specific scope, you can generate one as follows:

curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?scopes=[SCOPES]" \
  -H "Metadata-Flavor: Google"

Where SCOPES is a comma-separated list of OAuth scopes requested, for example: https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/spreadsheets.

Consult the full list of Google OAuth scopes to find which scopes you need.
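The two curl calls above, as an added Python example that is not part of this documentation or of any Google library: it builds the metadata-server URLs for the identity and token endpoints, sends the required Metadata-Flavor header, and caches an access token until shortly before its expires_in runs out. FakeMetadataServer is a constructed stand-in so the example runs outside Cloud Run; the token values it returns are made up.

```python
import json
import time
import urllib.parse
import urllib.request

# Metadata-server endpoints named on this page, scoped to the revision's runtime service account.
METADATA_ROOT = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"
FLAVOR_HEADER = {"Metadata-Flavor": "Google"}  # the server rejects requests that omit this header

def metadata_url(endpoint, params):
    """Build the 'identity' or 'token' URL; urlencode percent-encodes the audience URL and the scope list."""
    return f"{METADATA_ROOT}/{endpoint}?{urllib.parse.urlencode(params)}"

def http_get(url, headers):
    """Real transport: a plain GET that only resolves from inside a Cloud Run container."""
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=5) as resp:
        return resp.read().decode()

def fetch_identity_token(audience, transport=http_get):
    """Identity token (a JWT) whose 'aud' claim is `audience`, e.g. the URL of the Cloud Run service being called.
    The callee must verify the signature and that 'aud' equals its own URL; the caller cannot do that for it."""
    return transport(metadata_url("identity", {"audience": audience}), FLAVOR_HEADER).strip()

class AccessTokenCache:
    """Access token for a list of OAuth scopes, re-fetched only within `margin` seconds of its expiry."""
    def __init__(self, scopes, transport=http_get, margin=60, clock=time.time):
        self.scopes, self.transport, self.margin, self.clock = tuple(scopes), transport, margin, clock
        self._token, self._expires_at = None, 0.0

    def token(self):
        if self._token is None or self.clock() >= self._expires_at - self.margin:
            url = metadata_url("token", {"scopes": ",".join(self.scopes)})  # comma-separated, as on this page
            body = json.loads(self.transport(url, FLAVOR_HEADER))
            self._token, self._expires_at = body["access_token"], self.clock() + int(body["expires_in"])
        return self._token

class FakeMetadataServer:
    """Constructed stand-in for the metadata server so the example runs offline; mimics its header check."""
    def __init__(self):
        self.calls = []  # (endpoint, decoded query) per request, for inspection

    def __call__(self, url, headers):
        if headers.get("Metadata-Flavor") != "Google":
            raise PermissionError("403 Forbidden: Missing Metadata-Flavor:Google header")
        parsed = urllib.parse.urlparse(url)
        query = urllib.parse.parse_qs(parsed.query)
        self.calls.append((parsed.path.rsplit("/", 1)[-1], query))
        if parsed.path.endswith("/identity"):
            return "FAKE-ID-TOKEN-for-" + query["audience"][0]  # constructed value, not a real JWT
        return json.dumps({"access_token": "ya29.FAKE", "expires_in": 3600, "token_type": "Bearer"})
```

Inside a Cloud Run container, drop the transport argument and the functions talk to the real metadata server; the caching matters because every request to the token endpoint otherwise mints a fresh token.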

Next steps

Learn how to manage access to or securely authenticate developers, services, and end-users to your services.
