Runtime service account
During service execution, Cloud Run uses the service account PROJECT_NUMBER-compute@developer.gserviceaccount.com as its identity. For instance, when making requests to Google Cloud Platform services using the Google Cloud Client Libraries, Cloud Run applications can automatically obtain and use tokens to authorize to the services this identity has permissions to use.
Changing default permissions
By default, the runtime service account has the Editor role, which lets it access many Cloud Platform services. While this is the fastest way to develop services, it's likely too permissive for what your service needs in production, and you'll want to configure it for least privilege access.
Using the Google Cloud Platform Console:
1. Select the Runtime Service Account (PROJECT_NUMBER-compute@developer.gserviceaccount.com) from the table.
2. Click the pencil on the right side of the row to show the Edit permissions tab.
3. Add or remove roles in the role dropdown to provide least privilege access.
Using the gcloud command-line tool, remove the Editor role, then use the gcloud projects add-iam-policy-binding command to add a new role (members are given as serviceAccount:EMAIL):
    # Remove the Editor role
    gcloud projects remove-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com" \
        --role="roles/editor"

    # Add the desired role
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com" \
        --role="ROLE"
Where PROJECT_ID is the ID of the project you're using, PROJECT_NUMBER is that project's number, and ROLE is the new role to assign to the runtime service account.
Fetching identity and access tokens
You can use the Compute Metadata Server to fetch identity tokens and access tokens.
You use identity tokens when calling other Cloud Run services or any other service that can validate an identity token.
You can use the Compute Metadata Server to fetch identity tokens with a specific audience as follows:
    curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]" \
        -H "Metadata-Flavor: Google"
AUDIENCE is the JWT Audience requested, for
example: the URL of a service you're invoking, such as
https://service.domain.com, or the OAuth Client ID of an IAP protected
resource, such as
You use access tokens when calling Google APIs.
By default, access tokens have the cloud-platform scope, which allows access to all Google Cloud Platform APIs, assuming IAM also allows access. In order to access other Google or Google Cloud APIs, you will need to fetch an access token with the appropriate scope.
You can use the Compute Metadata Server to fetch access tokens.
If you need an access token with a specific scope, you can generate one as follows:
    curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?scopes=[SCOPES]" \
        -H "Metadata-Flavor: Google"
SCOPES is a comma separated list of OAuth scopes
requested, for example:
Consult the full list of Google OAuth scopes to find which scopes you need.
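The two metadata server calls above, as an added example that is not from the page or from Google: it requests an identity token whose audience is the URL of the Cloud Run service being called, sends it as a Bearer token, requests a scope-narrowed access token, and inspects a token's claims. The endpoint paths and the Metadata-Flavor header are the ones on the page; all function names and the optional opener parameter (used so the code can run against a stand-in for the metadata server) are my own.

```python
import base64
import json
import urllib.parse
import urllib.request

# Endpoints and header come from the page; helper names are this example's own.
METADATA_BASE = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"
METADATA_HEADERS = {"Metadata-Flavor": "Google"}  # without this header the server refuses the request


def identity_token_url(audience: str) -> str:
    """Identity token whose `aud` claim is `audience` (the URL of the service being called)."""
    return f"{METADATA_BASE}/identity?audience={urllib.parse.quote(audience, safe=':/')}"


def access_token_url(scopes=None) -> str:
    """Access token; `scopes` narrows the default cloud-platform scope to what the call needs."""
    if not scopes:
        return f"{METADATA_BASE}/token"
    return f"{METADATA_BASE}/token?scopes={urllib.parse.quote(','.join(scopes), safe=':/,')}"


def _metadata_get(url: str, opener) -> bytes:
    req = urllib.request.Request(url, headers=METADATA_HEADERS)
    with opener(req) as resp:
        return resp.read()


def fetch_identity_token(audience: str, opener=urllib.request.urlopen) -> str:
    """The identity endpoint returns the raw JWT as the response body."""
    return _metadata_get(identity_token_url(audience), opener).decode().strip()


def fetch_access_token(scopes=None, opener=urllib.request.urlopen) -> str:
    """The token endpoint returns JSON: {"access_token": ..., "expires_in": ..., "token_type": "Bearer"}."""
    return json.loads(_metadata_get(access_token_url(scopes), opener))["access_token"]


def authenticated_request(target_url: str, opener=urllib.request.urlopen) -> urllib.request.Request:
    """Call another Cloud Run service: the audience is that service's own URL, the token goes in Authorization."""
    token = fetch_identity_token(target_url, opener)
    return urllib.request.Request(target_url, headers={"Authorization": f"Bearer {token}"})


def unverified_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only (e.g. to confirm `aud` before sending it).
    The receiving service must still verify signature, issuer and expiry, for example with
    google.oauth2.id_token.verify_token from the google-auth library."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```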