Service identity

Runtime service account

During its execution, a Cloud Run revision uses a service account as its identity. For instance, when making requests to Google Cloud Platform services using the Google Cloud Client Libraries, Cloud Run revisions can automatically obtain and use tokens to authenticate to the services this identity has permissions to use.

By default, Cloud Run revisions use the Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com), which has the Project > Editor IAM role. This means that by default, your Cloud Run revisions have read and write access to all resources in your GCP project. While this is very convenient, we recommend granting more granular permissions to each of your Cloud Run services by assigning dedicated service accounts with more restricted IAM roles.

Using per-service identity

It is recommended that you give each of your services a dedicated identity and restrict what it is able to access by granting it a minimal set of permissions using IAM. You can do this by assigning a named service account that has the correct IAM role(s). You can only use service accounts in the same project as the Cloud Run (fully managed) service.

Permissions required to use non-default identities

In order to deploy a service with a non-default service account, the deployer must have the iam.serviceAccounts.actAs permission on the service account being deployed.

If a user creates a service account, that user is automatically granted this permission; otherwise, a user with the correct permissions must grant the deployer this permission on the service account in order for the user to deploy.

Deploying a new service with a non-default identity

Before you deploy a service with a new identity, make sure that the service account you want to use is already created. If not, learn how to create and manage service accounts.

You can set the service account using the GCP Console or the gcloud command line when you create a new service or deploy a new revision:

Console UI

  1. Go to Cloud Run

  2. Click CREATE SERVICE if you are configuring a service account on a new service you are deploying to. If you are configuring a service account on an existing service, then click on the service, then click DEPLOY NEW REVISION.

  3. Click SHOW OPTIONAL SETTINGS.
  4. Click the Service account dropdown and select the desired service account.

  5. Click Create or Deploy.

GCloud

You can update an existing service to have a new runtime service account by using the following command:

gcloud beta run services update SERVICE --service-account SERVICE_ACCOUNT_EMAIL

Replace

  • SERVICE with the name of your service.
  • SERVICE_ACCOUNT_EMAIL with the service account email associated with the new identity.

You can also set a service account during deployment using the command:

gcloud beta run deploy --image gcr.io/PROJECT-ID/IMAGE --service-account SERVICE_ACCOUNT_EMAIL

Replace

  • PROJECT-ID with your project name
  • IMAGE with the container image you are deploying
  • SERVICE_ACCOUNT_EMAIL with the service account associated with the new identity

Fetching identity and access tokens

When your code runs on Cloud Run (fully managed) it can use the Compute Metadata Server to fetch identity tokens and access tokens. You cannot query the metadata server directly from your local computer.

Identity tokens

You use identity tokens when calling other Cloud Run (fully managed) services or any other service that can validate an identity token.

You can use the Compute Metadata Server to fetch identity tokens with a specific audience as follows:

curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]" \
  -H "Metadata-Flavor: Google"

Where AUDIENCE is the JWT audience requested, for example: the URL of a service you're invoking, such as https://service.domain.com, or the OAuth Client ID of an IAP-protected resource, such as 1234567890.apps.googleusercontent.com.

Access tokens

You use access tokens when calling Google APIs.

By default, access tokens have the cloud-platform scope, which allows access to all Google Cloud Platform APIs, assuming IAM also allows access. In order to access other Google or Google Cloud APIs, you will need to fetch an access token with the appropriate scope.

You can use the Compute Metadata Server to fetch access tokens.

If you need an access token with a specific scope, you can generate one as follows:

curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?scopes=[SCOPES]" \
  -H "Metadata-Flavor: Google"

Where SCOPES is a comma separated list of OAuth scopes requested, for example: https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/spreadsheets.

Consult the full list of Google OAuth scopes to find which scopes you need.
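The two metadata-server requests above (identity token with an audience, access token with scopes) wrapped in a small client, as an added example that is not part of the Cloud Run documentation. The HTTP call is isolated in fetch_metadata() and is injectable, so the URL building, audience check and expiry-based caching run offline against the constructed fake_fetch(); IdentityTokenSource, fake_fetch and the skew parameter are names chosen here, not Google APIs.

```python
# Added example (not from the Cloud Run docs): build the metadata-server URLs shown on this
# page, fetch an identity token, check its audience and cache it until shortly before expiry.
import base64
import json
import time
import urllib.parse
import urllib.request

METADATA_BASE = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"

def token_url(kind, value):
    """kind 'identity' takes an audience string; kind 'token' takes a list of OAuth scopes."""
    if kind == "identity":  # audiences contain ':' and '/', so they are percent-encoded
        return METADATA_BASE + "/identity?" + urllib.parse.urlencode({"audience": value})
    if kind == "token":     # scopes stay comma separated, as in the curl example above
        return METADATA_BASE + "/token?" + urllib.parse.urlencode({"scopes": ",".join(value)}, safe=",")
    raise ValueError("unknown token kind: %r" % kind)

def fetch_metadata(url):
    """Real fetch; only reachable from inside Cloud Run. The Metadata-Flavor header is mandatory."""
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it; the called service verifies the signature."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

class IdentityTokenSource:
    """One cached identity token per audience, refreshed `skew` seconds before it expires."""
    def __init__(self, fetch=fetch_metadata, skew=60):
        self._fetch, self._skew, self._cache = fetch, skew, {}
    def token(self, audience, now=None):
        now = time.time() if now is None else now
        cached = self._cache.get(audience)
        if cached and cached[1] - self._skew > now:
            return cached[0]
        tok = self._fetch(token_url("identity", audience))
        claims = jwt_claims(tok)
        if claims.get("aud") != audience:  # never forward a token minted for another service
            raise ValueError("got aud %r, requested %r" % (claims.get("aud"), audience))
        self._cache[audience] = (tok, claims["exp"])
        return tok

def fake_fetch(url, lifetime=3600):
    """Constructed stand-in for the metadata server: an UNSIGNED JWT echoing the audience."""
    aud = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["audience"][0]
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return b64({"alg": "none"}) + "." + b64({"aud": aud, "exp": int(time.time()) + lifetime}) + "."
```

On Cloud Run, `IdentityTokenSource().token("https://service.domain.com")` returns a token to send as `Authorization: Bearer ...` to that service; the receiving service, not this client, must verify the signature.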

Next steps

Learn how to manage access to or securely authenticate developers, services, and end-users to your services.
