Console
    Contact Us Start free

    Configure service identity for services

    A Cloud Run service or revision has a service identity that is used as the authenticated account for accessing Google Cloud APIs from your Cloud Run instance container. To learn more about service identity, see the Introduction to service identity guide.

    How service identity is used

    In Cloud Run, the service identity is a service account that is both a resource and a principal .

    • Service identity as a resource: To attach a service account as the service identity, the deployer account must have access on the service identity resource. Certain operations, like creating or updating a service or revision, require the deployer account to have permissions on the service identity resource.
    • Service identity as a principal: To access Google Cloud APIs from a Cloud Run service or revision, you must grant the service identity the required roles or permissions for the operations you want your service or revision to perform.

    The next section covers the required roles for granting the deployer account access on the service identity resource and granting the roles or permissions that the service account principal needs.

    Required roles

    You or your administrator must grant IAM roles and permissions for the deployer account and the service identity.

    Click to view required roles for the service identity

    To allow the service identity to access Google Cloud APIs from Cloud Run, you or your administrator must grant the service identity the permissions or roles that are required by operations you want to perform. To accessing specific Cloud Client Libraries, refer to the Google Cloud documentation for the Google Cloud service.

    If a Cloud Run service or revision does not access other Google Cloud services, you don't need to grant the service identity any roles or permissions, and you can use the default service account that was assigned to the project.

    Get recommendations to create dedicated service accounts

    When you create a new service account from the Google Cloud console, the optional step "Grant this service account access to the project" is for any additional access required. For example, one Cloud Run service might invoke another private Cloud Run service , or it might access a Cloud SQL database , both which require specific IAM roles. Refer to the documentation on managing access for more information.

    The Recommender service also automatically supplies recommendations to create a dedicated service accounts with the minimal required set of permissions.

    Configure service identity

    If you haven't already created a service account, you can either create a user-managed service account in IAM , or in Cloud Run.

    To configure service identity, use either the Google Cloud console, the gcloud CLI, the API (YAML) when you create a new service or deploy a new revision , or Terraform:

    Console

    1. In the Google Cloud console, go to Cloud Run:

      Go to Cloud Run

    2. Select Servicesfrom the menu, and click Deploy containerto configure a new service. If you are configuring an existing service, click the service, then click Edit and deploy new revision.

    3. If you are configuring a new service, fill out the initial service settings page, then click Container(s), Volumes, Networking, Securityto expand the service configuration page.

    4. Click the Securitytab.

      image

      • Click the Service account dropdown and select an existing service account, or click Create a new service accountif applicable.

    5. Click Createor Deploy.

    gcloud

    If you haven't already created a service account, you can either create a user-managed service account in IAM .

    You can update an existing service to have a new service account by using the following command:

    gcloud  
run  
services  
update  
 SERVICE 
  
--service-account  
 SERVICE_ACCOUNT

    Replace the following:

    • SERVICE : the name of your service.
    • SERVICE_ACCOUNT : the service account associated with the new identity: this value is the email address for the service account—for example, example@myproject.iam.gserviceaccount.com .

    You can also set a service account during deployment using the command:

    gcloud  
run  
deploy  
--image  
 IMAGE_URL 
  
--service-account  
 SERVICE_ACCOUNT

    Replace the following:

    • IMAGE_URL : a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest . If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format of LOCATION -docker.pkg.dev/ PROJECT_ID / REPO_NAME / PATH : TAG .
    • SERVICE_ACCOUNT : the service account associated with the new identity: this value is the email address for the service account—for example, example@myservice.iam.gserviceaccount.com .

    YAML

    If you haven't already created a service account, you can either create a user-managed service account in IAM .

    1. If you are creating a new service, skip this step. If you are updating an existing service, download its YAML configuration :

      gcloud  
run  
services  
describe  
 SERVICE 
  
--format  
 export 
  
>  
service.yaml

    2. Update the serviceAccountName: attribute:

       apiVersion 
 : 
  
 serving.knative.dev/v1 
 kind 
 : 
  
 Service 
 metadata 
 : 
  
 name 
 : 
  
  SERVICE 
 
 spec 
 : 
  
 template 
 : 
  
 spec 
 : 
  
 serviceAccountName 
 : 
  
  SERVICE_ACCOUNT

      Replace the following:

      • SERVICE : the name of your Cloud Run service.
      • SERVICE_ACCOUNT : the service account associated with the new identity. This value is the email address for the service account—for example, SERVICE_ACCOUNT_NAME @ PROJECT_ID .iam.gserviceaccount.com .

    3. Create or update the service using the following command:

      gcloud  
run  
services  
replace  
service.yaml

    Terraform

    To learn how to apply or remove a Terraform configuration, see Basic Terraform commands .

    Add the following to a google_cloud_run_v2_service resource in your Terraform configuration:

    To create a service account, add the following resource to your to your existing main.tf file:

      resource 
  
 "google_service_account" 
  
 "cloudrun_service_identity" 
  
 { 
  
 account_id 
  
 = 
  
 "my-service-account" 
 }

    Create or update a Cloud Run service and include your service account:

      resource 
  
 "google_cloud_run_v2_service" 
  
 "default" 
  
 { 
  
 name 
  
 = 
  
 "id-service" 
  
 location 
  
 = 
  
 "us-central1" 
  
 deletion_protection 
  
 = 
  
 false 
 # set to "true" in production 
  
 template 
  
 { 
  
 containers 
  
 { 
  
 image 
  
 = 
  
 "us-docker.pkg.dev/cloudrun/container/hello" 
  
 } 
  
 service_account 
  
 = 
  
 google_service_account.cloudrun_service_identity.email 
  
 } 
 }

    Use service accounts in other projects

    If you configure a service account from a different Google Cloud project than the Cloud Run resource, do the following:

    1. You or your administrator must grant the Service Account User role ( roles/iam.serviceAccountUser ) on the service account that you use as the service identity.

      Console

      1. Go to the Service accountspage of the Google Cloud console:

        Go to Service accounts

      2. Select the service account email address you are using as the service identity.

      3. Click the Permissionstab.

      4. Click the Grant accessbutton.

      5. Enter the deployer account email address that matches the principal you're granting the Admin or Developer role to.

      6. In the Select a roledrop-down, select the Service Accounts> Service Account Userrole.

      7. Click Save.

      gcloud

      Use the gcloud iam service-accounts add-iam-policy-binding command, replacing the highlighted variables with the appropriate values:

      gcloud  
iam  
service-accounts  
add-iam-policy-binding  
 \ 
  
 SERVICE_ACCOUNT_NAME 
@ SERVICE_ACCOUNT_PROJECT_ID 
.iam.gserviceaccount.com  
 \ 
  
--member = 
 " PRINCIPAL 
" 
  
 \ 
  
--role = 
 "roles/iam.serviceAccountUser"

      Replace the following:

      • SERVICE_ACCOUNT_NAME : the name of the service account that you are attaching the Cloud Run resource to
      • SERVICE_ACCOUNT_PROJECT_ID : the project ID where the service account is located

      • PRINCIPAL : the deployer account you are adding the binding for, using the format user|group|serviceAccount:email or domain:domain —for example:

        • user:test-user@gmail.com
        • group:admins@example.com
        • serviceAccount:test123@example.domain.com
        • domain:example.domain.com

    2. You or your administrator must grant the Cloud Run resource's service agent the Service Account Token Creator role ( roles/iam.serviceAccountTokenCreator ) on the service account you use as the service identity. The service agent follows the format of service- PROJECT_NUMBER @serverless-robot-prod.iam.gserviceaccount.com .

      Console

      1. Go to the Service accountspage of the Google Cloud console:

        Go to Service accounts

      2. Select the service account email address you are using as the service identity.

      3. Click the Permissionstab.

      4. Click the Grant accessbutton.

      5. Enter the service agent email address. For example: service- PROJECT_NUMBER @serverless-robot-prod.iam.gserviceaccount.com .

      6. In the Select a roledrop-down, select the Service Accounts> Service Account Token Creatorrole.

      7. Click Save.

      gcloud

      Use the gcloud iam service-accounts add-iam-policy-binding command:

      gcloud  
iam  
service-accounts  
add-iam-policy-binding  
 \ 
  
 SERVICE_ACCOUNT_NAME 
@ SERVICE_ACCOUNT_PROJECT_ID 
.iam.gserviceaccount.com  
 \ 
  
--member = 
 "serviceAccount:service- CLOUD_RUN_RESOURCE_PROJECT_NUMBER 
@serverless-robot-prod.iam.gserviceaccount.com" 
  
 \ 
  
--role = 
 "roles/iam.serviceAccountTokenCreator"

      Replace the following:

      • SERVICE_ACCOUNT_NAME : the name of the service account that you are attaching the Cloud Run resource to
      • SERVICE_ACCOUNT_PROJECT_ID : the project ID where the service account is located
      • CLOUD_RUN_RESOURCE_PROJECT_NUMBER : the project number where the Cloud Run is located

      The command prints the updated allow policy for the user-managed service account.

    3. The project containing this service account requires the org-policy iam.disableCrossProjectServiceAccountUsage to be set to false or unenforced at the folder level or inherited from project-level settings. By default, this is set to true .

      Console

      1. Go to the Organization policiespage in the Google Cloud console:

        Go to Organization policies

      2. From the project picker, select the organization and project for which you want to disable cross-project service account usage for.

      3. Select the disable cross-project service account usagepolicy.

      4. Click Manage policy.

      5. Under Policy source, select Override parent's policy.

      6. Click Add a rule.

      7. Under Enforcement, select Off.

      8. To enforce the policy, click Set policy.

      gcloud

      In the project that has the service account, ensure that the iam.disableCrossProjectServiceAccountUsage organization policy constraint is not enforced. This constraint is enforced by default.

      To disable this organization policy constraint, run:

      gcloud  
resource-manager  
org-policies  
disable-enforce  
iam.disableCrossProjectServiceAccountUsage  
--project = 
 SERVICE_ACCOUNT_PROJECT_ID

      Replace SERVICE_ACCOUNT_PROJECT_ID with the project ID that contains the service account.

    You can apply role memberships directly to the service account resource or inherit from higher levels in the resource hierarchy .

    What's next

    • For more information about service accounts, see the IAM service account and user-managed service account guides.
    • If your Cloud Run service, job, or worker pool accesses Google APIs or Google Cloud services, you must configure your service account as the service identity. Learn more .
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: