1
votes

Does anyone have an idea how I can access, at runtime, the email address of the service account that is running my Cloud Run service?

When deploying the service to gcloud, I use a specific service account for running the service. During runtime I need the email/ID of this service account, in order to do blob signing using IAMCredentialsService.

Is there a possibility to get the service account ID somehow? The ComputeCredential object I have at hand doesn't provide this information. Right now I have to set an environment variable which contains the service account email address, which I can use at runtime within the service.

2 Answers

3
votes

In your Cloud Run container, you need to reach this URL (with a GET request):

http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email

With this header

Metadata-Flavor: Google

If you have difficulty getting the value, provide your language and I will see if I can provide a code sample for you.

0
votes

See more in the documentation: https://cloud.google.com/run/docs/reference/container-contract#metadata-server

Container instance metadata server

Cloud Run container instances expose a metadata server that you can use to retrieve details about your container instance, such as the project ID, region, instance ID or service accounts. It can also be used to generate tokens for the runtime service account.

You can access this data from the metadata server using simple HTTP requests to the http://metadata.google.internal/ endpoint with the Metadata-Flavor: Google header: no client libraries are required. For more information, see Getting metadata.
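The metadata request described in both answers, as an added example that is not part of either answer: it sends the required request header, checks that the response carries the Metadata-Flavor: Google header, validates the returned value, and builds the resource name used for IAM Credentials blob signing. Python is an assumption (the question does not name a language), the function names are hypothetical, and the stub server and its sample email are constructed so the block runs outside Google Cloud.

```python
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

METADATA_ROOT = "http://metadata.google.internal"  # resolves only inside Google Cloud
EMAIL_PATH = "/computeMetadata/v1/instance/service-accounts/default/email"
EMAIL_RE = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+")

def runtime_service_account_email(root=METADATA_ROOT, timeout=2.0):
    """GET the runtime service account email from the metadata server."""
    req = urllib.request.Request(root + EMAIL_PATH, headers={"Metadata-Flavor": "Google"})
    # Ignore proxy environment variables: this request must not leave the instance.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(req, timeout=timeout) as resp:
        # The metadata server sets this header on its responses; reject anything else.
        if resp.headers.get("Metadata-Flavor") != "Google":
            raise RuntimeError("response did not come from the metadata server")
        email = resp.read().decode("utf-8").strip()
    if not EMAIL_RE.fullmatch(email):
        raise ValueError(f"unexpected service account value: {email!r}")
    return email

def sign_blob_resource_name(email):
    return f"projects/-/serviceAccounts/{email}"  # name format for signBlob

class StubMetadata(BaseHTTPRequestHandler):
    """Constructed local stand-in for the metadata server (offline demo only)."""
    def do_GET(self):
        ok = self.path == EMAIL_PATH and self.headers.get("Metadata-Flavor") == "Google"
        body = b"runner@example-project.iam.gserviceaccount.com" if ok else b"Forbidden"
        self.send_response(200 if ok else 403)
        self.send_header("Metadata-Flavor", "Google")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def demo_against_stub():
    server = HTTPServer(("127.0.0.1", 0), StubMetadata)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        email = runtime_service_account_email(f"http://127.0.0.1:{server.server_port}")
        return email, sign_blob_resource_name(email)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo_against_stub())
```

Inside a Cloud Run container, call runtime_service_account_email() with no arguments so it queries the real metadata endpoint.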