I'm almost getting a headache while trying to allow access on GCP Cloud Run for different users, for a specific service, using permission attributes.
Let's consider I have different services running, and I want to assign my developers to use gcloud run deploy only on a bunch of them. In my case, it is as follows:
- backend-service > revisions can be deployed by backend-user only;
- frontend-service > revisions can be deployed by frontend-user only;
Both users have the "Cloud Run Developer" role, and both service accounts have the "ServiceAccountUser" role, as described here in the GCP docs.
The issue I'm facing, however, is when I try to restrict user permissions for a single resource.
Using the GCP web console, I've created a condition based on Resource > Name to be backend-service.
I instantly get this error when using gcloud run deploy:
ERROR: (gcloud.run.deploy) PERMISSION_DENIED: Permission 'run.services.update' denied on resource 'namespaces/PROJECT_ID/services/SERVICE_NAME' (or resource may not exist).
make: *** [deploy] Error 1
As I could not find anything related to IAM permission conditions for Cloud Run (they're not even listed, afaik), I tried changing the Resource > Name condition value to namespaces/PROJECT_ID/services/SERVICE_NAME, but that didn't work either.
As a side note, when checking permissions inside the Cloud Run web console, it shows this condition on Cloud Run Developer:
{
"expression": "resource.name == \"backend-service\"",
"title": "BackendService"
}
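One thing a reviewer of such a policy would want to check is the shape of the condition expression itself. In IAM conditions, resource.name carries the full resource name (a slash-separated path such as the namespaces/PROJECT_ID/services/SERVICE_NAME form in the error above), so an equality test against a bare short name like "backend-service" can never evaluate to true, and the binding then grants nothing, which is exactly what a PERMISSION_DENIED on run.services.update looks like from the client side. The script below is an added example, not code from the question or from Google; it audits an exported IAM policy for resource.name comparisons that cannot match any full resource name or that match too loosely. The sample policy is constructed for the example (the member addresses and the "Suffix" binding are made up), and the script deliberately does not assert which exact full-name format Cloud Run evaluates, since the question leaves that unresolved.

```python
"""Audit IAM condition expressions for resource.name comparisons that are
either impossible (bare name vs. full resource path) or overbroad.

Added example; the sample policy below is constructed, not taken from a real
project. Run it directly, or import audit_policy() and feed it the output of
`gcloud projects get-iam-policy PROJECT_ID --format=json`.
"""
import json
import re

# Constructed sample policy: mirrors the shape of the condition shown in the
# question, plus a correct full-path variant and an overbroad suffix variant.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {
            "role": "roles/run.developer",
            "members": ["user:backend-user@example.com"],
            "condition": {
                "title": "BackendService",
                "expression": 'resource.name == "backend-service"',
            },
        },
        {
            "role": "roles/run.developer",
            "members": ["user:frontend-user@example.com"],
            "condition": {
                "title": "FrontendService",
                "expression": 'resource.name.endsWith("/services/frontend-service")',
            },
        },
        {
            "role": "roles/run.developer",
            "members": ["user:ops@example.com"],
            "condition": {
                "title": "Suffix",
                "expression": 'resource.name.endsWith("backend-service")',
            },
        },
        {"role": "roles/viewer", "members": ["group:devs@example.com"]},
    ]
})

# resource.name compared with == or != against a string literal
_EQ = re.compile(r'resource\.name\s*(==|!=)\s*"([^"]*)"')
# resource.name.startsWith("...") / resource.name.endsWith("...")
_FN = re.compile(r'resource\.name\.(startsWith|endsWith)\(\s*"([^"]*)"\s*\)')


def check_condition(expression: str) -> list[str]:
    """Return the problems found in one CEL condition expression.

    resource.name is the full resource name (a path), so:
      - ==, != or startsWith against a literal with no '/' can never match;
      - endsWith against a literal that does not begin with '/' also matches
        any resource whose last path segment merely ends with that text
        (e.g. "old-backend-service"), so it is overbroad.
    """
    problems = []
    for op, lit in _EQ.findall(expression):
        if "/" not in lit:
            problems.append(f'{op} "{lit}": bare name never equals a full resource name')
    for fn, lit in _FN.findall(expression):
        if fn == "startsWith" and "/" not in lit:
            problems.append(f'startsWith("{lit}"): full names begin with a collection segment, never matches')
        elif fn == "endsWith" and not lit.startswith("/"):
            problems.append(f'endsWith("{lit}"): no leading "/", also matches longer names ending in this text')
    return problems


def audit_policy(policy_json: str) -> list[dict]:
    """Scan every conditional binding in a policy JSON document; one finding per problem."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        cond = binding.get("condition")
        if not cond:
            continue  # unconditional binding: nothing to check here
        for problem in check_condition(cond.get("expression", "")):
            findings.append({
                "role": binding["role"],
                "title": cond.get("title", ""),
                "members": binding.get("members", []),
                "problem": problem,
            })
    return findings


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f'{f["role"]} [{f["title"]}] {", ".join(f["members"])}: {f["problem"]}')
```

On the constructed sample this reports the BackendService binding (bare-name equality, never matches) and the Suffix binding (overbroad suffix), and stays silent on FrontendService, whose suffix is anchored at a path separator. Whether the `/services/SERVICE_NAME` suffix is what Cloud Run actually evaluates for run.services.update is still worth confirming against the current IAM conditions documentation for Cloud Run; the checker only rules out forms that cannot work.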