
Background

By default, Cloud Run uses the Compute Engine default service account, which grants a broad range of permissions that are not required by the container that I'm trying to run in it, and as a result I'd like to set up a new service account.

If I understand correctly, I'd need to do the following:

  1. Create a role with the desired set of permissions (using gcloud iam roles create)
  2. Create a service account (using gcloud iam service-accounts create)
  3. Bind the role permissions to the service account.
  4. Deploy an image with the service account set up in step 2 (using gcloud run deploy --service-account).

The aforementioned documentation doesn't mention how to achieve step 3. I found the gcloud iam service-accounts add-iam-policy-binding command, but I see this is a three-way binding between a user (member), a service account and a role, whereas what I've described above seems to require only a two-way binding, with the permission grant to the Cloud Run service occurring in the fourth step.

Questions

  1. Do I have the right understanding with regards to the steps required to set up a custom service account for Cloud Run to use?
  2. Assuming I have understood this correctly, what would be the correct way to set up the binding of permissions with the service account?

Which Google Cloud run services does your Cloud Run app need to access? That part is missing from your question. - John Hanley

@JohnHanley Currently the app doesn't need any permissions at all as it fetches resources over HTTP, performs some computation and returns it. However, in the future, it may need access to storage.objects.create and storage.objects.delete. - user2064000
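The four steps from the question, written out as a dry-runnable shell script. This is an added example, not code from the question or from Google's documentation. The project id (my-project), service account name (run-minimal), role id (runMinimalRole), service name, image, region and deployer principal are placeholders, and the permission list is the storage.objects.create/delete pair mentioned in the comments. Every gcloud call goes through $GCLOUD, so GCLOUD=echo prints the commands instead of running them. The script also shows where the three-way binding on the service account fits: it is not how the container gets its permissions, it is how the identity running gcloud run deploy gets permission to act as the new service account.

```shell
#!/bin/sh
# Added example, not from the original question. Placeholders (assumed):
# my-project, run-minimal, runMinimalRole, my-service, the image URL,
# us-central1 and user:deployer@example.com. Set GCLOUD=echo for a dry run.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# Step 1: a custom role that carries only the permissions the container needs.
# If the list is empty (as it currently is for this app) there is nothing to
# grant: skip steps 1 and 3 and deploy with an unprivileged service account.
create_custom_role() {   # $1 project, $2 role id, $3 comma-separated permissions
  $GCLOUD iam roles create "$2" --project="$1" \
    --title="Cloud Run minimal role" --stage=GA --permissions="$3"
}

# Step 2: the dedicated runtime service account. Its email is derived from the
# name and project, so one string can be reused in steps 3 and 4.
create_service_account() {   # $1 project, $2 service account name
  $GCLOUD iam service-accounts create "$2" --project="$1" \
    --display-name="Cloud Run runtime identity ($2)"
}
sa_email() {   # $1 project, $2 service account name
  printf '%s@%s.iam.gserviceaccount.com\n' "$2" "$1"
}

# Step 3: the two-way binding the question asks about. IAM always grants a role
# to a principal on a resource; here the principal is the service account and
# the resource is the project. For object permissions a single bucket is the
# tighter resource:
#   gcloud storage buckets add-iam-policy-binding gs://BUCKET \
#     --member="serviceAccount:EMAIL" --role="projects/PROJECT/roles/ROLE_ID"
bind_role_to_sa() {   # $1 project, $2 service account email, $3 role id
  $GCLOUD projects add-iam-policy-binding "$1" \
    --member="serviceAccount:$2" --role="projects/$1/roles/$3"
}

# Step 3b: the three-way binding from gcloud iam service-accounts
# add-iam-policy-binding. It grants the deploying identity the right to act as
# the service account; without it, gcloud run deploy --service-account is
# rejected for lack of iam.serviceAccounts.actAs.
allow_deployer_to_act_as() {   # $1 service account email, $2 deployer (user:... or serviceAccount:...)
  $GCLOUD iam service-accounts add-iam-policy-binding "$1" \
    --member="$2" --role="roles/iam.serviceAccountUser"
}

# Step 4: deploy with the runtime identity set explicitly instead of the
# Compute Engine default service account.
deploy_with_sa() {   # $1 service, $2 image, $3 region, $4 service account email
  $GCLOUD run deploy "$1" --image="$2" --region="$3" --service-account="$4"
}

# The whole procedure in order. Invoke with RUN_SETUP=1 (and GCLOUD=echo to
# preview the five commands first).
setup_cloud_run_sa() {
  project=my-project; sa=run-minimal; role=runMinimalRole
  email="$(sa_email "$project" "$sa")"
  create_service_account "$project" "$sa"
  create_custom_role "$project" "$role" storage.objects.create,storage.objects.delete
  bind_role_to_sa "$project" "$email" "$role"
  allow_deployer_to_act_as "$email" "user:deployer@example.com"
  deploy_with_sa my-service gcr.io/my-project/my-image:latest us-central1 "$email"
}

if [ "${RUN_SETUP:-0}" = 1 ]; then
  setup_cloud_run_sa
fi
```

Run it once with GCLOUD=echo RUN_SETUP=1 to read the exact commands, then without GCLOUD to execute them against the project. The custom role is the part to keep narrow: the two storage permissions cover create and delete but deliberately omit storage.objects.get and list, so the service cannot read back or enumerate bucket contents unless that is later added on purpose.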