Set build service account (source deploy)

During the source deployment of a function, Cloud Run leverages Cloud Build when building and deploying your function.

This page shows how to set a user-specified service account for Cloud Build to use when executing builds of the function on your behalf. This guide is relevant for platform developers who are deploying functions in Cloud Run and need to customize the build service account used by Cloud Build.

Before you begin

Enable the Cloud Build API:

gcloud services enable cloudbuild.googleapis.com

Create a service account, or have an existing service account, to use as the service account for Cloud Build.

Required roles

To get the permissions that you need to deploy from source, ask your administrator to grant you the following IAM roles on your project:

Cloud Run Source Developer (roles/run.sourceDeveloper)
Service Account User (roles/iam.serviceAccountUser)

To allow the service account that is used for Cloud Build to perform the build when deploying a function, ask your administrator to grant you the following IAM roles on your service account:

Logs Writer (roles/logging.logWriter) — for storing build logs in Cloud Logging.
Artifact Registry Writer (roles/artifactregistry.writer) — for storing build images in Artifact Registry.
Storage Object Admin (roles/storage.objectAdmin) — for retrieving the function source from the Cloud Storage bucket, and to store build images in Artifact Registry.

For a list of IAM roles and permissions that are associated with Cloud Run, see Cloud Run IAM roles and Cloud Run IAM permissions. If your Cloud Run service interfaces with Google Cloud APIs, such as Cloud Client Libraries, see the service identity configuration guide. For more information about granting roles, see deployment permissions and manage access.

Specify a Cloud Build service account

By default, if a Cloud Build service account isn't specified when deploying a function from source, Cloud Build uses the Cloud Build service account.

As a best practice for following the principle of least privilege to improve the security posture of your function, we recommend that you specify your own service account to run your builds when deploying a function from source.

gcloud

You can specify a service account to be used as the Cloud Build service account during deployment of a function.

To specify the Cloud Build service account when deploying a function from source code:

gcloud beta run deploy SERVICE \
  --source . \
  --function FUNCTION_ENTRY_POINT \
  --build-service-account BUILD_SERVICE_ACCOUNT

Replace:

SERVICE with name of your Cloud Run function.
FUNCTION_ENTRY_POINT with the entry point to your function in your source code. Omit the --function flag to specify a service that is deployed from source.
BUILD_SERVICE_ACCOUNT with a user-specified service account.