During source deployments, Cloud Run leverages Cloud Build when building and deploying your Cloud Run service.
This page shows how to set a
user-specified service account
for Cloud Build to use when executing builds of the service on your behalf.
This guide is relevant for platform developers who are deploying
Cloud Run services or
functions using the Google Cloud CLI and need to
customize the build service account used by Cloud Build. The build service
account gcloud CLI flag is supported for
source deployments (--source), and not
supported for container image deployments (--image).
Before you begin
Enable the Cloud Build API:
gcloud services enable cloudbuild.googleapis.com
Create a service account, or have an existing service account, to use as the Cloud Build service account.
Required roles
You or your administrator must grant the deployer account and the Cloud Build service account the following IAM roles.
Click to view required roles for the deployer account
To get the permissions that you need to build and deploy from source, ask your administrator to grant you the following IAM roles:
- Cloud Run Source Developer (
roles/run.sourceDeveloper) on your project - Service Usage Consumer (
roles/serviceusage.serviceUsageConsumer) on your project - Service Account User (
roles/iam.serviceAccountUser) on the Cloud Run service identity
Click to view required roles for the Cloud Build service account
To allow the Cloud Build service account to perform the build
when deploying a function, ask your administrator to grant the
Cloud Run Builder
(roles/run.builder) role to the Cloud Build service
account on the project.
For a list of IAM roles and permissions that are associated with Cloud Run, see Cloud Run IAM roles and Cloud Run IAM permissions. If your Cloud Run service interfaces with Google Cloud APIs, such as Cloud Client Libraries, see the service identity configuration guide. For more information about granting roles, see deployment permissions and manage access.
Specify a Cloud Build service account
By default, if a Cloud Build service account isn't specified when deploying a service or function from source, Cloud Build uses the default Cloud Build service account.
As a best practice for following the principle of least privilege to improve the security posture of your service, we recommend that you specify your own service account to run your builds when deploying a service from source.
gcloud
To specify the Cloud Build service account when deploying a
service from source code, use the --build-service-account flag:
gcloud run deploy SERVICE \ --source . \ --build-service-account projects/PROJECT_ID/serviceAccounts/BUILD_SERVICE_ACCOUNT
Replace:
- SERVICE with name of your Cloud Run service.
- PROJECT_ID the project ID where the build service account is created.
- BUILD_SERVICE_ACCOUNT with a user-specified service account.
If you are deploying a function, add the --function flag with the function
entry point from your source code.