Fix GCP Cloud Run IAM Service Account Errors
When working with GCP Cloud Run, you may run into a configuration mistake that does not stop the deployment but leaves it over-privileged. This guide explains the most common mistake with the Cloud Run service account (IAM) and shows the exact fix.
A Common Mistake
Running a Cloud Run service with the default compute service account instead of a dedicated service account with minimal permissions.
The incorrect command:
gcloud run deploy my-service --image=gcr.io/my-project/my-image --allow-unauthenticated
Resulting state:
Deployed with default compute SA ({PROJECT-NUMBER}-compute@developer.gserviceaccount.com).
This SA holds the Editor role (roles/editor) on the project. If the container is compromised, the attacker inherits edit access to every resource in the project. This is a critical security weakness.
The Correct Approach
The right way to configure the Cloud Run service account in GCP:
gcloud run deploy my-service --image=gcr.io/my-project/my-image --service-account=my-dedicated-sa@my-project.iam.gserviceaccount.com --allow-unauthenticated
Successful result:
Deployed with dedicated SA.
The SA holds only roles/storage.objectViewer (needed to read config files from GCS). A compromise is contained to reading storage objects, so the blast radius is minimized.
How to Prevent This
Create a dedicated service account per service with the minimum required permissions. Review which roles an SA holds with gcloud projects get-iam-policy and filter on that SA's member entry. The default compute SA has overly broad permissions, so no service should run as it. Use Workload Identity to call Google APIs from Cloud Run.
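An added audit check (not code from the original page): it reads the JSON that gcloud projects get-iam-policy and gcloud run services list produce and flags services that run as the default compute SA, or as an SA holding a broad project role. The embedded JSON is constructed sample data trimmed to the fields the check needs; the project number, names and emails are assumptions.

```python
import json
import re

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json` (trimmed)
IAM_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:my-dedicated-sa@my-project.iam.gserviceaccount.com"]}
  ]
}"""

# Constructed sample of `gcloud run services list --format=json` (trimmed)
SERVICES_JSON = """[
  {"metadata": {"name": "my-service"},
   "spec": {"template": {"spec": {
     "serviceAccountName": "123456789012-compute@developer.gserviceaccount.com"}}}},
  {"metadata": {"name": "config-reader"},
   "spec": {"template": {"spec": {
     "serviceAccountName": "my-dedicated-sa@my-project.iam.gserviceaccount.com"}}}}
]"""

DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
BROAD_ROLES = {"roles/owner", "roles/editor"}


def roles_for(policy, sa_email):
    """Return the project-level roles bound directly to this service account."""
    member = f"serviceAccount:{sa_email}"
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])


def audit(policy_json, services_json):
    """Return one finding per Cloud Run service that runs with too much privilege."""
    policy = json.loads(policy_json)
    findings = []
    for svc in json.loads(services_json):
        name = svc["metadata"]["name"]
        # An unset serviceAccountName means Cloud Run fell back to the default compute SA.
        sa = svc["spec"]["template"]["spec"].get("serviceAccountName", "")
        roles = roles_for(policy, sa)
        if not sa or DEFAULT_COMPUTE_SA.match(sa):
            findings.append({"service": name, "sa": sa, "why": "default compute SA", "roles": roles})
        elif BROAD_ROLES & set(roles):
            findings.append({"service": name, "sa": sa, "why": "broad project role", "roles": roles})
    return findings


if __name__ == "__main__":
    for f in audit(IAM_POLICY_JSON, SERVICES_JSON):
        print(f"{f['service']}: {f['why']} ({f['sa']}) roles={f['roles']}")
```

Run it against real exports by replacing the two constants with the files written by the gcloud commands in the comments; the dedicated SA with only roles/storage.objectViewer produces no finding.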
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Secure your cloud with DodaTech.