Description
TL;DR
The "execute jobs on schedule" Cloud Run example creates permissions that are not needed, and binds project-level permissions where job-level binding would do.
Expected behavior
The example demonstrates the minimum permissions required to achieve the goal.
Observed behavior
It is unclear to the reader which permissions are required, or what they are used for.
Terraform Configuration
```hcl
resource "google_cloud_run_v2_job_iam_binding" "run_invoker_binding" {
  project  = google_cloud_run_v2_job.default.project
  location = google_cloud_run_v2_job.default.location
  name     = google_cloud_run_v2_job.default.name
  role     = "roles/run.invoker"
  members  = ["serviceAccount:${google_service_account.cloud_run_invoker_sa.email}"]
}
```
Terraform Version
```
❯ terraform version
Terraform v1.5.5
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v4.80.0
+ provider registry.terraform.io/hashicorp/google-beta v4.80.0
```
Additional information
I also needed roles/iam.serviceAccountUser for the account that actually applies the Terraform, but all examples seem to imply owner permissions on the project, so it does not need to be included in the example.
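To make the scoping point concrete, the following is an added illustration, not the issue author's configuration and not the sample's own code: it places a project-wide invoker grant (commented out, the shape of the binding the issue objects to) next to a job-scoped grant, and wires the job to Cloud Scheduler with an OIDC token minted for the invoker service account. Resource names such as `report-job`, `cloud-run-invoker`, the container image, the schedule, and the `var.project_id` / `var.region` inputs are assumed placeholders.

```hcl
# Added illustration of project-level vs job-level roles/run.invoker.
# Names, image, schedule and variables are assumed placeholders.

variable "project_id" { type = string }
variable "region" {
  type    = string
  default = "us-central1"
}

# Identity Cloud Scheduler will present when it executes the job. It needs
# no other roles: the job itself runs as its own (default or configured)
# service account, not as this one.
resource "google_service_account" "cloud_run_invoker_sa" {
  account_id   = "cloud-run-invoker"
  display_name = "Cloud Scheduler invoker for report-job"
}

resource "google_cloud_run_v2_job" "default" {
  name     = "report-job"
  location = var.region

  template {
    template {
      containers {
        image = "us-docker.pkg.dev/cloudrun/container/job:latest"
      }
    }
  }
}

# Too broad: this lets the scheduler identity execute every Cloud Run job
# and invoke every Cloud Run service in the project, now and in future.
#
# resource "google_project_iam_member" "run_invoker_project_wide" {
#   project = var.project_id
#   role    = "roles/run.invoker"
#   member  = "serviceAccount:${google_service_account.cloud_run_invoker_sa.email}"
# }

# Least privilege: the grant is attached to this one job. The _iam_member
# form is non-authoritative, so it adds this principal without removing
# other invokers, which an _iam_binding for the same role would do.
resource "google_cloud_run_v2_job_iam_member" "run_invoker" {
  project  = google_cloud_run_v2_job.default.project
  location = google_cloud_run_v2_job.default.location
  name     = google_cloud_run_v2_job.default.name
  role     = "roles/run.invoker"
  member   = "serviceAccount:${google_service_account.cloud_run_invoker_sa.email}"
}

# Scheduler POSTs to the Cloud Run Jobs API ":run" endpoint, authenticating
# with an OIDC token for the invoker service account. Setting that account
# on the scheduler job is what requires the applier to hold
# roles/iam.serviceAccountUser (actAs) on it, as noted in the issue.
resource "google_cloud_scheduler_job" "run_job_nightly" {
  name      = "run-report-job"
  region    = var.region
  schedule  = "0 2 * * *"
  time_zone = "Etc/UTC"

  http_target {
    http_method = "POST"
    uri         = "https://${var.region}-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${var.project_id}/jobs/${google_cloud_run_v2_job.default.name}:run"

    oidc_token {
      service_account_email = google_service_account.cloud_run_invoker_sa.email
    }
  }

  depends_on = [google_cloud_run_v2_job_iam_member.run_invoker]
}
```

A quick check after `terraform apply`: `gcloud run jobs get-iam-policy report-job --region "$REGION"` should list only the invoker service account under `roles/run.invoker`, and `gcloud projects get-iam-policy "$PROJECT_ID"` should show no `roles/run.invoker` entry for it at all. If the project-level grant is still present from an earlier apply, removing it with `gcloud projects remove-iam-policy-binding` is the fix, since the job-scoped member above does not touch project bindings.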