Configure service identity for jobs

A Cloud Run job has a service identity that is used as the authenticated account for accessing Google Cloud APIs from your Cloud Run instance container. To learn more about service identity, see the Introduction to service identity guide.

How service identity is used

In Cloud Run, the service identity is a service account that is both a resource and a principal.

  • Service identity as a resource: To attach a service account as the service identity, the deployer account must have access on the service identity resource. Certain operations, like creating or updating a job, require the deployer account to have permissions on the service identity resource.
  • Service identity as a principal: To access Google Cloud APIs from a Cloud Run job, you must grant the service identity the required roles or permissions for the operations you want your job to perform.

The next section covers the required roles for granting the deployer account access on the service identity resource and granting the roles or permissions that the service account principal needs.

Required roles

You or your administrator must grant IAM roles and permissions for the deployer account and the service identity.

Required roles for the deployer account

To get the permissions that you need to attach a service account as the service identity on the job, you or your administrator must grant your deployer account the Service Account User role (roles/iam.serviceAccountUser) on the service account that is used as the service identity.

This predefined role contains the iam.serviceAccounts.actAs permission, which is required to attach a service account to the job. You might also be able to get this permission by configuring custom roles or using other predefined roles.

For instructions on how to grant the deployer account this role on the service identity, see deployment permissions. If the service account is in a different project from the Cloud Run job, you or your administrator must also configure an IAM role for the Cloud Run service agent and set up an org policy. See Use service accounts in other projects for more details.

Note: Depending on the Cloud Run operation you need, refer to Cloud Run pages for the other roles that are needed for the deployer account.

Required roles for the service identity

To allow the service identity to access Google Cloud APIs from Cloud Run, you or your administrator must grant the service identity the permissions or roles that are required by the operations you want to perform. To access specific Cloud Client Libraries, refer to the Google Cloud documentation for that Google Cloud service.

If a Cloud Run job does not access other Google Cloud services, you don't need to grant the service identity any roles or permissions, and you can use the default service account that was assigned to the project.

Get recommendations to create dedicated service accounts

When you create a new service account from the Google Cloud console, the optional step "Grant this service account access to the project" is for any additional access required. For example, one Cloud Run service might invoke another private Cloud Run service, or it might access a Cloud SQL database, both of which require specific IAM roles. Refer to the documentation on managing access for more information.

The Recommender service also automatically supplies recommendations to create dedicated service accounts with the minimal required set of permissions.

Configure service identity

To configure the service identity for a job, use the Google Cloud console, the gcloud CLI, the API (YAML), or Terraform when you create and execute a new job:

Console

  1. In the Google Cloud console, go to the Cloud Run Jobs page.

  2. Click Deploy container to fill out the initial job settings page. If you are configuring an existing job, select the job, then click View and edit job configuration.

  3. Click Container(s), Volumes, Connections, Security to expand the job properties page.

  4. Click the Security tab.

    • Click the Service account dropdown and select an existing service account, or click Create a new service account if applicable.
  5. Click Create or Update.

gcloud

You can create a new job and specify a service account by using the following command:

gcloud run jobs create JOB_NAME --service-account SERVICE_ACCOUNT

Replace the following:

  • JOB_NAME: the name of your job.
  • SERVICE_ACCOUNT: the service account associated with the new identity. This value is the email address for the service account—for example, example@myproject.iam.gserviceaccount.com.

You can update an existing job to have a new service account by using the following command:

gcloud run jobs update JOB_NAME --image IMAGE_URL --service-account SERVICE_ACCOUNT

Replace the following:

  • IMAGE_URL: a reference to the container image—for example, us-docker.pkg.dev/cloudrun/container/job:latest.
  • SERVICE_ACCOUNT: the service account associated with the new identity. This value is the email address for the service account—for example, SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com.

YAML

If you haven't already created a service account, you can create a user-managed service account in IAM.

  1. If you are creating a new job, skip this step. If you are updating an existing job, download its YAML configuration:

    gcloud run jobs describe JOB_NAME --format export > job.yaml
  2. Update the serviceAccountName: attribute:

    apiVersion: run.googleapis.com/v1
    kind: Job
    metadata:
      name: JOB_NAME
    spec:
      template:
        spec:
          template:
            spec:
              serviceAccountName: SERVICE_ACCOUNT

    Replace the following:

    • JOB_NAME: the name of your Cloud Run job.
    • SERVICE_ACCOUNT: the service account associated with the new identity. This value is the email address for the service account—for example, SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com.
  3. Update the existing job configuration:

    gcloud run jobs replace job.yaml

Terraform

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Add the following to a google_cloud_run_v2_job resource in your Terraform configuration:

resource "google_cloud_run_v2_job" "default" {
  name     = "JOB_NAME"
  location = "REGION"
  template {
    template {
      containers {
        image = "us-docker.pkg.dev/cloudrun/container/job"
      }
      service_account = "SERVICE_ACCOUNT"
    }
  }
}

Replace the following:

  • JOB_NAME: the name of your Cloud Run job.
  • REGION: the Google Cloud region. For example, europe-west1.
  • SERVICE_ACCOUNT: the service account associated with the new identity. This value is the email address for the service account—for example, SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com.

Use service accounts in other projects

If you configure a service account from a different Google Cloud project than the Cloud Run resource, do the following:

  1. You or your administrator must grant the Service Account User role (roles/iam.serviceAccountUser) on the service account that you use as the service identity.

    Console

    1. Go to the Service accounts page of the Google Cloud console.

    2. Select the service account email address you are using as the service identity.

    3. Click the Principals with access tab.

    4. Click the Grant access button.

    5. Enter the deployer account email address that matches the principal you're granting the Admin or Developer role to.

    6. In the Select a role drop-down, select the Service Accounts > Service Account User role.

    7. Click Save.

    gcloud

    Use the gcloud iam service-accounts add-iam-policy-binding command, replacing the placeholder variables with the appropriate values:

    gcloud iam service-accounts add-iam-policy-binding \
      SERVICE_ACCOUNT_NAME@SERVICE_ACCOUNT_PROJECT_ID.iam.gserviceaccount.com \
      --member="PRINCIPAL" \
      --role="roles/iam.serviceAccountUser"

    Replace the following:

    • SERVICE_ACCOUNT_NAME: the name of the service account that you are attaching the Cloud Run resource to
    • SERVICE_ACCOUNT_PROJECT_ID: the project ID where the service account is located
    • PRINCIPAL: the deployer account you are adding the binding for, using the format user|group|serviceAccount:email or domain:domain—for example:

      • user:test-user@gmail.com
      • group:admins@example.com
      • serviceAccount:test123@example.domain.com
      • domain:example.domain.com
  2. You or your administrator must grant the Cloud Run resource's service agent the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on the service account you use as the service identity. The service agent follows the format service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com.

    Console

    1. Go to the Service accounts page of the Google Cloud console.

    2. Select the service account email address you are using as the service identity.

    3. Click the Permissions tab.

    4. Click the Grant access button.

    5. Enter the service agent email address. For example: service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com.

    6. In the Select a role drop-down, select the Service Accounts > Service Account Token Creator role.

    7. Click Save.

    gcloud

    Use the gcloud iam service-accounts add-iam-policy-binding command:

    gcloud iam service-accounts add-iam-policy-binding \
      SERVICE_ACCOUNT_NAME@SERVICE_ACCOUNT_PROJECT_ID.iam.gserviceaccount.com \
      --member="serviceAccount:service-CLOUD_RUN_RESOURCE_PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com" \
      --role="roles/iam.serviceAccountTokenCreator"

    Replace the following:

    • SERVICE_ACCOUNT_NAME: the name of the service account that you are attaching the Cloud Run resource to
    • SERVICE_ACCOUNT_PROJECT_ID: the project ID where the service account is located
    • CLOUD_RUN_RESOURCE_PROJECT_NUMBER: the project number where the Cloud Run resource is located

    The command prints the updated allow policy for the user-managed service account.

  3. The project containing this service account requires the org policy iam.disableCrossProjectServiceAccountUsage to be set to false or unenforced at the folder level or inherited from project-level settings. By default, this is set to true.

    Console

    1. Go to the Organization policies page in the Google Cloud console.

    2. From the project picker, select the organization and project for which you want to disable cross-project service account usage.

    3. Select the disable cross-project service account usage policy.

    4. Click Manage policy.

    5. Under Policy source, select Override parent's policy.

    6. Click Add a rule.

    7. Under Enforcement, select Off.

    8. To enforce the policy, click Set policy.

    gcloud

    In the project that has the service account, ensure that the iam.disableCrossProjectServiceAccountUsage organization policy constraint is not enforced. This constraint is enforced by default.

    To disable this organization policy constraint, run:

    gcloud resource-manager org-policies disable-enforce iam.disableCrossProjectServiceAccountUsage --project=SERVICE_ACCOUNT_PROJECT_ID

    Replace SERVICE_ACCOUNT_PROJECT_ID with the project ID that contains the service account.

You can apply role memberships directly to the service account resource or inherit them from higher levels in the resource hierarchy.
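As an added example (not part of this page or of Google's documentation), the following Python preflight check encodes the preconditions from Required roles and from this section: the deployer's Service Account User binding on the identity, and, when the identity lives in another project, the service agent's Service Account Token Creator binding and the iam.disableCrossProjectServiceAccountUsage constraint. The job and policy dictionaries, project IDs and number, and the deployer address are constructed sample values.

```python
"""Preflight check for a Cloud Run job's service identity (added example, not the page's code).
Job/policy shapes follow `gcloud run jobs describe --format export` and `get-iam-policy --format json`."""
import re

# User-managed service account address: NAME@PROJECT_ID.iam.gserviceaccount.com
USER_MANAGED_SA = re.compile(r"^[^@]+@([a-z][-a-z0-9]*[a-z0-9])\.iam\.gserviceaccount\.com$")

def service_agent(project_number: int) -> str:
    """Cloud Run service agent of the project that owns the job (format given on the page)."""
    return f"service-{project_number}@serverless-robot-prod.iam.gserviceaccount.com"

def members_with_role(policy: dict, role: str) -> set:
    return {m for b in policy.get("bindings", []) if b.get("role") == role
            for m in b.get("members", [])}

def check_job_identity(job: dict, job_project_id: str, job_project_number: int,
                       deployer: str, sa_policy: dict, cross_project_enforced: bool) -> list:
    """Return the page's preconditions that are NOT met for this job's service identity."""
    sa = job["spec"]["template"]["spec"]["template"]["spec"].get("serviceAccountName")
    if not sa:
        return ["no serviceAccountName: the job runs as the project's default service account"]
    problems = []
    # Deployer needs iam.serviceAccounts.actAs (Service Account User) on the identity resource.
    if deployer not in members_with_role(sa_policy, "roles/iam.serviceAccountUser"):
        problems.append(f"{deployer} lacks roles/iam.serviceAccountUser on {sa}")
    match = USER_MANAGED_SA.match(sa)
    if match and match.group(1) != job_project_id:
        # Identity lives in another project: service agent needs Token Creator, org policy off.
        agent = "serviceAccount:" + service_agent(job_project_number)
        if agent not in members_with_role(sa_policy, "roles/iam.serviceAccountTokenCreator"):
            problems.append(f"{agent} lacks roles/iam.serviceAccountTokenCreator on {sa}")
        if cross_project_enforced:
            problems.append("iam.disableCrossProjectServiceAccountUsage is enforced in "
                            f"project {match.group(1)}")
    return problems

# Constructed sample: job in project "jobs-prj" (number 123456789012), identity in "sa-prj".
SAMPLE_JOB = {"apiVersion": "run.googleapis.com/v1", "kind": "Job", "metadata": {"name": "nightly"},
              "spec": {"template": {"spec": {"template": {"spec": {
                  "serviceAccountName": "nightly-runner@sa-prj.iam.gserviceaccount.com"}}}}}}
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/iam.serviceAccountUser", "members": ["user:deployer@example.com"]}]}

def demo() -> list:
    return check_job_identity(SAMPLE_JOB, "jobs-prj", 123456789012, "user:deployer@example.com",
                              SAMPLE_POLICY, cross_project_enforced=True)

if __name__ == "__main__":
    for problem in demo():
        print("-", problem)
```

With only the deployer binding in place, the sample reports the two remaining cross-project gaps; a same-project identity with the same policy reports none.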

Last updated 2026-02-19 UTC.