Configure service identity for services
A Cloud Run service or revision has a service identity that is used as the authenticated account for accessing Google Cloud APIs from your Cloud Run instance container. To learn more about service identity, see the Introduction to service identity guide.
How service identity is used
In Cloud Run, the service identity is a service account that is both a resource and a principal.
- Service identity as a resource: To attach a service account as the service identity, the deployer account must have access on the service identity resource. Certain operations, like creating or updating a service or revision, require the deployer account to have permissions on the service identity resource.
- Service identity as a principal: To access Google Cloud APIs from a Cloud Run service or revision, you must grant the service identity the required roles or permissions for the operations you want your service or revision to perform.
The next section covers the required roles for granting the deployer account access on the service identity resource and granting the roles or permissions that the service account principal needs.
Required roles
You or your administrator must grant IAM roles and permissions for the deployer account and the service identity.
Required roles for the deployer account
To get the permissions that you need to attach a service account as the service identity on the service or revision, you or your administrator must grant your deployer account the Service Account User role (roles/iam.serviceAccountUser) on the service account that is used as the service identity.
This predefined role contains the iam.serviceAccounts.actAs permission, which is required to attach a service account on the service or revision. You might also be able to get this permission by configuring custom roles or using other predefined roles.
For instructions on how to grant the deployer account this role on the service identity, see deployment permissions. If the service account is in a different project from the Cloud Run service or revision, you or your administrator must also configure an IAM role for the Cloud Run service agent and set up an org policy. See Use service accounts in other projects for more details.
Note: Depending on the Cloud Run operation you need, refer to the Cloud Run pages for the other roles that are needed for the deployer account.
Required roles for the service identity
To allow the service identity to access Google Cloud APIs from Cloud Run, you or your administrator must grant the service identity the permissions or roles that are required by the operations you want to perform. For the roles needed by specific Cloud Client Libraries, refer to the Google Cloud documentation for the corresponding Google Cloud service.
If a Cloud Run service or revision does not access other Google Cloud services, you don't need to grant the service identity any roles or permissions, and you can use the default service account that was assigned to the project.
Get recommendations to create dedicated service accounts
When you create a new service account from the Google Cloud console, the optional step "Grant this service account access to the project" is for any additional access required. For example, one Cloud Run service might invoke another private Cloud Run service, or it might access a Cloud SQL database, both of which require specific IAM roles. Refer to the documentation on managing access for more information.
The Recommender service also automatically supplies recommendations to create dedicated service accounts with the minimal required set of permissions.
Configure service identity
If you haven't already created a service account, you can either create a user-managed service account in IAM, or in Cloud Run.
To configure service identity, use either the Google Cloud console, the gcloud CLI, the API (YAML) when you create a new service or deploy a new revision, or Terraform:
Console
In the Google Cloud console, go to Cloud Run:
Select Services from the Cloud Run navigation menu, and click Deploy container to configure a new service. If you are configuring an existing service, click the service, then click Edit and deploy new revision.
If you are configuring a new service, fill out the initial service settings page, then click Container(s), Volumes, Networking, Security to expand the service configuration page.
Click the Security tab.
Click the Service account dropdown and select an existing service account, or click Create a new service account if applicable.
Click Create or Deploy.
gcloud
You can update an existing service to have a new service account by using the following command:
gcloud run services update SERVICE --service-account SERVICE_ACCOUNT
Replace the following:
- SERVICE: the name of your service.
- SERVICE_ACCOUNT: the service account associated with the new identity. This value is the email address for the service account, for example, example@myproject.iam.gserviceaccount.com.
You can also set a service account during deployment using the command:
gcloud run deploy --image IMAGE_URL --service-account SERVICE_ACCOUNT
Replace the following:
- IMAGE_URL: a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format of LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG.
- SERVICE_ACCOUNT: the service account associated with the new identity. This value is the email address for the service account, for example, example@myservice.iam.gserviceaccount.com.
YAML
If you are creating a new service, skip this step. If you are updating an existing service, download its YAML configuration:
gcloud run services describe SERVICE --format export > service.yaml
Update the serviceAccountName: attribute:
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: SERVICE
spec:
  template:
    spec:
      serviceAccountName: SERVICE_ACCOUNT
Replace the following:
- SERVICE: the name of your Cloud Run service.
- SERVICE_ACCOUNT: the service account associated with the new identity. This value is the email address for the service account, for example, SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com.
Create or update the service using the following command:
gcloud run services replace service.yaml
Terraform
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
Add the following to a google_cloud_run_v2_service resource in your Terraform configuration. To create a service account, add the following resource to your existing main.tf file:
resource "google_service_account" "cloudrun_service_identity" {
  account_id = "my-service-account"
}
Create or update a Cloud Run service and include your service account:
resource "google_cloud_run_v2_service" "default" {
  name                = "id-service"
  location            = "us-central1"
  deletion_protection = false # set to "true" in production
  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
    service_account = google_service_account.cloudrun_service_identity.email
  }
}
Use service accounts in other projects
If you configure a service account from a different Google Cloud project than the Cloud Run resource, do the following:
You or your administrator must grant the Service Account User role (roles/iam.serviceAccountUser) on the service account that you use as the service identity.
Console
Go to the Service accounts page of the Google Cloud console:
Select the service account email address you are using as the service identity.
Click the Principals with access tab.
Click the Grant access button.
Enter the deployer account email address that matches the principal you're granting the Admin or Developer role to.
In the Select a role drop-down, select the Service Accounts > Service Account User role.
Click Save.
gcloud
Use the gcloud iam service-accounts add-iam-policy-binding command, replacing the placeholder variables with the appropriate values:
gcloud iam service-accounts add-iam-policy-binding \
  SERVICE_ACCOUNT_NAME@SERVICE_ACCOUNT_PROJECT_ID.iam.gserviceaccount.com \
  --member="PRINCIPAL" \
  --role="roles/iam.serviceAccountUser"
Replace the following:
- SERVICE_ACCOUNT_NAME: the name of the service account that you are attaching to the Cloud Run resource
- SERVICE_ACCOUNT_PROJECT_ID: the project ID where the service account is located
- PRINCIPAL: the deployer account you are adding the binding for, using the format user|group|serviceAccount:email or domain:domain, for example: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, domain:example.domain.com
You or your administrator must grant the Cloud Run resource's service agent the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on the service account you use as the service identity. The service agent follows the format of service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com.
Console
Go to the Service accounts page of the Google Cloud console:
Select the service account email address you are using as the service identity.
Click the Permissions tab.
Click the Grant access button.
Enter the service agent email address. For example: service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com.
In the Select a role drop-down, select the Service Accounts > Service Account Token Creator role.
Click Save.
gcloud
Use the gcloud iam service-accounts add-iam-policy-binding command:
gcloud iam service-accounts add-iam-policy-binding \
  SERVICE_ACCOUNT_NAME@SERVICE_ACCOUNT_PROJECT_ID.iam.gserviceaccount.com \
  --member="serviceAccount:service-CLOUD_RUN_RESOURCE_PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com" \
  --role="roles/iam.serviceAccountTokenCreator"
Replace the following:
- SERVICE_ACCOUNT_NAME: the name of the service account that you are attaching to the Cloud Run resource
- SERVICE_ACCOUNT_PROJECT_ID: the project ID where the service account is located
- CLOUD_RUN_RESOURCE_PROJECT_NUMBER: the project number where the Cloud Run resource is located
The command prints the updated allow policy for the user-managed serviceaccount.
The project containing this service account requires the org policy iam.disableCrossProjectServiceAccountUsage to be set to false or unenforced at the folder level or inherited from project-level settings. By default, this is set to true.
Console
Go to the Organization policies page in the Google Cloud console:
From the project picker, select the organization and project for which you want to disable cross-project service account usage.
Select the Disable cross-project service account usage policy.
Click Manage policy.
Under Policy source, select Override parent's policy.
Click Add a rule.
Under Enforcement, select Off.
To enforce the policy, click Set policy.
gcloud
In the project that has the service account, ensure that the iam.disableCrossProjectServiceAccountUsage organization policy constraint is not enforced. This constraint is enforced by default. To disable this organization policy constraint, run:
gcloud resource-manager org-policies disable-enforce iam.disableCrossProjectServiceAccountUsage --project=SERVICE_ACCOUNT_PROJECT_ID
Replace SERVICE_ACCOUNT_PROJECT_ID with the project ID that contains the service account.
You can apply role memberships directly to the service account resource or inherit them from higher levels in the resource hierarchy.
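A quick way to confirm that both bindings from the cross-project steps above (and the deployer's Service Account User role from the Required roles section) are actually present on the service account is to inspect its allow policy. This is an added example, not code from the page or from Google; it parses a constructed policy in the JSON shape that gcloud iam service-accounts get-iam-policy --format=json returns, and assumes the member strings, project number and etag shown are placeholders. The org-policy constraint is a separate check that this script does not cover.

```python
"""Check a service account's IAM allow policy for the bindings that
cross-project service identity requires (added example, not from the page)."""

SA_USER = "roles/iam.serviceAccountUser"
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"


def service_agent(project_number: str) -> str:
    """Cloud Run service agent of the project that owns the Cloud Run resource."""
    return (f"serviceAccount:service-{project_number}"
            "@serverless-robot-prod.iam.gserviceaccount.com")


def members_with_role(policy: dict, role: str) -> set:
    """Collect every member bound to `role` across all bindings.
    Bindings that carry a condition are ignored on purpose: a conditional
    grant may not apply at deploy time, so it is not counted as satisfying
    the requirement (conservative choice made for this example)."""
    return {m for b in policy.get("bindings", [])
            if b.get("role") == role and "condition" not in b
            for m in b.get("members", [])}


def missing_bindings(policy: dict, deployer: str, project_number: str) -> list:
    """Return the (member, role) pairs still missing: the deployer needs
    Service Account User (carries iam.serviceAccounts.actAs) and the Cloud Run
    service agent needs Service Account Token Creator."""
    required = [(deployer, SA_USER),
                (service_agent(project_number), TOKEN_CREATOR)]
    return [(m, r) for m, r in required if m not in members_with_role(policy, r)]


# Constructed sample policy: the deployer already has actAs, but the
# service agent binding has not been added yet. Values are placeholders.
SAMPLE_POLICY = {
    "bindings": [
        {"role": SA_USER, "members": ["user:deployer@example.com"]},
    ],
    "etag": "BwXsample==",
}

if __name__ == "__main__":
    # In practice: load json.loads(subprocess output of get-iam-policy) here.
    for member, role in missing_bindings(SAMPLE_POLICY,
                                         "user:deployer@example.com",
                                         "123456789012"):
        print(f"missing: {member} needs {role}")
```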
What's next
- For more information about service accounts, see the IAM service account and user-managed service account guides.
- If your Cloud Run service, job, or worker pool accesses Google APIs or Google Cloud services, you must configure your service account as the service identity. Learn more.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.